10/22/2012
11:27 AM
Office 365 Boasts HIPAA-Compliant Messaging System

Several universities adopt Microsoft's cloud-based, HIPAA-compliant system in an effort to keep personal health data safer.

Microsoft recently announced that a number of academic institutions and medical schools are adopting Office 365--the company’s next-generation cloud productivity service. The system helps meet security, privacy, and other regulatory requirements mandated by HIPAA.

Universities involved in the adoption of Office 365 include Duke University, Emory University, Thomas Jefferson University, University of Iowa, and University of Washington. Each institution opted for Office 365 after experts from the academic, public, and private sector participated in a joint effort with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.

The institutions and medical schools represent approximately 188,000 additional students, faculty, and staff who are using the cloud productivity service. As a result, Microsoft says it now offers the "most comprehensive agreement available to HIPAA-covered entities that manage electronic-protected health information," according to a press release.

Thomas Jefferson University began doing rolling conversions to Office 365 in December 2011 and finished the implementation of the system in March of this year. Doug Herrick, chief information officer at Thomas Jefferson University, told InformationWeek Healthcare the institution worked through a number of options before deciding on Office 365, including a hardware refresh on a previous system and even converting to Google's Gmail. "But the university was looking for a more integrated solution and more collaborative messaging and communication functions that went beyond pure email," he said.


Additionally, the university wasn't able to negotiate a BAA with Google that was specific enough to meet HIPAA requirements. "We needed a service for faculty and staff that could pass by our legal folks and our privacy folks," Herrick explained. "That knocked Gmail out; it was fine for students, but faculty and staff needed a vendor that would sign an agreement with us and have it be relative to HIPAA requirements."

During the process of introducing Office 365, Microsoft ended up crafting a BAA for all participating universities and health systems, and Duke University was a key player in that process. Art Glasgow, chief information officer and vice president of Duke Medicine, said in an interview with InformationWeek Healthcare that first and foremost, it's important for health organizations to understand that not all BAAs are created equal. For instance, he said, Duke Medicine’s BAA "is vetted by our compliance and legal [departments] and is one we're sure protects us and our responsibility to our patients."

Glasgow continued, "Working with Microsoft was easier, in my opinion, than working with other vendors in the healthcare space, and that's because Microsoft made an internal decision and a commitment to try to improve their position in this market place. It showed when working with them."

Tracy Futhey, vice president of information technology and chief information officer at Duke University, added that a big advantage of approaching a joint BAA in this way was the ability to forgo a "one-on-one process many times over." "Typically, each time a university or medical center wants to do something with a vendor, crafting a BAA [involves] getting attorneys together and haggling one on one," she said.

"In this case, since we had all universities interested in a BAA and in getting email and similar services from Microsoft, we were all able to come up with some common language that we and Microsoft agreed on," she added.

Unlike Thomas Jefferson University, which has already begun its use of Office 365, Duke University has been testing the service for the last several months and is looking forward to fully implementing it this fall. According to Glasgow, the service is requiring the institution to "take two separate environments"--the medical and educational environments--and "merge them into one environment in the cloud."

"We're deeply involved in testing it in both organizations and in both email environments, and now we're moving into the implementation phase," he said. "It's such a good value proposition for us because not only does it break down silos, but it allows us to deliver services important to a university," said Glasgow.


Comments
jaysimmons
10/30/2012 | 3:26:56 AM
re: Office 365 Boasts HIPAA-Compliant Messaging System
It's nice that Microsoft has taken the time and made an effort to address HIPAA concerns, but I wonder how useful this will actually be once implemented. Many systems which run EHRs would probably find more value in an integrated messaging system inside the EHR itself rather than having to use Office. Having a messaging/communication platform that is accessible via the web is great, but ultimately having something that requires a new program and window open may be a burden.

Jay Simmons
InformationWeek Contributor