Risk
10/22/2012
11:27 AM
Office 365 Boasts HIPAA-Compliant Messaging System

Several universities adopt Microsoft's cloud-based, HIPAA-compliant system in an effort to keep personal health data safer.

Microsoft recently announced that a number of academic institutions and medical schools are adopting Office 365--the company’s next-generation cloud productivity service. The system helps meet security, privacy, and other regulatory requirements mandated by HIPAA.

Universities involved in the adoption of Office 365 include Duke University, Emory University, Thomas Jefferson University, University of Iowa, and University of Washington. Each institution opted for Office 365 after experts from the academic, public, and private sector participated in a joint effort with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.

The institutions and medical schools represent approximately 188,000 additional students, faculty, and staff who are using the cloud productivity service. As a result, Microsoft says it now offers the "most comprehensive agreement available to HIPAA-covered entities that manage electronic-protected health information," according to a press release.

Thomas Jefferson University began doing rolling conversions to Office 365 in December 2011 and finished the implementation of the system in March of this year. Doug Herrick, chief information officer at Thomas Jefferson University, told InformationWeek Healthcare the institution worked through a number of options before deciding on Office 365, including a hardware refresh on a previous system and even converting to Google's Gmail. "But the university was looking for a more integrated solution and more collaborative messaging and communication functions that went beyond pure email," he said.

Additionally, the university wasn't able to negotiate a BAA with Google that was specific enough to meet HIPAA requirements. "We needed a service for faculty and staff that could pass by our legal folks and our privacy folks," Herrick explained. "That knocked Gmail out; it was fine for students, but faculty and staff needed a vendor that would sign an agreement with us and have it be relative to HIPAA requirements."

During the process of introducing Office 365, Microsoft ended up crafting a BAA for all participating universities and health systems, and Duke University was a key player in that process. Art Glasgow, chief information officer and vice president of Duke Medicine, said in an interview with InformationWeek Healthcare that first and foremost, it's important for health organizations to understand that not all BAAs are created equal. For instance, he said, Duke Medicine's BAA "is vetted by our compliance and legal [departments] and is one we're sure protects us and our responsibility to our patients."

Glasgow continued, "Working with Microsoft was easier, in my opinion, than working with other vendors in the healthcare space, and that's because Microsoft made an internal decision and a commitment to try to improve their position in this market place. It showed when working with them."

Tracy Futhey, vice president of information technology and chief information officer at Duke University, added that a big advantage of approaching a joint BAA in this way was the ability to forgo a "one-on-one process many times over." "Typically, each time a university or medical center wants to do something with a vendor, crafting a BAA [involves] getting attorneys together and haggling one on one," she said.

"In this case, since we had all universities interested in a BAA and in getting email and similar services from Microsoft, we were all able to come up with some common language that we and Microsoft agreed on," she added.

Unlike Thomas Jefferson University, which has already begun its use of Office 365, Duke University has been testing the service for the last several months and is looking forward to fully implementing it this fall. According to Glasgow, the service is requiring the institution to "take two separate environments"--the medical and educational environments--and "merge them into one environment in the cloud."

"We're deeply involved in testing it in both organizations and in both email environments, and now we're moving into the implementation phase," Glasgow said. "It's such a good value proposition for us because not only does it break down silos, but it allows us to deliver services important to a university."

Comments
jaysimmons,
User Rank: Apprentice
10/30/2012 | 3:26:56 AM
re: Office 365 Boasts HIPAA-Compliant Messaging System
It's nice that Microsoft has taken the time and made an effort to address HIPAA concerns, but I wonder how useful this will actually be once implemented. Many systems which run EHRs would probably find more value in an integrated messaging system inside the EHR itself rather than having to use Office. Having a messaging/communication platform that is accessible via the web is great, but ultimately having something that requires a new program and window open may be a burden.

Jay Simmons
InformationWeek Contributor