10/22/2012
11:27 AM

Office 365 Boasts HIPAA-Compliant Messaging System

Several universities adopt Microsoft's cloud-based, HIPAA-compliant system in an effort to keep personal health data safer.

Microsoft recently announced that a number of academic institutions and medical schools are adopting Office 365--the company’s next-generation cloud productivity service. The system helps meet security, privacy, and other regulatory requirements mandated by HIPAA.

Universities involved in the adoption of Office 365 include Duke University, Emory University, Thomas Jefferson University, University of Iowa, and University of Washington. Each institution opted for Office 365 after experts from the academic, public, and private sector participated in a joint effort with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.

The institutions and medical schools represent approximately 188,000 additional students, faculty, and staff who are using the cloud productivity service. As a result, Microsoft says it now offers the "most comprehensive agreement available to HIPAA-covered entities that manage electronic-protected health information," according to a press release.

Thomas Jefferson University began doing rolling conversions to Office 365 in December 2011 and finished the implementation of the system in March of this year. Doug Herrick, chief information officer at Thomas Jefferson University, told InformationWeek Healthcare the institution worked through a number of options before deciding on Office 365, including a hardware refresh on a previous system and even converting to Google's Gmail. "But the university was looking for a more integrated solution and more collaborative messaging and communication functions that went beyond pure email," he said.

Additionally, the university wasn't able to negotiate a BAA with Google that was specific enough to meet HIPAA requirements. "We needed a service for faculty and staff that could pass by our legal folks and our privacy folks," Herrick explained. "That knocked Gmail out; it was fine for students, but faculty and staff needed a vendor that would sign an agreement with us and have it be relative to HIPAA requirements."

During the process of introducing Office 365, Microsoft ended up crafting a BAA for all participating universities and health systems, and Duke University was a key player in that process. Art Glasgow, chief information officer and vice president of Duke Medicine, said in an interview with InformationWeek Healthcare that, first and foremost, it's important for health organizations to understand that not all BAAs are created equal. For instance, he said, Duke Medicine’s BAA "is vetted by our compliance and legal [departments] and is one we're sure protects us and our responsibility to our patients."

Glasgow continued, "Working with Microsoft was easier, in my opinion, than working with other vendors in the healthcare space, and that's because Microsoft made an internal decision and a commitment to try to improve their position in this market place. It showed when working with them."

Tracy Futhey, vice president of information technology and chief information officer at Duke University, added that a big advantage of approaching a joint BAA in this way was the ability to forgo a "one-on-one process many times over." "Typically, each time a university or medical center wants to do something with a vendor, crafting a BAA [involves] getting attorneys together and haggling one on one," she said.

"In this case, since we had all universities interested in a BAA and in getting email and similar services from Microsoft, we were all able to come up with some common language that we and Microsoft agreed on," she added.

Unlike Thomas Jefferson University, which has already begun its use of Office 365, Duke University has been testing the service for the last several months and is looking forward to fully implementing it this fall. According to Glasgow, the service is requiring the institution to "take two separate environments"--the medical and educational environments--and "merge them into one environment in the cloud."

"We're deeply involved in testing it in both organizations and in both email environments, and now we're moving into the implementation phase," Glasgow said. "It's such a good value proposition for us because not only does it break down silos, but it allows us to deliver services important to a university."

Comments
jaysimmons
10/30/2012 | 3:26:56 AM
re: Office 365 Boasts HIPAA-Compliant Messaging System
It's nice that Microsoft has taken the time and made an effort to address HIPAA concerns, but I wonder how useful this will actually be once implemented. Many systems which run EHRs would probably find more value in an integrated messaging system inside the EHR itself rather than having to use Office. Having a messaging/communication platform that is accessible via web is great, but ultimately having something that requires a new program and window open may be a burden.

Jay Simmons
InformationWeek Contributor