Dr. Mohamed Ayad, Industry Specialist, U.S. Health and Sciences at Microsoft, took to the blogs today to discuss Microsoft’s most recent achievement in healthcare certification. Mohamed also took some time to cover the storied history Microsoft has with healthcare.
I hope you guys are ready for some alphabet soup because Microsoft and healthcare organizations will have you drowning in letters and acronyms by the end of this piece.
As more and more tech companies begin to lean on the cloud and offer their integrated approach to health, fitness, and well-being, it’s important to understand the history healthcare has with the cloud. Mohamed makes note, “Microsoft was the first major cloud services provider to offer regulated entities an industry co-developed HIPAA Business Associate Agreement. This BAA, jointly developed by a consortium of academic medical centers, memorializes Microsoft’s compliance commitment to implementing the physical, technical and administrative safeguards and breach notification requirements set forth in HIPAA/HITECH.”
With over 10 million enterprise users from hundreds of organizations covered by a BAA, it is a rather impressive feat Microsoft can tuck under its belt. Organizations that have signed the BAA include Thomas Jefferson University, Mihills Webb Medical, and Steward Healthcare. More recently, the Department of Health and Human Services announced its intent to move 125,000 seats over to certified Office 365. Wins such as these go a long way toward establishing Microsoft's trustworthiness in the healthcare industry, a level of trust that companies like Google and Apple are currently seeking to establish with their new cloud-connected offerings.
Microsoft wasn't ready to hang its hat on the BAA alone, or on simply being HIPAA/HITECH compliant. The BAA was only one large piece of a much larger industry puzzle. The second, and arguably more important, piece is transparency from the businesses that handle healthcare data. Microsoft is pushing its HIPAA-compliant partners to be more transparent about how they validate their compliance. That validation can be demonstrated through several standards and certifications. For instance, a company can be certified against ISO/IEC 27018, developed by the International Organization for Standardization, or obtain an SSAE 16 attestation report under the standard issued by the American Institute of Certified Public Accountants. Healthcare organizations that trust these methods can shorten a lengthy vetting process, because certification against these standards means the company has been through a third-party audit (with the usual caveat that the audit covers only the systems and controls within its stated scope).
Enter the HITRUST CSF, the Health Information Trust Alliance Common Security Framework. HITRUST is designed to help healthcare companies that are reviewing multiple certification standards as they move toward the cloud. Mohamed sheds some more light on the topic. "Their goal was to create a CSF with an accompanying assessment and certification process that would reduce the complexity of managing multiple standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). The HITRUST CSF is modeled after the National Institute of Standards and Technology's Computer Security Division's NISTIR 7358 standard – Program Review for Information Security Management Assistance (PRISMA), where an organization can demonstrate 5 different levels of "maturity" for a particular security requirement." HITRUST partners include:
- Health Care Service Corporation
- Humana, Inc.
- Children’s Medical Center of Dallas
- IMS Health
- Highmark Inc.
- Anthem, Inc.
- UnitedHealth Group
- Express Scripts, Inc.
- McKesson Corporation
- Kaiser Permanente
- Blue Cross Blue Shield of Massachusetts
- Hospital Corporation of America
- CVS Caremark
Healthcare organizations can now rely on the CSF report produced by HITRUST-certified assessors to speed up their vetting of cloud providers. With that in mind, Microsoft has added another 'first' notch on its cloud belt: Microsoft Office 365 has undergone a CSF assessment and achieved the highest possible CSF rating, a five. The assessment was initiated by Centura Health, which comprises 18,000 professionals, 15 hospitals, 11 affiliate hospitals, and 100 physicians working in Colorado and Kansas. Centura Health used the assessment as part of its overall strategy in finally choosing Microsoft and Office 365 as its preferred cloud and office solutions.
“For Centura Health, it is important that our business partners are securing our information to the same standards that we adhere to,” said Kris Kistler, director, data security, Centura Health. “We believe that the HITRUST Common Security Framework (CSF) is the most comprehensive security framework available.”
For healthcare organizations contemplating a move to Office 365, Microsoft is ready to sign a HIPAA BAA, can provide its CSF assessment, and is prepared to be as transparent as necessary.