
CISO: Office 365, OneDrive, and HIPAA data


Purpose

This article is a statement from the Chief Information Security Officer (CISO), Leo Howell, regarding HIPAA data in Microsoft OneDrive.

Statement

Office 365 (O365) has been vetted and approved by the Information Security Office for storage of sensitive data, including HIPAA-covered data. The University has a current Business Associate Agreement with Microsoft, in which Microsoft has agreed to take responsibility for the security of the cloud environment in which our data is stored. However, the security provided by Microsoft does not cover user-level actions such as sharing, downloading and printing documents in O365. To ensure that sensitive documents are always protected, owners of documents in O365 should follow the guidelines below:

Sharing

  • Only share files or folders with individuals who have a “need to know”
  • Limit sharing of sensitive files to “Specific People.” See the details on permissions for Sharing Files and Folders
  • Unless editing is required, disable Editing for individuals who only need view access
  • Revoke re-sharing of files or folders to unapproved individuals; re-sharing notifications are sent to your email

Downloading

Currently there are no controls to block download of files once they are shared with someone else (even if shared as view-only). Additionally, there are no logs in place to provide monitoring or alerting on such downloads. Consequently, when you share sensitive files or folders, you should only do so with trusted individuals who have a “need to know.” You should also provide clear instructions on your limitations regarding downloading or making copies.

Printing

Currently there are no controls to block printing of files once they are shared with someone else (even if shared as view-only). Additionally, there are no logs in place to provide monitoring or alerting on printing activities. Consequently, when you share sensitive files or folders, you should only do so with trusted individuals who have a “need to know.” You should also provide clear instructions on your limitations regarding printing of files and the physical protection of printed documents.
