
Not all health clouds are created equal: Check the facts

By Hector Rodriguez, Worldwide Health CISO & Standards, Microsoft on February 13, 2017




In order for your health organization to digitally transform and realize the benefits of the cloud, you must be willing to entrust your cloud provider with one of your most valuable assets—your data.

Whether you’re just starting to migrate your email or imaging storage to the cloud or you’re considering using cloud-based clinical systems, you need to be able to trust the technology you’re using.

Trust is essential as you move datasets containing protected health information (PHI), including patient demographics and treatment information, to the cloud. It’s critical as you share data across the health ecosystem, and expand how and where health professionals and patients access confidential information.

So wherever you are on your journey to the cloud, it’s vital to work with a service provider that you can trust. Not all clouds are created equal—it’s crucial to check the facts and know what you’re getting:

  • How does a cloud service provider help its health customers stay compliant?
  • Does it also help them secure their infrastructure across all its endpoints?
  • How does it help health organizations to keep PHI and other sensitive data private? Do its customers retain control of their data and is the cloud service provider transparent about what it is and is NOT doing with their data?
  • Can you trust that a cloud service provider will offer you the choice of services and flexibility in how you implement them that you need to digitally transform your way—today and into the future?

Below we cover these key considerations for health organizations as they begin or extend their use of the cloud. And we offer information and resources to help you find answers to your questions and understand how we earn our health customers’ trust in our cloud services.

Helping you stay compliant

You know how complicated—and ever-changing—compliance requirements can be in the health industry. You need to be able to trust that your cloud service provider knows, too. Is it keeping up with the latest regulations in health? What’s its history when it comes to compliance leadership?

Microsoft has been involved with health industry standards groups and consortiums of customers and partners around the world for more than a decade. We behave and are audited like a healthcare covered entity across technical, physical, and administrative safeguards. And we’re proud of leading the way when it comes to offering cloud services that can help health organizations maintain compliance with applicable laws, regulations, and key international standards.

For example, we recently announced that Microsoft Azure is one of the first hyper-scale cloud computing platforms to become HITRUST CSF Certified.

We were also the first hyper-scale cloud vendor to offer a HIPAA business associates agreement (BAA). And we offer more covered services than any other cloud provider under one umbrella HIPAA BAA to help health organizations have the choice and flexibility they need while streamlining their compliance efforts.

Our HIPAA BAA covers cloud services for productivity and collaboration, patient relationship management, analytics, application hosting, data storage, and application and device management. And we’re always adding more, so keep checking the list of services covered.

To help your health organization comply with national, regional, and industry-specific requirements governing the collection and use of sensitive data, Microsoft offers the most comprehensive set of compliance offerings of any cloud service provider.

Our cloud services operate with a cloud control framework, which aligns controls with multiple regulatory standards. We design and build our cloud services using a common set of controls, which streamlines compliance across a range of regulations not only for today, but for tomorrow as well. Then we engage independent auditors to perform in-depth audits of the implementation and effectiveness of these controls.

Taking a holistic approach to cybersecurity

Your health organization is likely realizing that security isn’t just about complying with regulations. And it isn’t just about your cloud services. Weakness anywhere in your technology stack can undermine security applied to other areas.

To avoid technology breaches and cyberattacks—which are so often in the news these days—you need to take an end-to-end approach to protecting your data and infrastructure. You need an approach that helps you answer questions like:

  • Are the people accessing your network who they say they are, and if they are, do they make preventable mistakes?
  • Are the devices connecting to your network free from viruses and malware? What if they get compromised by a zero-day attack? What if they get lost or stolen?
  • Can you trust the operating system and the software that runs on it to be robust and secure?
  • Can you trust not only that your data is protected, but also that you know where it came from and it hasn’t been tampered with?

Most cybercriminal schemes are successful because authentication controls and activity auditing around people, machines, software, and data are lacking.

We manage our cloud infrastructure across all these areas. When you put your infrastructure in our cloud, we manage the systems and software you use, and protect your data with strong security controls and sound processes that are independently verified. And we have a portfolio of technologies that can help you prevent and mitigate breaches in areas you manage: the identities of your people, their devices, and the software and data on their devices.

Microsoft builds security into our products and services from the start. That’s how we deliver a comprehensive, agile platform to better protect your endpoints, move faster to detect threats, and respond to security breaches across even the largest of organizations. We offer industry-leading security, including encryption – at no additional cost, plus robust anti-virus, anti-threat, and other security features.

Protecting the privacy of PHI and other data

When you use cloud services, you want to trust that the privacy of PHI and other data will be protected. You want to know that you still own and control the data you’re putting in the cloud and have visibility into how it’s being stored and processed.

At Microsoft, we understand that when our customers put their data in our cloud, it’s their data, not ours.

When you use our cloud services, you have control over the collection, use, and distribution of your data:

  • We use your customer data only to provide the services we have agreed upon. We do not scan it for marketing purposes or treat it as a product to sell to others.
  • You know where your customer data is stored in our datacenters around the globe. You know who can access it and under what circumstances, and how it is responsibly protected, transferred, and deleted.
  • When data from many customers is stored at a shared physical location, we use logical isolation to segregate each customer’s cloud services data from that of others.
  • If a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible. We have challenged and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data.

What’s more, our time-tested approach to privacy is grounded in the Microsoft Privacy Standard and the Microsoft Security Development Lifecycle. Third-party audits and certifications validate our rigorous technical development standards and help ensure that privacy and data protections are systematically implemented.

For example, Microsoft was the first major cloud provider to incorporate the first international code of practice for cloud privacy, ISO/IEC 27018. We also back those protections with strong contractual commitments.

Flexibility to digitally transform your way

Digital transformation in health is a journey, not a destination. So you need to be able to trust that your cloud service provider can offer you the choice and flexibility you need not only today, but into the future.

Whether you need to better engage patients, empower care teams, optimize clinical and operational effectiveness, or transform the care continuum, you can choose from the wide range of cloud eHealth solutions from Microsoft and our partners to help you achieve your goals. That means that rather than piecing together solutions using different cloud platforms, you can take advantage of the interoperability of our comprehensive set of Microsoft cloud services.

You can also move to the cloud at your own pace. Our hybrid cloud solutions enable you to use a combination of on-premises and cloud services.

By using eHealth solutions that are built to work together, you can streamline security and administration across your infrastructure—and save money.

A cloud you can trust

With eHealth solutions from Microsoft and our partners, you benefit not only from our deep compliance, security, and privacy experience and long history of health industry collaboration, but also from the choice and flexibility to digitally transform your way.

It’s how we’ve earned the trust of our health customers around the world that are using the Microsoft Cloud to empower better health for their communities. In the U.S. alone, more than 35,000 health organizations use our cloud services.

Additional Resources

Cybersecurity in Health e-book

We hope the above helps you begin to check the facts as you take advantage of the cloud to help you improve care quality and efficiency, while reducing costs. To learn more, visit the Microsoft Trust Center. It offers detailed security, privacy, and compliance information and resources for all Microsoft cloud services.

And if you have any questions or comments, please reach out to us via email, Facebook, or Twitter.
