HIPAA
The Future of HIPAA and Changes to NIST 800-66: Access Control and Information Access Management
We can peer somewhat into the future of the Health Insurance Portability and Accountability Act (HIPAA) and overall healthcare data security policy by following the trend in heightened attacks against healthcare providers and proposals for new Federal policy, but there are also key signs for healthcare providers and Electronic Health Records (EHR) system vendors when reviewing the possible changes to National Institute of Standards and Technology (NIST) Special Publication 800-66 (NIST 800-66). NIST 800-66r2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, is “designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI.” [1] There are two subjects emphasized and woven throughout the newly published NIST 800-66r2 Draft. The first is risk analysis and management, and the second is access management. Interestingly, an entire risk management section is injected into the document, and both topics have more net new content than others throughout the draft. It is for this reason I’d like to highlight some of the new guidance, implications for these additions, and potential capabilities within Microsoft 365 and Azure that can address it.

Federal Discretion for HIPAA and Telehealth Expiring May 11 - Implications for Microsoft Teams
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) issued four distinct Notifications of Enforcement Discretion between April 2020 and February 2021, and all Notifications collectively were associated with the COVID-19 public health emergency. These discretions were issued to essentially allow healthcare providers the ability to adapt their care models to unprecedented circumstances during the pandemic. In this quick blog I will discuss one of the expiring discretions associated with telehealth and the use of “non-public facing remote communication technologies”, which includes Microsoft Teams. When healthcare providers use virtual healthcare or telemedicine to deliver services, they must ensure that they comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR is tasked with enforcing the application of HIPAA and HITECH to these services that use remote communication technologies, which is why they issued the initial notification detailing their provision to not impose penalties. When they issued the notice on March 17, 2020, the accompanying FAQ did not specify when the notification would expire. That TBD expiration date is now May 11, 2023.

AZ-500: Microsoft Azure Security Technologies Study Guide
The AZ-500 certification provides professionals with the skills and knowledge needed to secure Azure infrastructure, services, and data. The exam covers identity and access management, data protection, platform security, and governance in Azure. Learners can prepare for the exam with Microsoft's self-paced curriculum, instructor-led course, and documentation. The certification measures the learner’s knowledge of managing, monitoring, and implementing security for resources in Azure, multi-cloud, and hybrid environments. Azure Firewall, Key Vault, and Azure Active Directory are some of the topics covered in the exam.

Why Microsoft Teams "sprawl" is the best thing that has ever happened to your company!
I have been asked countless times by IT managers, "How do I control Teams sprawl?", and this question always throws me off because it is asked in a way that indicates "sprawl" is a bad thing. The way I look at this is that it shows natural, organic growth, and to me that is a good thing. It means the company likes and is enjoying the solution. I am not sure why you would want to limit this. It is a small business owner's dream that their product goes viral, or a young artist's dream that their YouTube video gets a million views in a few days. Why would we not want the same thing within our own departments in corporate America?