Like most healthcare organizations, you likely are running Microsoft 365 services. This suite of services, including Office 365, Teams, Azure Active Directory, and Intune, has been adopted at increasing rates; by one measure in late 2020, 79% of the healthcare industry runs these platforms.
However, with the rise of Office 365 use in healthcare, there is a common risk that is often overlooked: the settings in place for new tenants of this service are frequently insecure. Alarmingly, many organizations have migrated their data to the cloud, but have unknowingly left the door open to cyber threats.
Below, we discuss why every healthcare organization should have a third-party assessment of their Microsoft 365 environment.
What Sensitive Data is at Risk?
The healthcare field has been entrusted with the safekeeping of sensitive data, much of which resides in Microsoft 365 services.
Some of this data could include protected health information (PHI). Laws such as HIPAA (1996) and the later-passed HITECH Act impose steep penalties for breaches of health information. Furthermore, revisions to the law have required healthcare organizations – both in the categories of Covered Entities and Business Associates – to notify the Office of Civil Rights (OCR), affected patients, and even the media, in the event of an unauthorized disclosure of PHI.
Beyond this, many healthcare organizations keep other, non-PHI sensitive data that is regulated by government entities. Recently passed privacy regulations in states such as New York, Virginia, and California have placed the onus on companies to protect personally identifiable information (PII), which goes well beyond patient records. Failure to protect personnel information and even demographics on subscribers can place harsh consequences on organizations.
There are also trade secrets, such as customer lists, proprietary pricing, and product information. And finally, healthcare organizations often need to transmit and store payment details such as credit cards (subject to PCI DSS) and banking information (falling under GLBA regulations).
Since Microsoft 365 is a hub of internal and external communications (Exchange Online and Teams) as well as file collaboration and storage (SharePoint and OneDrive), sensitive data frequently is handled on these platforms.
If unprotected, risks in Microsoft 365 could be used by threat actors to compromise this high-value information.
What Default and Residual Settings Cause Risk?
New tenants of Microsoft 365 have certain security features enabled out-of-the-box, such as multifactor authentication (MFA). However, Microsoft enables only a small number of its recommended security settings, and has only begun this practice in the last few years.
Since many organizations have migrated to Microsoft 365 rapidly, they don’t take the time and effort to enforce a set of security best practices. Adding insult to injury, the more time that has passed since the initial implementation of 365, the more complex it becomes to put security controls in place.
Many organizations believe that cloud providers (such as Microsoft) are responsible for securing these environments. However, Microsoft’s Shared Responsibility Model states that the cloud service customer is responsible for the security of information & data, devices, accounts & identities, and that the customer shares the responsibility of the identity & directory infrastructure. This means the customers of services such as Microsoft 365 are responsible for ensuring their proper and secure configuration.
Verizon Business’s 2022 Data Breach Investigations Report had the following to say about this very issue: “Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), [misconfiguration] errors persist.”
We often see cloud customers relinquish security settings on a temporary basis to help an organization overcome an issue or complete an initiative. For example, an administrator may turn off multifactor authentication for a specific account to provide aid to a user in need or make this user an exception to a risky sign-in policy. Unfortunately, “temporary” settings tend to remain in place for the long term, opening the door to threat actors.
Finally, because many Office 365 environments are implemented by third-party organizations which are tasked with a quick onboarding process, the unique needs of healthcare organizations are often missed.
One example of this is restricting the access of the corporate Office 365 tenant only to company-sanctioned machines, which is a common area of risk for industries with highly sensitive data like healthcare. Unfortunately, this task is frequently skipped during initial implementations of Office 365, leaving many organizations vulnerable – and allowing employees to access highly sensitive data from their non-company devices.
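The two residual-setting risks described above (lingering MFA exemptions and no managed-device requirement) can be checked mechanically. The following is an added example, not part of the original article: it assumes the tenant enforces these controls through Conditional Access and that its policies have been exported as JSON in the shape of Microsoft Graph's `conditionalAccessPolicy` objects. The policy names and object ID are constructed.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; policy names and the object ID are made up for illustration.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {
         "includeUsers": ["All"],
         "excludeUsers": ["00000000-0000-0000-0000-000000000001"],
         "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice"]}},
]

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def audit_policies(policies):
    """Return (policy, finding) pairs for residual exemptions and device gaps."""
    findings, device_gate = [], False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        if p.get("state") != "enabled":
            # Report-only or disabled policies protect nothing.
            if controls & (DEVICE_CONTROLS | {"mfa"}):
                findings.append((name, f"not enforced (state={p.get('state')})"))
            continue
        exempt = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if "mfa" in controls and exempt:
            # Listed for review: emergency-access accounts are expected here,
            # "temporary" user exemptions are not.
            findings.append((name, f"{len(exempt)} principal(s) exempt from MFA"))
        # With operator OR, a device is mandatory only if no other control
        # (such as MFA alone) can satisfy the policy.
        needs_device = bool(controls & DEVICE_CONTROLS) and (
            grant.get("operator") == "AND" or controls <= DEVICE_CONTROLS)
        if needs_device and "All" in users.get("includeUsers", []):
            device_gate = True
    if not device_gate:
        findings.append(("<tenant>", "no enforced policy requires a managed device for all users"))
    return findings


if __name__ == "__main__":
    for policy, finding in audit_policies(SAMPLE_POLICIES):
        print(f"{policy}: {finding}")
```

On the constructed sample this reports the exempted account, the report-only device policy, and the resulting tenant-wide gap.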
Default and residual settings contribute to high-risk cloud environments, which is part of why a third-party assessment of platforms like Microsoft 365 is necessary.
What are the Common Cyber Threats?
Cyber criminals have straightforward methods for detecting whether an organization is using Microsoft’s cloud services. Once they have done so, these threat actors will attempt to exploit any “doors” that are left open in the environment.
This issue is not uncommon to customers of Microsoft 365: Citing several of the default settings in place as the cause, one backup software vendor reports that “Over 80% of deployed Microsoft 365 accounts have suffered an email breach and over 70% have suffered an account takeover.”
However, given the extensive sets of sensitive data that organizations in the healthcare industry are responsible for, these attacks on Microsoft 365 can be much more devastating. In the span of time between 2021 and Q2 2023, an alarming 1,268 healthcare breaches, affecting 38.8 million individuals, were reported to HHS’s Office of Civil Rights, with one commonality: All breached data was stored inside of those companies’ email systems. Because more than 79% of healthcare organizations run Office 365, we can conclude that most of these breaches involved this platform.
On top of this, many breaches go undetected for long periods of time. According to an article in Healthcare IT Today, one such incident occurred in late 2022 against a healthcare revenue management vendor’s Microsoft 365 environment, where cyber criminals were able to breach email accounts containing protected health information (PHI) of five different health systems.
Five months elapsed between the hacking incident and this vendor’s report of the issue to HHS. Finally, it was found that prior to this incident, this vendor did not leverage holistic multifactor authentication, among other security best practices for Microsoft 365.
The Bottom Line
Factors such as the types of sensitive data entrusted to healthcare organizations, the insufficient default security settings, and the ever-increasing threats should cause many to consider assessing the security posture of their Microsoft 365 environments.
A third-party best practice assessment of Microsoft 365 will lower the risk to these companies, as well as close the door to attackers.