Intelligence in Healthcare + Improving Cyber Hygiene
microsoft 365 security assessment microsoft 365 security best practices

Why Every Healthcare Organization Should Implement Office 365 Security Best Practices

Like most healthcare organizations, you likely are running Microsoft 365 services. This suite of services, including Office 365, Teams, Azure Active Directory, and Intune, has been adopted at increasing rates; by one measure in late 2020, 79% of the healthcare industry runs these platforms.

However, with the rise of Office 365 use in healthcare, there is a common risk that is often overlooked: the settings in place for new tenants of this service are frequently insecure. Alarmingly, many organizations have migrated their data to the cloud, but have unknowingly left the door open to cyber threats. Performing a Microsoft 365 security assessment can help understand these risks.

Below, we discuss why every healthcare organization should have a third-party assessment of their Microsoft 365 environment.

Microsoft Office 365 Security Review for Healthcare
Learn more about our Microsoft Office 365 Assessments

What Sensitive Data is at Risk?

The healthcare field has been entrusted with the safekeeping of sensitive data, much of which resides in Microsoft 365 services.

Some of this data could include protected health information (PHI). The influx of laws such as HIPAA (1996) and the later-passed HITECH act have incurred steep penalties for breaches of health information. Furthermore, revisions to the law have required healthcare organizations – both in the categories of Covered Entities and Business Associates – to notify the Office of Civil Rights (OCR), affected patients, and even the media, in the event of an unauthorized disclosure of PHI.

Beyond this, many healthcare organizations keep other, non-PHI sensitive data that is regulated by government entities. Recently passed privacy regulations in states such as New York, Virginia, and California have placed the onus on companies to protect personally identifiable information (PII), which goes well beyond patient records. Failure to protect personnel information and even demographics on subscribers can place harsh consequences on organizations.

There are also trade secrets, such as customer lists, proprietary pricing, and product information. And finally, payment details such as credit cards (subject to PCI DSS) and banking information (falling under GLBA regulations) are often needed to be transmitted and stored by healthcare organizations.

Since Microsoft 365 is a hub of internal and external communications (Exchange Online and Teams) as well as file collaboration and storage (SharePoint and OneDrive), sensitive data frequently is handled on these platforms.

If unprotected, risks in Microsoft 365 could be used by threat actors to compromise this high-value information. That's why is so important to perform a Microsoft 365 security assessment.

What Microsoft 365 Security Defaults and Residual Settings Cause Risk?

New tenants of Microsoft 365 have certain security features enabled out-of-the-box, such as multifactor authentication (MFA). However, Microsoft enables merely a small amount of recommended security settings, and has only begun this practice in the last few years.

Since many organizations have migrated to Microsoft 365 rapidly, they don’t take the time and effort to enforce a set of Office 365 security best practices. Adding insult to injury, the more time that has passed since the initial implementation of 365, the more complex it becomes to put security controls in place.

Many organizations believe that cloud providers (such as Microsoft) are responsible for securing these environments. However, Microsoft’s Shared Responsibility Model states that the cloud service customer is responsible for the security of information & data, devices, accounts & identities, and that the customer shares the responsibility of the identity & directory infrastructure. This means the customers of services such as Microsoft 365 are responsible for ensuring their proper and secure configuration.

Verizon Business’s 2022 Data Breach Investigations Report had the following to say about this very issue: “Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), [misconfiguration] errors persist.”

We often see cloud customers relinquish security settings on a temporary basis to help an organization overcome an issue or complete an initiative. For example, an administrator may turn off multifactor authentication for a specific account to provide aid to a user in need or make this user an exception to a risky sign-in policy. Unfortunately, “temporary” settings tend to remain in place for the long term, opening the door to threat actors.

Finally, because many Office 365 environments are implemented by third-party organizations which are tasked with a quick onboarding process, the unique needs concerning healthcare organizations are often missed.

One example of this is restricting the access of the corporate Office 365 tenant only to company-sanctioned machines, which is a common area of risk for industries with highly sensitive data like healthcare. Unfortunately, this task is frequently skipped during initial implementations of Office 365, leaving many organizations vulnerable – and allowing employees to access highly sensitive data from their non-company devices.

Default and residual settings contribute to high-risk cloud environments, which helps necessitate having a third-party assess platforms like Microsoft 365.

What are the Common Cyber Threats?

Cyber criminals have straightforward methods for detecting whether an organization is using Microsoft’s cloud services. At this point, these threat actors will then attempt to exploit any “doors” that are left open in the environment.

This issue is not uncommon to customers of Microsoft 365: Citing several of the default settings in place as the cause, one backup software vendor reports that “Over 80% of deployed Microsoft 365 accounts have suffered an email breach and over 70% have suffered an account takeover.”

However, given the extensive sets of sensitive data that organizations in the healthcare industry are responsible for, these attacks on Microsoft 365 can be much more devastating. In the span of time between 2021 and Q2 2023, an alarming 1,268 healthcare breaches, affecting 38.8 million affected individuals, were reported to HHS’s Office of Civil Rights, with one commonality: All breached data was stored inside of those companies’ email systems. Because more than 79% of healthcare organizations run Office 365, we can conclude that most of these breaches involved this platform.

On top of this, many breaches go undetected for large periods of time. In an article in Healthcare IT Today, one such incident occurred in late 2022 against a healthcare revenue management vendor’s Microsoft 365 environment, where cyber criminals were able to breach email accounts containing protected health information (PHI) of five different health systems.

Five months elapsed between the hacking incident and this vendor’s report of the issue to HHS. Finally, it was found that prior to this incident, this vendor did not leverage holistic multifactor authentication, among other security best practices for Microsoft 365.

The Bottom Line on Microsoft 365 Security Best Practices

Factors such as the types of sensitive data entrusted to healthcare organizations, the insufficient default security settings, and the ever-increasing threats should cause many to consider assessing the security posture of their Microsoft 365 environments.

A third-party best practice assessment of Microsoft 365 and a Microsoft 365 security assessment will lower the risk to these companies, as well as close the door to attackers.

Sign up to get Cyber Intelligence Weekly in your inbox.