HIPAA M365 Controls - Controls implemented for the UW-Madison Health Care Component

In early 2019, the HIPAA Executive Board at UW-Madison approved the implementation of the following controls for the UW-Madison Health Care Component.

At UW-Madison, the HCC is the covered entity to which HIPAA regulations apply. To reduce the risk of inappropriate disclosure of sensitive and restricted data, the campus HIPAA Executive Board has approved the implementation of additional controls affecting Microsoft 365. These controls include:

Restrictions on auto-forwarding email from wisc.edu addresses.

Prohibited use of Basic Authentication.

  • Modern Authentication (also called Password Security at UW-Madison) provides additional security controls when compared to Basic Authentication. With Basic Authentication the email client stores the M365 password and sends it with every connection; with Modern Authentication the client signs in through the identity provider and holds only a token, so the password is no longer stored locally in the email client. It also allows the use of Multi-Factor Authentication, which Basic Authentication cannot enforce. This significantly reduces the likelihood that a guessed, phished or reused password leads to compromise of an M365 account. The control was implemented for the HCC in 2020.

Prohibited use of the POP email protocol.

  • Post Office Protocol version 3 (POP3) is an older email protocol. POP3 clients in common use rely on Basic Authentication rather than Modern Authentication, and POP3 downloads messages to the local device, leaving copies of any PHI outside the protected mailbox. The control was implemented for the HCC in 2020.

Allow Local IT to better control email clients through the use of distributed Conditional Access.

  • Conditional Access is the Azure Active Directory (now Microsoft Entra ID) feature used with M365 that evaluates signals such as user identity, device identity and compliance state, location and client application at sign-in to decide whether to grant, block or require additional verification for access, and thereby enforces organizational policies. For example, it could block a user from connecting to email, and so from exposing sensitive data, from an unsupported email client or an out-of-date operating system. "Distributed" here means that local IT units can manage the policies that apply to their own users and devices. This control is actively being investigated and will be deployed in the future.

Enforce encryption on mobile devices used to access wisc.edu email accounts.

  • This control depends on a Mobile Device Management (MDM) solution being implemented for campus, since encryption can only be enforced, rather than requested, on devices that are enrolled in management. MDM is being investigated and will be deployed in the future.

Develop and implement policy for data segregation, archiving, and use when individuals transition into new roles but continue using the same wisc.edu email account, so that individuals do not retain access to PHI after a transition or termination of employment.

  • This control is actively being investigated and will be deployed in the future.
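The page does not say how the three implemented controls (auto-forwarding restriction, Basic Authentication block, POP prohibition) are configured in the UW-Madison tenant. The following is an added example, not UW-Madison's or Microsoft's own code, of how an Exchange Online administrator would typically enforce and audit those three controls with the ExchangeOnlineManagement PowerShell module. The administrator UPN, the policy name "Block Basic Auth", and the domain wisc.edu are placeholders assumed for illustration; the cmdlets and parameters are standard Exchange Online cmdlets.

```powershell
# Added example (not UW-Madison's own configuration): enforce and audit the three
# Exchange Online controls described on this page. Requires the
# ExchangeOnlineManagement module and an account holding the Exchange Administrator
# role. Placeholders (assumptions): admin UPN admin@wisc.edu and the policy name
# "Block Basic Auth".

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@wisc.edu   # placeholder admin UPN

# --- 1. Restrict auto-forwarding to external addresses ------------------------
# Two independent switches matter: the default remote domain controls whether
# client-side Outlook rules and mailbox forwarding settings may forward to
# external recipients, and the outbound spam filter policy's AutoForwardingMode
# blocks automatic external forwarding at the transport layer.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Audit: list mailboxes that still have a server-side forward configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# --- 2. Prohibit Basic Authentication ----------------------------------------
# A newly created authentication policy blocks Basic Auth for every protocol
# (all AllowBasicAuth* switches default to $false). Setting it as the
# organization default applies it to every user without per-user assignment.
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Audit: confirm no protocol in the policy still permits Basic Auth.
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp,
                  AllowBasicAuthActiveSync, AllowBasicAuthOutlookService,
                  AllowBasicAuthAutodiscover, AllowBasicAuthMapi, AllowBasicAuthRpc

# --- 3. Prohibit POP3 ---------------------------------------------------------
# Disable POP on every mailbox plan so new mailboxes inherit the setting, then on
# every existing mailbox that still has it enabled. IMAP is left unchanged here
# because the page's control covers POP only.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false
Get-CASMailbox -ResultSize Unlimited -Filter { PopEnabled -eq $true } |
    Set-CASMailbox -PopEnabled $false

# Audit: any mailbox returned here still needs follow-up.
Get-CASMailbox -ResultSize Unlimited -Filter { PopEnabled -eq $true } |
    Select-Object PrimarySmtpAddress, PopEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner should keep in mind. Changing the organization's default authentication policy can take up to 24 hours to reach all users, so the audit steps are worth re-running the following day. Since October 2022 Microsoft has disabled Basic Authentication in Exchange Online for POP, IMAP, MAPI, RPC, Exchange ActiveSync, Exchange Web Services and Remote PowerShell tenant-wide; SMTP AUTH is the remaining protocol where a tenant policy like the one above still does the blocking, so the policy remains useful rather than redundant.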


Keywords:
HIPAA, M365, Controls 
Doc ID:
104867
Owned by:
Patti H. in Cybersecurity
Created:
2020-08-12
Updated:
2024-08-05
Sites:
Office of Cybersecurity