The University of Illinois Chicago has licensed a Microsoft Azure tenant for subscription use by units seeking to utilize cloud computing and services in lieu of or in conjunction with traditional on-premises computing infrastructure.
Technology Solutions has taken the following steps to implement controls on the HIPAA-compliant Azure compute environment:
Despite these enforced controls, there is still a significant risk of compromise, data loss, and breach of information stored in the environment if infrastructure and services are not configured properly.
Some common examples of how an environment could be misconfigured/compromised:
- Insecure application installed in the environment
- Failure to apply security updates to applications in the environment
- Misconfigured application (e.g. default passwords, debugging enabled, insecure interfaces)
- Locally written code running in the environment
- Azure security features disabled
  - Logging
  - Endpoint, DoS, database, etc. protections
- Inadvertent exposure of storage resources
- Failure to install/enable endpoint protection
- Failure to encrypt data in transit and at rest
- Incorrect setting of access permissions
- Misconfigured network access
- Failure to apply updates to containers, etc.
- Failure to regularly monitor logs for unexpected behavior
Web browsing
Web browsing from a secure environment is considered a high-risk activity. When browsing the web, websites may download program code that will execute on the device. To protect the Azure HIPAA compute environment, web browsing should be disallowed.
Secure Configuration Monitoring
Azure provides security recommendations through the Azure Security Center. The unit creating the HIPAA Environment in Azure is responsible for constantly monitoring and remediating issues identified in the following areas of the Security Center:
- Recommendations
- Security Alerts
- Secure Score
- Azure Defender
- Firewall Manager
Incident Reporting
High-risk data, such as PHI, often has reporting requirements in the event of unapproved disclosure. This environment is designed to protect against such exposures, but incidents may still occur. By signing this agreement, I understand that I must notify security@uic.edu immediately upon becoming aware of an incident that may have resulted in a compromise of the Azure HIPAA environment or the data contained therein.
Accessing the Azure HIPAA Environment
As the Azure HIPAA environment contains and allows the end user to interact with high-risk data, it is important that the computing device used to access the environment be secure to prevent back door access. The device used to access the environment must be in compliance with all security provisions related to High Risk data as documented in the UIC IT Security Program (https://policies.security.uic.edu). If you are unsure of the compliance status of your device, please check with your IT support person.