Azure Local and HIPAA
Applies to: Azure Local 2311.2 and later
This article provides guidance on how organizations can most efficiently navigate HIPAA compliance for solutions built with Azure Local.
Healthcare compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and healthcare standards such as Health Information Technology for Economic and Clinical Health (HITECH) and Health Information Trust Alliance (HITRUST) protect the confidentiality, integrity, and availability of patients' protected health information (PHI). These regulations and standards ensure that healthcare organizations such as doctors' offices, hospitals, and health insurers ("covered entities") create, receive, maintain, transmit, or access PHI appropriately. In addition, their requirements extend to business associates who provide services that involve PHI for the covered entities. Microsoft is an example of a business associate that provides information technology services like Azure Local to help healthcare companies store and process PHI more efficiently and securely. The following sections provide information on how Azure Local capabilities help organizations meet these requirements.
Shared responsibilities
Microsoft customers
As covered entities subject to HIPAA, healthcare organizations independently analyze their unique technology environments and use cases, and then plan and implement policies and procedures that comply with the requirements of the regulations. Covered entities are responsible for ensuring compliance of their technology solutions. The guidance in this article and other resources provided by Microsoft may be used as a reference.
Microsoft
Under HIPAA regulations, business associates do not assure HIPAA compliance, but instead enter into a Business Associate Agreement (BAA) with covered entities. Microsoft offers a HIPAA BAA as part of the Microsoft Product Terms (formerly Online Services Terms) to all customers who are covered entities or business associates under HIPAA for use with in-scope Azure services.
Azure Local compliance offerings
Azure Local is a hybrid solution that hosts and stores virtualized workloads in both the Azure cloud and your on-premises datacenter. This means that HIPAA requirements need to be satisfied in both the cloud and your local datacenter.
Azure cloud services
As HIPAA legislation is designed for healthcare companies, cloud services such as Microsoft Azure can't be certified against it. However, Azure and the cloud services connected to Azure Local comply with other established security frameworks and standards that are equivalent to or more stringent than HIPAA and HITECH. Learn more about the Azure compliance program for the healthcare industry at Azure and HIPAA.
On-premises environment
As a hybrid solution, Azure Local combines Azure cloud services with operating systems and infrastructure hosted on-premises by customer organizations. Microsoft provides an array of features that help organizations satisfy compliance with HIPAA and other healthcare industry standards, both in cloud and on-premises environments.
Azure Local capabilities relevant for the HIPAA Security Rule
This section outlines how the features of Azure Local help you achieve the security control objectives of the HIPAA Security Rule, which comprises the following five control domains:
- Identity and access management
- Data protection
- Logging and monitoring
- Protection against malware
- Backup and recovery
Important
The following sections provide guidance focused on the platform layer. Information on specific workloads and application layers is out of scope.
Identity and access management
Azure Local provides full and direct access to the underlying systems via multiple interfaces such as Azure Arc and Windows PowerShell. You can use either conventional Windows tools in local environments or cloud-based solutions like Microsoft Entra ID (formerly Azure Active Directory) to manage identity and access to the platform. In both cases, you can take advantage of built-in security features, such as multifactor authentication (MFA), conditional access, role-based access control (RBAC), and privileged identity management (PIM) to ensure your environment is secure and compliant.
Learn more about local identity and access management at Microsoft Identity Manager and Privileged Access Management for Active Directory Domain Services. Learn more about cloud-based identity and access management at Microsoft Entra ID.
Data protection
Encrypting data with BitLocker
On Azure Local instances, all data at rest can be encrypted with BitLocker XTS-AES 256-bit encryption. By default, the system recommends enabling BitLocker to encrypt all operating system (OS) volumes and cluster shared volumes (CSV) in your Azure Local deployment. For any new storage volumes added after deployment, you need to enable BitLocker manually to encrypt the new volume. Using BitLocker to protect data can help organizations stay compliant with ISO/IEC 27001. Learn more at Use BitLocker with Cluster Shared Volumes (CSV).
Protecting external network traffic with TLS/DTLS
By default, all host communications to local and remote endpoints are encrypted using TLS 1.2, TLS 1.3, and DTLS 1.2. The platform disables the use of older protocols and hashes, such as TLS/DTLS 1.1 and SMB1. Azure Local also supports strong cipher suites, including SDL-compliant elliptic curves limited to the NIST curves P-256 and P-384 only.
Protecting internal network traffic with Server Message Block (SMB)
SMB signing is enabled by default for client connections in Azure Local instances. For intra-cluster traffic, SMB encryption is an option organizations may enable during or after deployment to protect data in transit between systems. The AES-256-GCM and AES-256-CCM cryptographic suites are now supported by the SMB 3.1.1 protocol used by client-server file traffic and the intra-cluster data fabric. The protocol continues to support the more broadly compatible AES-128 suites as well. Learn more at SMB security enhancements.
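The BitLocker and SMB defaults described in the two sections above are things an auditor will ask you to evidence. The following script is an added example, not code from the Azure Local documentation; it checks the local node against those defaults using the standard BitLocker, FailoverClusters and SmbShare cmdlets and assumes it runs elevated on a cluster node. The `EncryptionCiphers` property is only present on newer SMB server builds, so it is checked for before use.

```powershell
# Added example (not from the Azure Local docs): report where the local node
# deviates from the documented data-protection defaults.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Data at rest: the OS volume and every CSV should be fully encrypted with
#    XTS-AES-256 and have protection turned on.
$volumes = @($env:SystemDrive)
$volumes += Get-ClusterSharedVolume -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName }
foreach ($mount in $volumes) {
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    if (-not $bl) { $findings.Add("$mount : no BitLocker status available"); continue }
    if ($bl.VolumeStatus -ne 'FullyEncrypted' -or $bl.ProtectionStatus -ne 'On') {
        $findings.Add("$mount : BitLocker $($bl.VolumeStatus), protection $($bl.ProtectionStatus)")
    }
    if ($bl.EncryptionMethod -ne 'XtsAes256') {
        $findings.Add("$mount : encryption method is $($bl.EncryptionMethod), expected XtsAes256")
    }
}

# 2. Data in transit over SMB: signing on for client connections and required
#    by the server, SMB1 off, and the AES-256 GCM suite offered by the server.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
if (-not $client.RequireSecuritySignature) { $findings.Add('SMB client does not require signing') }
if (-not $server.RequireSecuritySignature) { $findings.Add('SMB server does not require signing') }
if ($server.EnableSMB1Protocol) { $findings.Add('SMB1 is enabled on the server') }
if ($server.PSObject.Properties['EncryptionCiphers'] -and
    $server.EncryptionCiphers -notmatch 'AES_256_GCM') {
    $findings.Add("SMB cipher list lacks AES_256_GCM: $($server.EncryptionCiphers)")
}
# Share-level SMB encryption is optional per the article; report it as information only.
"INFO: server-wide SMB EncryptData is $($server.EncryptData)"

if ($findings.Count -eq 0) {
    'All checked data-protection settings match the documented defaults.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on each node (or wrap it in `Invoke-Command` against `(Get-ClusterNode).Name`) and keep the output with your compliance evidence; a new CSV that was added after deployment shows up here as a `FullyDecrypted` finding until BitLocker is enabled on it.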
Logging and monitoring
Local system logs
By default, all operations performed within Azure Local are recorded so that you can track who did what, when, and where on the platform. Logs and alerts created by Windows Defender are also included to help you prevent, detect, and minimize the likelihood and impact of a data compromise. Because the system log often contains a large volume of information, much of it extraneous to information security monitoring, you need to identify which events are relevant to collect and use for security monitoring purposes. Azure monitoring capabilities help collect, store, alert on, and analyze those logs. See the Security Baseline for Azure Local to learn more.
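Selecting the security-relevant subset of the local logs, as the paragraph above recommends, is easier to reason about when the selection is explicit. The script below is an added example rather than code from the Azure Local documentation; it pulls a deliberate set of Security-log and Defender Operational-log event IDs from every cluster node for the last 24 hours and summarizes them per node. It assumes it runs on a cluster node with PowerShell remoting to the other nodes.

```powershell
# Added example (not from the Azure Local docs): collect a chosen subset of
# security events from all cluster nodes and summarise them.
$since = (Get-Date).AddHours(-24)

# Event selection: a small, deliberate subset rather than the whole log.
$filters = @(
    # Logon failures, explicit-credential logons, special-privilege logons
    @{ LogName = 'Security'; Id = 4625, 4648, 4672; StartTime = $since }
    # Audit-policy changes and local-group membership changes
    @{ LogName = 'Security'; Id = 4719, 4732, 4733; StartTime = $since }
    # Defender: malware detected (1116), action taken (1117),
    # real-time protection disabled (5001)
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
       Id = 1116, 1117, 5001; StartTime = $since }
)

$nodes = (Get-ClusterNode).Name
$events = Invoke-Command -ComputerName $nodes -ArgumentList (,$filters) -ScriptBlock {
    param($filters)
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, LogName, Id, LevelDisplayName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Per-node, per-event-ID counts make bursts (for example of 4625 failures) obvious.
$events | Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for anything Defender raised, since those events map directly
# to the prevent/detect/minimize goal described above.
$events | Where-Object LogName -like '*Defender*' |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, MachineName, Id, Summary -Wrap
```

The same `$filters` list is a reasonable starting point for the event IDs you forward to Azure Monitor or a SIEM, so that collection and local triage agree on what counts as security-relevant.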
Local activity logs
Azure Local creates and stores activity logs for any action plan executed. These logs support deeper investigation and compliance monitoring.
Cloud activity logs
By registering your clusters with Azure, you can use Azure Monitor activity logs to record operations on each resource at the subscription layer to determine the what, who, and when for any write operations (put, post, or delete) taken on the resources in your subscription.
Cloud identity logs
If you're using Microsoft Entra ID to manage identity and access to the platform, you can view logs in Azure AD reporting or integrate them with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for sophisticated monitoring and analytics use cases. If you're using on-premises Active Directory, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
SIEM integration
Microsoft Defender for Cloud and Microsoft Sentinel are natively integrated with Arc-enabled Azure Local machines. You can enable and onboard your logs to Microsoft Sentinel, which provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capability. Microsoft Sentinel, like other Azure cloud services, complies with many well-established security standards such as HIPAA and HITRUST, which can help you with your accreditation process. Additionally, Azure Local provides a native syslog event forwarder to send system events to third-party SIEM solutions.
Azure Local Insights
Azure Local Insights enables you to monitor health, performance, and usage information for systems that are connected to Azure and enrolled in monitoring. During Insights configuration, a data collection rule is created that specifies the data to be collected. This data is stored in a Log Analytics workspace, where it is aggregated, filtered, and analyzed to provide prebuilt monitoring dashboards using Azure workbooks. You can view the monitoring data for single-node or multi-node systems from your Azure Local resource page or from Azure Monitor. Learn more at Monitor Azure Local with Insights.
Azure Local Metrics
Metrics store numeric data from monitored resources into a time-series database. You can use Azure Monitor metrics explorer to interactively analyze the data in your metric database and chart the values of multiple metrics over time. With Metrics, you can create charts from metric values and visually correlate trends.
Log alerts
To indicate problems in real time, you may set up alerts for Azure Local systems, using pre-existing sample log queries such as average server CPU, available memory, available volume capacity and more. Learn more at Set up alerts for Azure Local systems.
Metric alerts
A metric alert rule monitors a resource by evaluating conditions on the resource metrics at regular intervals. If the conditions are met, an alert is fired. A metric time-series is a series of metric values captured over a period of time. You can use these metrics to create alert rules. Learn more about how to create metric alerts at Metric alerts.
Service and device alerts
Azure Local provides service-based alerts for connectivity, OS updates, Azure configuration and more. Device-based alerts for cluster health faults are available as well. You may also monitor Azure Local instances and their underlying components using PowerShell or Health Service.
Protection against malware
Windows Defender Antivirus
Windows Defender Antivirus is a utility application that enforces real-time and periodic system scanning to protect the platform and workloads against viruses, malware, spyware, and other threats. By default, Microsoft Defender Antivirus is enabled on Azure Local. Microsoft recommends using Microsoft Defender Antivirus with Azure Local rather than third-party antivirus and malware detection software and services, because those may affect the operating system's ability to receive updates. Learn more at Microsoft Defender Antivirus on Windows Server.
Application Control
Application Control is enabled by default on Azure Local to control which drivers and applications are allowed to run directly on each server, helping prevent malware from accessing the system. Learn more about base policies included in Azure Local and how to create supplemental policies at Manage Application Control for Azure Local.
Microsoft Defender for Cloud
Microsoft Defender for Cloud with Endpoint Protection (enabled through the Defender for Servers plan) provides a security posture management solution with advanced threat protection capabilities. It provides you with tools to assess the security status of your infrastructure, protect workloads, raise security alerts, and follow specific recommendations to remediate attacks and address future threats. It performs all these services at high speed in the cloud with no deployment overhead through autoprovisioning and protection with Azure services. Learn more at Microsoft Defender for Cloud.
Backup and recovery
Stretched cluster
Azure Local provides built-in support for disaster recovery of virtualized workloads through stretched clustering (available in Azure Local, version 22H2). By deploying a stretched Azure Local instance, you can synchronously replicate its virtualized workloads across two separate on-premises locations and automatically fail over between them. Planned site failovers can happen with no downtime using Hyper-V live migration.
Kubernetes cluster nodes
If you use Azure Local to host container-based deployments, the platform helps you enhance the agility and resiliency inherent to Azure Kubernetes deployments. Azure Local manages automatic failover of VMs serving as Kubernetes cluster nodes if there's a localized failure of the underlying physical components. This configuration supplements the high availability built into Kubernetes, which automatically restarts failed containers on the same or another VM.
Azure Site Recovery
This service allows you to replicate workloads running on your on-premises Azure Local VMs to the cloud so that your information system can be restored after an incident, failure, or loss of storage media. Like other Azure cloud services, Azure Site Recovery has a long track record of security certifications, including HITRUST, which you can use to support your accreditation process. Learn more at Protect VM workloads with Azure Site Recovery on Azure Local.
Microsoft Azure Backup Server (MABS)
This service enables you to back up Azure Local virtual machines, specifying a desired frequency and retention period. You can use MABS to back up most of your resources across the environment, including:
- System State/Bare-Metal Recovery (BMR) of Azure Local host
- Guest VMs in a system that has local or directly attached storage
- Guest VMs on an Azure Local instance with CSV storage
- VM Move within a cluster
Learn more at Back up Azure Local virtual machines with Azure Backup Server.