Is Microsoft Teams HIPAA Compliant? Getting Microsoft Teams to Meet HIPAA Compliance Standards

Microsoft Teams is one of the most widely used video conferencing platforms among clinics and healthcare providers. It is packed with features that make collaboration and communication seamless.

• As of 2022, Microsoft Teams has more than 270 million daily active users (1)

• More than 1 million organizations use Teams as their default messaging application (2)

• Employees save over 4 hours a week using Teams to share key information with one another (3)

While Microsoft Teams offers baseline security features that satisfy the requirements of most businesses, it also has several weaknesses that attackers can exploit.

Continue reading to learn how Microsoft Teams addresses HIPAA compliance, and what you can do to strengthen the security of an already reliable and capable piece of software.

Does Microsoft Teams Meet HIPAA Compliance Requirements?

Built on the Microsoft 365 and Office 365 enterprise-grade cloud, Teams leverages a number of security measures and features to support the security of its users (source):

• Microsoft 365 and Office 365 customers own and control their own data

• Team-wide and organization-wide two-factor authentication (2FA) and single sign-on can be enforced

• End-to-end encryption secures audio, video, and screen sharing during calls

• Encryption is applied both in transit and at rest

• Integrating Microsoft 365 with Teams gives users additional security features, such as the ability to use Microsoft Defender and an additional layer of encryption

Video conferencing platforms like Microsoft Teams need an active Business Associate Agreement (BAA) in place to be compliant with the HIPAA Privacy Rule and Security Rule.

The BAA outlines:

• What types of data can be stored

• Who has access to data

• When data can be accessed

• Where data is sent

• What safety measures are in place

Under a BAA, Microsoft Teams is technically HIPAA compliant.

But Teams isn’t HIPAA compliant out of the box. Even with the security measures built into the platform, Microsoft Teams has security vulnerabilities that attackers can exploit.

If Microsoft Teams had additional security features to close those vulnerabilities, it would meet HIPAA compliance standards.

What Security Features Would Make Microsoft Teams HIPAA Compliant?

Encryption

While Microsoft Teams already has encryption in place, additional tiers of encryption can be layered onto the platform to make it more secure. Encryption scrambles data so that only authorized personnel can view and share the decrypted version of that information.

End-to-end encryption is the preferred method for video conferencing platforms and services like Microsoft Teams.

End-to-end encryption prevents third parties, such as hackers and other threat actors, from intercepting and stealing your data while it is in transit from one endpoint device to the other.

Proper Permissions and Authorization

Users should be granted only the permissions they strictly need to do their jobs. Some employees do not need to be included in certain workplace chats or calls, and as a result they should not be able to access those areas.

Tiered levels of security permissions and access should be written into healthcare organizations’ policies and procedures. Unfortunately, Microsoft Teams does not operate in a way that supports a tiered authorization system.

Several Authentication Methods

Microsoft Teams offers single sign-on and two-factor authentication (2FA), the most common types of authentication. Unfortunately, these authentication methods can still be exploited.

If an employee falls victim to a phishing scam, it is easy for the scammer to find ways around these authentication methods.

Relying on these vulnerable authentication methods alone is not enough to keep ePHI protected. That does not mean you should get rid of them. Instead, implementing additional authentication methods, such as

• Out-of-band authentication

• Phone authentication

• Push authentication

• Biometric authentication

can make it considerably more difficult for attackers to reach protected patient information.

Advanced Security and Compliance Mechanisms

Significant security concerns do not come only from within Microsoft products and platforms like them. All too often, your endpoint devices themselves are wide open to attack.

For example, a computer in your clinic or organization that is infected with malware could have its video and/or audio compromised.

Shutting down an attacker’s access to cameras and speakers is a proactive measure you can take to protect telehealth visits.

How Do You Make MS Teams HIPAA Compliant?

Although Microsoft Teams is an outstanding tool for team collaboration and communication, its core security features alone are not enough to meet HIPAA requirements.

Luckily, that does not mean you need to end your service agreement with Microsoft.

Our world-class software Zerify Defender easily integrates with MS Teams and offers a variety of features to make your video conferencing fully HIPAA compliant.

Zerify Defender puts security mechanisms in place to protect PHI. 

Acting as a simple add-on to video conferencing platforms, it covers the Microsoft Teams platform using nearly every endpoint security feature mentioned in the previous section:

• Encrypted communication: prevents threat actors and outside parties from breaching and accessing patient data

• Authorization and permission levels: decrease the risk of exposure by giving tiered access only to personnel who need it

• Multiple authentication methods (one-time passcode, 2FA, phone/out-of-band, push, biometric): reduce the risk of a breach

• Video and audio lockdown: stops threat actors from accessing video and audio during a conference call

• Anti-screen capture: prevents unauthorized parties from taking screenshots of sensitive data or patient information

• Anti-hooking keyboard and clipboard protection: protects potentially sensitive information you have typed on your keyboard or stored in your computer’s clipboard

Zerify Defender can seamlessly integrate with virtually any leading video conferencing platform to make it HIPAA compliant. 

Learn More About How Zerify Can Configure Microsoft Teams in a HIPAA-Compliant Manner for the Healthcare Industry

If you want to ensure Microsoft Teams or your organization’s unified communication platform is fully HIPAA-covered, contact us today to learn more about Zerify’s suite of secure video conferencing solutions.