HIPAA Course Mapping
This course will help attendees understand the security technologies available within Azure and M365 so they can stay compliant with HIPAA. Below are some example controls and the related modules and lessons that cover them in this course.
- Role-based access control is implemented and is capable of mapping each user to one or more roles, and each role to one or more system functions.
  - Module 1, Lesson: Secure Identities and Manage RBAC
- The organization limits authorization to privileged accounts on information systems to a predefined subset of users.
  - Module 1, Lesson: Configure Azure Active Directory for Azure Workloads and Subscriptions
- Strong authentication methods such as multi-factor authentication, RADIUS or Kerberos (for privileged access) and CHAP (for encryption of credentials for dial-up methods) are implemented for all external connections to the organization's network.
  - Module 1, Lesson: Secure Identities and Manage RBAC
- Access to management functions or administrative consoles for systems hosting virtualized systems is restricted to personnel based upon the principle of least privilege and is supported through technical controls.
  - Module 3, Lesson: Implement Host Security and Update Management
- The organization's security gateways (e.g., firewalls) enforce security policies and are configured to filter traffic between domains and block unauthorized access. They are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs, and enforce access control policies for each of the domains.
  - Module 3, Lessons: Build and Secure Network, Implement Platform Security
- The organization ensures the security of information in networks, the availability of network services and of information services that use the network, and the protection of connected services from unauthorized access.
  - Module 3, Lesson: Configure Security Policies by Using Microsoft Defender for Cloud
- Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
  - Module 3, Lesson: Build and Secure Network
HIPAA and the HITECH Act are U.S. laws that govern the security and privacy of individually identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ePHI). HIPAA refers to healthcare providers, payors and clearinghouses that use or process ePHI as covered entities. Under HIPAA and the HITECH Act, covered entities must implement mandated physical, technical, and administrative safeguards to protect ePHI. Certain service providers that store or process ePHI on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards.
- Retain ePHI compliance supporting documentation
  - Module 2, Lesson: Archiving and Retention
- Apply sensitivity labels to protect ePHI
  - Module 2, Lesson: Configure and Apply Sensitive Labels
Lastly, you will need tools that help you manage your organization's compliance requirements with greater ease and convenience.
  - Module 4, Lesson: Compliance in M365
Who should attend
The security administrator will collaborate with EP Admins, stakeholders, and other managers implementing the security strategies needed by the organization. The security administrator is familiar with Microsoft 365 workloads and hybrid environments. This role has strong skills and experience with identity protection, information protection, threat protection, security management and data governance. This role communicates with Chief Information Security Officers (CISOs), Chief Risk Officers (CROs), Chief Privacy Officers (CPOs), Chief Compliance Officers (CCOs), IT professionals, and security specialists.
This is a 200-level course. Attendees should take AZ-900 and SC-900 prior to attending, or be familiar with:
- Understanding of Azure (Intermediate desired)
- Basic Understanding of O365
- Experience with Windows 10
- Understanding of Authorization and Authentication
- Understanding of Networking
Outline: Microsoft 365 and Azure Compliance Bootcamp – Healthcare (M365-AZ-CB)
Module 1: Identity and Access
- Configure Azure Active Directory for Azure Workloads and Subscriptions
- Register Devices with Azure AD
- Configure Azure AD Privileged Identity Management
- Secure Identities and Manage RBAC
- Least Privilege
- Azure Conditional Access Policies
Module 2: Information protection, DLP and Governance
- Classify Your Data
- Configure and Apply Sensitive Labels
- Configure Trainable Classifiers
- Create and Manage DLP Policies
- Configure and Implement Retention Labels
- Archiving and Retention
- Content Search and Investigation
- Cloud App Security
- Secure Information with MDM and MAM
Module 3: Platform Protection
- Understand Cloud Security
- Build and Secure Network
  - Network Security Groups
  - VPN Gateway
- Implement Host Security and Update Management
- Implement Platform Security
  - Application Gateway
  - Azure Firewall
- Configure Security Services
  - Azure Sentinel
  - Azure Private Links
- Configure Security Policies by Using Microsoft Defender for Cloud
- Manage Security Alerts
- Configure Security for Data Infrastructure
  - Configure Encryption for Data at Rest
  - Configure and Manage Azure Key Vault
Module 4: Compliance in M365
- Compliance Center
- Compliance Manager
- Service Trust Portal