Skype for Business online is HIPAA compliant. Microsoft provides a HIPAA BAA, within which the following paragraph states:
“Office 365 Services” means the following services, each as a standalone service or as included in an Office 365-branded plan or suite: Exchange Online, Exchange Online Archiving, Exchange Online Protection, Advanced Threat Protection, SharePoint Online, OneDrive for Business, Project Online, Skype for Business Online, Sway, Office Online, and Yammer Enterprise. Office 365 Services do not include Office 365 ProPlus, any portion of PSTN Services that operate outside of Microsoft’s control, any client software, or any separately branded service made available with an Office 365-branded plan or suite, such as a Bing or a service branded “for Office 365.”
Skype for Business on premises isn’t certified by Microsoft as HIPAA compliant, since it’s one of the “Services that operate outside of Microsoft’s control.” The install of the system and the total infrastructure including network, Active Directory, accessing the app from mobile devices, are in scope of compliance, not just the SfB app. MSFT won’t certify an on premises workload in the same manner they do the online services, since they don’t control the data.
Organizations concerned about HIPAA compliance need to decide, document, and then likely implement and manage a few important elements:
- Archiving (of IMs). Skype for Business stores a history of IMs in a SQL database only when the archiving role is activated. If the archiving role is not active, then no PHI is stored in the system. The HIPAA requirements call for data to be encrypted at rest. SQL TDE is supported by Lync 2013 and SfB (see https://support.microsoft.com/en-us/help/2912342/lync-server-2013-supports-tde-in-sql-server-2008-or-a-later-version-on
- Monitoring (of who IM’d who, who called who, who joined meetings, etc). When this optional CDR is stored on an optional monitoring database (SQL Server), using TDE as above would be necessary.
- Conference call recording. If the user account is enabled for recordings, they are initially stored on personal devices in a specific folder. Much like the rest of the PC in a healthcare/PHI scenario, it should be configured with strong multifactor authentication, a stringent app (SfB) passphrase, and bitlocker encryption. The recordings can be moved around like any file.
- Conference call PIN rotation (static is less secure than randomly generated #s)
- Media and signaling encryption. Skype encrypts calls (using SRTP) and signaling (using TLS) by default so no eavesdropping nor man-in-the middle attacks are possible
- Modern authentication for Skype for Business mobile devices
- MDM or Mobile App Mgmt on devices running the mobile app to ensure the app is protected with a multifactor password
- Voicemail is discoverable! While Microsoft’s care for PHI can be considered covered under Office 365’s HIPAA BAA (see above), the fact is that voicemails within Outlook can be “saved as” or archived locally in a .pst. To avert the risk of PHI being at risk of being forwarded or saved, voicemails are set with a different “message type” that can be subjected to Rights Management configurations.
- Third party compliance apps like Global Relay, allow near-real-time scans and monitoring of instant messaging, mobile messaging, social media, and more to identify what information is leaving the organization.
Enabling has security professionals versed in Skype, SQL, and Exchange who can guide you through the many policy, design, and configuration options to help your organization maintain HIPAA compliant. Contact us at firstname.lastname@example.org