Skip to main content

Not all health clouds are created equal: Check the facts

Key Considerations for Health Organisations using the cloud

Helping you stay compliant Taking a holistic approach to cybersecurity Protecting the privacy of PHI and other data Flexibility to digitally transform your way A cloud you can trust Additional Resources


In order for your health organisation to digitally transform and realise the benefits of the cloud, you must be willing to entrust your cloud provider with one of your most valuable assets – your data. Whether you’re just starting to migrate your email or imaging storage to the cloud or you’re considering using cloud-based clinical systems, you need to be able to trust the technology you’re using. Trust is essential as you move datasets containing protected health information (PHI), including patient demographics and treatment information, to the cloud. It’s critical as you share data across the health ecosystem, and expand how and where health professionals and patients access confidential information. So wherever you are on your journey to the cloud, it’s vital to work with a service provider that you can trust. Not all clouds are created equal – it’s crucial to check the facts and know what you’re getting:

  • How does a cloud service provider help its health customers stay compliant?
  • Does it also help them secure their infrastructure across all its endpoints?
  • How does it help health organisations to keep PHI and other sensitive data private? Do their customers retain control of their data and are the cloud service providers transparent about what they are and are NOT doing with their data?
  • Can you trust that a cloud service provider will offer you the choice of services and flexibility in how you implement them that you need to digitally transform your way – today and into the future?

Below we cover these key considerations for health organisations as they begin or extend their use of the cloud. And we offer information and resources to help you find answers to your questions and understand how we earn our health customers’ trust in our cloud services.

Helping you stay compliant

You know how complicated – and ever-changing – compliance requirements can be in the health industry. You need to be able to trust that your cloud service provider knows, too. Is it keeping up with the latest regulations in health? What’s its history when it comes to compliance leadership? Microsoft has been involved with health industry standards groups and consortiums of customers and partners around the world for more than a decade. We behave and are audited like a healthcare covered entity across technical, physical and administrative safeguards. And we’re proud of leading the way when it comes to offering cloud services that can help health organisations maintain compliance with applicable laws, regulations and key international standards. For example, we recently announced that Microsoft Azure is one of the first hyper-scale cloud computing platforms to become HITRUST CSF Certified. We were also the first hyper-scale cloud vendor to offer a HIPAA business associates agreement (BAA). And we offer more covered services than any other cloud provider under one umbrella HIPAA BAA to help health organisations have the choice and flexibility they need while streamlining their compliance efforts. Our HIPAA BAA covers cloud services for productivity and collaboration, patient relationship management, analytics, application hosting, data storage and application and device management. And we’re always adding more, so keep checking the list of services covered. To help your health organisation comply with national, regional and industry-specific requirements governing the collection and use of sensitive data, Microsoft offers the most comprehensive set of compliance offerings of any cloud service provider. Our cloud services operate with a cloud control framework, which aligns controls with multiple regulatory standards. We design and build our cloud services using a common set of controls, which streamlines compliance across a range of regulations not only for today, but for tomorrow as well. Then we engage independent auditors to perform in-depth audits of the implementation and effectiveness of these controls.

Taking a holistic approach to cybersecurity

Your health organisation is likely realising that security isn’t just about complying with regulations. And it isn’t just about your cloud services. Weakness anywhere in your technology stack can undermine security applied to other areas. To avoid technology breaches and cyberattacks – which are so often in the news these days – you need to take an end-to-end approach to protecting your data and infrastructure. You need an approach that helps you answer questions like:

  • Are the people accessing your network who they say they are, and if they are, do they make preventable mistakes?
  • Are the devices connecting to your network free from viruses and malware? What if they get compromised by a zero-day attack? What if they get lost or stolen?
  • Can you trust the operating system and the software that runs on it to be robust and secure?
  • Can you trust not only that your data is protected, but also that you know where it came from and it hasn’t been tampered with?

Most cybercriminal schemes are successful because authentication controls and activity auditing around people, machines, software and data are lacking. We manage our cloud infrastructure across all these areas. When you put your infrastructure in our cloud, we manage the systems and software you use, and protect your data with strong security controls and sound processes that are independently verified. And we have a portfolio of technologies that can help you prevent and mitigate breaches in areas you manage: the identities of your people, their devices and the software and data on their devices. Microsoft builds security into our products and services from the start. That’s how we deliver a comprehensive, agile platform to better protect your endpoints, move faster to detect threats and respond to security breaches across even the largest of organisations. We offer industry-leading security, including encryption – at no additional cost, plus robust anti-virus, anti-threat and other security features.

Protecting the privacy of PHI and other data

When you use cloud services, you want to trust that the privacy of PHI and other data will be protected. You want to know that you still own and control the data you’re putting in the cloud and have visibility into how it’s being stored and processed. At Microsoft, we understand that when our customers put their data in our cloud, it’s their data, not ours. When you use our cloud services, you have control over the collection, use and distribution of your data:

  • We use your customer data only to provide the services we have agreed upon. We do not scan it for marketing purposes or treat it as a product to sell to others.
  • You know where your customer data is stored in our datacentres around the globe. You know who can access it and under what circumstances, and how it is responsibly protected, transferred and deleted.
  • When data from many customers is stored at a shared physical location, we use logical isolation to segregate each customer’s cloud services data from that of others.
  • If a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible and have and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data.

What’s more, our time-tested approach to privacy is grounded in the Microsoft Privacy Standard and the Microsoft Security Development Lifecycle. Third-party audits and certifications validate our rigorous technical development standards and help ensure that privacy and data protections are systematically implemented. For example, Microsoft was the first major cloud provider to incorporate the first international code of practice for cloud privacy, ISO/IEC 27018. We also back those protections with strong contractual commitments.

Flexibility to digitally transform your way

Digital transformation in health is a journey, not a destination. So you need to be able to trust that your cloud service provider can offer you the choice and flexibility you need not only today, but into the future. Whether you need to better engage patients, empower care teams, optimise clinical and operational effectiveness, or transform the care continuum, you can choose from the wide range of cloud eHealth solutions from Microsoft and our partners to help you achieve your goals. That means that rather than piecing together solutions using different cloud platforms, you can take advantage of the interoperability of our comprehensive set of Microsoft cloud services. You can also move to the cloud at your own pace. Our hybrid cloud solutions enable you to use a combination of on-premises and cloud services. By using eHealth solutions that are built to work together, you can streamline security and administration across your infrastructure – and save money.

A cloud you can trust

With eHealth solutions from Microsoft and our partners, you not only benefit from our deep compliance, security and privacy experience and long history of health industry collaboration, but also choice and flexibility to digitally transform your way. It’s how we’ve earned the trust of our health customers around the world that are using the Microsoft Cloud to empower better health for their communities. In the U.S. alone, more than 35,000 health organisations use our cloud services.

Additional Resources

Cybersecurity in Health eBook We hope the information above helps you begin to check the facts as you take advantage of the cloud to help you improve care quality and efficiency, while reducing costs. To learn more, visit the Microsoft Trust Centre. It offers detailed security, privacy and compliance information and resources for all Microsoft cloud services. And if you have any questions or comments, please reach out to us via email, Facebook or Twitter.