Protecting privacy for personal data stored in the cloud


IT professionals, healthcare executives, and clinicians in hospitals, health systems and clinics around the world are expressing great interest in moving more of their organizations’ IT applications and services to the public cloud. The concept of having a more flexible, scalable, cost-effective means to provide information communications technologies for their business both today and well into the future is very appealing. However, in order to make such a move, these same organizations must be extremely confident that any cloud service provider they do business with maintains the highest possible standards for data privacy and security.

This week, Microsoft announced a major milestone. Microsoft is the first major cloud provider to adopt the world’s first international standard for cloud privacy. That standard is known as ISO/IEC 27018. It was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting the privacy of personal data stored in the cloud. That Microsoft meets the new ISO/IEC 27018 standard for Microsoft Azure, Office 365 and Dynamics CRM Online has been independently verified by the British Standards Institute (BSI). Similarly, Bureau Veritas has done the same for Microsoft Intune.

ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways. Adherence to the standard means that enterprise customers remain in control of their data, which is handled according to the instructions they, as the customer, provide to Microsoft. It means that they will know what is happening with their data at all times. In addition, the standard provides a number of important security safeguards. It also affirms Microsoft’s longstanding commitment not to use enterprise customer data for advertising purposes. The standard also requires that law enforcement requests for disclosure of personally identifiable data be disclosed to the enterprise customer, unless such disclosure is prohibited by law. Microsoft has already adhered to this approach (and more), and adoption of the new standard reinforces this commitment.

For health organizations, Microsoft has also been a model for meeting the information privacy requirements of HIPAA and for signing Business Associates Agreements with health customers who use the company’s public cloud resources. All of this should give healthcare customers who entrust Microsoft with their data the highest levels of confidence.

If you are thinking about moving your healthcare organization’s data to the public cloud, you can learn more about ISO/IEC 27018 here, and more about Microsoft in health and healthcare by visiting www.microsoft.com/health. Additional resources specific to cloud services for healthcare can be found here.

Bill Crounse, MD, Senior Director, Worldwide Health, Microsoft

