Office 365, compliance, and accidental data leaks if users use home devices?



  • Hey everyone,

    I hope it's OK if I x-post this as I'd like to get as many opinions as possible.

    We are evaluating finally moving to O365 and I had a scenario in my mind I'm not quite sure how to address and wanted to see what others are doing or if I am worrying about this too much.

    I have a group of users who need to follow HIPAA compliance. I'm concerned that by going to a cloud platform where users can access files/email from any device anywhere in the world, that they could accidentally download sensitive info to unsecured devices.

    For example, if a user logs in to OWA from their home computer and opens an attachment, that attachment is downloaded to their local temp files which is technically now on an unencrypted hard drive right?

    Or say a user logins in to their OneDrive and downloads a file with sensitive info to their home computer. You now have that data stored in an unsecure location right?

    Are there ways to mitigate these risks that I should be taking? In practice do you do anything to mitigate these risks?

    I've done a lot of searching and when I look at compliance issues related to HIPAA, folks seem to say E3 licenses are sufficient to cover your bases because you get some DLP features and email encryption, which I suppose is good to stop people from accidentally emailing sensitive info outside the org or for sharing files on OneDrive or Sharepoint outside the org, but what about the situations I described above? Am I being too paranoid? Should we just come up with a written policy that says users should not download files to their personal computer?

    I raised this issue with the company we are looking at using for help with the migration and he mentioned a lot of orgs usually issue company equipment for this type of access. Which I agree is good to do, but I'm still concerned that a user would figure out they could sign in from their home device and open up files without them even knowing that those files are then stored locally on their unprotected machine. Also, it would be nice if people could work from home using the online versions of Office without us having to issue them company equipment during this whole worldwide pandemic thing.

    Any feed back is appreciated. Thanks!



  • Use Office365 with Intune, and you can keep the data on OneDrive and not even allow users to save documents locally.



  • you can get away from home users downloading files to they're personal devices with policy... strict policy and using a VDI instead.



  • @gjacobse said in Office 365, compliance, and accidental data leaks if users use home devices?:

    you can get away from home users downloading files to they're personal devices with policy... strict policy and using a VDI instead.

    How does VDI solve this? The user can still log into M365 from their home computer, unless that "strict" you mention locks their logins down to IP's on the VDI?



  • I have a policy to only allow download on domain joined pc but I never thought about temp files if working on a doc in a browser window



  • O365 has this built-in. Check Exact Data Match (EDM), and Data Loss Prevention (DLP).

    You define what makes a document HIPAA restricted (EDM) (or for any other other reason if you wish, it does not have to be a HIPAA issue), and then you create a rule about how any document meeting that EDM can be viewed or distributed (DLP).

    In a nut shell; Let's say you have documents with Social Security numbers, you create an EDM to identify SS #s in documents (this happens as you access them) and it flags them as having met the criteria for one of your EDM rules.

    Then, your DLP rule can, for example, only allow the document to travel through email within your domain, or within a group (department, C level employees, etc). It can disallow the document from being downloaded or printed, etc.....

    Have a look here: https://docs.microsoft.com/en-us/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification?view=o365-worldwide


Log in to reply