O365 - managing calendars
-
@scottalanmiller said:
@coliver said:
That isn't necessarily the place of IT though... that would be management or HR.
Absolutely, if management or HR knew that they were saying that stuff and didn't take action I'd be shocked!!
That happens all the time here, and management does know.. and no action is taken.. but I'm not in a good example.
-
@Dashrender said:
The biggest concern I have to moving to hosted Exchange is two things - first HIPAA. With an internal server, and encryption set up everywhere, I have little concern here. Moving to a hosted solution concerns me. Sure MS will give me their boilerplate HIPAA compliance, but I have no idea if it's good enough for court.
It's better for the court, right? Unlike your own HIPAA compliance which is nothing more than "Dashrender said so", this is a big vendor standing behind it and presumably being tested on it all the time. If I was the business owner, I would demand to be on Office 365 solely for this reason - running email in house without a huge vendor indemnifying me feels unreasonable. It's a risk I'd be unwilling to take on. Getting Microsoft to verify that they are HIPAA compliant and carrying that responsibility would be the single biggest decision making factor for me.
What could be better in court than this? What's the alternative that doesn't scare you?
-
@Dashrender said:
Now, that said, I know that OWA has had huge improvements and one such improvement is the ability to see multiple calendars without having to 'log in' as the desired user like OWA of the past. So one possible solution would be to move everyone to using OWA instead of Outlook on the desk - this actually solves another issue by moving to O365 - I wouldn't need Office licenses on the majority of my desktops anymore, this could save me a bundle!
This is my take on it... explain the necessity for both business (money, practicality, protection) and HIPAA (legal protection) needs to management. Explain that you need to move people to OWA and that this will be an update to the very latest that you don't have internally yet. You can demo it for them if they want. Get them to sign off that this is what is happening, period. Don't do this without them.
Then have management present this as the plan going forward. People who don't like it... tough, you don't only do the parts of your job that you want to do or like. Everyone has to do something at work that they dislike or else they wouldn't need to get paid for it.
It's all about management buy in and support. If management doesn't care, don't bother. Literally, if they don't care you should not care. If they do care, get them involved and let them do their portion of the job and this should be easy. When the boss says "use OWA" it would be a pretty crazy person that refuses.
-
I'm all about hosted email, I believe in it strongly - as the right thing to do for a business. But I also understand that tons of small businesses, especially those in the medical sector, have a tradition of not treating themselves seriously as a business (many actively lose a fortune and continue to operate because they literally don't care about losing the money) and may not care at all that you have a solution that could improve things for them. So the biggest thing that it seems like you need is the business to support the decision. Once they support it and understand why it is "needed", it doesn't seem like the other issues exist, right? It is only in trying to move to hosted email as a grassroots movement, rather than top down, that user buy-in or HIPAA indemnification come into play?
-
I'm not really worried about the move to OWA since you can now see multiple calendars at once just like in Outlook.
I guess if Microsoft is signing something saying they are HIPAA compliant, that really is all I need.
My concern grows from the fact that we currently use email between internal users as our way of 'securely' communicating with each other about patients. They have been unwilling to pay for secure text messaging and email has more or less solved this - save those who refuse to participate (owners always get to do whatever they want no matter how much risk they put the company at - no stockholders other than owners).
Yeah, I'm sure I'll be making this move when SA expires.
-
@Dashrender said:
I guess if Microsoft is signing something saying they are HIPAA compliant, that really is all I need.
My concern grows from the fact that we currently use email between internal users as our way of 'securely' communicating with each other about patients.
How does this change?
-
@coliver said:
@Dashrender said:
I guess if Microsoft is signing something saying they are HIPAA compliant, that really is all I need.
My concern grows from the fact that we currently use email between internal users as our way of 'securely' communicating with each other about patients.
How does this change?
In theory it doesn't. I simply have to trust in the system MS has that there is no bleed over from one company account to another - which I do trust in, but nonetheless makes me a bit more concerned when you have things like HIPAA breathing down your neck. So I'm being cautious more than anything.
Many large vendors have had major breaches in recent years - thankfully I don't think MS is among them.
-
@Dashrender said:
In theory it doesn't. I simply have to trust in the system MS has that there is no bleed over from one company account to another - which I do trust in, but nonetheless makes me a bit more concerned when you have things like HIPAA breathing down your neck. So I'm being cautious more than anything.
Why do you need to trust in that? As a HIPAA concern, that's between Microsoft and the inspectors, right? If Microsoft fails, that's their issue. Not that there is any reason for concern, their entire business is built around this. One of the most secure environments in the world. If Microsoft can't do it, no one can expect you to be more secure.
Remember, HIPAA in this case would be Microsoft's problem, and secondly you have done your due diligence by going to the most secure option available. It's doing something other than having Microsoft offload the responsibility and doing the most secure thing that should keep you up at night.
-
I'm a needless worrier at times...
Although I don't believe you are completely out of the woods just because you have a Business Agreement (BA) with a provider you use that is housing Personal Health Information (PHI) - in fact I'm pretty sure that I'm supposed to request a result of their own audit to ensure they are doing what they are supposed to be doing.. only after collecting that yearly (though how I'm supposed to know it's valid is beyond me) would I be close to being indemnified.
Granted, as you said, this is Microsoft - they want to do it right.
-
@Dashrender said:
I'm a needless worrier at times...
I'd say less of needless worry, HIPAA is a big deal, but definitely worry in the opposite direction that I would have. From a HIPAA perspective I would feel worlds better having to face management or even a court hearing being able to show Microsoft's documentation, possibly having Microsoft attorneys standing there with me and being able to show industry best practices and having gone above and beyond the HIPAA requirements by going for one of the most secure environments available. Nothing is 100% secure, but there is "doing the minimum" and "doing pretty much the most that you could."
If a court is going to fault you for HIPAA on Office 365, they were going to get you no matter what you had done. So while there are certainly cases and reasons to not just "go to hosted" every time for every thing, in a case like this when looking at the HIPAA concerns my worry would be "holding the hot potato" instead of passing that on to Microsoft. Going on premises and being solely responsible for every decision from the storage to the server to the application would be what would worry me far more. Going to Office 365 is what would give me the warm and fuzzies.
-
@Dashrender said:
Although I don't believe you are completely out of the woods just because you have a Business Agreement (BA) with a provider you use that is housing Personal Health Information (PHI) - in fact I'm pretty sure that I'm supposed to request a result of their own audit to ensure they are doing what they are supposed to be doing.. only after collecting that yearly (though how I'm supposed to know it's valid is beyond me) would I be close to being indemnified.
That's possible, back when I was doing HIPAA all the time that was not the case but it does get updated regularly.
Knowing that it is valid is likely none of your concern. You can't know that audits are valid more or less by definition. You'd need the auditor to be audited and that auditor audited and so on and so forth.