This is the second in a series of articles covering data security and privacy in Rutgers Connect, addressing both the standards and capabilities of the Office 365 platform and the Rutgers-specific customizations and policies related to these topics.
The first entry in the series, Rutgers Connect Security and Trust Part One: The Office 365 Platform Security, introduced users to security and data resiliency features native to the Office 365 platform.
In this article, we focus on Rutgers-specific security considerations as well as additional protective features included in the Rutgers Connect implementation of Office 365.
While Microsoft Office 365 is a HIPAA-compliant product and Microsoft has signed a Business Associate Agreement (BAA) with the University, Rutgers Connect is currently undergoing a rigorous in-house analysis to evaluate and document all aspects of the product, both as offered by Microsoft and as configured by the University, with regard to HIPAA compliance. When this effort is complete, the University should be able to provide better guidance about which specific HIPAA data types, communications, and activities can be used, stored, and conducted via Rutgers Connect. In the meantime, please contact the Office of Enterprise Risk Management, Ethics, and Compliance if you have any questions.
Along with the provisions set forth in the University’s BAA with Microsoft for Office 365 and the security features built into the platform, Rutgers Connect automatically enforces a number of additional security features for University members who are part of units designated as HIPAA-covered entities.
Email originating from users belonging to such units and addressed to external users is automatically routed through a product named Zix. Zix scans outgoing messages for HIPAA-covered data, such as private patient information, and delivers any such message securely by encrypting the communication channel end to end using one of several different technologies.
The end user needs to ensure that any communications involving HIPAA data are sent only to those parties who have the correct authorization to handle the data they receive. Proper training for all users handling and communicating HIPAA data is essential.
Existing procedures that cover the handling of HIPAA and NPPI data (for example, doctors using a patient portal to communicate securely with patients) should NOT be changed simply because Rutgers Connect is now available. All standard procedures for handling HIPAA data and communications should continue unchanged. Proposals for new procedures or changes to existing procedures involving HIPAA data should be submitted for evaluation and authorization to the organizations tasked with those responsibilities.
More information about Office 365 and HIPAA is available from Microsoft. Interested users may wish to visit the Office 365 & Microsoft Dynamics CRM Online HIPAA/HITECH frequently asked questions page on the Microsoft website.
Additional Implemented Security and Privacy Features
After consulting with IPS (Information Protection and Security) and ERM (the Office of Enterprise Risk Management, Ethics, and Compliance), OIT has made a number of security-related choices when configuring Rutgers Connect that protect users from intentional or accidental exposure of private or internal data.
Anonymous external sharing of all data is restricted. Users may certainly share calendars, OneDrive-stored files, etc. with colleagues outside Rutgers Connect and the University at large, but the sharing cannot be anonymous: the intended recipient of the share must create their own set of unique login credentials when they receive the first share notification and use those credentials whenever they access the shared data. The one exception is calendars, which may be shared externally without a login, but with limits on what is exposed; recipients can view the times and names of events, but no event details, notes, or attachments will be visible.
At this time, users cannot access the plugin store or grant third-party applications permission to interact directly with the data stored in their accounts. Third-party applications may request access to your mailbox, OneDrive data, and more; to avoid accidental or malicious exposure of your data, user authorization of such third-party application access is not enabled. That does not mean we cannot integrate Rutgers Connect with third-party services – in fact, we have already done so for a number of Rutgers-supported services such as Blackboard – but such configurations and associations must be made by OIT systems administrators after appropriate review.
To protect users from both accidental deletions of email or files and malicious data removal in the case of an account breach, OIT has configured Rutgers Connect to retain, and potentially recover, data for 30 to 60 days after deletion. The length of time for which an item is retained varies. Newly created or received items can be recovered for up to 60 days from the day of creation or receipt regardless of when they were deleted, while older items can be recovered for 30 days after deletion. Recovery is not an effortless operation; users should always take care to preserve data they still need and delete only unnecessary items.
Access to Rutgers Connect services from mobile devices is limited to web access only, unless the device is enrolled in the Rutgers Connect Mobile Device Management system. Mobile Device Management (MDM) will be covered in more depth in the third article in this series.
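The four configuration choices just described (sign-in required for external shares, no user consent to third-party apps, deleted-item retention, and web-only access for unenrolled mobile devices) are tenant settings that an administrator can verify rather than take on faith. The read-only script below is an added example; it is not code from the article or from Rutgers OIT. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and MSOnline modules are installed and that sessions are already open with Connect-ExchangeOnline, Connect-SPOService and Connect-MsolService; the mailbox address is a placeholder, and the "expected" values are taken from the article's description, not from any Rutgers configuration.

```powershell
# Added example (not from the article or Rutgers OIT): read-only drift checks for the
# tenant controls described above. Assumes open Exchange Online, SharePoint Online and
# MSOnline sessions; 'user@example.edu' is a placeholder mailbox.

$results = @()

# 1. External sharing of OneDrive/SharePoint content must require the recipient to
#    sign in. 'ExternalUserAndGuestSharing' is the only value that permits anonymous
#    ("anyone") links, so anything else satisfies the check.
$tenant = Get-SPOTenant
$results += [pscustomobject]@{
    Check = 'OneDrive/SharePoint external sharing'
    Value = $tenant.SharingCapability
    Ok    = $tenant.SharingCapability -ne 'ExternalUserAndGuestSharing'
}

# 2. End users must not be able to grant third-party applications access to their
#    mailbox or files; that decision is reserved for administrators.
$company = Get-MsolCompanyInformation
$results += [pscustomobject]@{
    Check = 'Users may consent to third-party apps'
    Value = $company.UsersPermissionToUserConsentToAppEnabled
    Ok    = -not $company.UsersPermissionToUserConsentToAppEnabled
}

# 3. Deleted items must stay recoverable for at least 30 days. RetainDeletedItemsFor
#    comes back in "d.hh:mm:ss" form, so it is cast to a TimeSpan before comparing.
#    (The 60-day window for new items is a retention policy, not this mailbox setting.)
$mbx    = Get-Mailbox -Identity 'user@example.edu'
$retain = [TimeSpan]"$($mbx.RetainDeletedItemsFor)"
$results += [pscustomobject]@{
    Check = 'Mailbox deleted-item retention (days)'
    Value = $retain.TotalDays
    Ok    = $retain.TotalDays -ge 30
}

# 4. Mobile devices that are not enrolled in MDM should be blocked from ActiveSync,
#    which leaves only web access for them.
$eas = Get-ActiveSyncOrganizationSettings
$results += [pscustomobject]@{
    Check = 'ActiveSync default access for unmanaged devices'
    Value = $eas.DefaultAccessLevel
    Ok    = $eas.DefaultAccessLevel -eq 'Block'
}

$results | Format-Table -AutoSize

# Exit non-zero when any control has drifted, so the script can run as a scheduled job
# and raise an alert instead of relying on someone reading the table.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Each check reads one property and compares it with the value the article's description implies; none of the cmdlets used here change anything. Running it on a schedule turns the configuration choices into something that is continuously confirmed rather than configured once and assumed.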
Additional security features such as two-factor authentication, data loss prevention algorithms and policies, and Advanced Threat Protection are currently being evaluated and will be deployed when appropriate.
Rutgers Connect is centrally configured, managed and supported by OIT, primarily by the Enterprise Messaging group and the OIT Help Desk. When selecting the product, a fundamental feature the selection committee considered was the ability to delegate certain administrative tasks and functions to local and departmental IT support structures.
Whenever possible, OIT delegates control over departmental domain management, resource creation and maintenance, various user support functions, etc. to the IT staff directly supporting various academic and administrative units. This delegation leverages the Role-Based Access Control capabilities of Office 365 to ensure that no departmental IT staff has access to the resources and data owned by other departments. Additionally, tools and APIs are in place to ensure that all business practices are enforced across all departments and IT staff.
Delegated administrators are bound to the same requirements and rules regarding user information and privacy as the central OIT staff managing Rutgers Connect. These rules are formulated and maintained by the University, including the Office of General Counsel and other parties.
Rutgers Access to User Data
User privacy is of utmost importance, and OIT is cognizant of the trust placed in our hands. To ensure that this privacy is always respected, OIT has implemented the following guidelines and tools.
- No OIT staff member or delegated departmental administrator will access user data without first obtaining the explicit permission of the user, except under a very narrow set of cases such as:
  - Performing a legal eDiscovery or OPRA search at the written request of the Office of General Counsel. In these cases, OIT staff do not access the data directly, but retrieve it for use by OGC without examining it.
  - Combating or investigating an active and emergent security threat where we believe an account is being used maliciously or by unauthorized actors.
- In the unusual case that an OIT staff member needs access to a user’s account in the course of providing support or performing maintenance functions, OIT staff will first obtain permission from the user to access the data, either directly from the user or via local support acting as intermediaries for the user. Such access will always be limited to the minimum required to solve the issue at hand, and permission to access the account is considered withdrawn when the issue is resolved.
- All actions taken by OIT staff or delegated departmental administrators are immutably logged. No one at Rutgers University can alter these logs in any way; the logs are not under the control of the University, but are maintained immutably by Microsoft. Logging of administrator actions cannot be turned off or bypassed.
- All eDiscovery and OPRA searches are immutably logged. In addition, records are kept of the official requests received from the Office of General Counsel directing the searches in question.
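The logging described in the last two points is only useful if someone periodically reads it and reconciles it against the permission records and OGC requests. The script below is an added example, not code from the article or from Rutgers OIT: it pulls the past week of administrator and eDiscovery activity from the Office 365 unified audit log, summarizes who performed which operations, and lists the operations that grant access to another user's data or widen delegation. It assumes an open Connect-ExchangeOnline session held by an account with the View-Only Audit Logs role; the list of operations treated as sensitive is my own selection, not a Rutgers policy.

```powershell
# Added example (not from the article or Rutgers OIT): weekly review of admin and
# eDiscovery actions in the unified audit log. Assumes an open Exchange Online session
# with audit-log read permission.

$end   = Get-Date
$start = $end.AddDays(-7)

# Search-UnifiedAuditLog returns pages; repeating the call with the same SessionId and
# ReturnLargeSet yields the next page until an empty result ends the loop.
$entries = foreach ($type in 'ExchangeAdmin', 'Discovery') {
    $sessionId = "weekly-review-$type-$($start.Ticks)"
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $type `
            -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
        $page
    } while ($page)
}

# Each record carries its detail as a JSON document in AuditData; flatten the fields
# a reviewer actually needs.
$events = $entries | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        Actor     = $d.UserId
        Type      = $_.RecordType
        Operation = $d.Operation
        Target    = $d.ObjectId
    }
}

# Who did what, most frequent first: a quick way to spot an account that is suddenly
# running operations it never ran before.
$events | Group-Object Actor, Operation |
    Select-Object @{ n = 'Actor, Operation'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Operations that give someone access to another user's data, or change who holds
# administrative rights, should each match a recorded user permission or OGC request.
$sensitive = @(
    'Add-MailboxPermission',        # grants full access to a mailbox
    'Add-RecipientPermission',      # grants send-as rights
    'New-ManagementRoleAssignment', # widens delegated administration
    'New-ComplianceSearch',         # starts an eDiscovery search
    'New-ComplianceSearchAction'    # exports or previews search results
)
$events | Where-Object { $_.Operation -in $sensitive } |
    Sort-Object When |
    Format-Table When, Actor, Type, Operation, Target -AutoSize
```

The first table answers "who has been doing what"; the second is the short list that needs a matching ticket, user approval, or OGC letter. The record types queried (ExchangeAdmin and Discovery) cover mailbox administration and eDiscovery; SharePoint and OneDrive administration have their own record types and would be added the same way.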
Additional standards and policies are being developed by the Office of General Counsel in consultation with other relevant parties. Any new standards and procedures will be posted in the appropriate locations.
Authors: Vladimir Gabrielescu, Elizabeth McMillion, Rae Clarke
This concludes Part Two of the Rutgers Connect Security and Trust series. Stay tuned for the third and final article in the series, which will cover Mobile Device Management.
If you have any questions, comments or suggestions regarding the Rutgers Connect article series, please write to firstname.lastname@example.org.