Your tenant holds ePHI. Your MFA doesn't cover everyone.
30+ HIPAA controls + HITRUST mapping. Free 14-day trial.
Why This Matters for Healthcare
The Microsoft 365 misconfiguration gap is where most healthcare breaches begin. Here is what is at stake.
Breach Reporting Has Teeth
The HIPAA Breach Notification Rule requires covered entities to notify HHS and affected individuals within 60 days of a breach involving unsecured ePHI. Breaches affecting 500 or more individuals are posted publicly on the OCR "Wall of Shame." A single misconfigured sharing policy in SharePoint can meet the threshold for a reportable breach, triggering mandatory notification, fines of up to $1.9 million per violation category per year, and lasting reputational damage with patients and payers.
Clinical Workflows Live in M365
Care coordination happens in Teams channels, patient intake forms move through SharePoint, and scheduling lives in Exchange calendars. This makes M365 a de facto clinical system — but most healthcare IT teams configure it as if it were a generic office productivity suite. The result is ePHI flowing through communication channels without the access controls, audit logging, or encryption enforcement that HIPAA's Technical Safeguard requirements demand. HICP guidance specifically calls out securing Microsoft 365 as a foundational practice.
Auditors Have Gotten Sharper
OCR investigations increasingly request configuration evidence — not just policies. During a HIPAA audit, you may be asked to demonstrate that multi-factor authentication is enforced for all users accessing ePHI, that audit logs were retained and reviewed, and that data loss prevention policies were active on email. A written policy stating these controls exist is not enough. You need documented technical evidence. Our assessment generates that evidence automatically, mapped to the specific safeguards and implementation specifications under 45 CFR Part 164.
What We Audit
Thousands of checks across every M365 service and Azure resource — filtered to the controls that matter most for healthcare organizations.
Exchange Online & Email Security
External forwarding rules, transport rule audit, anti-phishing policies, DMARC/DKIM enforcement, and mailbox delegation configurations that could expose ePHI in transit.
Entra ID & Identity Controls
MFA enforcement for all users accessing patient data, conditional access policies, legacy authentication blocking, privileged identity management, and guest account governance.
SharePoint & OneDrive Sharing
Anonymous link policies, external sharing permissions, site-level oversharing, sensitivity label application, and OneDrive sync restrictions for managed devices.
Teams & Collaboration Controls
External guest access, channel data retention policies, Teams meeting recording governance, and ePHI exposure through unmanaged Teams apps and connectors.
Audit Logging & Monitoring
Unified Audit Log enablement and retention, mailbox audit bypass detection, Azure Monitor coverage gaps, Defender for Office 365 alert policy completeness, and SIEM integration posture.
Azure Infrastructure & Storage
Azure Blob public access, storage account encryption key management, network exposure of Azure resources handling ePHI, Key Vault access policies, and Azure Policy compliance posture.
Compliance Coverage
Every finding maps to the specific framework control it addresses. No manual crosswalk required.
HIPAA Security Rule
45 CFR Part 164 — Administrative, Physical, and Technical Safeguards
We map your M365 and Azure configuration to all 18 HIPAA implementation specifications — including addressable requirements that many organizations incorrectly treat as optional. Every gap surfaces with the specific CFR citation and remediation guidance.
HITRUST CSF
Health Information Trust Alliance Common Security Framework
We map your environment to HITRUST CSF control categories across information security management, access control, audit logging, and risk management — the same categories evaluated during a formal HITRUST assessment. Use findings as pre-assessment gap evidence.
HICP — Health Industry Cybersecurity Practices
HHS 405(d) Program — Microsoft 365 Security Practices
The HHS 405(d) HICP publication specifically names securing Microsoft 365 as a critical practice for healthcare organizations. Our assessment validates all M365-relevant HICP Technical Volume 1 practices, giving you alignment evidence for the voluntary but increasingly expected framework.
NIST 800-53 & CIS M365 Benchmark
Additional frameworks included at no extra cost
We also map findings to NIST SP 800-53 security controls and the CIS Microsoft 365 Benchmark — the controls most commonly referenced in cyber insurance underwriting and third-party vendor assessments from health plans and hospital systems.
Healthcare Risk Spotlight
The specific M365 and Azure findings that appear most frequently across healthcare assessments — and carry the highest regulatory risk.
ePHI in Teams Chat
Clinicians routinely share patient details in Teams channels with no retention or DLP policies — creating uncontrolled ePHI stores that are rarely audited and difficult to purge on request.
BAA Coverage Gaps
Third-party apps connected to your M365 tenant that handle ePHI without a signed Business Associate Agreement — a direct HIPAA violation that is easy to miss across a large tenant.
Audit Log Retention Gaps
HIPAA requires six years of record retention. Default M365 audit log retention is 90 days. Organizations without E5 or long-term SIEM integration routinely fall short of this requirement.
MFA on Clinical Apps
Conditional access exclusions for "clinical workflow" accounts that bypass MFA — often created during an EHR rollout and never revisited — leave high-value accounts exposed to credential stuffing.
External Email Forwarding
Auto-forwarding rules sending ePHI to personal email accounts — a top OCR finding and one of the easiest misconfigurations for attackers to implant post-compromise to maintain data exfiltration.
Unprotected Azure Storage
Azure Blob containers hosting medical imaging, lab results, or billing exports with public access enabled or without customer-managed encryption keys — a direct ePHI exposure in the cloud layer.
"We went into our OCR audit believing our HIPAA controls were solid. The assessment surfaced 14 findings our internal team had never seen — including external forwarding rules on three executive mailboxes. We remediated everything in a week and walked into the audit with documented evidence. That changed everything."
Find your compliance gaps before OCR does.
Start with the 14-day free trial — no commitment, no changes to your environment. See real findings across your M365 and Azure tenant in under 10 minutes.
BAA available — read-only access — results in under 10 minutes.