Hey everyone,
I hope it's OK if I x-post this as I'd like to get as many opinions as possible.
We are evaluating finally moving to O365 and I had a scenario in my mind I'm not quite sure how to address and wanted to see what others are doing or if I am worrying about this too much.
I have a group of users who need to follow HIPAA compliance. I'm concerned that by going to a cloud platform where users can access files/email from any device anywhere in the world, that they could accidentally download sensitive info to unsecured devices.
For example, if a user logs in to OWA from their home computer and opens an attachment, that attachment is downloaded to their local temp files which is technically now on an unencrypted hard drive right?
Or say a user logins in to their OneDrive and downloads a file with sensitive info to their home computer. You now have that data stored in an unsecure location right?
Are there ways to mitigate these risks that I should be taking? In practice do you do anything to mitigate these risks?
I've done a lot of searching and when I look at compliance issues related to HIPAA, folks seem to say E3 licenses are sufficient to cover your bases because you get some DLP features and email encryption, which I suppose is good to stop people from accidentally emailing sensitive info outside the org or for sharing files on OneDrive or Sharepoint outside the org, but what about the situations I described above? Am I being too paranoid? Should we just come up with a written policy that says users should not download files to their personal computer?
I raised this issue with the company we are looking at using for help with the migration and he mentioned a lot of orgs usually issue company equipment for this type of access. Which I agree is good to do, but I'm still concerned that a user would figure out they could sign in from their home device and open up files without them even knowing that those files are then stored locally on their unprotected machine. Also, it would be nice if people could work from home using the online versions of Office without us having to issue them company equipment during this whole worldwide pandemic thing.
Any feed back is appreciated. Thanks!