Securing Office 365: Practical Steps for Office 365 Administrators in the Medical Community


Office 365 is popular within the medical community; small, medium, and large physician practices and other providers form a large community within the Office 365 family of users. As Office 365 specialists, we at Withum Digital find that one of our most frequent areas of support is properly securing Office 365. Many of our medical customers are small and medium-sized businesses that may not have a full-time Office 365 Administrator. This article is aimed at those of you administering an Office 365 tenant who are concerned about security and how to properly configure your tenant to ensure you are safe and sound.

While the Office 365 platform itself is secure, there is a bit of confusion as to what that actually means to Office 365 administrators out there supporting medical practices.

Perhaps a first principle is to understand why you have Office 365 security responsibilities in the first place. Microsoft takes many steps to keep Office 365 safe. First, they make sure that if someone gets into somebody else’s tenant, they cannot get into yours. Remember, your Office 365 tenant is like your medical practice in a larger office building. Microsoft ensures that if someone breaks into one office in the building (in this case the “office building” is a data farm containing a bunch of Office 365 tenants), they cannot get into your office (tenant). However, while someone can’t get into my tenant from next door, they could come in the front door if I don’t lock it.

That’s where Microsoft helps; they give you the tools to make sure you don’t let the wrong people in and to keep your stuff (think content, data about your employees or patients) from leaving. In general terms, Microsoft provides you with the tools to make sure your tenant is safe and secure. But…that means you still have the responsibility to keep your information secure. So how do you do that? What can you do to make sure your Office 365 environment remains secure?

The simplest way to understand how to secure your tenant is to use Microsoft’s Secure Score feature found on your admin console (or click on this link and enter your admin credentials: https://securescore.microsoft.com/#!/dashboard). Secure Score is a tenant admin-level tool that analyzes your tenant and benchmarks how secure it is based on similar size tenants, type of industry, Microsoft recommended security features, and industry-standard security practices. It also provides practical steps you can take to improve your overall security. In short, it tells you how well you have adopted the security features of Office 365 and other industry-recommended security practices. In general, the higher your score, the more secure you are (which reduces, but does not eliminate, your chances of getting hacked or having data escape your tenant either accidentally or on purpose). Again, a high score does not mean you are safe; it just means you have taken advantage of Office 365 security features (which are considerable).

What’s great about the tool is that it shows you your score and recommends specific actions to improve security based on how aggressive you want to be in securing your tenant. Using a slider, you can move between Basic, Balanced, and even Aggressive security and see specific recommendations tailored to your configuration.

For example, you may want Balanced Security and you may see things like “Enable Multi-Factor Authentication”, “Enable mailbox auditing for all users”, or “Do Not use mail forwarding to external domains”. The messages you see will be related to what Office 365 workloads you have, how you have your tenant configured, and how aggressive you want your security profile to be. Moreover, when you click on a recommendation, it tells you the impact of the setting on your security score, what specific threats it will mitigate, and what compliance controls (guidelines, regulations, standards etc.) apply to the setting.

Perhaps even better, you can filter the recommendations around impact to users, cost, types of actions, and even have it show the recommendations with the highest user impact (things that could impose an inconvenience to your users). In other words, you can focus on simple, highly effective things to do to improve your overall security posture based on how secure you want to be. And if you are not sure what a recommendation means, there are plenty of resources to help you figure it out.
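The same filtering can be reproduced on Secure Score data pulled from Microsoft Graph. The following is an added example, not Withum's or Microsoft's code: it assumes the field names of Graph's `secureScores` and `secureScoreControlProfiles` resources, and every control id, score and impact level in it is constructed sample data.

```python
# Added example: rank Secure Score improvement actions offline. Field names follow
# Microsoft Graph; all ids, scores and levels below are constructed sample data.

LEVEL = {"Low": 0, "Moderate": 1, "High": 2}

# Constructed stand-in for one item of GET /security/secureScores
LATEST_SCORE = {
    "currentScore": 7.0,
    "maxScore": 26.0,
    "controlScores": [
        {"controlName": "ExampleMFA", "score": 0.0},
        {"controlName": "ExampleMailboxAudit", "score": 0.0},
        {"controlName": "ExampleExternalForwarding", "score": 1.0},
        {"controlName": "ExampleAlreadyDone", "score": 6.0},
    ],
}

# Constructed stand-in for the list from GET /security/secureScoreControlProfiles
PROFILES = [
    {"id": "ExampleMFA", "title": "Enable Multi-Factor Authentication",
     "maxScore": 10.0, "userImpact": "Moderate", "implementationCost": "Low"},
    {"id": "ExampleMailboxAudit", "title": "Enable mailbox auditing for all users",
     "maxScore": 5.0, "userImpact": "Low", "implementationCost": "Low"},
    {"id": "ExampleExternalForwarding",
     "title": "Do Not use mail forwarding to external domains",
     "maxScore": 5.0, "userImpact": "Low", "implementationCost": "Low"},
    {"id": "ExampleAlreadyDone", "title": "Constructed control already at full score",
     "maxScore": 6.0, "userImpact": "Low", "implementationCost": "Low"},
]

def rank_actions(score, profiles, max_user_impact="Low", max_cost="Low"):
    """Unfinished actions within the impact/cost limits, largest gain first."""
    earned = {c["controlName"]: c.get("score", 0.0) for c in score["controlScores"]}
    picked = []
    for p in profiles:
        gain = p["maxScore"] - earned.get(p["id"], 0.0)
        if gain <= 0:
            continue  # nothing left to earn on this control
        # A missing or unrecognised level counts as High, never as an easy win.
        impact = LEVEL.get(p.get("userImpact"), LEVEL["High"])
        cost = LEVEL.get(p.get("implementationCost"), LEVEL["High"])
        if impact <= LEVEL[max_user_impact] and cost <= LEVEL[max_cost]:
            picked.append({"title": p["title"], "gain": gain})
    return sorted(picked, key=lambda a: (-a["gain"], a["title"]))

if __name__ == "__main__":
    for action in rank_actions(LATEST_SCORE, PROFILES):
        print(f'{action["gain"]:>5.1f}  {action["title"]}')
```

Raising `max_user_impact` to `"Moderate"` brings the multi-factor authentication action into the list, which mirrors moving from the low-inconvenience filter to a broader one.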

Moreover, the “Risk Assessment” section of your Secure Score report tells you which types of attack you are most at risk of experiencing. Your report may indicate you are at risk for “Password Cracking” or “Elevation of Privilege”. Clicking on each risk provides more detail on what it is so you can take appropriate action to mitigate that specific risk.

So, what does all this mean? It means even medical providers with a few users can take advantage of big-firm security features. It means that you don’t have to be an expert in security to enable feature-rich, robust security features on your tenant. While you may need help in implementing and understanding some of the security features outlined in Secure Score, nothing should prevent you from running your own report and taking some of the actions it recommends. Still not sure what to do? Let us know how we can help.

