Azure & Office 365

Azure Health Data Services is a cloud-based platform that enables healthcare organizations to manage and analyze health data, such as FHIR, DICOM, and MedTech data, with integrations into other Azure services. Azure Health Data Services provides a secure and compliant environment for storing and processing health data, with features such as encryption, auditing, role-based access control, and data protection.

By default, Azure Health Data Services encrypts the data in its underlying Azure services, such as Azure Cosmos DB, Azure Storage, and Azure SQL Database, using Microsoft-managed keys. Microsoft-managed keys are encryption keys that are generated and managed by Microsoft on behalf of the customer. Microsoft-managed keys offer a simple and convenient way to encrypt data, without requiring any additional configuration or maintenance from the customer.

However, some customers may have specific security or compliance requirements that require them to use their own encryption keys to protect their data. For example, some customers may need to comply with regulations that mandate the use of customer-managed keys, such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR). Some customers may also want to have more control and flexibility over their encryption keys, such as the ability to rotate, revoke, or export their keys.

To address these needs, Azure Health Data Services supports encryption with customer-managed keys, which is a feature that allows customers to use their own encryption keys to encrypt their data, instead of using Microsoft-managed keys. Customer-managed keys are encryption keys that are created and stored by the customer in their own Azure Key Vault or Azure Key Vault Managed HSM. Azure Key Vault and Azure Key Vault Managed HSM are Azure services that provide secure and scalable key management and cryptography capabilities.

When customers enable encryption with customer-managed keys for their Azure Health Data Services account, they can specify an Azure Key Vault key URI, which is a unique identifier for their encryption key. Azure Health Data Services then passes this key URI to the underlying Azure services, such as Azure Cosmos DB, Azure Storage, and Azure SQL Database, which use the customer-managed key to encrypt and decrypt the data. Azure Health Data Services also uses the customer-managed key to encrypt and decrypt the data in transit, such as when the data is transferred between Azure services or between Azure and the customer’s applications.

Encryption with customer-managed keys offers several benefits for customers, such as:

• Enhanced security and privacy: Encryption with customer-managed keys adds a second layer of encryption on top of the default encryption with Microsoft-managed keys, which means that the data is encrypted twice. This provides an extra level of protection and assurance for the data, as it prevents unauthorized access or disclosure, even if the Microsoft-managed keys are compromised. Encryption with customer-managed keys also enables customers to control and monitor the access and usage of their encryption keys, by using Azure Key Vault or Azure Key Vault Managed HSM features, such as access policies, logging, and auditing.
• Improved compliance and governance: Encryption with customer-managed keys helps customers to meet their specific security or compliance requirements, such as HIPAA or GDPR, that mandate the use of customer-managed keys. Encryption with customer-managed keys also enables customers to demonstrate their compliance and governance to their stakeholders, such as regulators, auditors, or customers, by using Azure Key Vault or Azure Key Vault Managed HSM features, such as reports, certificates, or attestations.
• Simplified management and operation: Encryption with customer-managed keys leverages the existing capabilities and integrations of Azure Key Vault and Azure Key Vault Managed HSM, which means that customers do not need to deploy or maintain any additional hardware or software for their encryption keys. Encryption with customer-managed keys also allows customers to use the same encryption keys for multiple Azure services, which simplifies the management and operation of their encryption keys.

Encryption with customer-managed keys is currently in public preview, which means that it is available for testing and evaluation purposes, but not for production use.

Encryption with customer-managed keys is a promising feature that aims to make encryption easier and better for customers who use Azure Health Data Services. Encryption with customer-managed keys offers several advantages, such as enhanced security and privacy, improved compliance and governance, and simplified management and operation. Encryption with customer-managed keys can help customers to achieve their goals and requirements, while saving time, money, and effort. Encryption with customer-managed keys is a feature that is worth trying out and exploring, especially for customers who have sensitive or confidential health data. Encryption with customer-managed keys is a feature that can potentially transform the way customers use encryption in Azure Health Data Services.

Comments are closed.