Cloud Security and Best Practices

Your Microsoft 365 credentials are the key to your entire cloud environment — email, files, Teams, and any connected applications. Protecting these credentials is your highest-priority security responsibility:

• Multi-Factor Authentication (MFA) is mandatory for cloud accounts in healthcare — MFA requires a second verification step beyond your password when logging in (typically a code sent to your phone or an authenticator app notification). Even if a hacker obtains your password, they cannot access your account without the second factor. If your organization offers optional MFA, enable it immediately. In a compliant healthcare environment, MFA should be required by policy.
• Never log into your work Microsoft 365 account from a public or shared computer — computers in libraries, hotel business centers, or other shared environments may have keyloggers or cached session tokens that expose your credentials after you log out. If you must access work files remotely from a non-work device, use a personal device on a private network, not a shared or public one.
• Sign out of cloud accounts when done on a non-work device — in Outlook web, Teams web, or SharePoint, click your account icon and select Sign Out. Close the browser after signing out. This prevents session persistence that can be exploited on a shared or family device.
• Change your password immediately if you suspect a compromise — if you notice unfamiliar sign-in activity (Microsoft sends security alerts for sign-ins from new locations or devices), change your password immediately and notify IT. Speed matters in credential compromise scenarios — the faster the password changes, the shorter the attacker's window.

The network you use to access cloud services affects the security of that connection — public Wi-Fi has known security risks that affect professional cloud access:

• Avoid accessing work cloud services on public Wi-Fi — public networks in coffee shops, airports, and hotels are unencrypted and potentially monitored by other users on the same network. A technique called 'man-in-the-middle' allows attackers on the same public network to intercept unencrypted web traffic. While HTTPS provides some protection, the combination of public Wi-Fi and credential entry creates unnecessary risk.
• Use a VPN (Virtual Private Network) if you must access work systems remotely — a VPN encrypts your internet traffic and tunnels it through a secure server, protecting your connection even on a public network. Many organizations provide a VPN for remote access to clinical systems. If your office provides one, use it whenever accessing work systems from outside the office.
• The office Wi-Fi is more secure than public Wi-Fi, but is not impenetrable — avoid transmitting sensitive information over the waiting room guest Wi-Fi (which is the same network patients use). All clinical and administrative work should use the staff-only network.

The 'principle of least access' means giving each person access to only the files they need for their specific job — and nothing more. Applying this principle in your sharing decisions significantly reduces the risk of unauthorized data exposure:

• Audit your shared files regularly — check the Manage Access panel for any file you have shared (as covered in the previous lesson) every quarter. Remove access from anyone who no longer needs it. In a medical practice with staff turnover, outdated sharing permissions accumulate quickly.
• Use 'View' access by default for external sharing — when in doubt about which permission level to grant an external party, always start with 'Can view.' Upgrade to 'Can edit' only when you have a specific, confirmed need. It is easy to upgrade permissions; it is harder to undo damage from edit access that should not have been granted.
• Report accidental sharing immediately — if you accidentally shared a file with the wrong person (especially a file containing PHI), notify your supervisor and IT immediately. Do not wait to see if the recipient noticed. In a HIPAA breach scenario, the timeliness of the notification and response is a factor in regulatory assessment. Early, transparent reporting is always the correct response to accidental disclosure.