The Sookasa Blog

How sync can undermine HIPAA compliance

If you’ve looked into the guidelines for HIPAA compliance, you already know that achieving compliance isn’t exactly straightforward. Unfortunately, neither is evaluating cloud-based solutions that trumpet their HIPAA certification. That’s because one critical part of the workflow—syncing to devices—can actually undermine your security.

That’s why it’s essential to read the fine print—or sometimes read between the lines—when learning about cloud solutions that tout HIPAA compliance.

So, why does syncing sometimes undermine compliance? Because file synchronization duplicates thousands of non-encrypted files to many mobile devices. In other words, even if files are secured on the cloud, once they reach devices, they’re unprotected.

Synchronizing files supplies a powerful productivity advantage. But when protected health information is in play, syncing can pose a huge risk because actually working with PHI on synced devices essentially breaks the encryption protection. Subsequent theft or loss of these synced devices—which now contain unencrypted data—can cause a massive HIPAA breach.

And this happens all the time. Healthcare professionals regularly open sensitive documents that have been synced to their laptops or phones. Isn’t the whole point of the cloud to be able to work seamlessly?

But you won’t find explicit caveats about this on the websites or help pages of major cloud players. In a recent blog post from Box CEO Aaron Levie on the company’s acquisition of Subspace, he noted that “The Subspace team will let us go even deeper with our security and data policies, enabling reliable corporate security policies, even when content leaves the Box platform to be accessed on a customer or partner’s device.” It’s a little oblique, and could mean that help is on the way, but the bottom line is that to date, content isn’t safe when it leaves the Box platform.

Consider what the University of California at Berkeley recommends to safeguard against Box syncing issues with sensitive information. Among other precautions, for laptops with Box Sync, its guidelines urge students and faculty to take the extra step of whole-disk encryption. That’s a dramatic additional step to require for a solution that purports to guarantee HIPAA compliance. The alternative? Limiting sync, one of the things that probably led you to the cloud in the first place. And how can you do whole-disk encryption when you’re using an iPad or an Android phone? Tough luck.

Beyond the encryption gap, certain file sharing services only provide auditing for files while they are stored in the cloud. Once the files are synchronized to a device or shared externally, they’re invisible to the cloud service’s auditing function. In those cases, the audit trail doesn’t exactly comply with the letter of the law.

At Sookasa, our philosophy is that there shouldn’t be a tradeoff between convenience and compliance. Nor should it take an attorney’s level of scrutiny to figure out how to safely use a service. That’s why we provide end-to-end encryption that extends to devices, so that working normally with files doesn’t pose an inadvertent risk.