With the news that cloud storage company Box is dusting off its initial public offering materials and heading on the road, all eyes are on the company and what its fortunes signal for the broader cloud industry. For healthcare professionals, interest in the company has coalesced on a finer point: Claims ensuring Box HIPAA compliance. It begs the question: What does it really mean for a cloud solution to be HIPAA compliant?
HIPAA compliance can be tricky, forcing providers to read between the lines a bit to understand how to be compliant. Data encryption isn’t spelled out in HIPAA guidelines. It’s simply the means through which healthcare providers ensure PHI has reasonable protections, in addition to relying on other functions like audit, access control and employee training. And with multiple ways to encrypt data, it’s difficult for healthcare providers and companies to understand whether they are actually complying with HIPAA for PHI stored in the cloud.
Most cloud services protect data at rest and in-transit with encryption. Let’s unpack just what that means.
- At-rest encryption: At-rest encryption means content is encrypted when it sits in storage; for example, on a cloud server. This security strategy limits access to those with the proper encryption keys. This would prevent someone from breaking in to the data center of the cloud storage provider that steals a hard disk from reading the data. Of course, the whole point of the cloud is that data doesn’t stay at rest. It’s moving: between users and cloud, on and off devices, and so on. That’s where SSL comes in.
Secure Sockets Layer: SSL is a secure data transfer tunnel that means data is encrypted in transit. SSL is used to protect files transferred between the user’s browser and cloud solution, for example, or between the application on a user’s device and the cloud server. This would prevent from someone listening to your internet traffic as they get routed across the Internet from being able to open the packets.
Solutions like Box that combine these parameters in conjunction with audit and access control functionality do, in fact, facilitate HIPAA compliance. But here’s the catch: The compliance only holds for files that remain within the Box application ecosystem. But say a doctor wants to download a clinical file to his laptop so she can edit or view it. In that case, all bets are off. If the doctor loses her laptop, the files are unprotected, leaving her liable for serious damages. Clearly, whether something is HIPAA compliant or not can turn on a dime.
Of course, most users don’t want to worry about the life of a file. That’s why end-to-end, file-level encryption is a better solution.
File-level encryption: File-level encryption enables users to encrypt specific files and folders with a unique key. This means the information is unavailable to unauthorized viewers, anywhere the file is stored. Importantly, it remains protected regardless of where it’s stored, because you’re encrypting more than just the place where it resides or travels.
Sookasa is the only HIPAA-certified solution that provides end-to-end encryption for cloud-based file sharing services. Files remain encrypted and are tracked by Sookasa—even if they are synchronized by the cloud application to a device. That means that even if they’re sent via email or downloaded to a device, they remain protected and auditable.
With the nuance of data encryption often eluding users, it’s more important than ever to educate everyone on your team about how they can use their files. User mistakes continue to be the top causes of HIPAA breaches, whether from losing a cell phone or failing to encrypt PHI on a stolen laptop.