The Sookasa Blog

How to maintain HIPAA compliance with Dropbox and Box

The emergence of cloud and mobile technologies has introduced major challenges for healthcare organizations seeking to adopt cutting-edge productivity tools while facing rising HIPAA obligations. This post explains the compliance risks associated with these technologies and provides a clear guideline for fully adopting cutting-edge cloud technologies, such as Dropbox and Box, in a healthcare setting.

File Sharing HIPAA Risks

File sharing services are booming in popularity. Osterman Research forecasts that in 2017 the number of file sharing users worldwide will reach close to 800 million (1). Nasuni estimates that one in five professionals already uses Dropbox for work documents (2).

However, cloud file sharing services like Dropbox and Box create significant new compliance risks and challenges for healthcare organizations of all sizes:

1. Sync: File sharing services allow employees to sync thousands of files containing PHI onto their personal unencrypted desktops or mobile devices. Theft or exposure of these devices can cause a massive HIPAA breach.

2. Unauthorized Sharing: Since shared folders may contain thousands of files, it’s very easy to inadvertently share large numbers of files containing PHI with unauthorized people.

3. Recursive Sharing: Once a folder has been shared externally, it’s typically very difficult to keep track of it or to prevent the recipients from sharing it on in turn. These files can then be passed on to still more people, further exacerbating the problem.

4. Scattering of Data: Files that are synced to desktops and mobile devices tend to be opened in multiple different applications, or uploaded to other cloud services. It’s very hard to audit and secure these files once they have left the file sharing service.

5. Lack of Auditing: Most file sharing services only provide auditing for files while they are stored in the cloud, and even then these audits don’t necessarily comply with HIPAA. Once the files are synchronized to a device or shared with external people, they are invisible to the cloud service’s auditing.

Studies show that over one million devices are lost or stolen each week in the US, including 12,000 laptops in US airports alone (3). A recent survey (Sophos) shows that 22% of respondents lost their phones in the last year (4). With these statistics a breach is virtually guaranteed.

Many healthcare organizations are therefore faced with the following dilemma: should we ban cloud file sharing, or enable it while accepting the increased legal liabilities?

According to the new HIPAA HITECH regulations, you are legally obliged to report to the US Department of Health and Human Services every time one of your employees loses or accidentally shares information about 500 or more individuals at one time. In such a case not only can you be fined up to $1.5 million, but you are also exposed to unlimited privacy breach liabilities. Not surprisingly, over 60% of HIPAA violations reported by the Department of Health occur as a result of lost or stolen devices. This problem is seriously exacerbated by cloud file sharing services, where a single device can be synchronized to thousands of files with PHI.

Cloud applications and mobile file access provide significant productivity gains by enabling your employees to access files from anywhere, synchronize their data across disparate locations, and share and collaborate seamlessly with colleagues.

Sookasa offers a revolutionary service that leverages modern file sharing technologies to improve data security and compliance without increasing liability. Sookasa provides a complete compliance “shield” around files stored on Dropbox, turning the files on your favorite file sharing service, whether in the cloud or on a device, into a HIPAA safe haven. Once the cloud file sharing and on-device folders are made safe, other “breach-prone” ways of accessing and sharing documents outside the organization, such as removable media, portable drives, printed material and email attachments, can be eliminated.

Sookasa accomplishes this task by encrypting, auditing and controlling access to files anywhere they go.

With Sookasa, you can revoke access in real-time to any user or device. As a result, Sookasa safeguards your organization’s sensitive data on Dropbox, even if an employee loses a device or mistakenly shares data with an unauthorized third party.

Furthermore, Sookasa gives you complete monitoring of access to your data, and generates audit trails that show you who accessed and changed any file. By tracking exactly which files have been exposed in the event of an incident, you can prove that no unauthorized parties have viewed the sensitive data from the lost device.

Cloud applications are here to stay, and their use among healthcare practitioners is bound to increase. With Sookasa you can be sure that your organization’s transition to the cloud runs smoothly and safely.

References:

1. http://www.marketwire.com/press-release/osterman-research-current-file-sync-share-fraught-with-security-governance-control-issues-1803627.htm
2. http://www.nasuni.com/news/press_releases/65-survey_nearly_half_of_employees_that_use_file
3. http://www.ponemon.org/news-2/8
4. http://usatoday30.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1