Shelling out the cash for business and healthcare versions of file sharing services grants you worthwhile visibility, control, and encryption abilities for PHI.
Google Apps and file sharing services such as Box and Dropbox are tempting tools for simplifying healthcare collaboration and decision making. However, they can also expose healthcare organizations to serious HIPAA compliance and security issues at a time when personal health information (PHI) has become a more profitable target for hackers than credit card information.
If you plan to use these tools in your organization, consider the following tips:
Use the Business or Healthcare Versions.
It’s tempting to sign up for the free consumer versions of these services, but they were never designed for protecting PHI in a HIPAA-regulated environment. If you don’t shell out the cash for Google G Suite or Dropbox Business, you’ll regret the lack of fine-grained visibility, access control, strong encryption, and the logging and auditing required for HIPAA compliance and data breach prevention. Some of these solutions, such as Box and Citrix ShareFile, even offer versions designed specifically for healthcare environments, but exclusively for paying customers.
HIPAA Compliant? Not so Fast!
Lots of file sharing vendors and Google G Suite claim HIPAA compliance and are willing to sign a HIPAA Business Associate Agreement (BAA). The truth, however, is that making their use compliant is up to you. For example, the Google Apps BAA covers Gmail, Calendar, Google Drive and Google Apps Vault; Google Groups, Google Contacts and Google+ are not covered. Determine who in your organization handles PHI. Then, for those users, configure the covered services carefully according to the vendor’s HIPAA guidance, and disable the non-compliant services in the administration console. Make sure you set the granular permissions that ensure the wrong people, both inside and outside the organization, don’t have access to PHI or financial data.
Can You Trust Your Users?
Many of the data leakage prevention capabilities in these solutions are left up to the user, rather than the administrator. For example, it’s often up to users to ensure that emailed file links make shared files accessible to intended recipients only. The default is often to share the files with anyone who has access to the link. The problem is that users in a hurry often forget or don’t bother to take the proper precautions, or a recipient may forward the link to another user. Similarly, users may add others to a chat session that earlier discussed PHI or forget to set calendar entries with PHI to “Private,” possibly exposing PHI to the wrong eyes.
Encryption? Not Everywhere.
File sharing services such as Google Drive and Dropbox Business boast strong file encryption, but in many cases that is only on the server and in transit. Once those files land on laptops and other mobile devices, they’re generally no longer encrypted by default. This makes them potentially available to anyone if those devices are lost, stolen, borrowed or hacked. Because of this, you either have to disable file synchronization or deploy client-side encryption across all devices to ensure that data doesn’t get into the wrong hands. Similarly, logging mostly covers what happens on the server, not all those syncing devices.
Configure Notifications and Check Those Logs.
Anyone using these services should configure notifications to send alerts when suspicious activities are detected. These may include suspicious login attempts, users suspended by administrators, new users added, suspended users made active again, users deleted, a user’s password changed by an administrator, a user granted admin privileges, and so on. It’s also important to review the logs regularly, since an alert you never configured is an event you will only find after the fact.
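The alert list above, plus the "anyone with the link" sharing default from the section on trusting users, can be turned into a small review script. This is an added example, not code from the article or from any of the vendors named; the newline-delimited JSON records and their field names (`event`, `actor`, `target`, `suspicious`, `visibility`) are a constructed, vendor-neutral shape, so map them to your service's real audit export before relying on it.

```python
import json
# Constructed sample audit events (assumed vendor-neutral shape, not any service's real export).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:02:11Z", "event": "login", "actor": "nurse1@example.org", "target": "nurse1@example.org", "suspicious": true}
{"ts": "2024-05-01T08:10:00Z", "event": "user_created", "actor": "admin@example.org", "target": "temp@example.org"}
{"ts": "2024-05-01T08:11:00Z", "event": "admin_granted", "actor": "admin@example.org", "target": "temp@example.org"}
{"ts": "2024-05-01T08:12:00Z", "event": "password_changed", "actor": "admin@example.org", "target": "dr.lee@example.org"}
{"ts": "2024-05-01T08:13:00Z", "event": "password_changed", "actor": "dr.lee@example.org", "target": "dr.lee@example.org"}
{"ts": "2024-05-01T08:20:00Z", "event": "user_unsuspended", "actor": "admin@example.org", "target": "old@example.org"}
{"ts": "2024-05-01T08:30:00Z", "event": "share_changed", "actor": "nurse1@example.org", "target": "labs/patient-123.pdf", "visibility": "anyone_with_link"}
{"ts": "2024-05-01T08:31:00Z", "event": "share_changed", "actor": "nurse1@example.org", "target": "labs/summary.pdf", "visibility": "specific_people"}
{"ts": "2024-05-01T09:00:00Z", "event": "login", "actor": "dr.lee@example.org", "target": "dr.lee@example.org", "suspicious": false}
"""

# One rule per alert the article recommends; each returns True when the event should alert.
RULES = {
    "suspicious_login": lambda e: e.get("event") == "login" and e.get("suspicious", False),
    "user_suspended": lambda e: e.get("event") == "user_suspended",
    "user_created": lambda e: e.get("event") == "user_created",
    "suspended_user_reactivated": lambda e: e.get("event") == "user_unsuspended",
    "user_deleted": lambda e: e.get("event") == "user_deleted",
    # A password change performed by someone other than the account owner is the admin-reset case.
    "password_changed_by_admin": lambda e: e.get("event") == "password_changed" and e.get("actor") != e.get("target"),
    "admin_privilege_granted": lambda e: e.get("event") == "admin_granted",
    # A file left at "anyone with the link" is the user-side leak path the article warns about.
    "file_shared_with_anyone": lambda e: e.get("event") == "share_changed" and e.get("visibility") == "anyone_with_link",
}

def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank or malformed lines."""
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupt export line should not abort the whole review
    return events

def detect_alerts(events):
    """Return (rule, ts, actor, target) for every event that matches a rule."""
    alerts = []
    for e in events:
        for name, matches in RULES.items():
            if matches(e):
                alerts.append((name, e.get("ts"), e.get("actor"), e.get("target")))
    return alerts

if __name__ == "__main__":
    for a in detect_alerts(parse_events(SAMPLE_LOG)):
        print("ALERT %-28s %s actor=%s target=%s" % a)
```

Run against the sample, it flags six of the nine records and stays quiet on the self-service password change, the file shared with specific people, and the ordinary login.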
It is possible to take advantage of enterprise file sharing and Google Apps in a HIPAA-regulated environment, but it takes significant care, oversight and user education that may hamper some of the convenience users know and love. In that case, watch out for Shadow IT!