Data security and privacy are key concerns when using cloud-based services for storing or sharing confidential data. It is a no-brainer to use these services for storing or sharing non-confidential data, but it is a completely different ball game when healthcare professionals start using file sharing services to store and exchange electronic protected health information (ePHI).
Before blindly signing up for the cheapest file sharing service, it is very important to understand how the cloud service provider protects your confidential files, both while stored on servers in their data center (data at rest) and while traveling from your computer to their servers via the internet (data in motion). ePHI must be protected at all times, and end-to-end encryption is the way to do just that: it ensures that ePHI is encrypted both at rest and in motion.
Almost all file sharing services provide encryption for data in motion via SSL (Secure Sockets Layer) or TLS (Transport Layer Security). This ensures that the data cannot be snooped on while in transit between your computer and their data center. However, not all file sharing services encrypt the data when it is stored on their servers in the data center. This means that your ePHI could be sitting in plain text for any unauthorized person to read if they can gain access to it. Some service providers do encrypt the stored data, but they also hold the encryption key, so the provider (or anyone who compromises it) can still read your files. Both are potential scenarios for a data breach.
This issue can be addressed by encrypting confidential data locally on your computer before sending it to the cloud using encryption tools such as Viivo, nCrypted Cloud, BoxCryptor, CloudFogger, or Sookasa. They also connect with most major file sharing services so you can transfer your encrypted documents to the cloud very easily.
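To make the "encrypt locally, then upload" idea concrete, here is an added example (not code from the article or from any of the products it names) showing the property that matters: the key is generated and kept on the user's machine, the provider only ever receives ciphertext, and any modification of the stored blob is detected on download. It assumes the `cryptography` package is installed; the patient record and file name are constructed sample data.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


def generate_local_key() -> bytes:
    """Create a 256-bit key that stays on the user's computer, never at the provider."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_for_upload(key: bytes, plaintext: bytes, filename: str) -> bytes:
    """Return the blob that is uploaded: nonce || ciphertext || authentication tag.
    The file name is bound in as associated data, so a blob that is renamed or
    swapped for another file on the server side will not decrypt."""
    nonce = os.urandom(NONCE_LEN)  # fresh per file; never reuse a nonce under one key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode())
    return nonce + ciphertext


def decrypt_after_download(key: bytes, blob: bytes, filename: str) -> bytes:
    """Recover the plaintext; raises InvalidTag if the blob was altered."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, filename.encode())


def tamper_detected(key: bytes, blob: bytes, filename: str) -> bool:
    """True if the downloaded blob fails authentication (data at rest was modified)."""
    try:
        decrypt_after_download(key, blob, filename)
    except InvalidTag:
        return True
    return False


def provider_can_read(blob: bytes, marker: bytes) -> bool:
    """The provider (or an intruder on its servers) sees only the blob; a
    recognisable plaintext marker must not be findable in it."""
    return marker in blob


if __name__ == "__main__":
    key = generate_local_key()
    record = b"Patient: Jane Doe, MRN 000123, Dx: hypertension"  # constructed sample ePHI
    blob = encrypt_for_upload(key, record, "visit-notes.txt")
    assert not provider_can_read(blob, b"Jane Doe")
    assert decrypt_after_download(key, blob, "visit-notes.txt") == record
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])  # one bit changed on the server
    assert tamper_detected(key, flipped, "visit-notes.txt")
    print("round trip ok; provider sees only ciphertext; tampering detected")
```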
The use of file sharing is only going to increase with time because of the convenience, ease of use, and improved productivity it brings. Sooner or later your employees will use it, with or without your approval. Hence all healthcare organizations need to be proactive and take the following steps to ensure that employees use file sharing services to exchange ePHI securely:
- Have an official policy for employee usage of file sharing services that states which services are allowed and which ones are not. Explain clearly the rationale for your decision with respect to data security and compliance.
- Train employees on the secure usage of file sharing services. Make them fully aware of the data security and HIPAA compliance requirements. Do not assume that employees know their compliance responsibilities.
- Limit employee access to ePHI to only those employees that need it as a part of their job responsibilities.
- Implement access and audit controls on your computer systems to monitor for unauthorized or inappropriate ePHI access and use.
- Execute a business associate agreement with the file-sharing cloud service provider to ensure that they understand their legal responsibility under HIPAA to ensure the security of your ePHI.