How important is it for healthcare businesses to choose the right file-sharing service and use it correctly?
According to the IBM X-Force Report, “inadvertent activity such as misconfigured cloud infrastructure was responsible for the exposure of nearly 70 percent of compromised records.”
The statistics tell an insightful story about data breaches. While the world is quick to assume black hat actors are responsible, that’s actually one of the least likely scenarios. As a HIPAA-compliant organization, you need to not only identify this risk but also mitigate it.
Working in the cloud introduces a whole new set of security problems for healthcare. To protect your company from HIPAA violations, finding HIPAA-compliant file storage services is essential.
Why HIPAA compliance matters in cloud storage
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. According to HITECH, HIPAA compliance standards apply to any service provider that can access personal health information. This includes providers of cloud-based file storage services.
Failure to comply comes with stiff penalties under the HITECH Act. The new law created a tiered penalty structure in which the penalty for each infraction increases with the level of culpability:
- Unknowing violations run from $100 to $50,000 per violation. The annual maximum for multiple identical infringements is $1.5 million.
- Violations with reasonable cause start at $1,000 per offense and have the same maximums as unknowing violations.
- Violations due to willful neglect that are corrected within the required timeframe have a minimum penalty of $10,000 and a maximum of $50,000. The maximum annual penalty is $1.5 million for the same violation.
- Violations due to willful neglect that are not corrected within the required timeframe start at $50,000. The annual maximum per violation is $1.5 million.
Monetary penalties can be increased and jail time added if a criminal violation also occurred. Since these fines fall on the “covered entity” and not the service provider, it’s vital to find a HIPAA-compliant provider.
What to look for in a HIPAA-compliant storage service
Is it enough to have HIPAA/HITECH support? While that is an essential factor, it’s not the only thing healthcare businesses should require in a file-sharing service. Other things to consider include:
- The ability to perform audits. Administrators need a way to audit users to ensure they remain security compliant, especially when using mobile devices. Look for a platform with a host of administrative controls, such as reports and audit trails.
- Business associate agreements (BAA). A business associate agreement is a HIPAA standard. It defines the cloud storage company’s responsibilities for safeguarding protected health information.
- Encryption methods. Companies need to encrypt data to prevent access by unauthorized individuals.
4 of the best HIPAA-compliant file-sharing services
- Dropbox for Business
- Box
- G Suite
- ShareFile Business
Dropbox for Business
In November of 2015, Dropbox Business created a platform that boasted compliance with HIPAA and the HITECH Act. The service includes:
- Administrative controls
- Review and removal functions for linked devices
- User access with activity reports
- Optional two-step authentication
Dropbox uses an enterprise-grade security system with 256-bit AES encryption along with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption for safe data transmission. Dropbox meets compliance standards for ISO 27001 and SOC 2, as well.
Box
In 2013, Box added HIPAA and HITECH compliance standards to its enterprise accounts. The features from Box include:
- Access monitoring
- Audit trails
Box provides large file access for healthcare companies and works with different operating systems for employee devices. What stands out about Box storage is the number of advanced integrations available. Currently, Box integrates with:
- Oracle Marketing Cloud
- Office 365
Box allows users to securely share and view imaging files, such as X-rays, CT scans, and ultrasounds.
G Suite
G Suite, once called Google Apps for Work, is ISO 27001 certified and has passed both SOC 2 and SOC 3 audits. Customers who opt for this file-sharing option get a BAA signed, which is a prerequisite for HIPAA compliance. This fact and the features listed below essentially make G Suite a HIPAA-compliant tool. These customers also get:
- Administrative controls
- Account activity tracking and audits
- App activity tracking and audits
- File-sharing permissions
- Google Vault for electronic discovery reference
- Two-factor authentication
- TLS and SSL encryption
ShareFile Business
The ShareFile Business package is a simpler way to go about sharing files. Users have the option to download a desktop app or go online to the ShareFile web portal.
ShareFile provides a more stripped-down solution than its competitors. However, it still offers very attractive security features, such as:
- SSL/TLS encryption protocols
- SSAE 16 Type II certified data centers
- Audit trails
- Configurable permissions
Staying HIPAA compliant with the right tech stack
The vast majority of file exposures in your organization are most likely due to factors within your control. You can, and should, mitigate this risk.
By choosing the right solutions for gathering, processing, and storing PHI, you can ensure your procedures meet HIPAA standards at all times.