The following is a guest post by Asaf Cidon, CEO and co-founder of Sookasa.
Healthcare providers across the country are quickly learning how useful cloud-based file-sharing services like Dropbox, Box, and Google Drive can be.
These services allow practitioners to store documents in the cloud, share them with other users, and automatically synchronize the latest document versions to a number of different devices. This means that patient files can be automatically backed up, and that healthcare providers can quickly move from tablet to laptop to desktop during their workday, while maintaining access to the information they need.
The only problem is security. Dropbox and other file-sharing services do their best to safeguard documents while they sit on their servers, but the companies can’t protect the documents once they’re downloaded to a device.
On a practical level, this means that every device you sync with your file-sharing account could house thousands of unprotected patient files. This is, of course, a HIPAA violation waiting to happen. You wouldn’t keep reams of sensitive paper files in your unlocked car, or toss them into the Dumpster behind your building. But leaving your files unprotected on a tablet or laptop is just as dangerous. Consider the fact that 12,000 laptops are stolen each week at U.S. airports alone. It’s no wonder that more than 60 percent of reported HIPAA violations are the result of lost or stolen devices.
Even encrypting your devices won’t fully solve the problem, because you’ll eventually need to share files with healthcare providers outside of your practice, who use devices outside of your control. Once you share a file externally, that file can be shared over and over again with other providers, like a children’s game of “telephone,” and some might even upload it to other file-sharing services and sync it to more devices. You or someone else might even accidentally share a file with the wrong person, simply by typing in the wrong contact information.
What’s more, if you do learn of a data breach, it will be nearly impossible to find out how it happened, because most file-sharing services only audit files while they’re stored in the cloud.
Several clunky and expensive solutions exist to help organizations add a layer of security when using cloud-based file-sharing services like Dropbox, but these solutions honestly don’t work all that well, and they require extensive IT support.
We at Sookasa believe we’ve found a better way. Our software encrypts, audits, and controls access to documents shared on Dropbox, anywhere the files go. Only trusted users can open the files, and the software allows users to revoke access, meaning that patient data can be blocked, even if a device is lost or stolen. These features convert your files into HIPAA safe havens, protecting them even when they’re downloaded onto new devices.
With the help of a product like Sookasa – along with comprehensive risk assessment from HIPAA Secure Now! – your practice can stay in HIPAA compliance, while also taking advantage of all the benefits that cloud-based file-sharing has to offer.
Asaf Cidon is CEO and co-founder of Sookasa, a company that helps businesses to control their data securely via the cloud with a product that encrypts, audits and controls access to files stored on Dropbox, and complies with HIPAA and other governmental regulations. Learn more at www.sookasa.com.
Unfortunately the data will still be residing on Dropbox’s systems, which require them to sign a BAA. And as of now, Dropbox is unwilling to sign BAAs, so this is a non-starter.
The data will be encrypted both in transit and at rest on Dropbox. Consequently, Dropbox is not exposed in any way to PHI, which means Dropbox is not required to sign a Business Associate Agreement.
Sookasa developed a legal position on this issue with one of the nation’s leading healthcare privacy lawyers.