Bringing Box into HIPAA Alignment

January 6, 2018 | Author: Anonymous | Category: Business, Management, Business Information Systems
Bringing Box into HIPAA Alignment

Bill Barnett, Bob Flynn & Anurag Shankar
Pervasive Technology Institute and University Information Technology Services, Indiana University

CASC. September 17, 2014

Outline

1. Introduction
2. Service Partnership
3. Box Evaluation
4. Conclusions

1. Introduction

Nature abhors a vacuum

Because of the lack of HIPAA aligned campus services that support external collaborations, biomedical researchers share sensitive data using email and cloud services such as Google Docs, Dropbox, etc.

HIPAA in the Cloud?

• The lure of cheap, ubiquitous cloud storage is irresistible.
• Cloud providers have been unaware of or unwilling to address HIPAA compliance.
• Market pressures are forcing some vendors, including Amazon, Microsoft, and Box, to reconsider.
• We at IU have also been revisiting our stance of requiring our sensitive data to be kept on site.

2. Service Partnership

Box@IU & HIPAA

• Implemented at IU in 2012, Box has become popular for sharing data with collaborators within and outside IU.
• Researchers in the IU School of Medicine (second largest medical school in the U.S.) want to use Box to share clinical research data.
• This requires that Box be HIPAA aligned.

Box & HIPAA

• In 2013, Box began talking about the possibility of HIPAA alignment after conducting third party security and HIPAA audits.
• In late 2013, they began signing contracts promising to comply with HIPAA.
• Internet2 has negotiated a BAA* and revised contract with Box.

* BAA = Business Associate Agreement

Box@IU Basics

• Program rollout April 2012
• Reached 50,000 users by October 2013
• Currently:
  74,000 internal users
  9,000 external collaborators
  180,000 collaborations
  68TB in storage
• All this without FERPA or HIPAA data

Box@IU Growth

3. Box Evaluation

While Box told us they were HIPAA ‘compliant’, due diligence (to us) meant evaluating whether Box met the same NIST standards we follow ourselves.

The Stack

Layer               Responsible
Authentication      Box/IU
User Interface      Box
Application         Box
OS                  Box
Cloud Environment   Box
Network             Box

What We Did

• We asked Box for documentation of their information security practices, audit reports, etc.
• We reviewed the documents thoroughly.
• We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box’s security/risk management practices.
• Some of these answers came from the Box documentation, some from Box’s Compliance folks.

NIST HIPAA Security Rule Toolkit Questionnaire

Evaluation Results

• Box answered > 95% of the questions satisfactorily.
• They have the necessary “Required” and “Addressable” HIPAA safeguards in place.
• It helps greatly that they encrypt all data both in transit and at rest for enterprise customers and secure the encryption keys.

Current Status

• We have a signed BAA with Box.
• We are HIPAA aligning IU authentication services (Shibboleth and CAS) for ePHI, with a final check by internal governance (Security, Audit, Compliance).
• After the above are completed, we will issue an ATO and make Box available to biomedical researchers as a HIPAA aligned collaboration tool.

4. Conclusions

Conclusions

• Box provides an ideal data sharing environment for researchers, biomedical or otherwise.
• Our own NIST-based evaluation found Box to be capable of keeping our ePHI secure.
• We are using our existing standards to satisfy dependencies and ensure end-to-end security.

Contact

Bill Barnett [email protected]
Bob Flynn [email protected]
Anurag Shankar [email protected]

License Terms

Please cite as: Barnett, W., R. Flynn and A. Shankar, Bringing Box into HIPAA Alignment, presented at the Fall 2014 Coalition for Advanced Scientific Computing meeting, Arlington, DC.

Items indicated with a © are under copyright and used here with permission. Such items may not be reused without permission from the holder of copyright except where license terms noted on a slide permit reuse. Except where otherwise noted, contents of this presentation are copyright 2011 by the Trustees of Indiana University.

This document is released under the Creative Commons Attribution 3.0 Unported license (http://creativecommons.org/licenses/by/3.0/). This license includes the following terms: You are free to share – to copy, distribute and transmit the work and to remix – to adapt the work under the following conditions: attribution – you must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). For any reuse or distribution, you must make clear to others the license terms of this work.
