When I first considered writing this post about possible HIPAA violations, I could clearly imagine how non-IT compliant file sharing could cause issues with HIPAA compliance. It wasn't until I really started digging into it that a whole world of real-life examples opened up to me. In fact, if you think that your current policy of allowing non-IT file sharing is okay, you might want to reconsider. How so?
First, let me relate the account of a hospital that was actually fined for violating HIPAA requirements. The hospital had no evidence of a breach. No patient data was compromised as far as anyone could tell. However, because their users were sharing patient data in a way that put them at risk, they were fined. The data didn't have to be exploited to be found in violation. It just had to be capable of being stolen. That hospital ended up being fined over $200,000. There is a definite downside to our users circumventing IT controls and making their own decisions.
I believe we should consider the following areas when it comes to secure file transfer and storage:
Data at rest and data in motion need to be part of the solution. Using Next Generation Encryptions, such as AES-256, Elliptical Curve Diffie Hellman, SHA-256, and so on are keys to enhancing the security level of your data. No matter where data exists in your environment, it should be protected at, a minimum, by some form of strong encryption.
The solution cannot leave data free in the open with no authentication controls. Strong user authentication also has to be in place. Password strength should be high, using the standard requirements of variations in upper and lower case, alphanumeric values, and special characters. A longer password length will provide additional security. Restricting access to data, even encrypted data, ensures that it doesn't end up somewhere it shouldn't be and become vulnerable to theft.
We should also consider anti-malware filtering. We never want our organization to be a source of malware. Making sure that we aren’t inadvertently sharing malware is critical. The rise of malware as the preferred method of data theft and exfiltration means we need to be even more vigilant about keeping our organization free from attack.
Length of storage
For a while, I used a Keyboard Maestro snippet, a Hazel rule, three folders, and Dropbox to personally share files. I had three folders:
- 1 Day
- 5 Days
- 30 Days
I could put a file in one of those three folders and then Hazel would look at them constantly. If a file in the 1 Day folder was older than 1 day, Hazel would delete it. The same was true with the other folders and their respective durations.
That was a good solution for a home user, but it’s not a good solution for an enterprise. However, several offerings today are able to place a lifetime of the data as well as a user’s access. These things need to be factored in as well. And remember that good data hygiene practices should be followed with a time-limited storage sharing system. Critical data can get exploited in a matter of minutes when it isn't protected.
Audit logging and user tracking is another important factor. If you don’t have this kind of visibility, how do you know if, for example, your data is being downloaded by a trusted user in Colorado and 15 minutes later by the same user--only this time from China. These types of things would certainly raise a red flag. If we’re flying blind, we’re putting ourselves in line for big fines or worse.
When it comes to file-sharing solutions, if a user is working with a laptop, we need to be concerned about that laptop being stolen and whether or not we have a remote wipe capability.
Where do we go from here?
I think the best solution is to educate ourselves about our options and then educate our users on how to get the most out of the solution. Of course, this may not be your approach. That’s okay. But anyone who’s responsible for the deployment of a solution should do their due diligence in selecting the best one for their organization.
What experiences have you had in working with a secure file sharing solution and navigating HIPAA compliance?