Bringing Box into HIPAA Alignment
advertisement
Bringing Box into HIPAA Alignment Bill Barnett, Bob Flynn & Anurag Shankar Pervasive Technology Institute and University Information Technology Services, Indiana University CASC. September 17, 2014 University Information Technology Services CASC. September 17, 2014 Outline 1. Introduction 2. Service Partnership 3. Box Evaluation 4. Conclusions University Information Technology Services CASC. September 17, 2014 1. Introduction University Information Technology Services CASC. September 17, 2014 Nature abhors a vacuum Because of the lack of HIPAA aligned campus services that support external collaborations, biomedical researchers share sensitive data using email and cloud services such as Google docs, Dropbox, etc. University Information Technology Services CASC. September 17, 2014 HIPAA in the Cloud? • The lure of cheap, ubiquitous cloud storage is irresistible. • Cloud providers have been unaware or unwilling to address HIPAA compliance. • Market pressures are forcing some vendors, including Amazon, Microsoft, and Box, to reconsider. • We at IU have also been revisiting our stance of requiring our sensitive data to be kept on site. University Information Technology Services CASC. September 17, 2014 2. Service Partnership University Information Technology Services CASC. September 17, 2014 Box@IU & HIPAA • Implemented at IU in 2012, Box has become popular for sharing data with collaborators within and outside IU. • Researchers in the IU School of Medicine (second largest medical school in the U.S.) want to use Box to share clinical research data. • This requires that Box be HIPAA aligned. University Information Technology Services CASC. September 17, 2014 Box & HIPAA • In 2013, Box began talking about the possibility of HIPAA alignment after conducting thirty party security and HIPAA audits. • In late 2013, they began signing contracts promising to comply with HIPAA. • Internet2 has negotiated a BAA* and revised contract with Box. * = Business Associate Agreement University Information Technology Services CASC. September 17, 2014 Box@IU Basics • Program rollout April 2012 • Reached 50,000 users by October 2013 • Currently 74,000 internal users 9,000 external collaborators 180,000 collaborations 68TB in storage • All this without FERPA or HIPAA data University Information Technology Services CASC. September 17, 2014 Box@IU Growth University Information Technology Services CASC. September 17, 2014 3. Box Evaluation University Information Technology Services CASC. September 17, 2014 While Box told us they were HIPAA ‘compliant’, due diligence (to us) meant evaluating whether Box met the same NIST standards we follow ourselves. University Information Technology Services CASC. September 17, 2014 The Stack Layer Responsible Authentication Box/IU User Interface Application Box OS Cloud Environment Network Box Box Box Box University Information Technology Services CASC. September 17, 2014 What we Did • We asked Box for documentation of their information security practices, audit reports, etc. • We reviewed the documents thoroughly. • We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box’s security/risk management practices. • Some of these answers came from the Box documentation, some from Box’s Compliance folks. University Information Technology Services NIST HIPAA Security Rule Toolkit Questionnaire CASC. September 17, 2014 University Information Technology Services CASC. September 17, 2014 Evaluation Results • Box answered > 95% of the questions satisfactorily. • They have the necessary “Required” and “Addressable” HIPAA safeguards in place. • It helps greatly that they encrypt all data both during transit and at rest for enterprise customers and secure the encryption keys. University Information Technology Services CASC. September 17, 2014 Current Status • We have a signed BAA with Box. • We are HIPAA aligning IU authentication services (Shibboleth and CAS) for ePHI, with a final check by internal governance (Security, Audit, Compliance). • After the above are completed, we will issue an ATO and make Box available to biomedical researchers as a HIPAA aligned collaboration tool. University Information Technology Services CASC. September 17, 2014 4. Conclusions University Information Technology Services CASC. September 17, 2014 Conclusions • Box provides an ideal data sharing environment for researchers, biomedical or otherwise. • Our own NIST-based evaluation found Box to be capable of keeping our ePHI secure. • We are using our existing standards to satisfy dependencies and ensure end to end security. University Information Technology Services CASC. September 17, 2014 Contact Bill Barnett barnettw@iu.edu Bob Flynn reflynn@iu.edu Anurag Shankar ashankar@iu.edu License Terms Please cite as: Barnett, W., R. Flynn and A. Shankar, Bringing Box into HIPAA Alignment, presented at the Fall 2014 Coalition for Advanced Scientific Computing meeting, Arlington, DC. Items indicated with a © are under copyright and used here with permission. Such items may not be reused without permission from the holder of copyright except where license terms noted on a slide permit reuse. Except where otherwise noted, contents of this presentation are copyright 2011 by the Trustees of Indiana University. This document is released under the Creative Commons Attribution 3.0 Unported license (http://creativecommons.org/licenses/by/3.0/). This license includes the following terms: You are free to share – to copy, distribute and transmit the work and to remix – to adapt the work under the following conditions: attribution – you must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). For any reuse or distribution, you must make clear to others the license terms of this work.
