Bringing Box into HIPAA Alignment
Bill Barnett, Bob Flynn & Anurag Shankar
Pervasive Technology Institute and University Information Technology Services, Indiana University
CASC, September 17, 2014

Outline
1. Introduction
2. Service Partnership
3. Box Evaluation
4. Conclusions

1. Introduction

Nature abhors a vacuum
Because of the lack of HIPAA-aligned campus services that support external collaborations, biomedical researchers share sensitive data using email and cloud services such as Google Docs, Dropbox, etc.

HIPAA in the Cloud?
• The lure of cheap, ubiquitous cloud storage is irresistible.
• Cloud providers have been unaware of, or unwilling to address, HIPAA compliance.
• Market pressures are forcing some vendors, including Amazon, Microsoft, and Box, to reconsider.
• We at IU have also been revisiting our stance of requiring our sensitive data to be kept on site.

2. Service Partnership

Box@IU & HIPAA
• Implemented at IU in 2012, Box has become popular for sharing data with collaborators within and outside IU.
• Researchers in the IU School of Medicine (second largest medical school in the U.S.) want to use Box to share clinical research data.
• This requires that Box be HIPAA aligned.

Box & HIPAA
• In 2013, Box began talking about the possibility of HIPAA alignment after conducting third-party security and HIPAA audits.
• In late 2013, they began signing contracts promising to comply with HIPAA.
• Internet2 has negotiated a BAA* and revised contract with Box.
* BAA = Business Associate Agreement

Box@IU Basics
• Program rollout April 2012
• Reached 50,000 users by October 2013
• Currently: 74,000 internal users; 9,000 external collaborators; 180,000 collaborations; 68 TB in storage
• All this without FERPA or HIPAA data

Box@IU Growth
[Chart: Box@IU growth over time]

3. Box Evaluation

While Box told us they were HIPAA ‘compliant’, due diligence (to us) meant evaluating whether Box met the same NIST standards we follow ourselves.

The Stack
Layer              Responsible
Authentication     Box/IU
User Interface     Box
Application        Box
OS                 Box
Cloud Environment  Box
Network            Box

What we Did
• We asked Box for documentation of their information security practices, audit reports, etc.
• We reviewed the documents thoroughly.
• We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box’s security and risk management practices.
• Some of these answers came from the Box documentation, some from Box’s Compliance folks.

NIST HIPAA Security Rule Toolkit Questionnaire
[Screenshot: NIST HIPAA Security Rule Toolkit questionnaire]

Evaluation Results
• Box answered more than 95% of the questions satisfactorily.
• They have the necessary “Required” and “Addressable” HIPAA safeguards in place.
• It helps greatly that they encrypt all data both in transit and at rest for enterprise customers, and secure the encryption keys.

Current Status
• We have a signed BAA with Box.
• We are HIPAA aligning IU authentication services (Shibboleth and CAS) for ePHI, with a final check by internal governance (Security, Audit, Compliance).
• After the above are completed, we will issue an ATO and make Box available to biomedical researchers as a HIPAA-aligned collaboration tool.

4. Conclusions

Conclusions
• Box provides an ideal data sharing environment for researchers, biomedical or otherwise.
• Our own NIST-based evaluation found Box to be capable of keeping our ePHI secure.
• We are using our existing standards to satisfy dependencies and ensure end-to-end security.

Contact
Bill Barnett barnettw@iu.edu
Bob Flynn reflynn@iu.edu
Anurag Shankar ashankar@iu.edu

License Terms
Please cite as: Barnett, W., R. Flynn and A. Shankar, Bringing Box into HIPAA Alignment, presented at the Fall 2014 Coalition for Advanced Scientific Computing meeting, Arlington, DC.

Items indicated with a © are under copyright and used here with permission. Such items may not be reused without permission from the holder of copyright except where license terms noted on a slide permit reuse. Except where otherwise noted, contents of this presentation are copyright 2011 by the Trustees of Indiana University. This document is released under the Creative Commons Attribution 3.0 Unported license (http://creativecommons.org/licenses/by/3.0/). This license includes the following terms: You are free to share (to copy, distribute and transmit the work) and to remix (to adapt the work) under the following conditions: attribution, meaning you must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). For any reuse or distribution, you must make clear to others the license terms of this work.