Thanks for the Dropvault recommendation! I am looking for such recommendations in order to see what would work for us. Were you evaluating different solutions before deciding on Dropvault, and why did that one win over the others? Do you have any issues using Dropvault?

I agree with you on the key management side, and I think that giving employees access to individual encryption tools (Veracrypt, 7-zip with a password, aescrypt, gpg2, etc.) on their own would be a disaster from a management perspective. So the only way to handle the idea of encryption company-wide is to use a product that automatically manages the keys/encryption for each user. What happens when they forget the password, delete the key, or leave the company?

Potentially it should be centralized; otherwise it would be a pain for IT to support. Audit logs would be super important. That's why I think it would be best to use a vendor that specializes in this sort of thing instead of simple open-source encryption tools. The tools work great for personal use, but for regulatory compliance you need the audit logs, and those also have to be managed carefully.

The cloud providers you list are somewhat different from each other. For example, I would consider Google Drive and Dropbox to be on the consumer level, while Box and OneDrive are on the enterprise level and have support for HIPAA or other regulations. After all, they market Box as the enterprise Dropbox, whatever that means. Also, I know Dropbox has an Enterprise version that is heavy on encryption, key management, etc. I think they are all trying to solve the encryption and compliance problems so people don't need a third-party vendor to handle it.

Encryption of at-rest data is not a HIPAA requirement. If the above statements seem to conflict with each other, welcome to the club. Nevertheless, they are all true.

DropBox, deployed as an out-of-the-box solution, does not give you, the CE, the control and accountability you need to credibly say that your ePHI is secure. Yes, there are client-side solutions that will encrypt data before it is stored on DropBox's servers, with keys that only you (not DropBox) hold. Provided you can effectively manage those keys yourself (no small feat, BTW, in a compliance context), you are safe using DropBox. The BAA is supposed to indemnify you, the CE, from the effects of misdeeds by the BA. I am not a lawyer, but I wouldn't lean on that language very hard. Due diligence in selecting a vendor is still something that we must do, BAAs notwithstanding. If you see something you know is a red flag, shop elsewhere.

There is nothing in the HIPAA regulations that requires us to encrypt at-rest data. An auditor could come in tomorrow and could not cite you for unencrypted data on your servers. The value of encryption for at-rest data is when that data walks out the door. A properly deployed encryption solution then provides "safe harbor" when it comes to the reporting and notification requirements. No one can see any of those records on that laptop/hard drive/USB stick/CD/whatever.

Bill2718 wrote: "It would be possible to make Dropbox part of a workflow that was HIPAA compliant by using strong encryption and enforcing strict access controls, but by the time you do all that you'll have a complicated and not particularly friendly system. You're probably better off going with a provider who specializes in healthcare, or creating your own system using something like Owncloud."

Somewhat piggybacking off of this, I'll second that you can implement a solution that integrates with Dropbox to allow for HIPAA compliance. Bitglass is an option (that won't complicate your system) you should check out. It's a SaaS-based cloud and mobile security provider that offers security controls for cloud applications such as Dropbox. Here are links that will give you more information on Bitglass and Dropbox, and Bitglass Security & Compliance for Healthcare. It protects your corporate data both inside and outside the organization. Hope this helps, and let me know if I can be of further assistance.

Here's a video on how their proprietary MicroTokenization works:
I will gather more info on your query about insider attacks.

It does shed some light, but questions remain. Looking past catchy marketing terms like "Micro Encryption", the two key issues that remain unanswered for me are the encryption protocol (no matter how finely you chop up the encrypted pieces, if it's all done with ROT13 you don't have much actual encryption) and key management. Again, at some point, you have to put together the pieces and decrypt (or decrypt and put together the pieces), and that requires knowledge of which pieces go together with which keys. Now, even as a customer, I wouldn't expect a deep-dive explanation of how a vendor deals with those things. It's all sensitive and should be jealously guarded.