Is Dropbox HIPAA Compliant? And Other Cloud Storage Security Questions
Every CTO or CIO working in or around healthcare has been asked this question at least once:
“Is Dropbox HIPAA compliant? What about Google Drive?”
The short answer is yes: as of late 2015, Dropbox's business plans support compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and Dropbox will sign the business associate agreement that compliance requires.
But at Big Green IT, we believe the real question is:
“What’s the best cloud storage option for my compliance requirements?”
In this post we’ll compare and contrast some popular cloud storage systems.
Do You Have To Comply With HIPAA And Other Compliance Requirements?
Well…
Under the original 1996 act, the stiffest penalty for a HIPAA violation was a $250,000 fine (plus up to ten years in prison) for criminal misuse of PHI. Since HITECH took effect in 2009, civil penalties alone can reach $1.5 million per year for each provision violated, and criminal charges remain on the table. A quick Internet search of “HIPAA lawsuit” should inspire healthcare organizations, and the companies that work with them, to implement standard compliance practices throughout their business, including IT.
A (Brief!) Background On HIPAA And HITECH In Regard To Cloud Storage
The HIPAA Security Rule is intended to protect the confidentiality, integrity, and availability of electronic health information. Rather than explain HIPAA in plain English, as this resource does nicely, we’ll touch only on the topics related to cloud storage.
Electronic transfer and storage of protected health information (PHI) gets particular attention. The Health Information Technology for Economic and Clinical Health (HITECH) Act significantly changed how business associates of healthcare organizations are permitted to handle that data, and made them directly liable for violations. Under HITECH, any service provider that handles PHI on a healthcare organization's behalf (file storage, email, and so on) must sign a contract called a business associate agreement (BAA) before it can work with that organization.
The BAA matters for cloud storage and email providers because it commits them to complying with the HIPAA security processes, procedures, and disclosure rules, and there are a LOT of them. Examples of required safeguards include contingency plans for disaster recovery, workforce training, regular risk assessments, and a slew of access-control requirements such as unique user identification, automatic logoff, and audit logging.
If a cloud storage provider can’t demonstrate, through documentation and a signed BAA, that it meets this list of requirements, no organization that touches PHI should work with it.
If you’re considering a cloud storage solution, here’s the deal:
If PHI is out of your physical control (stored off-site at a cloud storage provider like Dropbox), you need assurance that the provider's processes for storing and accessing that data are compliant. A BAA is the contract that puts the provider on the hook for this; its SOC 2 or ISO 27001 audit reports are the evidence behind the signature.
If a PHI data breach occurs and you, or any service provider you use, are not HIPAA compliant… Yikes.
Additionally, even with a signed BAA, it’s your job to ensure the data is secure while it is hosted at a cloud storage provider. Some examples are:
- Data is encrypted at rest on the provider’s servers
- Data downloaded or synced from the cloud stays protected on the endpoint (device encryption, controlled sync clients)
- Data is encrypted in transit on its way into the cloud (TLS)
- Data is encrypted in transit on its way out, whether you are downloading it or migrating it to another provider
Now that you have some background on compliance, let’s take a look at some service providers.
Cloud Storage Options That Are Not Compliant
We’re going to breeze through a few popular (yet non-compliant) file storage/sharing services for your general knowledge.
Amazon S3 Is Not HIPAA Compliant Out Of The Box
Amazon S3 is not HIPAA compliant out of the box, but you can configure an environment that is. AWS will sign a BAA, and S3 is on its list of HIPAA-eligible services, so the work is in the configuration (encryption at rest and in transit, tightly scoped access, and logging) rather than in the contract. It is a custom job that somebody familiar with Amazon Web Services (AWS) has to implement. That seems to be the story with AWS in general.
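As an added example (not code from the original post, and not AWS's own tooling), here is what that configuration looks like for one bucket: a bucket policy that denies any request not made over TLS and any upload that does not request SSE-KMS encryption, the default-encryption setting for the bucket, and a small local evaluator so the policy's Deny logic can be exercised offline against constructed requests. The bucket name, KMS key ARN and sample requests are hypothetical; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are real IAM/S3 keys, and the evaluator models only the three condition operators the policy uses.

```python
# Added example, not from the original post: a HIPAA-oriented S3 bucket
# configuration (TLS-only access, SSE-KMS required) plus a small offline
# evaluator for the policy's Deny logic. Bucket name, KMS key ARN and the
# sample requests are hypothetical.
import json
from typing import Optional

BUCKET = "example-phi-bucket"  # hypothetical
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")  # hypothetical


def phi_bucket_policy(bucket: str) -> dict:
    """Bucket policy with three explicit Deny statements:
    1. any request not made over TLS (aws:SecureTransport is false);
    2. any upload whose SSE header names something other than aws:kms;
    3. any upload with no SSE header at all (the Null check catches the
       missing header regardless of how StringNotEquals treats absence).
    An explicit Deny wins over every Allow in IAM evaluation."""
    arn = f"arn:aws:s3:::{bucket}"
    sse = "s3:x-amz-server-side-encryption"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {sse: "aws:kms"}}},
            {"Sid": "DenyUploadsWithoutSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {sse: "true"}}},
        ],
    }


def default_encryption_config(kms_key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration body for put_bucket_encryption, so
    objects written without an explicit header still get SSE-KMS."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True}]}


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate only the operators used above against a request context."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Bool":
                if not present or str(ctx[key]).lower() != want.lower():
                    return False
            elif op == "StringNotEquals":
                # Treated conservatively: a missing key does not match here,
                # which is why the policy also carries a Null statement.
                if not present or ctx[key] == want:
                    return False
            elif op == "Null":
                if (not present) != (want.lower() == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator: {op}")
    return True


def denied_by(policy: dict, action: str, ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement that matches a request
    (action plus condition-key context), or None if no Deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in acts and "s3:*" not in acts:
            continue
        if _condition_matches(stmt["Condition"], ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = phi_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print(json.dumps(default_encryption_config(KMS_KEY_ARN), indent=2))
    # Constructed requests: plain-HTTP read, upload without SSE, upload with
    # SSE-S3 instead of KMS, and a correct TLS + SSE-KMS upload.
    samples = [
        ("s3:GetObject", {"aws:SecureTransport": "false"}),
        ("s3:PutObject", {"aws:SecureTransport": "true"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "aws:kms"}),
    ]
    for action, ctx in samples:
        print(action, ctx, "->", denied_by(policy, action, ctx) or "no Deny matched")
```

The policy and encryption configuration are applied with put_bucket_policy and put_bucket_encryption (AWS CLI or boto3). Together they cover the at-rest and in-transit items from the checklist above; you would still need access logging, tightly scoped IAM access to the bucket, and the AWS BAA for the account before storing PHI there.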
iCloud Is Not HIPAA Compliant
Apple will not sign a BAA, which rules out HIPAA compliance and merits no further discussion.
Cloud Storage Options That Are Compliant
ISO 27001 certification and SOC 2 Type II reports (SOC 3 is the public summary of a SOC 2) are major steps a provider can take toward supporting HIPAA compliance, but there is no official HIPAA certification: HHS does not certify products or providers. The rules are meant to force both organizations and their providers to run continual security reviews and updates, both technical and administrative.
That said, here are some of your best options for HIPAA compliant cloud storage.
Dropbox Is HIPAA Compliant
Dropbox is arguably the most popular cloud storage solution on the market. Its claim to fame is ease of use and its ability to integrate with many other apps and systems.
HIPAA compliance was a long time coming for Dropbox, but as of late 2015 it offers compliant storage through its Dropbox for Business service and will sign a BAA. It even has a guide called Getting started with HIPAA on its website.
It’s worth noting that cloud storage and synchronization is all Dropbox does—you would still need to deploy third party services to ensure other electronic communication (calendars, emails, etc.) are secure.
Box Is HIPAA Compliant
Box is another popular cloud storage provider, especially for enterprise accounts, although its HIPAA configuration is not limited to enterprise accounts. Box provides a page of resources on its HIPAA compliant technology and processes here.
Box is making a serious push to attract companies in the healthcare industry. In 2014 it acquired medical-imaging software startup MedXT. Shortly after the acquisition it announced Box DICOM Viewer, which allows people to store, view and share DICOM files (x-rays, MRIs, CT scans, ultrasounds) in the service.
Again, this option doesn’t cover emails, calendars, or video chats.
Google Drive Is HIPAA Compliant
Starting in 2013, Google has offered signed BAAs to its paid Google Apps customers. The services covered are Gmail, Google Calendar, Google Drive, Google Sites, and Google Vault.
Configuring Google Apps for HIPAA compliance requires an extensive amount of technical work for the administrator of the service. Google has published a guide to help with this process.
Please note: Not all Google Apps services are HIPAA compliant—Hangouts (video chat), Groups, and Contacts should not store PHI.
Microsoft Office 365 Is HIPAA Compliant
As a Microsoft Cloud Champion Partner, we’re not exactly an objective party when it comes to cloud storage—we think Office 365 is the best in terms of compliance requirements.
There, we said it.
But the list of configurable options to maintain HIPAA compliance is impressive, from storage to email and more.
For example, the reason there’s no such thing as compliant software out of the box is that HIPAA requires your company to have certain policies in place. Office 365 provides templates for creating these policies, such as its Data Loss Prevention (DLP) policy templates, which include a U.S. HIPAA template. Handy.
Additionally, if you want email to be both compliant and efficient, you can create mail flow (transport) rules in Office 365 that scan messages for keywords or sensitive-information types and apply encryption to the ones that match.
These are just two examples of Office 365’s strength when it comes to compliance. In addition to HIPAA, Office 365 is designed with nine other major compliance standards in mind. Microsoft also provides an enormous amount of documentation to go along with its tools, which is nice for anybody who wants a DIY solution.
In closing, you have plenty of options when it comes to securely storing files in the cloud. If we could leave you with one piece of advice, it would be to consider your compliance needs as a whole, not just file storage and sharing. Consider how email encryption fits into the picture, as well as any need for on-premises features.
If you have any questions about compliance and the cloud, we would be happy to speak with you.
Big Green IT is a Microsoft Cloud Champion Partner. Our experience spans small-scale to large-scale Office 365 migrations for both the private and public sector. We specialize in migrations and deployments from 100 to 10,000 seats.