HIPAA’s Omnibus Final Rule specified a compliance deadline of Sept. 23, 2013. As a result, entities that maintain and transmit PHI are subject to enhanced compliance regulation. To address these new requirements, ShareFile has updated its architecture to provide greater data segregation and security for customers in the healthcare space.
Now, all customers who sign a Business Associate Agreement (BAA) with ShareFile will join a secure data storage enclave dedicated only to PHI. This storage enclave, the ShareFile Cloud for Healthcare, enables covered entities and their business associates to leverage the secure ShareFile platform to process, maintain and store PHI. (Enterprise customers who choose to use customer-managed StorageZones for their ShareFile accounts will not need to execute a BAA with Citrix, as Citrix does not maintain access to the data stored in their StorageZones and their files are not hosted on Citrix servers.)
ShareFile provides multiple technical safeguards to support customer compliance obligations under HIPAA. Many of these controls are not configured by default, and responsibility for implementing these safeguards, such as the ones outlined below, often falls on customers.
Customers can use the tools provided within ShareFile to review account activity, such as account usage and access to files and folders.
Unique users and authentication
ShareFile lets customers create individual user accounts based on unique email addresses. Each user who logs into ShareFile is required to use a unique email address for his or her account, and it is up to the customer to assign unique accounts and logins to each end user. For easier access and enhanced authentication security, customers also can integrate with a SAML 2.0-compatible identity management solution to enable single sign-on.
Emergency account access
Account administrators on the customer side are the only people with total authorized access to their ShareFile accounts. Customers are responsible for assigning emergency access to PHI stored in ShareFile in the event that the account administrator is unavailable.
ShareFile gives customers the technical ability to automatically log out a user after a period of inactivity. Customers can configure the length of this period of inactivity, and they are responsible for enforcing an automatic log-off period consistent with their internal policies. ShareFile also provides a log-out button, which lets users log out of a session at will.
ShareFile handles the encryption and decryption of all files, including those containing PHI. Customers can, at their discretion, also encrypt files prior to uploading. If a customer chooses to do this, ShareFile will still automatically encrypt files a second time. ShareFile uploads and downloads files between the end user and the storage tier directly over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encrypted segment using high-grade encryption with no less than 128-bit key strength. ShareFile supports SSL 3.0 and TLS, which are the same encryption protocols and algorithms used by e-commerce services and online banking. ShareFile also stores all files at rest using the Advanced Encryption Standard (AES) with a 256-bit key. Additionally, customers can configure multiple mobile device controls, such as requiring users to enter a passcode to encrypt ShareFile content on mobile devices.
To help ensure that PHI has not been altered or destroyed in transit or at rest, ShareFile uses industry-accepted hashing algorithms to verify file integrity during file upload and download. Customers are encouraged to adopt and use folder and file-naming policies and conventions to further protect PHI stored in ShareFile.
ShareFile gives customers the technical ability to set a unique password for each account. ShareFile has password policy parameters that include password expiration, history and minimum length, and customers can configure password complexity controls according to their own internal policies. To take advantage of the added security and convenience of single sign-on, customers can use the tools provided by ShareFile to integrate with identity management solutions that are compatible with SAML 2.0.
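The password controls named above (minimum length, complexity, history and expiration) are easy to get subtly wrong, in particular the history check, which must compare against stored hashes rather than plaintext. The following is an added illustration of how such a policy can be enforced; it is not ShareFile's code, and the policy values (12 characters, 3 character classes, 5-deep history, 90-day age) are assumptions chosen for the example, not ShareFile's defaults.

```python
import hashlib
import os
import secrets
import string
from datetime import datetime, timedelta

# Assumed policy values for this example; a real deployment sets them
# from the customer's internal password policy.
MIN_LENGTH = 12
HISTORY_DEPTH = 5          # a new password may not match any of the last 5
MAX_AGE = timedelta(days=90)
REQUIRED_CLASSES = 3       # out of: lowercase, uppercase, digit, symbol


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) so the history
    can be kept as hashes only, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored entry."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def complexity_classes(password):
    """Number of distinct character classes present in the password."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def violations(candidate, history):
    """history: list of (salt, digest) tuples, most recent first.
    Returns the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(candidate) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} character classes")
    if any(matches(candidate, s, d) for s, d in history[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(last_changed, now):
    """True when the password is older than MAX_AGE and must be rotated."""
    return now - last_changed >= MAX_AGE
```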
Account lockout
By default, ShareFile locks out a user for five minutes following five failed login attempts. These settings are stored as account preferences and can be adjusted to satisfy customer requirements. Customers are responsible for notifying ShareFile of their preference if they require a different lockout setting, such as lockout for 30 minutes after three failed attempts.
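As an added illustration of the lockout behaviour described above (not ShareFile's implementation), the guard below counts consecutive failures per account and enforces the lockout window, with the text's default (five failures, five minutes) and the stricter alternative (three failures, 30 minutes) as two policies. One detail worth noting in a defender's implementation: while an account is locked, the credential is not evaluated at all, so a locked account answers a correct and an incorrect password identically.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5                       # default named in the text
    duration: timedelta = timedelta(minutes=5)


DEFAULT_POLICY = LockoutPolicy()
STRICT_POLICY = LockoutPolicy(max_failures=3, duration=timedelta(minutes=30))


@dataclass
class LoginGuard:
    """Per-account failure counter plus lockout window (in-memory example)."""
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=dict)      # email -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # email -> datetime

    def is_locked(self, email, now):
        until = self.locked_until.get(email)
        return until is not None and now < until

    def attempt(self, email, verify, now):
        """Process one login attempt. `verify` is a zero-argument callable that
        checks the credential; it is only called when the account is not locked.
        Returns 'locked', 'ok', 'failed' or 'locked_out'."""
        if self.is_locked(email, now):
            return "locked"            # no credential check, no timing oracle
        if verify():
            self.failures.pop(email, None)
            self.locked_until.pop(email, None)
            return "ok"
        count = self.failures.get(email, 0) + 1
        if count >= self.policy.max_failures:
            self.locked_until[email] = now + self.policy.duration
            self.failures.pop(email, None)   # counter restarts after the window
            return "locked_out"
        self.failures[email] = count
        return "failed"
```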
To comply with the HIPAA Security Rule’s administrative safeguards, both ShareFile and covered entities are responsible for assessing and minimizing the relative risks to PHI that is transmitted and stored electronically.
Data backup and disaster recovery
ShareFile provides for disaster recovery associated with its database, application and file-storage tier. To prevent data loss in an emergency, ShareFile maintains copies of customer files. ShareFile’s datacenters provide redundant physical and environmental controls, including power and network connectivity.
Testing and evaluation
To maintain compliance with the HIPAA Security Rule, ShareFile conducts an internal audit and/or engages an independent third party to perform annual HIPAA-related risk assessments. ShareFile has implemented procedures for periodic testing and revision of its contingency plans, and ShareFile tests disaster recovery and business continuity at least once a year. ShareFile also assesses the relative criticality of specific applications and data as they relate to ShareFile.
The ShareFile SaaS application and storage tier are hosted by industry-leading providers in geographically separate SSAE 16-accredited datacenters. Measures are in place to prevent unauthorized persons from gaining access to data-processing equipment, such as telephones, database and application servers, and related hardware, where PHI may be processed or stored.
These measures include:
• establishing secure areas
• protecting and restricting access paths
• securing data-processing equipment and personal computers
• establishing and documenting access authorizations for employees and third parties
• placing regulations and restrictions on card-keys
• restricting physical access to servers by using electronically locked doors and separate cages within co-location facilities
• logging, monitoring, auditing and tracking all access to datacenters where PHI is hosted, using electronic surveillance conducted by security personnel