3 File Sharing Risks in Healthcare
…and How Our Compliant File-Management Solution Can Help
by Stephen Trout
File management tools have certainly come a long way.
In the not-too-distant past, the “secure delivery” of your health records consisted of: a) placing copies carefully into an envelope and sealing it, b) dropping it into interoffice mail or a slot at the post-office/UPS, or c) even trusting a guy on a bike to deliver it safely to your recipient. Then, sit back and hope all goes well.
Of course, this method was fraught with vulnerabilities: any paper files or removable media such as CDs or USBs contained therein could be lost or intercepted — at any point on the journey. The bike courier might mistake the address. Even if you decided to hand-deliver it yourself, you might misplace or lose it in transit — not HIPAA compliant in the slightest.
Before you deride our predecessors for being “so archaic”, consider this: today, less than one-quarter of healthcare workers surveyed use secure file transfer to share sensitive data, according to a recent study.
In fact, healthcare workers are 36% more likely than those working in financial services to share sensitive data using unsecured means. So why this continuing lack of security in healthcare?
No doubt, the tyranny of urgency and avoiding delays in file-sharing is a factor, creating tunnel vision and blinding staff to the larger corporate security or regulatory concerns such as HIPAA.
It’s a truth about human nature: we gravitate to the easiest means available to accomplish tasks - a majority of the healthcare workers in the survey mentioned above even admitted as much.
To illustrate, consider how the following three means of file-sharing are very much in use — and continue to pose significant risks of data exploitation and loss. These include unsecured email with attachments, insecure file-sharing apps, and flash drives:
1. Unsecured Email
Susan Hinrichs, chief of engineering at SafelyFiled, describes a typical scenario in which the convenience of email can easily lead to lapses in security:
“Just the other day I received a design document from a client as an email attachment. [Regular] Email is not designed to be secure. Anyone with access to an intermediate mail server or with the ability to sniff network traffic between our mail servers would see this design document. If I needed to sign a non-disclosure agreement to see this information, they probably did not want random folks on the Internet to see this information. Instead, senders should encrypt files and use secure file-sharing services.”
For healthcare, the risks of disclosing a patient’s personal information and violating HIPAA (possibly incurring fines and loss of business reputation) make secure email indispensable when attaching any protected health information.
Yet if your staff feels they must “jump through hoops” to expedite a file-share, it’s been shown that they’ll be less likely to have security concerns at the forefront of their mind when completing a task. A user-friendly, seamless solution is therefore critical.
2. Insecure Consumer File-sharing Apps
A typical consumer file-sharing app on your employee’s phone might seem (to them) to be a convenient way to expedite a file-share — especially if they can avoid a potentially time-consuming call to the IT department. Once again, the “easier alternative” can tend to win out. However, there’s simply no guarantee that the data — usually unencrypted — won’t be exploited on any of the numerous server stops it might make on its journey, or be opened by an unintended recipient.
Yet these unsanctioned tools (call them “shadow software”) continue to be used by individual departments in companies — without clearance by IT or approval by administration — constituting a serious risk to corporate security. It behooves companies then to find a secure file-sharing solution, along with adequate training to help establish buy-in and appropriate use.
3. Flash Drives
While flash drives may seem to be a thing of the past, a number of factors continue to make them relevant to many users:
- The control factor. Flash drive access is controlled by the user themselves, independent of a service provider or another department that might impose unwanted access controls.
- The convenience factor. Flash drives require no internet connection.
- The physical factor. While the cloud “feels intangible,” you can hold a flash drive in your hand. For many, this just “feels” more secure.
The danger with flash drives, however, is that they can be easily infected with malware. Once inserted into a networked PC’s USB port, if the flash drive is not properly scanned and autorun is enabled, it may infect the entire system.
The Secure Drive Alternative
The fact is, any traditional storage that relies on your PC’s hard drive may be a target for hackers. Multiply that by the number of PCs in your company and you have an even wider attack surface, with each potentially compromised by phishing scams, poor workstation security, unauthorized employee access, and the like.
On-site servers — despite their proximity — also depend on IT departments or even physicians’ staff to manage all backups, updates, patching, mitigation, and maintenance. This, along with capital equipment expenditures and ongoing server maintenance, can represent a costly scenario.
In contrast, HIPAA Vault’s fully-managed, secure file management solution for file syncing & sharing takes all these concerns off your plate. With HIPAA Drive, your important files and folders will actually be more secure than on your hard drive — and will enable efficient cloud collaboration and increased productivity with your team.
Your Drive files are encrypted at the click of a button before sharing externally, and in-transit and at-rest encryption protocols ensure complete privacy and confidentiality. HIPAA Drive also gives your team complete access control over files and folders from anywhere, while maintaining the ability to change permissions at any time.
Here’s what you’ll get with HIPAA Drive:
- A signed BAA
- A secure web interface
- Data transfer & loss protection (DLP)
- SSL, at-rest encryption, & end-to-end encryption
- Password protected, with Two-factor Authentication
- User-management capabilities, with file access from anywhere
- Granular permissions: read, edit, comment
- HIPAA Vault’s renowned managed services with tier-less, dedicated live support, with less than 15-minute response-times to critical alerts.
Above all, you’ll have the peace of mind that your important patient files will reach their destination securely — without worrying about delivery mishaps, hackers, or hard drive failures.
HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure hosting and email, HIPAA compliant WordPress, secure file sharing, and more.