Atlantic.Net Blog

Microsoft OneDrive for Business or Google Drive for HIPAA Compliance?

File sharing is central to using the cloud effectively: it lets you safeguard and control files while still sharing them, and it lets your personnel reach their files wherever they are.

For healthcare organizations looking to adopt a file sharing service, the most important consideration is to select a service that prioritizes the security necessary to deliver HIPAA compliance. Two of the prominent file sharing options for general storage are Microsoft OneDrive for Business and Google Drive. However, using a third party for file sharing in your healthcare organization means placing trust in a business associate to protect highly confidential and sensitive patient data, and you still need to be able to maintain HIPAA compliance.

HIPAA compliance is not a trivial concern. The Ponemon Institute revealed in 2017 that the cost of a healthcare data breach had reached a record level for the seventh year in a row. At $380 per record, it was greater than 2.5 times the worldwide average for all market sectors.

You can certainly increase your security and compliance with cloud tools, and the Health and Human Services Department that oversees healthcare law has specifically noted that cloud solutions of any configuration (public, private, and hybrid) are all acceptable for compliance if a sufficient BAA is in place. However, there are inherent challenges in file-sharing environments related to security and compliance as well.

Integration is a major issue for organizations, especially as they consider the substantial portability and interoperability challenges related to multi-cloud and the internet of things (IoT). With multi-cloud in particular, you need to meet certain functions across different environments and tools.

HIPAA compliance with Microsoft OneDrive for Business

Clearly, you want to know that strong practices and technologies are in place to protect your data and help you maintain compliance, beyond the HIPAA-compliant infrastructure that delivers its raw resources and security foundation. In the case of OneDrive for Business, you need to check two things: whether the system is compliant with Federal Information Processing Standard 140-2 (FIPS PUB 140-2), a standard used by the United States government for the assessment of cryptographic modules, and whether you are able to get Microsoft to sign the Business Associate Agreement (BAA).

However, it is worth noting that this service leverages 256-bit Advanced Encryption Standard (AES) to facilitate at-rest and in-transit encryption, and 2048-bit keys are used for all TLS/SSL encryption. The International Organization for Standardization’s ISO 27001 certification is also used to validate the safeguards on OneDrive for Business.

HIPAA Compliance with Google Drive

As with Microsoft, Google offers multiple forms of independent assessment, in the form of SOC 2 and SOC 3 Type II audits and ISO 27001 certification. Plus, you are able to block unauthorized access via two-factor authentication and a log of access, the second of which is a specific HIPAA requirement. TLS and SSL are used for encryption of in-transit data, but you need to check how to get Google to sign the Business Associate Agreement.

HIPAA Compliant File Sharing – How Can You Be Sure?

By partnering with a managed service provider such as Atlantic.Net, you can be confident that your file sharing environment is indeed HIPAA-compliant. In Atlantic.Net’s case, we offer HIPAA-compliant file storage as one offering in our suite of hosting services. This service comes with a Business Associate’s Agreement, ensuring that Atlantic.Net will protect ePHI in accordance with HIPAA rules.

File sharing challenges & resolutions with HIPAA

Bill Kleyman shared a story of a provider that was struggling to maintain HIPAA compliance in a mobile world. The number of devices being used for system access by physicians, nurses, and other staff members was expanding.

An IT administrator noticed while they were reviewing systems with a staff member that a substantial amount of data was being saved on that individual’s mobile device. While the smartphone was owned and broadly controlled by the organization, this finding was disturbing given compliance concerns.

Specifically, the IT specialist noticed that Dropbox was syncing whether or not the network was connected. The administrator asked the healthcare professional why the data was being saved locally. The staff member said that the only files that were being synced were free of any electronic protected health information (ePHI), the data that is safeguarded by HIPAA.

A review confirmed that there was no ePHI within the synced documents. However, it would be very simple for a user in this context to either accidentally or intentionally sync a file that did contain ePHI, which would be an immediate violation.

File sharing environments can certainly be a point of weakness in this way. To strengthen protection, the healthcare firm implemented a proactive mobility monitoring and control service. By deploying a full-featured solution to target the issue of mobility, the organization was able to close this security window. End-point storage “was replaced with secure access to central data repositories wrapped with greater controls,” noted Kleyman.

Another example of file sharing comes from a 2017 report by the de Beaumont Foundation and Johns Hopkins. While this example is hypothetical, it helps establish the value of file sharing beyond the walls of your organization.

In order to help to solve the public health issue of childhood asthma, a public agency might ask for a data file each week from the hospitals in the area that would include all ER visits and hospital admissions related to asthma for anyone under 21 years old.

The data that would be requested from these providers would only include certain fields of the records. It would include the patient age in years, gender, race and ethnicity, and date of hospital treatment. Elements that would be removed from the data file would be their addresses, Social Security Numbers (SSNs), and similar personally identifiable information irrelevant to the scope of the project.

US law allows for this use of HIPAA data. The hospitals would be protected in sharing the files.

The authors of the study said that the project would be HIPAA-compliant as long as the agency straightforwardly demonstrated that the data was being requested to monitor a public health issue. “This clear articulation gives the health department the legal authority to request and receive protected health information from local hospitals and healthcare providers under HIPAA,” explained the authors.

HIPAA compliant hosting for your file-sharing environment

Sharing files can be tricky from a data-protection standpoint, but its value for collaboration and broader analysis cannot be overstated. Are you in need of a fully secured and compliant infrastructure for your healthcare file-sharing ecosystem? HIPAA Compliant Hosting by Atlantic.Net™ is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records.

Learn more about our HIPAA compliant web hosting and HIPAA cloud hosting solutions.
