Document Storage for ePHI in SecureBox

SecureBox service provides a free-online file storage and collaboration service to store ePHI. It is available for UW–‍Madison staff to share ePHI data with collaborators (internal and external to UW–‍Madison) when a departmental solution is not available and the amount of data to be stored is less than 50GB. For data sets greater than 50GB, consider using Research Drive.

The SecureBox Service is not intended for use as a file transfer method. Please see the Globus File Transfer Service to fulfill this need.

You must follow these steps to use the SecureBox service:

IMPORTANT: Consult with your local IT department.

Share your request with your IT Department first as they may have a quick solution to satisfy the project’s storage needs.
Your IT Department must work with you and the Office of Cybersecurity to configure your system to meet the heightened security requirements.
SecureBox folder can only be accessed from a departmentally managed machines. Using personally owned devices (including mobile) is NOT allowed.
UW–‍Madison owned devices must meet a specific Restricted Data Security configuration as described in the Endpoint Security Recommendations Matrix and UW–‍Madison’s Endpoint Management and Security Policy.
- Installation of the Qualys Cloud agent, enabled for Policy Compliance and Vulnerability management and confirmation that the cloud agent is actively reporting into the console.
- CISCO Advanced Malware protection software is installed and actively monitored.
- The host firewall is enabled and prevented from being disabled.
- The asset’s administrator rights are revoked from the end-user account access.
- The hard drive is encrypted.
- WiscVPN or a departmental VPN is installed on devices that can be taken off the campus’ wired network.
- If external media is used in conjunction with the SecureBox folder, the media devices must also be encrypted, registered with, and tracked by the local IT department.
External collaborators are required to complete the Endpoint Security Checklist (pdf).

Relevant links

Staff Responsibilities for using SecureBox service

Use only the designated, certified workstation(s) to access the SecureBox folder.
Use a VPN connection when accessing the data from a remote location.
The SecureBox Folder owner must work with any external collaborators to ensure that the workstation(s) they are using meets these security guidelines as outlined in the Workstation Security Requirements document: Secure-Endpoint-Configuration-Matrix (10-22-20).
Ensure that data acquisition stored in the SecureBox folder uses one of the following methods:
- Encrypted drive (external or USB)
- Secure Web portal using HTTPS
- Secure File Transfer Protocol
Ensure that if data is to be temporarily stored outside of the SecureBox folder, that the following approved locations are used:
- Encrypted external hard drive which employs hardware-based encryption
- USB thumb drive which employs hardware-based encryption.
- The Secured computer’s encrypted internal hard drive
Box-Edit may be used on a secured workstation.

IT department security requirements

Maintain an accurate list of workstations accessing the SecureBox folder.
Regularly review and remediate identified Qualys compliance gaps and vulnerabilities.
- For gaps that cannot be remediated, mitigation strategy must be documented and uploaded into the SecureBox compliance folder.
Maintain an accurate user list, with appropriate access rights for the SecureBox folder.
Complete a written procedure for handling data while in use and train staff on the use of a SecureBox folder. This procedure must also define what a remote location is and how to use the VPN when remote.
Produce monthly reports validating that the asset remains in compliance and is being updated and patched appropriately.

Statistical results, which do not contain any HIPAA identifiers can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainly exists to the exact definition of what constitutes a Limited Data Set PHI, contact the UW–‍Madison HIPAA Privacy Officer.

PHI can be stored on an approved UW Box PHI project folder, after completing the requirements as outlined in this webpage.

If the project study requires data be temporarily stored outside of the SecureBox folder, these storage locations must be encrypted.

Approved storage locations are:

Encrypted external harddrive which employs hardware-based encryption
USB thumb drive which employs hardware-based encryption
The secured computer’s encrypted internal harddrive

Box-sync or box-edit may be used on a secured workstation.

All processing of the data set shall be executed on only the workstations that have been certified to meet the criteria set forth on this webpage, using storage locations outlined in the previous section.

No processing will be done on any third party systems, other cloud services or other computers.

Statistical results, which do not contain any HIPAA identifiers, are considered the output of the research and can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainty exists to the exact definition of what constitutes LDS PHI, contact the UW HIPAA Privacy Officer.

Workstation requirements for non UW–‍Madison/external collaborators

All collaborator’s listed as accessing SecureBox folder should fill out and submit an Endpoint Security Checklist (pdf).

FAQs

A secure SecureBox folder is primarily intended for storing ePHI or a Limited Data Set (LDS) securely for collaboration with external (outside of the UW–‍Madison) entities. There may be more appropriate secure collaboration solutions for sharing data internally between UW–‍Madison departments and/or UW Health. Please consult with your local HIPAA Security Coordinator or IT department before requesting a SecureBox folder.

The process to create a SecureBox folder to store ePHI is a collaboration between the Office of Cybersecurity and your local IT department and/or HIPAA security coordinator. The workstations used to access the SecureBox folder must meet technical compliance standards before folder access is granted. External collaborators should complete and submit the External Collaborator’s Asset security form. Consult with your HIPAA security coordinator and/or your local IT department prior to submitting the request form to ensure that an ePHI SecureBox folder is an appropriate solution.

Cookie Notice

Relevant links

Staff Responsibilities for using SecureBox service

IT department security requirements

Workstation requirements for non UW–‍Madison/external collaborators

FAQs

Questions about SecureBox Folder requirements?

Relevant links

Staff Responsibilities for using SecureBox service

IT department security requirements

Anti-virus, anti-malware

Firewall

Administrator access

Data acquisition

Data storage

Data processing

Maintenance and testing of security posture

Workstation requirements for non UW–‍Madison/external collaborators

FAQs

What is the intended use for SecureBox folder for ePHI?

Once I obtain a HIPAA-approved SecureBox, can I use any device to access it?

Who is responsible for maintaining technical configuration compliance of my workstation(s)?

Can I use Box-sync?

How long will it take to get an ePHI SecureBox folder approved and working?

Who is my HIPAA security coordinator?

How do I know if I am storing ePHI?

Questions about SecureBox Folder requirements?