Document Storage for ePHI in SecureBox
Staff Responsibilities for using SecureBox service
- Use only the designated, certified workstation(s) to access the SecureBox folder.
- Use a VPN connection when accessing the data from a remote location.
- The SecureBox folder owner must work with any external collaborators to ensure that the workstation(s) they are using meet the security guidelines outlined in the Workstation Security Requirements document: Secure-Endpoint-Configuration-Matrix (10-22-20).
- Ensure that acquisition of data stored in the SecureBox folder uses one of the following methods:
  - Encrypted drive (external or USB)
  - Secure Web portal using HTTPS
  - Secure File Transfer Protocol
- Ensure that, if data is to be temporarily stored outside of the SecureBox folder, the following approved locations are used:
  - Encrypted external hard drive which employs hardware-based encryption
  - USB thumb drive which employs hardware-based encryption
  - The secured computer’s encrypted internal hard drive
- Box-Edit may be used on a secured workstation.
IT department security requirements
- Maintain an accurate list of workstations accessing the SecureBox folder.
- Regularly review and remediate identified Qualys compliance gaps and vulnerabilities.
  - For gaps that cannot be remediated, a mitigation strategy must be documented and uploaded into the SecureBox compliance folder.
- Maintain an accurate user list, with appropriate access rights for the SecureBox folder.
- Complete a written procedure for handling data while in use and train staff on the use of a SecureBox folder. This procedure must also define what a remote location is and how to use the VPN when remote.
- Produce monthly reports validating that the asset remains in compliance and is being updated and patched appropriately.
Statistical results, which do not contain any HIPAA identifiers, can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainty exists as to the exact definition of what constitutes a Limited Data Set PHI, contact the UW–Madison HIPAA Privacy Officer.
Install Cisco AMP (see Cisco AMP departmental support KB).
Run a host-based firewall at all times.
Administrator access will be restricted to designated local IT security professionals.
Data acquisition requires one of the following:
- Encrypted drive (external or USB)
- Secure Web portal using HTTPS
- Secure File Transfer Protocol
PHI can be stored on an approved UW Box PHI project folder, after completing the requirements as outlined in this webpage.
If the project study requires data be temporarily stored outside of the SecureBox folder, these storage locations must be encrypted.
Approved storage locations are:
- Encrypted external hard drive which employs hardware-based encryption
- USB thumb drive which employs hardware-based encryption
- The secured computer’s encrypted internal hard drive
Box-sync or box-edit may be used on a secured workstation.
All processing of the data set shall be executed on only the workstations that have been certified to meet the criteria set forth on this webpage, using storage locations outlined in the previous section.
No processing will be done on any third party systems, other cloud services or other computers.
Statistical results, which do not contain any HIPAA identifiers, are considered the output of the research and can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainty exists as to the exact definition of what constitutes LDS PHI, contact the UW HIPAA Privacy Officer.
Per UW Endpoint Management and Security policy 526 (Source: policy.wisc.edu) and Information Technology (IT) Asset Reporting policy 527 (Source: policy.wisc.edu), your IT department is required to maintain and test the security posture of these devices.
Workstation requirements for non-UW–Madison/external collaborators
All collaborators listed as accessing the SecureBox folder should fill out and submit an Endpoint Security Checklist (pdf).
FAQs
A secure SecureBox folder is primarily intended for storing ePHI or a Limited Data Set (LDS) securely for collaboration with external (outside of the UW–Madison) entities. There may be more appropriate secure collaboration solutions for sharing data internally between UW–Madison departments and/or UW Health. Please consult with your local HIPAA Security Coordinator or IT department before requesting a SecureBox folder.
No, you may only use UW–Madison managed devices which meet the technical compliance standards established in this process. These devices must be identified and documented with your request.
Your HIPAA Security Coordinator will work with your local IT department to verify compliance initially and make sure it continues to meet security requirements on a regular basis. This includes routine security patches and anti-malware updates among other things.
Yes. Box sync may be used on approved and managed workstations.
The process to create a SecureBox folder to store ePHI is a collaboration between the Office of Cybersecurity and your local IT department and/or HIPAA security coordinator. The workstations used to access the SecureBox folder must meet technical compliance standards before folder access is granted. External collaborators should complete and submit the External Collaborator’s Asset security form. Consult with your HIPAA security coordinator and/or your local IT department prior to submitting the request form to ensure that an ePHI SecureBox folder is an appropriate solution.
UW–Madison HIPAA security coordinators are listed on the HIPAA Program website.
The Office of Compliance has developed a webpage that defines ePHI/PHI and how to keep it confidential.