ShareFile HIPAA Security


This whitepaper outlines how firms can use ShareFile as hosted by ProCirrus to facilitate compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information (PHI).

ShareFile offers many features that help support customers’ compliance with the Security Rule.  Customers are ultimately responsible for ensuring that the way in which they use ShareFile complies with HIPAA and other applicable laws and regulations.  ShareFile referenced in this document is specific to ShareFile as hosted by ProCirrus Technologies.

Technical Safeguards

ProCirrus ShareFile provides multiple technical safeguards to support customer compliance obligations under HIPAA.  Many of these controls are not configured by default, and responsibility for implementing these safeguards, such as the ones outlined below, often falls on customers. 

Audit Controls

Customers can use the tools provided within ShareFile to review account activity, such as account usage and access to files and folders. 

Unique users and authentication

ProCirrus administers user accounts based on unique email addresses. Customers are responsible for providing unique accounts and logins to each end user. Each user who logs into ShareFile is required to use a unique email address for his or her account. For easier access and enhanced authentication security, ProCirrus customers integrate with a SAML 2.0 identity management system.

Emergency account access

Customers are responsible for assigning emergency access to PHI stored in ShareFile in the event that the account administrator is unavailable.

Session timeout

ProCirrus gives ShareFile customers the technical ability to automatically log out a user after a period of inactivity.  Customers can configure the length of this period of inactivity, and they are responsible for enforcing an automatic log-off period consistent with their internal policies. ShareFile also provides a log-out button, which lets users log out of a session at will.

Encryption

ShareFile handles the encryption and decryption of all files, including those containing PHI.  ShareFile uploads and downloads files between the end user and the storage tier directly over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encrypted segment using high-grade encryption with no less than 128-bit key strength. ShareFile supports SSL 3.0 and TLS, which are the same encryption protocols and algorithms used by e-commerce services and online banking.
ShareFile also stores all files at rest, subject to the customer settings, using the Advanced Encryption Standard (AES) with a 256-bit key. Additionally, customers can configure multiple mobile device controls, such as requiring users to enter a passcode to encrypt ShareFile content on mobile devices (MDM).

Integrity controls

To help ensure that PHI has not been altered or destroyed in transit or at rest, ShareFile uses industry-accepted hashing algorithms to verify file integrity during file upload and download.  Customers are encouraged to adopt and use folder and file-naming policies and conventions to further protect PHI stored in ShareFile.

Passwords

ProCirrus gives customers the technical ability to set a unique password for each account. ProCirrus has password policy parameters that include password expiration, history and minimum length, and customers can configure password complexity controls according to their own internal policies. 

Account lock out

By default, ShareFile locks out a user for five minutes following five failed login attempts. ShareFile configures these settings as account preferences to satisfy customer requirements.  Customers are responsible for notifying ProCirrus of their preference if they require a different lockout setting, such as lockout for 30 minutes after three failed attempts.

Administrative safeguards

To comply with the HIPAA Security Rule’s administrative safeguards, entities are responsible for assessing and minimizing the relative risks to PHI that is transmitted and stored electronically.

Data backup and disaster recovery

ProCirrus provides for disaster recovery associated with its database, application and data storage. To prevent data loss in an emergency, ProCirrus maintains copies of customer files. ProCirrus SSAE datacenters provide redundant physical and environmental controls, including power and network connectivity.

Physical Safeguards

ProCirrus ShareFile application and storage are hosted in SSAE 16 accredited datacenters with security measures designed to prevent unauthorized persons from gaining access to data-processing equipment, database and application servers, and related hardware, where PHI may be processed or stored.
These measures include:

  • Establishing secure areas, protecting and restricting access paths
  • Securing data-processing equipment and personal computers
  • Establishing and documenting access authorizations for employees and third parties
  • Placing regulations and restrictions on card-keys
  • Restricting physical access to servers by using electronically-locked doors and separate cages within co-location facilities
  • Logging, monitoring, auditing and tracking all access to datacenters where PHI is hosted via electronic surveillance conducted by security personnel

For suitable levels of redundancy, ShareFile maintains multiple servers in its primary datacenter.

Audit and Evaluation

To maintain compliance, ProCirrus conducts an internal audit and engages an independent third party to perform annual compliance assessments as part of our SSAE 16 SOC I TYPE II and SOC II TYPE II.  This includes procedures for periodic testing and revision of its contingency plans, disaster recovery and business continuity.

Dan Shelton