
1 Bringing Box into HIPAA Alignment. Bill Barnett, Bob Flynn & Anurag Shankar, Pervasive Technology Institute and University Information Technology Services, Indiana University. CASC, September 17, 2014.

2 Outline
1. Introduction
2. Service Partnership
3. Box Evaluation
4. Conclusions

3 1. Introduction

4 Nature abhors a vacuum. Because of the lack of HIPAA-aligned campus services that support external collaborations, biomedical researchers share sensitive data using email and cloud services such as Google Docs, Dropbox, etc.

5 HIPAA in the Cloud? The lure of cheap, ubiquitous cloud storage is irresistible. Cloud providers have been unaware or unwilling to address HIPAA compliance. Market pressures are forcing some vendors, including Amazon, Microsoft, and Box, to reconsider. We at IU have also been revisiting our stance of requiring our sensitive data to be kept on site.

6 2. Service Partnership

7 Box@IU & HIPAA. Implemented at IU in 2012, Box has become popular for sharing data with collaborators within and outside IU. Researchers in the IU School of Medicine (second largest medical school in the U.S.) want to use Box to share clinical research data. This requires that Box be HIPAA aligned.

8 Box & HIPAA. In 2013, Box began talking about the possibility of HIPAA alignment after conducting third-party security and HIPAA audits. In late 2013, they began signing contracts promising to comply with HIPAA. Internet2 has negotiated a BAA (Business Associate Agreement) and revised contract with Box.

9 Box@IU Basics
Program rollout April 2012
Reached 50,000 users by October 2013
Currently 74,000 internal users
9,000 external collaborators
180,000 collaborations
68TB in storage
All this without FERPA or HIPAA data

10 Box@IU Growth (chart)

11 3. Box Evaluation

12 While Box told us they were HIPAA "compliant", due diligence (to us) meant evaluating whether Box met the same NIST standards we follow ourselves.

13 The Stack
Layer: Responsible
User Interface: Box
Authentication: Box/IU
Application: Box
OS: Box
Cloud Environment: Box
Network: Box

14 What We Did. We asked Box for documentation of their information security practices, audit reports, etc. We reviewed the documents thoroughly. We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box's security/risk management practices. Some of these answers came from the Box documentation, some from Box's Compliance folks.

15 NIST HIPAA Security Rule Toolkit Questionnaire (screenshot)

16 Evaluation Results. Box answered more than 95% of the questions satisfactorily. They have the necessary "Required" and "Addressable" HIPAA safeguards in place. It helps greatly that they encrypt all data both in transit and at rest for enterprise customers and secure the encryption keys.

17 Current Status. We have a signed BAA with Box. We are HIPAA aligning IU authentication services (Shibboleth and CAS) for ePHI, with a final check by internal governance (Security, Audit, Compliance). After the above are completed, we will issue an ATO and make Box available to biomedical researchers as a HIPAA aligned collaboration tool.

18 4. Conclusions

19 Conclusions. Box provides an ideal data sharing environment for researchers, biomedical or otherwise. Our own NIST-based evaluation found Box to be capable of keeping our ePHI secure. We are using our existing standards to satisfy dependencies and ensure end-to-end security.

20 Contact
Bill Barnett: barnettw@iu.edu
Bob Flynn: reflynn@iu.edu
Anurag Shankar: ashankar@iu.edu

21 License Terms. Please cite as: Barnett, W., R. Flynn and A. Shankar, Bringing Box into HIPAA Alignment, presented at the Fall 2014 Coalition for Advanced Scientific Computing meeting, Arlington, DC. Items indicated with a © are under copyright and used here with permission. Such items may not be reused without permission from the holder of copyright except where license terms noted on a slide permit reuse. Except where otherwise noted, contents of this presentation are copyright 2011 by the Trustees of Indiana University. This document is released under the Creative Commons Attribution 3.0 Unported license (http://creativecommons.org/licenses/by/3.0/). This license includes the following terms: You are free to share (to copy, distribute and transmit the work) and to remix (to adapt the work) under the following conditions: attribution (you must attribute the work in the manner specified by the author or licensor, but not in any way that suggests that they endorse you or your use of the work). For any reuse or distribution, you must make clear to others the license terms of this work.

