Have you ever used, or thought about using, Dropbox, Google Docs, or OneDrive? You may have seen your kids using these applications for their school work and wondered whether they were tools you could use for your work. These types of applications are known as file hosting or file sharing applications, and they have become extremely popular with many users. The applications allow a user to save documents to a special folder that can be accessed from anywhere. You can also make the folder available to others who are collaborating with you on a project, and they can access the files from anywhere.
Unfortunately, with speed and ease of access, there are also drawbacks. In most instances, these file sharing applications, which are quick to install and easy to use, can present unacceptable security, legal and business risks.
File sharing applications pose many challenges to an organization’s data. For Baptist, this becomes particularly concerning in relation to patient and employee data. Employees who use these applications can inadvertently cause massive data leaks or security breaches.
The following is a list of some of the common risks associated with file sharing applications:
- Data theft – Use of file sharing applications can open the door to our data being synced across your personal devices, such as your smartphone, iPad, or other tablet. If those devices are not appropriately secured and encrypted, theft of the device also means theft of patient or employee data.
- Data loss – Some file sharing applications may not properly back up files if you edit the document using a mobile device. So, if the original file is accidentally deleted or becomes corrupted, you will not be able to recover the file. In contrast, files stored on Baptist’s network are routinely backed up and are recoverable.
- Corrupted data – Many file sharing applications do not implement data integrity assurance systems to ensure that data is not corrupted.
- Data sharing – The company that hosts the file sharing application may reserve the right to review documents stored on its servers. Consequently, the company’s review of business documents could violate the terms of confidentiality agreements we have in place with other companies. Patients’ privacy rights could also be violated by the company reviewing any files containing patient data.
- HIPAA violations – Because Baptist does not have business associate agreements in place with these vendors, they are under no obligation to secure or protect Protected Health Information (PHI). Since Baptist is responsible for the protection of patient data it creates or receives, a breach of data stored on a file sharing site could still constitute a breach for Baptist, and Baptist would need to comply with HIPAA’s breach notification process.
- Loss of file access – Many file sharing programs do not track which users or devices accessed a file or at which times. This lack of audit information can pose a big problem if you need to determine the events leading up to a file creation, modification, or deletion.
As you can see, not all tools designed to make life easier actually accomplish their purpose. File sharing applications can be very useful for certain types of projects, but they are often not appropriate for sensitive or confidential data. It is important to understand the security options available for a file sharing application prior to saving any confidential data to the application. The Corporate Privacy & Security Department is available to help team members find appropriate tools to allow them to perform their work in an efficient and secure manner. Please contact Barbara Anson, program director for the Corporate Information, at (901) 227-3446 if you need assistance.