Cloud-based file-sharing services like Dropbox have become popular, but organizations with sensitive data say they're reluctant to turn it over to cloud services. Instead, they're buying file-sharing products they manage on their own for bulk file transfers among business partners.
They're setting up their own large-file transfer services using products from Biscom and Accellion, among others, to allow password-protected access to upload or download large amounts of data. Among the advantages of these products, according to enterprise IT managers using them, is that they can be integrated with Active Directory or LDAP for role-based end-user authentication privileges.
Rodney Cook, information technology manager for Denver-based CACHIE Support Services, the separate tech services arm for the Colorado Community Managed Care Network (CCMCN), says his job is to provide help to outside healthcare providers in setting up electronic patient records that qualify under federal Medicare/Medicaid rules.
CACHIE provides a fairly new type of electronic file storage and management service that's now being funded in every state as part of the Patient Protection and Affordable Care Act of 2010, Cook says. "Every state has at least one," he adds, saying CACHIE is funded in Colorado to encourage the rollout of electronic health records and provide data storage for organizations that don't want to do this on their own.
While CACHIE's parent organization, CCMCN, did at one time use Dropbox for its own internal needs such as writing research grants, some of the security incidents at Dropbox during the past year prompted CCMCN to look for alternatives to cloud services when it was setting up CACHIE Support Services to share sensitive personal health information.
Dropbox had a glitch related to a software upgrade last June that affected the authentication mechanism and allowed logging into an account without the correct password, Dropbox acknowledged. Dropbox was also in the news last August, when security researchers at USENIX disclosed exploits against the service, vulnerabilities that Dropbox fixed.
It all convinced Cook that CACHIE should manage its own file-sharing with healthcare providers, and the choice was made to use the Accellion Secure Collaboration appliance to send and receive large electronic files securely.
"Not only is it encrypted but we integrate it with Active Directory," says Cook. There's a file-synchronization feature and it's possible to set timelines for documents, requiring them to be checked at specific intervals. CACHIE now uses this with 123 healthcare providers in Colorado to help them manage electronic patient files.
Boston-based Children's Hospital, the primary pediatric teaching hospital for Harvard Medical School, also had a file-sharing requirement, and it chose to go with Biscom a few years ago. Scott Bolser, messaging and collaboration team leader at Children's Hospital, says that at the time, the licensing arrangement for the Biscom Delivery Server was more attractive than comparable products from Accellion.
The Biscom software, which sits on a Windows server, supports encrypted file-sharing mainly among researchers who might need to send a 50MB radiology file, which falls way outside the normal 10- to 20-meg limits for e-mail messages. For those authorized to use Biscom, "they fill out a form and it looks like you're composing e-mail," he says. "But we have the file, not a cloud service."
Bolser says the integration with Active Directory and LDAP for internal users helps in security administration. Biscom is set up at Children's Hospital to allow users to register themselves and create a password, and it's used with outside partners on a sporadic basis when file-sharing needs arise. Biscom has a flexible licensing scheme that lets the hospital buy 500 licenses but revoke any of them when they're not in everyday use. And Children's Hospital IT staffers have administrative oversight to determine how any of the file-sharing takes place.
But can cloud-based file-sharing services suffice instead of the enterprise operating its own bulk file-sharing?
"Dropbox doesn't make the cut for enterprise-class security," says Gartner analyst John Pescatore, but he adds that other cloud file-sharing services, including Box, might under certain circumstances.
Enterprises, especially those with sensitive healthcare or financial data, must not only ensure the encryption they need is in place, but that the service provider can satisfy various regulatory requirements, he says.
For the government's HIPAA guidelines, for example, that would include having a so-called "business associate agreement." In addition, in general it needs to be clear how e-discovery can be done to satisfy any legal demands. Plus, if there's concern over where exactly data is held, the cloud provider is going to have to be transparent about that, Pescatore says. And when an employee leaves the company, you'll want to be sure you can de-provision them, which is generally more easily done with file-sharing products maintained on site.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.