Prime Factors Blog

Dropbox in Healthcare: What File Sharing Means for Patients

Posted by Gwen Fremonti on Mar 21, 2017 10:00:00 AM


Cloud sharing is on everyone's mind, even though some people still don't really understand what it is. It often helps to put a brand name to these generic services, and Dropbox is one of the most recognizable names among cloud service providers. Businesses around the country use Dropbox as a way to access and edit files from one central, user-friendly place. Accounts can be activated and deactivated in line with the projects employees are working on, and large files can be shared without hassle among multiple people.

While other services like Google Docs offer many of the same features, Dropbox has won the loyalty of millions of people with its free and paid packages alike. Many who use Dropbox use it primarily as a means to pass administrative files back and forth, but healthcare professionals have long recognized its potential for improving the level of patient care too. As file sharing is likely to increase across non-affiliated hospitals in the coming years, it's worth understanding what that really means for protected health information (PHI).

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Rules of the Past

Back in 2012 and 2013, regulators made it clear that covered entities could use a service like Dropbox, so long as Dropbox signed a Business Associate Agreement (BAA). This document commits a cloud provider to safeguarding PHI in accordance with the HIPAA and HITECH rules. However, when healthcare companies asked Dropbox to sign, they were told to seek services elsewhere. Dropbox never claimed to be HIPAA compliant, and made it clear on its website that its services did not meet the standard. At the time, Dropbox kept certain metadata that was neither encrypted nor otherwise protected, and the controls simply were not in place to store something as sensitive as protected health information; Dropbox was also loath to expose its business to potentially hefty government fines. Still, Dropbox makes its money from paid accounts, and healthcare companies were willing to pay for the upgraded features.

Stepping Up to the Plate

Dropbox changed its tune in 2015, and announced that it would sign BAAs for business customers who requested them. The cloud-sharing service promised to keep up with any changes made to HIPAA, so that it would not endanger its clients' reputation or finances, and it offers guidance to healthcare companies so they can integrate Dropbox into existing compliance strategies with as little disruption as possible. This January, Dropbox announced that it had acquired a number of additional clients in both the medical research and healthcare fields. It is a boon to its business that organizations like Gladstone Institutes and Boston Heart Diagnostics have chosen Dropbox to protect a vast array of information. Professionals can now share scanned images of tissue samples that colleagues can view and potentially even diagnose. Healthcare providers champion file sharing as a way to save time and increase accuracy in patient care. This change to a workflow that used to include physically mailing the samples can positively change how staff conduct business.

Exploring the Past

Many of these features sound too good to be true, so it's also worth addressing some of the less positive aspects of Dropbox's history. In 2012, the company suffered a breach whose full scope only became public in 2016: credentials for roughly 68 million accounts, consisting of email addresses and hashed passwords. Hashing differs from encryption in that it is one-way: a hash function turns a password into a fixed-size digest, and there is no key that turns the digest back into the password. That does not make a leaked hash harmless. An attacker who holds the dump can guess candidate passwords, hash each guess the same way, and compare the results; with a fast hash such as SHA-1, commodity GPUs test billions of guesses per second, so weak passwords fall quickly. Two things slow that down: a per-user salt, which prevents one precomputed table from being reused against all 68 million users, and a deliberately slow algorithm such as bcrypt, which raises the cost of every single guess. In this case, Dropbox appears to have done its due diligence for most users: roughly half of the leaked passwords were hashed with bcrypt, and the remainder with salted SHA-1. Security researchers who reviewed the dump judged the bcrypt-protected passwords impractical to recover at scale, while the salted SHA-1 set is cheaper to attack, and Dropbox forced a password reset for the affected accounts. But the efficacy of Dropbox when it comes to patients may be more complicated than that.
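To make the hashing point concrete, here is a small added example (written for this post, not Dropbox's code, and not a reconstruction of its storage format). It builds a constructed "leak" of salted hashes for made-up users, runs the only attack available against a hash, an offline dictionary attack, and measures why a slow, salted hash changes the economics. The user names, passwords and word list are constructed; PBKDF2 stands in for bcrypt because it ships with the Python standard library and works the same way (a salt plus a tunable work factor).

```python
"""
Added example: a leaked password hash is cracked by guessing, not decrypted,
and the choice of hash decides how expensive each guess is.

Everything below is constructed for the demonstration: the users, their
passwords, the attacker's word list, and the {user: (salt, hash)} "leak"
layout. None of it reflects Dropbox's real data or storage format.
"""
import hashlib
import hmac
import os
import time

# Attacker's word list (constructed, deliberately tiny).
WORDLIST = ["password", "letmein", "dropbox2012", "Summer2017!", "qwerty"]


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast salted hash: one SHA-1 over salt || password. The salt defeats
    precomputed tables, but each guess still costs only one SHA-1."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_slow(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Slow salted hash (PBKDF2-HMAC-SHA256, standard library). Same idea as
    bcrypt: a work factor makes every guess cost thousands of hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_leak(users: dict, hash_fn) -> dict:
    """Constructed 'leaked' records: {user: (salt, hash)} with a fresh
    random salt per user, which is how salting is supposed to be done."""
    leak = {}
    for user, password in users.items():
        salt = os.urandom(16)
        leak[user] = (salt, hash_fn(password, salt))
    return leak


def crack(stored_hex: str, salt: bytes, hash_fn, wordlist=WORDLIST):
    """Offline dictionary attack against one record: hash each candidate with
    the victim's salt and compare. Returns (password_or_None, guesses_made).
    There is no decryption step; the attacker can only guess and check."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(hash_fn(candidate, salt), stored_hex):
            return candidate, guesses
    return None, guesses


def crack_leak(leak: dict, hash_fn) -> dict:
    """Run the attack over the whole dump: {user: recovered_password_or_None}."""
    return {user: crack(h, salt, hash_fn)[0] for user, (salt, h) in leak.items()}


def seconds_per_guess(hash_fn, samples: int = 20) -> float:
    """Measure the attacker's cost of one guess under a given hash function."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "Tr0ub4dor&3"}   # constructed
    for name, fn in (("salted SHA-1", sha1_salted), ("PBKDF2", pbkdf2_slow)):
        leak = build_leak(users, fn)
        print(name, "recovered:", crack_leak(leak, fn),
              "cost/guess: %.2e s" % seconds_per_guess(fn))
```

Both hash functions give up "alice" to the word list, because a hash cannot hide a password that the attacker guesses; what the slow hash changes is the price of each guess, which is what turns a 68-million-row dump from a weekend job into an impractical one for the users who chose decent passwords.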

What File Sharing Means for Companies

Practically every company that promotes security believes it has taken all the necessary precautions. However, these promises are notoriously difficult to keep, especially against skilled attackers who have nothing but time to solve the problem. While most people seem to agree that Dropbox is committed to keeping the public's information safe, healthcare companies still need to be careful. Migrating to a new communication system can fluster and aggravate employees, regardless of how simple the new way may seem, and a BAA covers only the provider's side of the arrangement: how your staff configure sharing, who holds links to a folder, and whether access is revoked when a project ends remain your responsibility. Complications that could never be foreseen can end up costing millions if even one wrong person gains access to patient files. If you're thinking about implementing file sharing, it will still require further steps on your end. The more eyes and hands involved with one medical record, the more likely it is that someone will make an error with it. Encrypting or tokenizing PHI before it is uploaded, with the keys or the token vault held outside the file-sharing service, makes the data unreadable to anyone who does get their hands on the files, whether through a breach of the provider or through a mistake on your side.
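As an added illustration of that last point (example code written for this post, not Prime Factors' product and not a Dropbox feature), the block below tokenizes the identifying fields of a patient record before the record goes into a shared folder. The token vault holds the mapping from random tokens back to the real values and would live in a separately access-controlled system; the shared copy carries only tokens plus the clinical fields the recipient actually needs. The record, the patient data and the PHI_FIELDS list are constructed assumptions for the example, not a regulatory definition of PHI. It also includes a pre-upload check for a common failure mode: identifying details repeated inside free-text notes, which field-level tokenization does not touch.

```python
"""
Added example: tokenize PHI fields before a record is placed in a shared
folder, so the shared copy is unreadable without the separately held vault.

Constructed for illustration: the record layout, the sample patient values,
the PHI_FIELDS list (an assumption about which fields identify a patient),
and the vault design. Not Prime Factors' product, not a Dropbox feature.
"""
import secrets

# Fields treated as identifying PHI for this example (assumption, not a
# regulatory list). Clinical fields the recipient needs stay in the clear.
PHI_FIELDS = ("mrn", "name", "dob", "ssn")


class TokenVault:
    """Maps random tokens back to original values. In a real deployment this
    lives in its own access-controlled service, never in the shared folder."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}   # reuse one token when a value recurs

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._value_to_token:
            # secrets.token_hex gives a token with no relation to the value,
            # so the token itself leaks nothing about the patient.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]   # KeyError for an unknown token


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy that is safe to drop in a shared folder: every PHI field
    replaced by a token, every other field left untouched."""
    shared = dict(record)
    for field in PHI_FIELDS:
        if shared.get(field) is not None:
            shared[field] = vault.tokenize(field, str(shared[field]))
    return shared


def detokenize_record(shared: dict, vault: TokenVault) -> dict:
    """Reverse tokenize_record for a reader who has vault access."""
    record = dict(shared)
    for field in PHI_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and value.startswith("tok_"):
            record[field] = vault.detokenize(value)
    return record


def leaks_phi(shared: dict, original: dict) -> bool:
    """Pre-upload check: does the shared copy still contain any original PHI
    value anywhere, including inside free-text fields such as notes?"""
    blob = str(shared).lower()
    return any(
        str(original[f]).lower() in blob for f in PHI_FIELDS if original.get(f)
    )


if __name__ == "__main__":
    # Constructed sample record; no real patient.
    record = {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1980-02-14",
              "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes",
              "notes": "Follow up in 6 weeks."}
    vault = TokenVault()
    shared = tokenize_record(record, vault)
    print("shared copy:", shared)
    print("leaks PHI?", leaks_phi(shared, record))
    print("round trip ok:", detokenize_record(shared, vault) == record)
```

The leaks_phi check is the caveat a practitioner wants here: if a clinician writes "Jane Doe reports improvement" in the notes field, tokenizing the structured fields alone still ships the patient's name to the shared folder, and the upload should be refused until the free text is cleaned or the whole file is encrypted instead.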

What It Means for Patients

The average patient is more concerned about their overall health than about how their information is being shared. After all, their files are being shared with other professionals who could potentially save their lives. The problem arises when the data is compromised, confused, or otherwise lost. Medical fraud has been on the rise for a variety of reasons. Insurance companies, vendors, doctors and even the patients themselves all have access to PHI, creating many avenues for attackers to make their move. With trillions of dollars spent on healthcare in a single year, attackers continue to see it for the profitable target it is. Criminals may be after free services, reimbursement for fictitious services, financial details, or even material for blackmail. The bigger Dropbox (and file sharing in general) gets, the more attackers will ramp up their efforts. Patients will inevitably need as many security layers as possible to stay safe.



Topics: encryption, PCI Data Encryption, hipaa