Dropbox and HIPAA?

In your opinion, is Dropbox HIPAA compliant? They say they have 256-bit encryption and an SSL/TLS secure transfer tunnel. If password protected, it seems like that would meet HIPAA guidelines, though the laws never specifically say what adequate protection measures are.
maharlika asked:

Dave Baldwin (Fixer of Problems) commented:
It is unlikely because HIPAA also requires physical security. If you were audited, how would you show that Dropbox has the physical security required by HIPAA?
0
maharlika (Author) commented:
HIPAA requires that PHI is encrypted at rest (i.e. where it's stored) and while in transit (if it's uploaded or moved). That's been our understanding, anyway. Same logic as for email: it must be encrypted both during transfer and storage, but we have no control over physical security once the message is sent.
0
Dave Baldwin (Fixer of Problems) commented:
But Dropbox is an 'at rest' storage location. ??
0

maharlika (Author) commented:
Dropbox says it's encrypted both at rest and in transit, so that seems like it meets HIPAA guidelines.
0
Dave Baldwin (Fixer of Problems) commented:
It might then.
0
Rich Rumble (Security Samurai) commented:
You can use hosting providers under HIPAA, PCI, etc., but as pointed out they must have certain controls, or you do, to ensure the data can't be snooped on by the provider. You probably can't use Dropbox as is and pass compliance. The encrypted-in-transit part is about all you can be sure of, and even then it's possible for them to man-in-the-middle themselves and you'd never know it, and they could read your data in transit.
Box claims they are compliant and are certified to be used by organizations that need HIPAA: https://support.box.com/hc/en-us/articles/200526618-Box-HIPAA-and-HITECH-Overview-and-FAQs
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Dropbox has yet to make the same assertions.
-rich
0
