ARCHIVED: Protect sensitive data in Box
On this page:
- Before you begin
- Understand folder ownership
- Configure folders to protect data (co-owners)
- Use Box with sensitive data (everyone)
Before you begin
IU's Box cloud storage service was retired on May 10, 2021. For information about cloud storage options available at IU, see Storage at IU.
At Indiana University, to store Restricted and some Critical institutional data, such as approved protected health information (PHI), in IU Box:
- Verify that your data are allowed in Box; see ARCHIVED: Types of data appropriate for IU Box accounts.
- Put the data in a folder owned by the appropriate account.
- Understand and implement the security measures listed below.
This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.
Understand folder ownership
Although Box itself is a secure platform (for more, see ARCHIVED: Safety of files and data in enterprise Box), individual choices determine how secure a given piece of data is. Folder ownership and settings are key to the security of data in Box. When you log into Box for everyday work, you will interact with a variety of shared and private folders, each with its own level of security set by its owner. At Indiana University, institutional data must be owned by non-individual accounts (rather than individual user accounts), as this ensures that data will not move or be lost if an employee moves departments or leaves IU.
To maintain security, approved PHI may only be contained in a folder owned by a Box Health Data Account (BHDA), although you will interact with this data from within your own IU Box account. Restricted data stored in Box must be contained in a folder owned by a Box Entrusted Data Account (BEDA).
Configure folders to protect data
Visual indicators
There is no Box folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted data or approved PHI will appear alongside private folders and standard collaboration folders in each individual's Box account. Therefore, the folder owner or co-owner needs to give visual cues to the folder collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Box Health Data Accounts and Box Entrusted Data Accounts to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Box. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with and where sensitive data should be stored.
Folder icons
Folders in Box appear differently based on whether they are shared or private, hosted at IU or hosted externally, and synced or not synced. See the table below for examples. However, in order to see what account owns a given folder, you need to click the folder row and look at the tab in the right-hand pane (you may need to enlarge your browser window to see it). Keep in mind:
- Do not put Restricted or Critical data in externally hosted folders.
- Do not put Restricted or Critical data in a folder owned by an individual. This prevents exposure or loss of the data if an individual account owner leaves the university or changes departments. (Folders owned by BHDAs and BEDAs are, by their nature, not owned by individuals.)
- See Sync for important guidelines about syncing. (Note that, in addition to the checkmark illustrated below for individual folders, you can also determine which folders you have synced by clicking in the left pane.)
[Table in the original page: folder icon examples for the folder types Private; Private, synced; Shared; Shared, synced, tagged; and External. The Characteristics and Appearance columns were images and are not reproduced here.]
Folder naming convention
The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the following naming conventions for all folders owned by Box Entrusted Data and Box Health Data Accounts (and only those folders). Only folder names need follow these conventions, not individual filenames. Complete and logical folder names will also help you and others use Box's search tool to find information. Folder and file names have a 255 character maximum.
- Box Entrusted Data Accounts: Folder names must begin with [Box Entrusted], (Box Entrusted), or {Box Entrusted}. Whichever option you choose, use it consistently for all folder names in the account. Example folder and sub-folder names for a review committee might be:
  [Box Entrusted] Prof. John Doe Tenure Committee
  [Box Entrusted] Prof. John Doe Tenure - Supporting Documents
- Box Health Data Accounts: Folder names must begin with [Box Health], (Box Health), or {Box Health}. Whichever option you choose, use it consistently for all folder names in the account. An example folder name for a research project might be:
  [Box Health] Jones Pancreatic Cancer Study Team
Note: Box Health Data Accounts will be regularly audited to ensure this naming convention is followed. For Box Entrusted Data Accounts, co-owners are responsible for monitoring naming convention compliance.
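As an added example (not code from the original KB article or from IU), the following Python script applies the naming convention above to a list of folder names, the kind of check a co-owner or auditor would run over an account's folder listing. The account-type keys, the report layout and the sample folder names are assumptions constructed for this example.

```python
import re
from collections import Counter

# The three prefix styles the convention allows; one style must be used
# consistently within an account.
PREFIX_RE = re.compile(r"^([\[\(\{])(Box Entrusted|Box Health)([\]\)\}])")
CLOSERS = {"[": "]", "(": ")", "{": "}"}
MAX_NAME_LEN = 255  # Box folder/file name limit stated above
LABELS = {"entrusted": "Box Entrusted", "health": "Box Health"}  # assumed account-type keys

def check_folder_name(name, account_type):
    """Return findings for one folder name (empty list = compliant)."""
    findings = []
    expected = LABELS[account_type]
    if len(name) > MAX_NAME_LEN:
        findings.append("name exceeds 255 characters")
    m = PREFIX_RE.match(name)
    if not m:
        findings.append(f"missing required prefix [{expected}] / ({expected}) / {{{expected}}}")
        return findings
    opener, label, closer = m.groups()
    if CLOSERS[opener] != closer:
        findings.append("mismatched prefix brackets")
    if label != expected:
        findings.append(f"prefix says '{label}' but this is a {expected} account")
    return findings

def audit_account(folder_names, account_type):
    """Audit every folder name in one account. Returns {name: findings} plus an
    '*account*' entry when more than one prefix style is in use."""
    report, styles = {}, Counter()
    for name in folder_names:
        findings = check_folder_name(name, account_type)
        if findings:
            report[name] = findings
        else:
            styles[name[0]] += 1   # compliant name, so name[0] is its opener
    if len(styles) > 1:
        report["*account*"] = [f"inconsistent prefix styles in use: {sorted(styles)}"]
    return report

# Constructed sample modeled on the page's examples; not real folders.
SAMPLE_BEDA = [
    "[Box Entrusted] Prof. John Doe Tenure Committee",
    "[Box Entrusted] Prof. John Doe Tenure - Supporting Documents",
    "(Box Entrusted) Budget Drafts",     # compliant alone, but a second style
    "Tenure Committee Notes",            # no prefix at all
    "[Box Health] Misfiled Study Data",  # prefix for the wrong account type
]
```

Only folder names are checked, matching the convention's scope; file names are not subject to it.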
Descriptions
Any file or folder in Box can have a brief description. A folder's description will appear at the top of the page when you're in the folder; in the folder list view, you can hover over the information icon to the right of a file or folder name or click the tab in the right-hand pane to see the description. UITS recommends using the description field to indicate the purpose or nature of an item to collaborators. You will have the option to add a description when creating or uploading an item. To add a description to an existing file or folder in Box, in the folder view, click the row of the item, and in the tab in the right pane, enter your text under "Description".
Tags
Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tags can be applied to files as well as folders. You must tag each item manually (tags do not automatically propagate to contents or subfolders), but you can select more than one item at the same level and tag them all at once.
To apply tags:
- Right-click the file or folder and choose , and then .
- In the pop-up window that opens, enter your tag.
Shared links
Shared links are used primarily for distributing content; inviting others as collaborators is appropriate when others will be working with the content. However, for Box Health Data Accounts and Box Entrusted Data Accounts, you may use shared links only to share content with those who are already collaborators in the folder. For more about these two methods, see ARCHIVED: Share and collaborate on files with Box.
UITS recommends the following best practices for shared links in Box:
- Unless there is a strong need to customize, use the default URL generated by Box (with a random numeric string) for your shared link, rather than using the Custom URL feature. Customized Box shared links (those beginning with https://iu.app.box.com/v/) that are set to open access ( ) and are not password protected are vulnerable to being guessed by computer algorithms.
- Regardless of whether it is a default or custom shared link, if you share any data that should not be public and need to set the access level to , set a password on your link.
- Whenever you create a shared link of any kind, consider how long the link will be necessary. If you can determine a time limit, set an expiration date to minimize future concerns about data exposure.
For information on how to access and set these controls, see:
Collaborator permission levels
To share data, invite others into the appropriate folder as collaborators. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.
- UITS strongly recommends inviting collaborators at a level no higher than Viewer Uploader. Note that the default setting (Editor) is higher than this recommendation. Viewer Uploader is adequate for editing tasks, but does not allow Sync or content deletion. If you need higher permissions for your collaborators, consult with Health Technology Services (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
- Box uses waterfall permissions; that is, collaborators will have the same permission level in subfolders as they do in the top folder. For details, see ARCHIVED: Share and collaborate on files with Box.
- Never use single-file collaboration with Box Health Data or Box Entrusted Data Accounts. Collaboration must occur on the folder level only, as this is the level where the naming convention will tell collaborators that they are working with sensitive data. If you feel that your use case absolutely necessitates using single-file collaboration, you must consult with HTS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
Action | Co-owner | Editor | Viewer Uploader | Previewer Uploader | Viewer | Previewer | Uploader |
---|---|---|---|---|---|---|---|
Download | ✔Yes | ✔Yes | ✔Yes | No | ✔Yes | No | No |
Comment | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | No |
Delete | ✔Yes | ✔Yes | No | No | No | No | No |
Create tasks | ✔Yes | ✔Yes | ✔Yes | No | ✔Yes | No | No |
Tag | ✔Yes | ✔Yes | No | No | No | No | No |
Invite people | ✔Yes | ✔Yes* | No | No | No | No | No |
Edit folder name | ✔Yes | ✔Yes | No | No | No | No | No |
Edit folder properties | ✔Yes | No | No | No | No | No | No |
Preview | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | No |
Send view-only links | ✔Yes | ✔Yes | ✔Yes | No | ✔Yes | No | No |
Upload | ✔Yes | ✔Yes | ✔Yes | ✔Yes | No | No | ✔Yes |
View items in folder | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes |
Sync folder | ✔Yes | ✔Yes | No | No | No | No | No |
Set access permissions | ✔Yes | ✔Yes | No | No | No | No | No |
Restrict invitations | ✔Yes | No | No | No | No | No | No |
View access stats | ✔Yes | ✔Yes | No | No | No | No | No |
Create/edit Box Notes | ✔Yes | ✔Yes | ✔Yes | No | No | No | No |
View Box Notes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes | No |
* Disabled by default in Box Health Data Accounts and Box Entrusted Data Accounts.
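Added example, not part of the original article or of Box's API: a Python check that applies the shared-link guidance and the collaborator permission recommendations above to records of links and collaborators, the sort of review a co-owner would run over a BHDA or BEDA folder. The SharedLink and Collaboration field names, the access-level strings and the sample records are assumptions constructed for this example; the roles treated as "above Viewer Uploader" are the two the permission table shows with Sync and Delete.

```python
from dataclasses import dataclass
from datetime import date

CUSTOM_PREFIX = "https://iu.app.box.com/v/"        # custom-URL prefix named on the page
ROLES_ABOVE_VIEWER_UPLOADER = {"Editor", "Co-owner"}  # can Sync and Delete per the table

@dataclass
class SharedLink:
    """Constructed model of a shared link; field names are assumptions, not Box's API."""
    url: str
    access: str                  # "collaborators", "company" or "open"
    password_protected: bool
    expires: date = None         # None = no expiration date set
    recipient_is_collaborator: bool = True

@dataclass
class Collaboration:
    """Constructed model of one collaborator's membership in a folder."""
    user: str
    role: str
    on_single_file: bool = False

def audit_shared_link(link, sensitive_account=True):
    """Return findings for one link (empty list = compliant with the guidance above)."""
    findings = []
    if link.access == "open" and not link.password_protected:
        findings.append("open access without a password")
        if link.url.startswith(CUSTOM_PREFIX):
            findings.append("custom URL with open access is guessable")
    if link.expires is None:
        findings.append("no expiration date set")
    if sensitive_account and not link.recipient_is_collaborator:
        findings.append("BHDA/BEDA links may only go to existing collaborators")
    return findings

def audit_collaboration(c):
    """Return findings for one collaborator (empty list = compliant)."""
    findings = []
    if c.on_single_file:
        findings.append("single-file collaboration is not allowed in BHDA/BEDA folders")
    if c.role in ROLES_ABOVE_VIEWER_UPLOADER:
        findings.append(f"{c.role} exceeds Viewer Uploader (permits Sync and deletion)")
    return findings

# Constructed sample records, not real links or people.
SAMPLE_LINKS = [
    SharedLink(CUSTOM_PREFIX + "tenure-docs", "open", False, None, False),
    SharedLink("https://example.invalid/s/a1b2c3d4", "collaborators", True,
               date(2021, 6, 30), True),
]
SAMPLE_COLLABS = [Collaboration("alice", "Editor"),
                  Collaboration("bob", "Viewer Uploader"),
                  Collaboration("carol", "Viewer", on_single_file=True)]
```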
Folder security settings
In both Box Health Data accounts and Box Entrusted Data accounts, the folders' security settings will be set for you by administrators. Do not change any of those settings without first consulting with HTS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts). The settings will be as follows:
Collaboration
- Invitation Restrictions:
- (checked): Restrict the ability to invite collaborators to only owners and co-owners. No other permission level will be able to invite collaborators. This is the single most important setting for securing your files and folders. Only individuals who own the content should decide who is able to access the content.
- (depends): This setting determines whether or not this folder and its content will allow collaborators outside of IU. This will vary by your department/project needs. It is your responsibility to share data with only those who should have access to the data.
- (unchecked): This option is only useful if you are sharing with "People with the link" or "People in your company." Do not check this for any folder containing Restricted or Critical data.
- Commenting:
- (unchecked): As sharing and collaboration is the goal of using Box, UITS does not recommend disabling the ability to comment on folders. Keep in mind that all roles (except Uploader) have the ability to view comments.
- Shared Link Access:
- (checked): Shared links provide quick access directly to files and folders by only clicking the link. This setting limits access to shared links to those who already have access to the content as collaborators. This is an important access control for any folder you are trying to secure and monitor. Leave the option next to "For:" set to .
Privacy
- Collaborators:
- (unchecked): UITS does not recommend hiding collaborators with Restricted or Critical data; it is more secure to know exactly who has access to files and folders.
Watermarking
- Watermark Folder:
- (checked): Watermarking can help deter unauthorized re-sharing of sensitive information in your Box account. When you turn on watermarking for a file, it places a semi-transparent overlay of the current viewer's email address or IP address (depending on whether the viewer is logged in or not), as well as time of access, across the document's contents. For more, see Watermarking Files.
Uploading
- Email Uploads:
- (unchecked): If anyone (you or your collaborators) were to send sensitive data via an unencrypted email message, the data would not be protected in transit. It is more secure to only allow uploads using the web interface or Box Drive.
Use Box with sensitive data
Everyone who interacts with sensitive data in Box, including owners, co-owners, and other collaborators, must help keep it secure. If you put sensitive data in Box, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.
Laptop and mobile device security
IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Box with sensitive data.
Box apps
Only a subset of official and third-party Box Apps are approved for use with institutional data. Apps not listed in the ARCHIVED: approved list may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's Box agreement. Also, ARCHIVED: certain apps are approved for use with most institutional data, but not approved for PHI; these may not be used with any data in Box Health Data Accounts.
See below for additional details about certain apps.
Box Sync
Syncing folders allows data to be transferred without a log trail, which presents a security risk for regulated data. In addition, having extra copies of data on a local device increases the risk of inappropriate access. Therefore:
- Do not sync folders containing PHI or other sensitive university data unless it is required for your work.
- Do not sync folders containing PHI or other sensitive university data onto a personally owned computer under any circumstances.
- Unless your collaborators require Sync to perform their tasks, prevent them from syncing folders by inviting them at a permission level that does not allow it--that is, no higher than Viewer Uploader--as recommended above.
- If you feel that Sync is necessary for you or your collaborators, consult with HTS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts) before enabling it.
Also, be aware that tags and descriptions do not propagate via Sync.
Box Drive
You may use Box Drive to access protected health information (PHI) in Box Health Data Accounts (BHDAs) and Restricted institutional data in Box Entrusted Data Accounts (BEDAs) in online mode only; those folders must not be marked for offline availability. For more about Box Drive, see ARCHIVED: About Box Drive.
Box Edit
Box Edit at IU is approved for use with the sensitive data allowed in Box, including PHI. However, it is still important to follow these best practices when working with PHI through Box Edit:
- Always close the application you are editing in and log out of Box from your browser before you leave or log off of your computer. This way, if access to your computer is compromised, the restricted data will remain protected.
- If you have any questions or concerns about the security of your data when using Box Edit, consult with HTS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
Box for Office
Box for Office at IU (not to be confused with Box for Office Online) is a plug-in for Microsoft Office for Windows. It is approved for use with the sensitive data allowed in Box, including PHI. However, it is still important to follow these best practices when working with PHI through Box for Office:
- Always close the application you are editing in and log out of Box for Office before you leave or log off of your computer. This way, if access to your computer is compromised, the restricted data will remain protected.
- If you have any questions or concerns about the security of your data when using Box for Office, consult with HTS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
This is document bfpj in the Knowledge Base.
Last modified on 2021-02-26 10:56:16.