Protect sensitive data in Box

Before you begin

At Indiana University, to store Restricted and some Critical institutional data, such as approved protected health information (PHI), in IU Box:

  1. Verify that your data are allowed in Box; see Types of data appropriate for IU Box accounts.
  2. Put the data in a folder owned by the appropriate account; see Request an IU Box account for use with sensitive data.
  3. Understand and implement the security measures listed below.
Note:
The following procedures and practices are necessary with Box Health Data Accounts or Box Entrusted Data Accounts, but many of them can be applied anytime you are collaborating in Box.

This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

Understand folder ownership

Although Box itself is a secure platform (for more, see Safety of files and data in enterprise Box), individual choices determine how secure a given piece of data is. Folder ownership and settings are key to the security of data in Box. When you log into Box for everyday work, you will interact with a variety of shared and private folders, each with its own level of security set by its owner. At Indiana University, institutional data must be owned by non-personal accounts (rather than individual user accounts), as this ensures that data will not move or be lost if an employee moves departments or leaves IU.

To maintain security, approved PHI may only be contained in a folder owned by a Box Health Data Account (BHDA), although you will interact with this data from within your own IU Box account. Restricted data stored in Box must be contained in a folder owned by a Box Entrusted Data Account (BEDA).

Configure folders to protect data

Visual indicators

There is no Box folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted data or approved PHI will appear alongside private folders and standard collaboration folders in each individual's Box account. Therefore, the folder owner or co-owner needs to give visual cues to the folder collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Box Health Data Accounts and Box Entrusted Data Accounts to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Box. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with and where sensitive data should be stored.

Folder icons

Folders in Box appear differently based on whether they are shared or private, hosted at IU or hosted externally, and synced or not synced. See the table below for examples. However, in order to see what account owns a given folder, you need to click the folder row and look at the Sharing tab in the right-hand pane (you may need to enlarge your browser window to see it). Keep in mind:

  • Do not put Restricted or Critical data in externally hosted folders.
  • Do not put Restricted or Critical data in a folder owned by an individual. This prevents exposure or loss of the data if an individual account owner leaves the university or changes departments. (Folders owned by BHDAs and BEDAs are, by their nature, not owned by individuals.)
  • See Sync for important guidelines about syncing. (Note that, in addition to the checkmark illustrated below for individual folders, you can also determine which folders you have synced by clicking Synced to Desktop in the left pane.)
Folder type            | Characteristics                                                                                                   | Appearance
-----------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------
Private                | Hosted on IU Box; only you have access.                                                                           | Plain yellow folder icon
Private, synced        | Hosted on IU Box; only you have access; you synchronize the contents of this folder or a subfolder to your local computer. | Plain yellow folder icon with checkmark to the right
Shared                 | Hosted on IU Box; shared link; description appears when hovering over the info icon.                              | Blue folder icon
Shared, synced, tagged | Hosted on IU Box; you synchronize the contents of this folder or a subfolder to your local computer.              | Blue folder icon with tag below and checkmark to the right
External               | Shared folder; hosted externally to IU.                                                                           | Gray folder icon

Folder naming convention

The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the following naming conventions for all folders owned by Box Entrusted Data and Box Health Data Accounts (and only those folders). Only folder names need follow these conventions, not individual filenames. Complete and logical folder names will also help you and others use Box's search tool to find information. Folder and file names have a 255 character maximum.

Important:
Because collaborators added at a lower level only see the name of the folder at the level to which they're added, you must maintain these naming conventions for all subfolders as well. Additionally, you should never add a collaborator to a single file in a BHDA- or BEDA-owned folder, as they will be unable to see the naming convention of the folder that indicates the sensitivity of the file.
  • Box Entrusted Data Accounts: Folder names must begin with [Box Entrusted], (Box Entrusted), or {Box Entrusted}. Whichever option you choose, use it consistently for all folder names in the account. Example folder and sub-folder names for a review committee might be:
    • [Box Entrusted] Prof. John Doe Tenure Committee
      • [Box Entrusted] Prof. John Doe Tenure - Supporting Documents
  • Box Health Data Accounts: Folder names must begin with [Box Health], (Box Health), or {Box Health}. Whichever option you choose, use it consistently for all folder names in the account. An example folder name for a research project might be:
    • [Box Health] Jones Pancreatic Cancer Study Team
    Note:
    Box Health Data Accounts will be regularly audited to ensure this naming convention is followed. For Box Entrusted Data Accounts, co-owners are responsible for monitoring naming convention compliance.
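The article requires a consistent prefix on every folder and subfolder of a BHDA or BEDA and says those accounts are audited for it. The following checker is an added example (not IU's or Box's own tooling): given the folder paths of an account as you might export them from a folder listing, it reports folders that lack the required prefix, names over the 255-character limit, and accounts that mix bracket styles. The sample tree and the "BEDA"/"BHDA" account labels are constructed for the example.

```python
import re
from collections import Counter

# Labels required by the IU convention; each may be wrapped in [], () or {}.
PREFIX_LABELS = {"BEDA": "Box Entrusted", "BHDA": "Box Health"}
MAX_NAME_LEN = 255  # Box folder/file name limit stated in the article


def _prefix_regex(label):
    # Exactly the three accepted forms, e.g. "[Box Health]", "(Box Health)", "{Box Health}".
    forms = [re.escape(open_ + label + close) for open_, close in ("[]", "()", "{}")]
    return re.compile("^(" + "|".join(forms) + ")")


def audit_folder_names(account_type, folder_paths):
    """Return [(folder_path, problem), ...] for every folder that breaks the convention.

    account_type: "BEDA" or "BHDA" (labels chosen for this example).
    folder_paths: all folder paths in the account tree, "/"-separated. Every path
    component is checked, because a collaborator added to a subfolder only sees
    that subfolder's name.
    """
    pattern = _prefix_regex(PREFIX_LABELS[account_type])
    problems, styles, checked = [], Counter(), set()
    for path in folder_paths:
        parts = [p for p in path.split("/") if p]
        for depth in range(1, len(parts) + 1):
            subpath = "/".join(parts[:depth])
            if subpath in checked:
                continue  # parent folders recur in many paths; report each once
            checked.add(subpath)
            name = parts[depth - 1]
            if len(name) > MAX_NAME_LEN:
                problems.append((subpath, "name exceeds 255 characters"))
            match = pattern.match(name)
            if match is None:
                problems.append((subpath, "missing required prefix"))
            else:
                styles[match.group(1)[0]] += 1  # remember which bracket style was used
    if len(styles) > 1:
        # The convention requires one bracket style used consistently across the account.
        problems.append(("<account>", "mixed bracket styles in account: " + ", ".join(sorted(styles))))
    return problems


# Constructed sample tree for a Box Entrusted Data Account (not real IU data).
SAMPLE_BEDA_FOLDERS = [
    "[Box Entrusted] Prof. John Doe Tenure Committee",
    "[Box Entrusted] Prof. John Doe Tenure Committee/[Box Entrusted] Prof. John Doe Tenure - Supporting Documents",
    "[Box Entrusted] Prof. John Doe Tenure Committee/Letters",  # subfolder lost the prefix
    "(Box Entrusted) Search Committee 2019",  # second bracket style in the same account
]

if __name__ == "__main__":
    for folder, problem in audit_folder_names("BEDA", SAMPLE_BEDA_FOLDERS):
        print(f"{problem}: {folder}")
```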

Descriptions

Any file or folder in Box can have a brief description. A folder's description will appear at the top of the page when you're in the folder; in the folder list view, you can hover over the information icon to the right of a file or folder name or click the Details tab in the right-hand pane to see the description. UITS recommends using the description field to indicate the purpose or nature of an item to collaborators. You will have the option to add a description when creating or uploading an item. To add a description to an existing file or folder in Box, in the folder view, click the row of the item, and in the Details tab in the right pane, enter your text under "Description".

Tags

Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tags can be applied to files as well as folders. You must tag each item manually (tags do not automatically propagate to contents or subfolders), but you can select more than one item at the same level and tag them all at once.

Note:
Simply tagging a file as "sensitive", "Entrusted Data", or "Health Data" does not meet the requirements for storing sensitive data if the files are not stored in the appropriate account.

To apply tags:

  1. Right-click the file or folder and choose More Actions, and then Add or Edit Tags.
  2. In the pop-up window that opens, enter your tag.

Shared links

Shared links are used primarily for distributing content; inviting others as collaborators is appropriate when others will be working with the content. However, for Box Health Data Accounts and Box Entrusted Data Accounts, you may use shared links only to share content with those who are already collaborators in the folder. For more about these two methods, see Share and collaborate on files with Box.

UITS recommends the following best practices for shared links in Box:

  • Unless there is a strong need to customize, use the default URL generated by Box (with a random numeric string) for your shared link, rather than using the Custom URL feature.

    Customized Box shared links (those beginning with https://iu.app.box.com/v/) that are set to open access (People with the link) and are not password protected use a human-readable path rather than a random string, so they can be guessed or enumerated by automated tools.

  • Regardless of whether it is a default or custom shared link, if you share any data that should not be public and need to set the access level to People with the link, set a password on your link.
  • Whenever you create a shared link of any kind, consider how long the link will be necessary. If you can determine a time limit, set an expiration date to minimize future concerns about data exposure.

For information on how to access and set these controls, see:

Collaborator permission levels

To share data, invite others into the appropriate folder as collaborators. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.

  • UITS strongly recommends inviting collaborators at a level no higher than Viewer Uploader. Note that the default setting (Editor) is higher than this recommendation. Viewer Uploader is adequate for editing tasks, but does not allow Sync or content deletion. If you need higher permissions for your collaborators, consult with CAITS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
  • Box uses waterfall permissions; that is, collaborators will have the same permission level in subfolders as they do in the top folder. For details, see Share and collaborate on files with Box.
  • Never use single-file collaboration with Box Health Data or Box Entrusted Data Accounts. Collaboration must occur on the folder level only, as this is the level where the naming convention will tell collaborators that they are working with sensitive data. If you feel that your use case absolutely necessitates using single-file collaboration, you must consult with CAITS (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
Action                 | Co-owner | Editor | Viewer Uploader | Previewer Uploader | Viewer | Previewer | Uploader
-----------------------+----------+--------+-----------------+--------------------+--------+-----------+---------
Download               | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Comment                | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No
Delete                 | Yes      | Yes    | No              | No                 | No     | No        | No
Create tasks           | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Tag                    | Yes      | Yes    | No              | No                 | No     | No        | No
Invite people          | Yes      | Yes*   | No              | No                 | No     | No        | No
Edit folder name       | Yes      | Yes    | No              | No                 | No     | No        | No
Edit folder properties | Yes      | No     | No              | No                 | No     | No        | No
Preview                | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No
Send view-only links   | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Upload                 | Yes      | Yes    | Yes             | Yes                | No     | No        | Yes
View items in folder   | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | Yes
Sync folder            | Yes      | Yes    | No              | No                 | No     | No        | No
Set access permissions | Yes      | Yes    | No              | No                 | No     | No        | No
Restrict invitations   | Yes      | No     | No              | No                 | No     | No        | No
View access stats      | Yes      | Yes    | No              | No                 | No     | No        | No
Create/edit Box Notes  | Yes      | Yes    | Yes             | No                 | No     | No        | No
View Box Notes         | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No

* Disabled by default in Box Health Data Accounts and Box Entrusted Data Accounts.

Folder security settings

In both Box Health Data accounts and Box Entrusted Data accounts, the folders' security settings will be set for you by administrators. Do not change any of those settings without first consulting with CAITS support (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts). The settings will be as follows:

Collaboration

  • Invitation Restrictions:
    • Only Owners and Co-owners can send collaborator invites (checked): Restrict the ability to invite collaborators to only owners and co-owners. No other permission level will be able to invite collaborators. This is the single most important setting for securing your files and folders. Only individuals who own the content should decide who is able to access the content.
    • Restrict collaboration to within Indiana University (depends): This setting determines whether or not this folder and its content will allow collaborators outside of IU. This will vary by your department/project needs. It is your responsibility to share data with only those who should have access to the data.
    • Allow anyone who can access this folder from a shared link to join as a collaborator (unchecked): This option is only useful if you are sharing with "People with the link" or "People in your company." Do not check this for any folder containing Restricted or Critical data.
  • Commenting:
    • Disable commenting for this folder (unchecked): Because sharing and collaboration are the goal of using Box, UITS does not recommend disabling the ability to comment on folders. Keep in mind that all roles (except Uploader) have the ability to view comments.
  • Shared Link Access:
    • Only collaborators can access this folder via shared links (checked): Shared links provide quick access directly to files and folders by only clicking the link. This setting limits access to shared links to those who already have access to the content as collaborators. This is an important access control for any folder you are trying to secure and monitor. Leave the option next to "For:" set to Files and Folders.

Privacy

  • Collaborators:
    • Hide collaborators and their activity from non-owners (unchecked): UITS does not recommend hiding collaborators with Restricted or Critical data; it is more secure to know exactly who has access to files and folders.

Watermarking

  • Watermark Folder:
    • Enable watermarking for this folder (checked): Watermarking can help deter unauthorized re-sharing of sensitive information in your Box account. When you turn on watermarking for a file, it places a semi-transparent overlay of the current viewer's email address or IP address (depending on whether the viewer is logged in or not), as well as time of access across the document's contents. For more, see Watermarking Files.

Uploading

  • Email Uploads:
    • Allow uploads to this folder via email (unchecked): If anyone (you or your collaborators) were to send sensitive data via an unencrypted email message, the data would not be protected in transit. It is more secure to only allow uploads using the web interface or Box Drive.

Use Box with sensitive data

Everyone who interacts with sensitive data in Box, including owners, co-owners, and other collaborators, must help keep it secure. If you put sensitive data in Box, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.

Laptop and mobile device security

IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Box with sensitive data.

Box apps

Only a subset of official and third-party Box Apps are approved for use with institutional data. Apps not listed in the approved list may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's Box agreement. Also, certain apps are approved for use with most institutional data, but not approved for PHI; these may not be used with any data in Box Health Data Accounts.

See below for additional details about certain apps.

Box Sync

Note:
Box is beginning to phase out Box Sync, and IU has disabled the service for new accounts. UITS recommends that all Box Sync users transition to Box Drive as early as possible; see About Box Drive.

Syncing folders allows data to be transferred without a log trail, which presents a security risk for regulated data. In addition, having extra copies of data on a local device increases the risk of inappropriate access. Therefore:

  • Do not sync folders containing PHI or other sensitive university data unless it is required for your work.
  • Do not sync folders containing PHI or other sensitive university data onto a personally owned computer under any circumstances.
  • Unless your collaborators require Sync to perform their tasks, prevent them from syncing folders by inviting them at a permission level that does not allow it (that is, no higher than Viewer Uploader), as recommended above.
  • If you feel that Sync is necessary for you or your collaborators, consult with CAITS support (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts) before enabling it.

Also, be aware that tags and descriptions do not propagate via Sync.

Box Drive

You may use Box Drive to access protected health information (PHI) in Box Health Data Accounts (BHDAs) and Restricted institutional data in Box Entrusted Data Accounts (BEDAs) in online mode only; those folders must not be marked for offline availability. For more about Box Drive, see About Box Drive.

Box Edit

Box Edit at IU is approved for use with the sensitive data allowed in Box, including PHI. However, it is still important to follow these best practices when working with PHI through Box Edit:

  • Always close the application you are editing in and log out of Box from your browser before you leave or log off of your computer. This way, if access to your computer is compromised, the restricted data will remain protected.
  • If you have any questions or concerns about the security of your data when using Box Edit, consult with CAITS support (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).

Box for Office

Box for Office at IU (not to be confused with Box for Office Online) is a plug-in for Microsoft Office for Windows. It is approved for use with the sensitive data allowed in Box, including PHI. However, it is still important to follow these best practices when working with PHI through Box for Office:

  • Always close the application you are editing in and log out of Box for Office before you leave or log off of your computer. This way, if access to your computer is compromised, the restricted data will remain protected.
  • If you have any questions or concerns about the security of your data when using Box for Office, consult with CAITS support (for Box Health Data accounts) or your departmental IT Pro (for Box Entrusted Data Accounts).
Note:
The information here is based on work done by Information and Technology Services at the University of Michigan.

This is document bfpj in the Knowledge Base.
Last modified on 2019-08-27 09:04:16.

Contact us

For help or to comment, email the UITS Support Center.