Box: CipherCloud (.ccsecure) Encryption
Secure Box allows UCSF Box users to store restricted data while protecting UCSF and our patients, staff and students from data loss.
We launched CipherCloud on Monday, October 3, 2016. In November 2016 we began scanning files that were already on Box.
Note: We are only scanning for UCSF PHI. We are not scanning multimedia formats (e.g., image, video, audio files, scanned PDFs) or files over 400MB.
What is Secure Box?
With the implementation of CipherCloud, UCSF Box users will see the following changes.
Each UCSF Box user gets a Secure folder. UCSF Box users can use this folder to store any files they want, but restricted data must be stored in the Secure folder.
All files in the Secure folder are encrypted. A very lightweight CipherCloud agent is required to open these files.
Non-UCSF collaborators cannot access the Secure folder.
Scanning for PHI from APeX
The initial phase of CipherCloud scanning targets PHI from APeX using the same rules as our email data loss prevention (DLP) tool. When PHI is detected, the file is encrypted in place, and a PDF "marker file" of the same name as the encrypted file, explaining what actions were taken, is placed in the folder.
After the file is encrypted, the CipherCloud agent is required to open it. Non-UCSF collaborators will not be able to open these encrypted files.
Desktop agents are pushed to all computers supported by UCSF IT. You can also access the software from the UCSF software website. To find the CipherCloud agents on the website:
- Go to software.ucsf.edu and log in via MyAccess.
- Click on Other Software or search for CipherCloud.
The CipherCloud mobile app is available for iOS (iPhone and iPad) and Android. The Box app is also required.
- iOS (iPhone and iPad): from the iTunes app store
- Android: from Google Play
Training and support
- Secure Box Information slides (PDF)
- UCSF CipherCloud Agent Install and User Guide (PDF)
- Support is handled through the IT Service Desk.
How does CipherCloud work?
- CipherCloud scans files for restricted data when they are uploaded to Box. If a file contains PHI from a UCSF patient, it is encrypted and can only be read using the CipherCloud agent.
- When you attempt to open an encrypted file, the CipherCloud agent on your system will: (1) log you into Box, (2) retrieve the encryption key from the CipherCloud server, and (3) make the document completely accessible to you.
- Encryption keys last 30 days. After 30 days, you must have an internet connection and a UCSF Box account to decrypt a .ccsecure file.
What kinds of data are we scanning for?
- UCSF's data loss prevention (DLP) system is the scanning engine used to scan outbound emails and Box content. It is currently configured to scan for PHI that matches UCSF patient records in APeX.
- At this time, we are not scanning for PHI from UCSF Dentistry, BCHO or ZSFG medical records; however, we may do so at a future time. We also are not scanning multimedia file formats (e.g., images, video, audio, scanned PDFs).
- Store any multimedia files containing restricted data in your Secure folder.
- It's important that you put files with restricted data, regardless of size, in the Secure folder.
How are we identifying UCSF PHI?
- When CipherCloud detects a change to a file (e.g., a new file, a file edit, or a change of collaborators), it sends this data to the DLP system. The DLP system scans the data for matches to UCSF's patient record index from APeX.
What kinds of data can and can't be put in a Secure folder?
- A Secure folder on Box will encrypt any data placed into that folder or a subfolder. This ensures that all types of restricted data will be protected.
When should I use my Secure folder?
- Use your Secure folder for anything, but note that items in your Secure folder cannot be shared outside of UCSF. Also keep in mind that you can't preview encrypted files.
When should I not use my Secure folder?
- You should not use your Secure folder when you want to share files with someone outside UCSF. There are also some uses for which Box is not a good solution. See the UCSF Box FAQ for more information.
What happens when you find UCSF PHI outside a Secure folder?
- The file that contains UCSF PHI will be encrypted. It can only be viewed from devices with the CipherCloud agent. External collaborators in the folder will not be able to access the file. Because of the CipherCloud encryption, you will not be able to preview the file within Box.
- There will also be a marker file with (1) a message explaining that the file has been encrypted because it has UCSF PHI and (2) an explanation of the steps to take to view it.
How long do encryption and decryption take on UCSF Box?
- The background process that scans for UCSF PHI, encrypting files when PHI is found and decrypting them when it is removed, takes from 30 seconds to several minutes.
- Files opened on your computer with the CipherCloud agent should decrypt and encrypt in less than 15 seconds. If a file has not been encrypted (or decrypted) after 5 minutes, contact the IT Service Desk.
Is there a performance hit using the agent?
- When the agent is not actively encrypting or decrypting a file, there is no performance difference. During decryption and encryption, there is a very small delay; its length will depend on the size of the file.
How is the agent updated?
- The CipherCloud agent is distributed and updated by BigFix. It can also be downloaded from software.ucsf.edu.
Is there end-user training?
I'm an IT partner. Is there a Secure Box KnowledgeBase article in ServiceNow?
- Yes. See KB0018087, or search for CipherCloud or Secure Box.
You blocked my collaborator! Now what?!
- Box is not approved for sharing restricted information with collaborators outside UCSF. CipherCloud encrypts files containing UCSF PHI from UCSF's electronic medical record (EMR). Once a file is encrypted, only UCSF users with access to the folder can decrypt it.
What are my options if I need to share restricted data with a collaborator?
- MyResearch is designed to support multisite studies that involve non-UCSF collaborators. We are able to address researchers' questions about (1) using MyResearch for multisite studies and (2) sharing data with non-UCSF collaborators. Email questions to [email protected].
- Another option is to sponsor your collaborator as an affiliate with a UCSF login, so that they are treated as a UCSF user. A discounted Data Network Recharge rate applies to affiliates. See Data Network Recharge: FAQ for more information.
What happens if I try to open an encrypted file using the Box website or a third-party Box application?
- Box Preview will not work with a .ccsecure-encrypted file. Box will display a message that reads, "We're sorry, but we can't preview .ccsecure files."
- To view a .ccsecure-encrypted file, you can use Box Edit:
- Download the file to your computer with the CipherCloud agent.
- Open it on your mobile device with the CipherCloud app.
I don't store UCSF PHI on Box. Why was my file encrypted?
- Many people don't realize they have UCSF PHI. This is just one reason why it's so important to use a tool like CipherCloud. For more information about what PHI is and isn't, and your responsibilities when handling it, refer to the UCSF Privacy Office's Workforce Resources and Guidance page.
Can I edit encrypted files on my mobile device?
- You can access and edit encrypted files on your mobile device as long as you have the CipherCloud app installed.
- To edit a file once CipherCloud has opened it, use the Open in icon in the lower left to select an application that can open the file for editing. Note: Doing this will put an unencrypted copy of the file on your mobile device.
- As with all mobile applications, your ability to edit a file depends on which apps you have installed. You may only have the option on a mobile device to import or copy a file into an application to edit it. If so, we recommend editing on a computer instead. This will ensure that you are not saving unencrypted copies of restricted data on your mobile device.
What happens if I create a Box Note and add UCSF PHI?
- If you add PHI to a Box Note, the Box Note will be encrypted and become impossible to open. This is because, when CipherCloud decrypts a Box Note, it passes it back to the application that can open it. For Box Notes, this is the Box web application. Since this app is only able to open Box Notes directly, you will get an error message.
- Upshot: Once PHI is detected in a Box Note, it is impossible to open it. The only thing you can do is revert to the previous version.