Overview

Secure Box allows UCSF Box users to store restricted data while protecting UCSF and our patients, staff and learners from data loss.

NOTE: We are only scanning for UCSF PHI; we are not scanning multimedia formats (e.g., image, video, audio files, scanned PDFs) or files over 400MB.

Secure Folder

Every UCSF Box user is given a Secure folder. UCSF Box users can use this folder to store any files they want, but restricted data must be stored in the Secure folder.

NOTE: Non-UCSF collaborators cannot access the Secure folder in Box.

• All files in the Secure folder are encrypted and the CipherCloud agent is required to open these files. When you attempt to open an encrypted file, the CipherCloud agent on your system will: (1) log you into Box, (2) retrieve the encryption key from the CipherCloud server, and (3) make the document completely accessible to you.
• Encryption keys last 30 days. After 30 days, you must have an internet connection and a UCSF Box to decrypt a .ccsecure file.

How are we identifying UCSF PHI?

• When a file change is detected (e.g., new, a file edit, or change of collaborators), CipherCloud sends this data to the DLP system, which looks for matches in UCSF's patient record index in APeX.

How long do encryption and decryption take on UCSF Box?

• The background process that scans for UCSF PHI and (1) encrypts files when it is found and (2) decrypts files when it is removed takes from 30 seconds to several minutes.
• Files opened on your computer with the CipherCloud agent should decrypt and encrypt in less than 15 seconds. If a file has not been encrypted (or decrypted) after 5 minutes, contact the IT Service Desk.

What are my options if I need to share restricted data with a collaborator?

• MyResearch is designed to support multisite studies that involve non-UCSF collaborators. We are able to address researchers’ questions about (1) using MyResearch for multi-site studies and (2) sharing data with non-UCSF collaborators. Email questions to [email protected].
• Another option is to sponsor your collaborator as an affiliate with a UCSF login, permitting treatment as a UCSF user. A discounted Data Network Recharge rate applies to affiliates. See Data Network Recharge: FAQ for more information.

What happens if I try to open an encrypted file using the Box website or a third-party Box application?

• Box Preview will not work with a .ccsecure-encrypted file. Box will display a message that reads, "We're sorry, but we can't preview .ccsecure files."

I don't store UCSF PHI on Box. Why was my file encrypted?

• Many people don't realize they have UCSF PHI. This is just one reason why it's so important to use a tool like CipherCloud. For more information about what PHI is and isn't, and your responsibilities when handling it, refer to the UCSF Privacy Office's Workforce Resources and Guidance page.
• If you believe your file was mistakenly encrypted, request a review by the IT Service Desk to determine if you experienced a false positive.

Scanning for PHI from APeX

CipherCloud scans target PHI from APeX using the same rules as our email data loss prevention (DLP) tool. When PHI is detected, the file is encrypted in place, and a PDF "marker file" of the same name as the encrypted file, explaining what actions were taken, is placed in the folder.

After the file is encrypted, the CipherCloud agent is required to open it. 

NOTE: Non-UCSF collaborators will not be able to open encrypted files.

FAQs

How does CipherCloud work?

• CipherCloud scans files for restricted data when they are uploaded to Box. If a file contains PHI (e.g., UCSF patient information), it is encrypted and can only be read using the CipherCloud agent.
• Encryption keys last 30 days. After 30 days, you must have an internet connection and a UCSF Box to decrypt a .ccsecure file.

What kinds of data are we scanning for?

• UCSF's data loss prevention (DLP) system scans outbound emails and Box content. It is currently configured to scan for PHI that matches UCSF patient records in APeX.
• Multimedia file formats (e.g., images, video, audio, scanned PDFs) will not be scanned but any multimedia files containing restricted data should be in your Secure folder.

When should I use my Secure folder?

• Use your Secure folder for anything, but note that items in your Secure folder cannot be shared outside of UCSF. Also keep in mind that you can't preview encrypted files. A Secure folder on Box will encrypt any data placed into that folder or a subfolder. This ensures that all types of restricted data will be protected.
• You should not use your Secure folder when you want to share files with someone outside UCSF.

What happens when you find UCSF PHI outside a Secure folder?

• The file that contains UCSF PHI will be encrypted and it can only be viewed from devices with the CipherCloud agent. External collaborators in the folder will not be able to access the file nor will you be able to preview the file within Box.

You blocked my collaborator! Now what?!

• Box is not approved for sharing restricted information with collaborators outside UCSF. CipherCloud encrypts files containing UCSF PHI from UCSF's electronic medical record (EMR). Once a file is encrypted, only UCSF users with access to the folder can decrypt it.

Can I edit encrypted files on my mobile device?

• You can access and edit encrypted files on your mobile device as long as you have the CipherCloud app installed.
• To edit a file once CipherCloud has opened it, use the Open in icon in the lower left to select an application that can open the file for editing. Note: Doing this will put an unencrypted copy of the file on your mobile device.
• As with all mobile applications, your ability to edit a file depends on which apps you have installed. You may only have the option on a mobile device to import or copy a file into an application to edit it. If so, we recommend editing on a computer instead. This will ensure that you are not saving unencrypted copies of restricted data on your mobile device.

What happens if I create a Box Note and add UCSF PHI?

• If you add PHI to a Box Note, the Box Note will be encrypted and become impossible to open. This is because, when CipherCloud decrypts a Box Note, it passes it back to the application that can open it. For Box Notes, this is the Box web application. Since this app is only able to open Box Notes directly, you will get an error message.
• Important: Once PHI is detected in a Box Note, it is impossible to open it. The only thing you can do is revert to the previous version.