Secure Box allows UCSF Box users to store restricted data while protecting UCSF and our patients, staff and students from data loss.
Note: We are only scanning for UCSF PHI. We are not scanning multimedia formats (e.g., image, video or audio files, scanned PDFs) or files over 400MB.
What is Secure Box (CipherCloud)?
Each UCSF Box user gets a Secure folder. All files in the Secure folder are encrypted, and a very lightweight CipherCloud agent is required to open these files.
UCSF Box users can use this folder to store any files they want, but restricted data must be stored in the Secure folder. Non-UCSF collaborators cannot access the Secure folder.
Scanning for PHI from APeX
The initial phase of CipherCloud scanning targets PHI from APeX, using the same rules as our email data loss prevention tool. When PHI is detected, (1) the file is encrypted in place, and (2) a PDF "marker file" with the same name as the encrypted file is placed in the folder to explain what actions were taken.
After the file is encrypted, the CipherCloud agent is required to open it. Non-UCSF collaborators will not be able to open these encrypted files.
Desktop agents are pushed to all computers supported by UCSF IT. You can also download the software from the UCSF software website. To find the CipherCloud agents on the software website:
- Go to https://software.ucsf.edu and log in via MyAccess.
- Click on Other Software, or search for CipherCloud.
The CipherCloud mobile app is available for iOS (iPhone and iPad) and Android. It requires the Box app in order to function.
iOS (iPhone and iPad) from the iTunes app store:
Android from Google Play:
Training and support
Secure Box Information slides (PDF)
UCSF CipherCloud Agent Install and User Guide (PDF)
Support is handled through the UCSF IT Service Desk:
How does CipherCloud work?
- CipherCloud scans files for restricted data when they are uploaded to Box. If a file contains PHI from a UCSF patient, it is encrypted and can only be read using the CipherCloud agent.
- When you attempt to open an encrypted file, the CipherCloud agent on your system will (1) log you into Box and (2) retrieve the encryption key from the CipherCloud server.
- The key makes the document completely accessible to you. Encryption keys last 30 days, after which you must have an internet connection and a UCSF Box login to decrypt a .ccsecure file.
What kinds of data are we scanning for?
- UCSF's data loss prevention system, the scanning engine used to scan outbound emails and Box content, is currently configured to scan for PHI that matches UCSF patient records in APeX. We are not scanning for PHI from UCSF Dentistry, BCHO or ZSFG medical records, but we may do so in the future.
- In addition, we are not scanning multimedia file formats (e.g., images, video or audio files, scanned PDFs) or files over 400MB. Store any multimedia files containing restricted data in your Secure folder. Important: Always put files with restricted data, regardless of size, in the Secure folder.
How are we identifying UCSF PHI?
- When CipherCloud detects a change to a file (e.g., new file upload, a file edit, change in collaborators), CipherCloud sends this data to the data loss prevention (DLP) system. The DLP system scans the data for matches to UCSF's patient record index from APeX.
What kinds of data can and can't be put in the Secure folder?
- The Secure folder on Box will encrypt any data placed into that folder or subfolder. This ensures that all types of restricted data are protected.
When should I use the Secure folder?
- Use the Secure folder for anything, but note that items in the Secure folder cannot be shared outside of UCSF. Keep in mind that you can't preview encrypted files.
When should I not use the Secure folder?
- You should not use the Secure folder when you want to share files with someone outside UCSF. In addition, there are some uses for which Box is not a good solution. See UCSF Box FAQ for more information.
What happens when you find UCSF PHI outside the Secure folder?
- The file that contains UCSF PHI will be encrypted and can only be viewed from devices with the CipherCloud agent. Any external collaborators in the folder will not be able to access the file.
- Because of the CipherCloud encryption, you will not be able to preview the file within Box. There will be a marker file with a message explaining that the file has been encrypted because it contains UCSF PHI. The marker file explains the steps to view the encrypted file.
How long does encryption/decryption take on UCSF Box?
- The background process that scans for UCSF PHI encrypts files when PHI is found and decrypts files when it is removed. This process takes from 30 seconds to several minutes.
- Files opened on your computer with the CipherCloud agent should encrypt or decrypt in less than 15 seconds. If a file has not been encrypted/decrypted after 5 minutes, contact the IT Service Desk at 415-514-4100 or it.ucsf.edu.
You already told us not to use Box for restricted data. How has that changed?
- Effective October 3, 2016, you've been able to store restricted data (e.g., PHI, PII, PCI, FERPA) in the Box Secure folder. If you need to share restricted data with non-UCSF collaborators, please use MyResearch.
Is there a performance hit using the agent?
- There is no performance difference when the agent isn't actively encrypting or decrypting a file. During encryption and decryption, there is a very small delay, the length depending on the size of the file.
How is the agent updated?
Is there end-user training?
I'm an IT partner. Is there a Secure Box Knowledge Base article in ServiceNow?
- Yes: See KB0018087 or search for CipherCloud or Secure Box.
You blocked my collaborator! Now what?
- CipherCloud encrypts files containing UCSF PHI from UCSF's electronic medical record. After encryption, only UCSF users with access to the folder can decrypt the files. Box is not approved for sharing restricted information with collaborators outside of UCSF.
What are my options if I need to share restricted data with a collaborator?
- MyResearch is designed to support multisite studies that involve non-UCSF collaborators. We can address researchers’ questions about the use of MyResearch for multisite studies and about sharing data with non-UCSF collaborators. Please email firstname.lastname@example.org with any questions.
- Another option is to sponsor your collaborator as an affiliate. An affiliate receives use of a UCSF login and is treated as a UCSF user. A discounted Data Network Recharge rate applies to affiliates. See the Data Network Recharge: FAQ for more information.
What happens if I try to open an encrypted file via the Box website or use a third-party Box application?
- Box Preview will not work with a .ccsecure-encrypted file. Box will display a message that reads, "We're sorry, but we can't preview .ccsecure files."
To view the file, you can (1) use Box Edit, (2) download the file to your computer with the CipherCloud agent, or (3) open it on your mobile device with the CipherCloud app.
I don't store UCSF PHI on Box. Why was my file encrypted?
- Many people don't realize they have UCSF PHI, which is one reason it's so important to use a tool like CipherCloud. For more information about what PHI is and isn't, and your responsibilities when handling it, please refer to the UCSF Privacy Office's Workforce Resources and Guidance page.
Can I edit encrypted files on my mobile device?
- You can access encrypted files on your mobile device as long as you have the CipherCloud app installed. To edit a file once CipherCloud has opened it, tap the "Open in" icon in the lower left, then select an application that can open the file for editing. Note: This will put an unencrypted copy of the file on your mobile device.
- As with all mobile applications, your ability to edit the file depends on which apps you have installed. If you have only the option to import or copy a file into an application to edit it, we recommend doing it from a computer instead. This will ensure that you're not saving unencrypted copies of restricted data on your mobile device.
What happens if I create a Box Note and add UCSF PHI?
- If you add PHI to a Box Note, the Box Note will be encrypted. Once PHI is detected in a Box Note, the note cannot be opened; the only thing you can do is revert to the previous version.
- Normally, when CipherCloud decrypts a Box Note, it then passes it back to the application that can open it. In this situation, however, the application for Box Notes is the Box web application, which can only open Box Notes directly. Therefore, you will get an error message.