Educause Security Discussion mailing list archives

Re: File Hosting/Sharing Services [dropbox, mobile me, etc.]


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 13 Jan 2011 19:57:36 -0500


If you go the route of a low-cost file sharing service, like DropBox, make sure to use a FIPS 140-2 validated 
encryption algorithm, since that would qualify for the safe harbor provision under HIPAA law. Here's a reference: 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Google for Government claims to be FISMA compliant for $50.00 per user/year, so that could provide some plausible 
deniability...

Depending on what is being stored, other state laws may apply. For Massachusetts residents, if the data is compromised 
(in any state), the AG's office requires it to be reported, even in the presence of encryption. Their rationale is that 
at some point it will be computationally feasible to break the encryption.

Good Luck...

Dan

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd 
[chris.kidd () UTAH EDU]
Sent: Thursday, January 13, 2011 5:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] File Hosting/Sharing Services [dropbox, mobile me, etc.]

Is anyone aware of a free or low-cost file sharing service in which the host cannot access the files? I have a solo 
medical practitioner who needs to share files between her and a peer and they have very basic IT infrastructure.

What other options would you recommend in this case?

Thanks in advance.
Chris


Chris Kidd
Information Security and Privacy Office
University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu

