What is the Citrix ShareFile Cloud for Healthcare?

White Paper
Safeguarding protected health information in the cloud.
ShareFile.com
ShareFile Cloud for Healthcare
This whitepaper outlines how companies and individuals can
use ShareFile to facilitate compliance with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Security Rule,
which requires appropriate administrative, physical and technical
safeguards to ensure the confidentiality, integrity and security
of electronic protected health information (PHI). ShareFile offers
many features that help support customers’ compliance with the
Security Rule. Customers are ultimately responsible for ensuring
that the way in which they use ShareFile complies with HIPAA
and other applicable laws and regulations.
HIPAA’s Omnibus Final Rule specified a compliance deadline of Sept. 23, 2013. As a result,
entities that maintain and transmit PHI are
subject to enhanced compliance regulation. To
address these new requirements, ShareFile has
updated its architecture to provide greater data
segregation and security for customers in the
healthcare space.
Now, all customers who sign a Business
Associates Agreement (BAA) with ShareFile
will join a secure data storage enclave dedicated only to PHI. This storage enclave, the
ShareFile Cloud for Healthcare, enables covered
entities and their business associates to leverage the secure ShareFile platform to process,
maintain and store PHI. (Enterprise customers
who choose to use customer-managed
StorageZones for their ShareFile accounts
will not need to execute a BAA with Citrix, as
Citrix does not maintain access to the data
stored in their StorageZones and their
files are not hosted on Citrix servers.)
Technical safeguards
ShareFile provides multiple technical safeguards to support customer compliance
obligations under HIPAA. Many of these
controls are not configured by default, and
responsibility for implementing these safeguards, such as the ones outlined below,
often falls on customers.
Audit controls
Customers can use the tools provided within
ShareFile to review account activity, such as
account usage and access to files and folders.
Unique users and authentication
ShareFile lets customers create individual
user accounts based on unique email addresses. Customers are responsible for providing
unique accounts and logins to each end user.
Each user who logs into ShareFile is required
to use a unique email address for his or her
account. It is up to the customer to assign
unique accounts to their users. For easier
access and enhanced authentication security,
customers also can integrate with a SAML
2.0-compatible identity management solution
to enable single sign-on.
Emergency account access
Account administrators on the customer
side are the only people with total authorized
access to their ShareFile accounts. Customers
are responsible for assigning emergency access
to PHI stored in ShareFile in the event that the
account administrator is unavailable.
Session timeout
ShareFile gives customers the technical
ability to automatically log out a user after
a period of inactivity. Customers can configure
the length of this period of inactivity, and they
are responsible for enforcing an automatic
log-off period consistent with their internal
policies. ShareFile also provides a log-out
button, which lets users log out of a session
at will.
Encryption
ShareFile handles the encryption and decryption of all files, including those containing PHI.
Customers can, at their discretion, also encrypt
files prior to uploading. If a customer chooses
to do this, ShareFile will still automatically
encrypt files a second time. ShareFile uploads
and downloads files between the end user
and the storage tier directly over a Secure
Sockets Layer (SSL) or Transport Layer Security
(TLS) encrypted segment using high-grade
encryption with no less than 128-bit key
strength. ShareFile supports SSL 3.0 and TLS,
which are the same encryption protocols and
algorithms used by e-commerce services and
online banking. ShareFile also stores all files at
rest using the Advanced Encryption Standard
(AES) with a 256-bit key. Additionally, customers
can configure multiple mobile device controls,
such as requiring users to enter a passcode to
encrypt ShareFile content on mobile devices.
Integrity controls
To help ensure that PHI has not been altered
or destroyed in transit or at rest, ShareFile uses
industry-accepted hashing algorithms to verify
file integrity during file upload and download.
Customers are encouraged to adopt and use
folder and file-naming policies and conventions
to further protect PHI stored in ShareFile.
Passwords
ShareFile gives customers the technical ability
to set a unique password for each account.
ShareFile has password policy parameters
that include password expiration, history and
minimum length, and customers can configure
password complexity controls according to
their own internal policies. To take advantage
of the added security and convenience of single
sign-on, customers can use the tools provided
by ShareFile to integrate with identity management solutions that are compatible with
SAML 2.0.
Account lock out
By default, ShareFile locks out a user for five
minutes following five failed login attempts.
ShareFile configures these settings as account
preferences to satisfy customer requirements.
Customers are responsible for notifying
ShareFile of their preference if they require a
different lockout setting, such as lockout for
30 minutes after three failed attempts.
Administrative safeguards
To comply with the HIPAA Security Rule’s
administrative safeguards, both ShareFile and
covered entities are responsible for assessing
and minimizing the relative risks to PHI that is
transmitted and stored electronically.
Data backup and disaster recovery
ShareFile provides for disaster recovery
associated with its database, application and
file-storage tier. To prevent data loss in an
emergency, ShareFile maintains copies of
customer files. ShareFile’s datacenters provide
redundant physical and environmental controls,
including power and network connectivity.
Testing and evaluation
To maintain compliance with the HIPAA
Security Rule, ShareFile conducts an internal
audit and/or engages an independent third
party to perform annual HIPAA-related risk
assessments. ShareFile has implemented procedures for periodic testing and revision of its
contingency plans, and ShareFile tests disaster
recovery and business continuity at least once
a year. ShareFile also assesses the relative criticality of specific applications and data as they
relate to ShareFile.
Physical safeguards
The ShareFile SaaS application and storage
tier are hosted by industry-leading providers
in geographically separate SSAE 16 accredited
datacenters. Measures are in place to prevent
unauthorized persons from gaining access
to data-processing equipment, such as telephones, database and application servers,
and related hardware, where PHI may be
processed or stored.
These measures include:
• establishing secure areas
• protecting and restricting access paths
• securing data-processing equipment and
personal computers
• establishing and documenting access
authorizations for employees and third
parties
• placing regulations and restrictions on
card-keys
• restricting physical access to servers by using
electronically-locked doors and separate
cages within co-location facilities
• logging, monitoring, auditing and tracking all
access to datacenters where PHI is hosted via
electronic surveillance conducted by security
personnel
For suitable levels of redundancy, ShareFile
maintains multiple servers in its primary datacenter and deploys a mirrored environment at
a geographically separate datacenter.
For more information on the Citrix ShareFile
Cloud for Healthcare, contact us at 1-800-4413453 or email [email protected].
ShareFile supports your HIPAA compliance and will provide and
sign a HIPAA Business Associate Agreement upon request.
About Citrix
Citrix (NASDAQ:CTXS) is a leader in virtualization, networking and cloud services to enable new ways for people to work better. Citrix
solutions help IT and service providers to build, manage and secure, virtual and mobile workspaces that seamlessly deliver apps, desktops,
data and services to anyone, on any device, over any network or cloud. This year Citrix is celebrating 25 years of innovation, making IT
simpler and people more productive with mobile workstyles. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more
than 330,000 organizations and by over 100 million people globally. Learn more at www.citrix.com.
Copyright ©2014-2015 Citrix Systems, Inc. All rights reserved. Citrix and ShareFile are trademarks of Citrix Systems, Inc. and/or one or
more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks are
the property of their respective owners.
03.10.15/PDF