REED Folder User Guide

REED Folder Overview

A REED Folder is a managed storage solution built on top of the Box.com cloud platform, for research projects requiring compliance with regulations or heightened security.

As with the community clusters or Research Data Depot, research labs requiring data storage for regulated research will be able to easily purchase REED Folders through the Purchase page on this site. For more information, please contact us at rcac-help@purdue.edu.

REED Folder Features

A REED Folder offers unique features and benefits to research groups that need centralized data storage for regulated research:

  • Available

    To any Purdue research group requiring data storage space for regulated research.

  • Accessible

    Easily accessible through your web browser, and facilitates easy sharing with collaborators inside and outside Purdue.

  • Capable

    A REED folder facilitates joint work on shared files across your research group, avoiding the need for numerous copies of datasets in individuals' private storage. It is an ideal place to store a project's data and documents. A REED Folder can store unlimited data; a single file may be up to 15 GB in size.

  • Controllable Access

    Access management is under your direct control, within the bounds of the appropriate data use agreements, IRB protocols, or technology control plans.

  • Data Retention

    All data kept in the REED Folder remains owned by the research group's lead faculty. Files kept in the project's REED folder stay with the research group, unaffected by turnover, which can head off potentially difficult disputes. Data is also retained and protected in alignment with the data security standards governing your research projects.

  • Never Purged

    A REED Folder is never subject to purging.

  • Reliable

    REED Folders are built on Purdue's centrally-managed Box.com service, which is a highly-available, secure cloud storage platform.

  • Restricted Data

    REED Folders are designed to align with the NIST SP 800-171 standard, and are approved for storing L3 projects requiring HIPAA-aligned storage. Compliance with additional regulations such as CUI, ITAR, EAR, or FERPA is under review.

REED Folder Hardware Details

REED Folders are built on Box.com, an enterprise-grade cloud platform for file storage and collaboration.

Frequently Asked Questions

Some common questions, errors, and problems are categorized below.

About REED Folder

What do I need to do before I access my REED Folder?

  • Anyone with access to data in scope of HIPAA must complete the required HIPAA training annually. The PI is responsible for ensuring the training is completed annually.
  • Ensure you are using BoilerKey.
  • For limited data sets, a Data Security Plan and Data Use Agreement will be required. This process should be started by Sponsored Program Services.
  • Ensure you understand the policies and procedures specific to HIPAA.
  • If you are working with the IRB, ensure the process is completed prior to requesting access to a REED Folder.

Does Purdue have a Business Associate Agreement with Box?

Box supports the HIPAA and HITECH regulations, as well as the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. Customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must have an Enterprise or Elite account with Box and sign a HIPAA Business Associate Agreement (BAA).

  • Purdue University has signed a Business Associate Agreement with Box, and Purdue Box accounts are Enterprise accounts.
  • Box provides the ability to use the Office 365 online applications to open and work with content. Purdue University has signed a Business Associate Agreement with Microsoft.
  • No other third-party service provider integrated with our instance of Box Enterprise is covered by a Business Associate Agreement (BAA).

Do not use third-party applications to process data considered Restricted via your Purdue managed Box account. Purdue University does not maintain a contractual agreement with these vendors, and the required security controls are not in place.

Who should I contact for an IT incident?

  • The incident should be reported as soon as it is discovered. Submit an incident request to abuse@purdue.edu.
  • If you lose a device, your account can be logged out using a Box admin feature. Submit an incident request to abuse@purdue.edu.

What is a Box Managed Account and REED Folder?

A Box Managed account is your Purdue managed Box account. A REED folder is a project folder created in a secure folder structure within Box.

Logging In & Accounts

Can I manage my Login Activity in Box?

In Box, under your account settings, click the "Security" tab. There you can review your active sessions and remove any you do not recognize.

Data

Can I integrate 3rd-Party Apps with my Box folder?

Third-Party Apps for Box

While official Box add-on applications are approved for use with Purdue Box.com folders, third-party apps have not been reviewed for impact to security and are not approved for use until a security review has been completed by IT Security and Policy. If the official Box apps cannot provide the functionality you need, you may request a security review of the third-party app you are considering by submitting an email including the app name and the functionality you are addressing with the app to itpolicyreq@purdue.edu.

How should I monitor access to my REED Folder?

The PI or Project Owner should follow the recommendations below:

  • Review the Sharing tab monthly to ensure only authorized people have access to the data.
  • Review the Access Stats on files deemed restricted periodically to ensure the actions taken are appropriate.
  • Maintain a log of your review actions; the log can be a spreadsheet or Word document. The log should be stored outside of Box.
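The monthly sharing review above is easy to do by hand for a small team, but a short script makes it repeatable and gives you the log entry in one step. The following is an added example, not code from Purdue RCAC, ITSP or Box. It assumes the collaborator list has been copied from the folder's Sharing tab into a list of e-mail/role pairs (a constructed format; Box's real export layout is not assumed), and that the PI keeps an authorized roster in the review log stored outside Box. It applies the guide's recommended permission levels: project team members may hold Editor, Viewer Uploader or Viewer; outside partners may hold Previewer or Uploader.

```python
"""Sharing review helper for a REED Folder.

Added example, not code from Purdue RCAC, ITSP or Box. It assumes:
  * the collaborator list is copied from the folder's Sharing tab into a list
    of {"email", "role"} dicts (constructed here; Box's real export format is
    not assumed);
  * the authorized roster is the set of e-mail addresses the PI keeps in the
    review log stored outside Box.
"""
import csv
from datetime import date
from io import StringIO

# Recommended permission levels from the guide, lower-cased for comparison.
INTERNAL_ROLES = {"editor", "viewer uploader", "viewer"}   # project team members
PARTNER_ROLES = {"previewer", "uploader"}                   # outside partners


def review_sharing(collaborators, authorized, internal_domain="purdue.edu"):
    """Return (email, role, finding) tuples for collaborators that need action."""
    findings = []
    roster = {a.strip().lower() for a in authorized}
    for c in collaborators:
        email = c["email"].strip().lower()
        role = c["role"].strip().lower()
        if email not in roster:
            findings.append((email, role, "not on the authorized roster; remove or document approval"))
            continue
        internal = email.endswith("@" + internal_domain)
        allowed = INTERNAL_ROLES if internal else PARTNER_ROLES
        if role not in allowed:
            who = "project team member" if internal else "partner"
            findings.append((email, role, f"role exceeds the recommended level for a {who}"))
    return findings


def log_review(folder, findings, reviewed_by, when=None):
    """Render one monthly review as CSV rows for the log kept outside Box."""
    when = when or date.today().isoformat()
    buf = StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if not findings:
        writer.writerow([when, folder, reviewed_by, "", "", "no findings"])
    for email, role, note in findings:
        writer.writerow([when, folder, reviewed_by, email, role, note])
    return buf.getvalue()


# Constructed sample data for a hypothetical project folder.
SAMPLE_COLLABORATORS = [
    {"email": "pi@purdue.edu", "role": "Editor"},
    {"email": "grad1@purdue.edu", "role": "Viewer Uploader"},
    {"email": "analyst@partner.example.org", "role": "Previewer"},
    {"email": "vendor@partner.example.org", "role": "Editor"},    # partner granted more than it needs
    {"email": "former-member@purdue.edu", "role": "Viewer"},      # left the lab, never removed
]
SAMPLE_AUTHORIZED = {
    "pi@purdue.edu", "grad1@purdue.edu",
    "analyst@partner.example.org", "vendor@partner.example.org",
}

if __name__ == "__main__":
    results = review_sharing(SAMPLE_COLLABORATORS, SAMPLE_AUTHORIZED)
    print(log_review("[L3 HIPAA]-Sleep Study", results, "pi@purdue.edu"))
```

Run as-is, the sample produces two findings: the partner holding Editor, and the former member who is still a collaborator. Append the CSV output to the log you keep outside Box, then act on the findings in the Sharing tab.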

Can I use Unmanaged Box accounts, and other Cloud Storage Options?

Unmanaged (free and commercial) Box accounts and all other cloud storage options are not approved for storing or sharing sensitive or restricted data. Purdue University does not maintain a contractual agreement with those vendors, and the required security controls are not in place. Personal use of cloud storage can continue; however, sensitive and restricted data must not be stored in such accounts. The table below will help you determine where to store your data.

Data Storage Breakdown

  Classification                                     Personal Box Folder   REED Folder
  Individually Identifiable Health Information       No                    Determined by Review
  Limited Data Set                                   No                    Yes
  De-Identified Data                                 No                    Yes
  De-Identified Data with Contractual Requirements   No                    Yes

What is De-identified Data?

De-identified data is created by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. De-identified health information, as described in the Privacy Rule, is not PHI and thus is not protected by the Privacy Rule; however, it may still be subject to contractual requirements. Requests to store additional data types within scope of HIPAA should be sent to ITSP for review prior to uploading to Box Enterprise.

Should I use Box Drive if I work with Restricted Data?

Currently, ITaP does not recommend using Box Drive to work with restricted data. However, if you have a business need for Box Drive, contact IT Security and Policy so we can help you understand the risk and ensure you have the appropriate controls in place to protect the data.

Will Box Drive or Box Edit cache files on the local machine?

Box Drive does locally cache files that you have opened. Box Drive's cache size limit is based on your free disk space (50% of available space) and has a maximum limit of 25 GB. If you reach this limit, Box Drive begins removing files, starting with those that have gone the longest without being accessed. Also, if a cached file has a new version created on Box, Box Drive discards the locally cached version. Do not open files containing restricted data in Box Drive. More details: Technical Information for Box Drive Administrators

Box Edit does download the file to a cache when you are modifying a file. The cache can be cleared. See: Clear Your Box Edit Cache

Can I use File Level Encryption with a REED Folder?

The data stored in a REED folder is encrypted at rest; file-level encryption, however, is the responsibility of the individual. Files can be encrypted prior to upload as an added security measure. Do not use Windows EFS: the data will be uploaded without the encryption. Currently, we recommend using VeraCrypt.

Can I use FTP to access Box?

No, FTP is disabled.

What are the requirements for a laptop or desktop if I am working with Restricted data?

  • Encrypt all drives in the system using whole-disk encryption.
  • Must be a Purdue managed laptop or desktop.
  • Must have software security updates applied every 30 days.
  • Install anti-virus and anti-spyware software, ensure definitions are up to date and run regular scans; utilize an endpoint protection solution.
  • Require re-authentication after 15 minutes of inactivity.
  • Enable a host-based firewall.
  • Ensure only authorized software on the system is accessing, transmitting, or storing sensitive or restricted information.
  • Require authentication from remote devices.
  • Disable Bluetooth on machines unless otherwise required.
  • Avoid the use of removable media unless required, in which case the removable media must be encrypted.
  • Require Administrator privileges to install applications.

What is a Limited Data Set?

A limited data set is a separate legal concept under the Privacy Rule and is considered identifiable data. Specifically, a limited data set refers to PHI that has had 16 specific identifiers (listed in the Privacy Rule) removed. A data use agreement is how covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. A Data Use Agreement will continue to be required when working with limited data sets in Box.

Should I move restricted data to other folders outside of a REED Folder?

When storing data within scope of HIPAA, it must be stored in a REED Folder:

  • Do not move or store the data in a folder hosted directly in your personal Box account.
  • Do not store the data outside of the REED Folder unless you are moving the data to a HIPAA-aligned system and you have received approval from Purdue's IT Security and Policy group (ITSP).
  • Moving data may also require approval from campus offices and committees responsible for contractual compliance and research regulatory affairs.

What are the folder naming conventions and folder description requirements for a REED Folder?

All folders and subfolders must follow a naming convention. The text must be added manually. The folder name must begin with the prefix [L3 HIPAA]- followed by the folder name, for example [L3 HIPAA]-Folder Name. The naming convention should be used on every folder hosted in a REED Folder. This is important, as it allows for auditing of the service. All folders containing restricted data must also carry a banner, added by using the Box folder description:

"The folder contains restricted data in scope of HIPAA. Exercise caution when sharing restricted or sensitive data, individuals must be authorized to access the data. Never sync restricted or sensitive data to an unauthorized system."

It is best that your project team works from the root folder of the project. If you create a collaboration in a subfolder, be certain you add the banner text and naming convention so that the project team knows the folder contains restricted data.

As a best practice, you can add [P1 Public] to folder names that do not contain restricted or sensitive data; this will help you manage the various data types you generate.
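Because the prefix and banner are added by hand, subfolders created by collaborators are the usual place the convention slips. The following is an added example, not code from Purdue RCAC or Box, that audits a folder inventory against the two rules above: every folder name in the REED Folder tree must begin with [L3 HIPAA]- and every folder description must contain the banner text. It assumes the inventory has been exported by hand into a list of path/description pairs (constructed below); the folder name is taken as the last path component.

```python
"""Naming-convention and banner audit for a REED Folder tree.

Added example, not code from Purdue RCAC or Box. It assumes a folder
inventory exported by hand into a list of {"path", "description"} dicts
(constructed below); the folder name is the last path component.
"""
import re

RESTRICTED_PREFIX = "[L3 HIPAA]-"
BANNER = ("The folder contains restricted data in scope of HIPAA. "
          "Exercise caution when sharing restricted or sensitive data, "
          "individuals must be authorized to access the data. "
          "Never sync restricted or sensitive data to an unauthorized system.")


def _normalize(text):
    """Collapse whitespace so a banner pasted with line breaks still matches."""
    return re.sub(r"\s+", " ", text or "").strip()


def audit_folder(name, description):
    """Return a list of convention violations for one folder (empty if compliant)."""
    issues = []
    if not name.startswith(RESTRICTED_PREFIX):
        issues.append(f"name does not begin with '{RESTRICTED_PREFIX}'")
    elif not name[len(RESTRICTED_PREFIX):].strip():
        issues.append(f"no folder name after the '{RESTRICTED_PREFIX}' prefix")
    if _normalize(BANNER) not in _normalize(description):
        issues.append("description is missing the HIPAA banner")
    return issues


def audit_tree(folders):
    """Map each non-compliant path to its issues; compliant folders are omitted."""
    report = {}
    for folder in folders:
        name = folder["path"].rsplit("/", 1)[-1]
        issues = audit_folder(name, folder.get("description", ""))
        if issues:
            report[folder["path"]] = issues
    return report


# Constructed sample inventory for a hypothetical project.
SAMPLE_FOLDERS = [
    {"path": "[L3 HIPAA]-Sleep Study", "description": BANNER},
    # Subfolder created by a collaborator: no prefix, no banner.
    {"path": "[L3 HIPAA]-Sleep Study/raw", "description": ""},
    # Banner pasted with line breaks; still accepted after normalization.
    {"path": "[L3 HIPAA]-Sleep Study/[L3 HIPAA]-analysis",
     "description": BANNER.replace(". ", ".\n")},
    # Prefix typed but the folder name itself was left empty.
    {"path": "[L3 HIPAA]-Sleep Study/[L3 HIPAA]-", "description": BANNER},
]

if __name__ == "__main__":
    for path, issues in audit_tree(SAMPLE_FOLDERS).items():
        print(path)
        for issue in issues:
            print("  -", issue)
```

On the sample inventory the audit reports the "raw" subfolder (missing both the prefix and the banner) and the folder whose name is only the prefix; the root folder and the analysis subfolder pass. Run it as part of the monthly review and record the result in the log kept outside Box.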

Can I delete my files permanently from Box?

Individuals can delete a file or folder, and the item will be placed in the Trash. Individuals will not be able to permanently delete the items. An automated process is in place to remove trashed data older than 90 days. Once an item is purged, it cannot be recovered using the built-in Box tools.

What are the recommended permission levels?

Recommended permission levels

  Role                                                    Permission Level
  Project Team member who needs full control              Editor
  Project Team member who just needs to work within Box   Viewer Uploader
  Project Team member who needs Read/Download access      Viewer
  Partner who needs Read access                           Previewer
  Partner who needs to upload data                        Uploader

How do I host sensitive or restricted data in Box?

Storage of restricted data in Box is subject to review from Purdue's IT Security and Policy group (ITSP). Access may also require approval from campus offices and committees responsible for contractual compliance and research regulatory affairs.

Purdue's managed Box environment can be used to store de-identified data and limited data sets in scope of HIPAA for research. Fully identified data is subject to a security review and approval process.

All restricted data must be stored in a REED Folder. Do not use Box for an actual medical practice.

See the data map below for more details:

HIPAA data map
