Body
When you need to share sensitive information with a co-worker, consultant, or other collaborator, how do you share it? Your natural instinct may be to send the information in an email. Business email tools like Outlook generally have stronger security controls than common commercial email tools like Gmail. However, email remains one of the least secure methods for transferring information, and it should only be used for sending non-sensitive data. For example, basic directory information (including a student's name, Dartmouth email address, telephone number, etc.) is already publicly available and can safely be sent over email.
Any files containing confidential data, including personally identifiable information (PII) or protected health information (PHI), should NOT be sent over email. This includes education records protected by FERPA (Family Educational Rights and Privacy Act) or health records protected by HIPAA (Health Insurance Portability and Accountability). For more information, please refer to Data Privacy Laws.
Passwords should also be treated as sensitive information and should NEVER be sent over email or on a messaging platform like Slack or Teams, even in a personal message only to yourself. Doing this can lead to unauthorized users gaining access to your passwords, whether on purpose or by accident.
So, if you need to send sensitive information to another person or group, what should you do? First, you should confirm that the recipients are authorized to access such information. For example, there are specific trainings that people must complete before gaining access to HIPAA information. Data authorization requirements may differ depending on your team. If ever in doubt on whether someone is authorized to access data, ask a supervisor before sharing sensitive information with that person.
Once confirming that someone is authorized to access the information you need to share, there are a few different methods you could use to share sensitive data. This article goes into a few different methods for securely transferring files.
Cloud Storage Providers
Secure File Transfer Protocol (SFTP)
File-Level Encryption
The most common and simplest method for sharing files securely is by uploading them to a reputable cloud storage provider like Google Drive and SharePoint. These cloud storage services typically have built-in security controls to help protect files. For example, Google Drive’s security controls include encryption and options for restricting viewing privileges for a file so only certain people can see it.
In most cases, cloud storage providers are the most preferred method for file sharing at Dartmouth, due to its ease of access and collaboration features.
Secure File Transfer Protocol (SFTP) is a standard protocol that creates an encrypted connection between a server and a client over a computer network, preventing files from being intercepted. SFTP can handle larger file sizes and has faster transfer speeds than cloud storage providers. It is also useful for accessing and updating a website’s files and folders. Options for SFTP at Dartmouth include SSH Secure Shell for Windows and Fetch for Macs.
File-level encryption is a method of encrypting individual files or folders. When employing file-level encryption, it is important to select the right encryption method for your needs that includes a strong encryption algorithm and a secure encryption key.
Many file applications, including Microsoft Office and Adobe Reader, have built-in features to encrypt individual files. You can also encrypt a compressed zip folder containing multiple files. To do this, you can use the Encrypting File System (EFS) built into Microsoft Windows or the Disk Utility feature built into Mac devices. There are also a number of third-party programs for file-level encryption available for both Windows and Mac operating systems.
Encrypted files should always be protected with a strong password. The Dartmouth password policy calls for a minimum of 8 characters, which may consist of upper or lower case letters, numbers, or special characters, in any order.
However, a risk with file-level encryption is that, if you lose the password, the data in the file is most likely not recoverable. Ensure that you always securely share the encryption password with at least one other member of your department, and consider storing encryption passwords in a password manager like Bitlocker.