"Not only is it encrypted but we integrate it with Active Directory," says Cook. There's a file-synchronization feature and it's possible to set timelines for documents, requiring them to be checked at specific intervals. CACHIE now uses this with 123 healthcare providers in Colorado to help them manage electronic patient files.
Boston-based Children's Hospital, the primary pediatric teaching hospital for Harvard Medical School, also had a file-sharing requirement, and it chose to go with the Biscom a few years ago. Scott Bolser, messaging and collaboration team leader at Children's Hospital, says at the time, the licensing arrangement for the Biscom Delivery Server was more attractive than comparable products from Accellion.
The Biscom software, which sits on a Windows server, supports encrypted file-sharing mainly among researchers that might need to send a 50MB radiology file, which falls way outside the normal 10- to 20-meg limits for e-mail messages. For those authorized to use Biscom, "they fill out a form and it looks like you're composing e-mail," he says. "But we have the file, not a cloud service."
Bolser says the integration with Active Directory and LDAP for internal users helps in security administration. Biscom is set up at Children's Hospital to allow users to register themselves and create a password, and it's used with outside partners on a sporadic basis when file-sharing needs arise. Biscom has a flexible licensing scheme that lets the hospital buy 500 licenses but revoke any of them when they're not in everyday use. And Children's Hospital IT staffers have administrative oversight to determine how any of the file-sharing takes place.
But can cloud-based file-sharing services suffice instead of the enterprise operating its own bulk file-sharing?
"Dropbox doesn't make the cut for enterprise-class security," says Gartner analyst John Pescatore, but he adds that other cloud file-sharing services, including Box, might under certain circumstances.
Enterprises, especially those with sensitive healthcare or financial data, must not only ensure the encryption they need is in place, but that the service provider can satisfy various regulatory requirements, he says.
For the government's HIPAA guidelines, for example, that would include having a so-called "business associate agreement." In addition, in general it needs to be clear how e-discovery can be done to satisfy any legal demands. Plus, if there's concern over where exactly data is held, the cloud provider is going to have to be transparent about that, Pescatore says. And when an employee leaves the company, you'll want to be sure you can de-provision them, which is generally more easily done with file-sharing products maintained on site.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
Read more about wide area network in Network World's Wide Area Network section.