January 18, 2017

    Is Your SFTP Hosting Solution HIPAA Compliant?

    Can your healthcare facility afford to incur thousands -- or even millions -- of dollars in penalty fees caused by noncompliance with HIPAA regulations? Probably not. Yet, that’s the outcome you’re risking when you rely on SFTP hosting that’s not HIPAA compliant.

    As a governing regulatory body, HIPAA’s standards are designed to bring security and privacy up to speed with today’s increasingly digital world. Health records are no longer stored in an office filing cabinet, where a lock is all you’d need to keep the data protected. It's now stored digitally, which means that HIPAA has had to adapt. Do your digital file sharing and storage procedures fall in line with the HIPAA mandates that now govern this evolution in data handling?


    The bottom line: Compliance is no casual matter in the healthcare industry. Securing the privacy of protected health information must be taken seriously. Therefore, it’s critical to ensure that your SFTP hosting solution meets the relevant HIPAA requirements. Ask yourself whether your facility’s provider fulfills the directives set forth by the Health Insurance Portability and Accountability Act.

    The answer is yes if …

    Each user is assigned a unique login account.

    HIPAA dictates that you “assign a unique name and/or number for identifying and tracking user identity.” This means that every user of your SFTP hosting site must have their own identification attached to the account, allowing administrators to adequately track what that user is doing, what information they're accessing and more. Does your SFTP hosting provider uphold this HIPAA standard by enabling the site admin to assign a unique login account to each user?

    If you really want to take privacy and security to the next level, find an SFTP host that gives site administrators an unparalleled level of control over these unique user accounts as they are created. They should be able to specify permissions down to the folder, a capability that many of the lesser secure SFTP providers out there do not offer.

    Data is backed up to a disaster recovery system at a separate geo-location.

    According to HIPAA, your healthcare facility must “establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” With regard to SFTP, an emergency would be any type of system failure, including a complete data center failure due to a natural or unnatural disaster in the immediate vicinity of the data center location.

    The truth is that even when you have all the proper precautions in place, some things simply can’t be controlled. But your organization doesn’t have the luxury of allowing sensitive files and information to be compromised. If your facility winds up in one of these scenarios, it’s crucial to have a solid disaster recovery plan in place. If something should happen to your provider‘s network infrastructure, how quickly and with what level of difficulty could they restore your SFTP server to full operation?

    Your best option is to choose an SFTP provider that keeps backup copies of all live customer data in a disaster recovery location that is completely separated geographically from the production data center. That way, in the event of a facility loss, 100% of any protected health information stored in the production facility can be made available for emergency access in another facility across the country.

    Idle connections are logged off after 15 minutes of inactivity.

    Does your SFTP hosting solution “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity”? This is another one of HIPAA’s access control standards.

    Ensuring that user accounts are automatically logged off the site after certain periods of inactivity helps to prevent vulnerabilities caused by employees who may forget to log off. Your SFTP hosting provider should be able to automatically detect an idle connection and log the account user off after 15 minutes (for example) of inactivity.

    Users are authenticated by either a password or SSH key.

    HIPAA dictates the implementation of “procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” How does your SFTP hosting provider ensure that the individual accessing the site is really who they say they are?

    By default, all users should be required to authenticate their identity via a password. Or, for scripted connections, public keys should be managed on a per-user basis to facilitate secure, password-less authentication. Yet a third option would be for administrators to set whether or not a user with an SSH-key can also use password authentication. Whatever the case, it’s essential to make sure that your SFTP hosting solution has the capability to accurately verify each user’s identification before granting them access to the site’s files and information.

    Your transmission is protected by either SSL or SSH encryption.

    Your healthcare facility is required to “implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of” and to “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

    These HIPAA standards are about maintaining transmission security. Does your SFTP host enable security measures to prevent electronically transmitted health records from being improperly modified without detection? And does it feature the ability to properly encrypt information when necessary? To address this level of compliance, you should opt for an SFTP solution that uses SSL and SSH encryption to protect all private health information during transmission. Encryption should be available for both files that are in transit and ones that are at rest on your SFTP server.

    Of course, these are just SOME of the ways that your SFTP hosting solution should be maintaining HIPAA compliance. There are additional standards to be aware of in order to safeguard your organization and eliminate the risk of noncompliance with HIPAA regulations. To uncover all of the necessary HIPAA-compliant SFTP hosting features and get a better understanding of how these features should be enforced by your provider, access your free HIPAA Readiness Statement today.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts