December 31, 2015

    SFTP Provider HIPAA Best Practices Explained

    HIPAA, and in particular its Security Rule, includes a number of requirements designed to keep pace with the increasingly digital world in which we now live. Health records are no longer stored in a filing cabinet in an office, where a lock was all you needed to keep that data protected. They are stored digitally, so the regulation has had to adapt. When choosing an SFTP provider, you need to make sure not only that you're getting a partner you can trust, but also one that lets you maintain the specific level of compliance for electronic protected health information (ePHI) that HIPAA now requires.

    The HIPAA Best Practices to Follow

    Access Control Best Practices

    Under the HIPAA Security Rule, unique user identification is a required implementation specification (45 CFR 164.312(a)(2)(i)). For an SFTP provider, this means every user needs a unique name or number attached to their account, so that administrators can adequately track who is doing what and which information they are accessing. Sharetru lets the site administrator assign a unique login account to each user, satisfying this part of HIPAA compliance.

    Sharetru also takes this a step further by giving site administrators an unparalleled level of control over these unique user accounts as they are created. Permission can be specified down to the folder level, something that many other SFTP providers, such as Brick FTP, Smart File, ExaVault and FTP Worldwide, do not currently offer. Only Brick FTP offers user-level protocol restrictions, and not nearly to the extent that Sharetru does.

    Another access control best practice is automatic logoff (an addressable implementation specification, 45 CFR 164.312(a)(2)(iii)), which ends a user's session after a set period of inactivity. This protects against employees who forget to log off and leave their account, and therefore the file transfer site, open to anyone else in the area. Sharetru automatically detects an idle connection and logs the account off after 15 minutes of inactivity.
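    To show what the two controls above buy you on the server side, here is an added example (not Sharetru's code, and not part of the original post) that audits an SFTP server log for shared accounts and for sessions that sat idle past the 15-minute logoff policy. The log lines are constructed for the example and only approximate what OpenSSH's internal-sftp writes at log level INFO; the user names, client addresses and file paths are made up.

```python
"""Audit an SFTP server log for two HIPAA access-control signals:
(1) one account used from two client addresses at the same time, which
defeats unique user identification, and (2) sessions idle longer than
the logoff policy allows, i.e. where automatic logoff should have fired."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)   # the 15-minute logoff policy from the text

# Constructed sample log (assumed format: syslog timestamp, host, tag[pid]: msg),
# approximating OpenSSH internal-sftp output at log level INFO.
SAMPLE_LOG = """\
Jan 10 09:00:00 sftp1 sshd[4100]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Jan 10 09:00:00 sftp1 internal-sftp[4101]: session opened for local user alice from [203.0.113.5]
Jan 10 09:00:04 sftp1 internal-sftp[4101]: open "/phi/lab-results.csv" flags READ mode 0666
Jan 10 09:00:06 sftp1 internal-sftp[4101]: close "/phi/lab-results.csv" bytes read 20480 written 0
Jan 10 09:05:00 sftp1 internal-sftp[4177]: session opened for local user billing from [198.51.100.7]
Jan 10 09:06:30 sftp1 internal-sftp[4210]: session opened for local user billing from [192.0.2.44]
Jan 10 09:07:00 sftp1 internal-sftp[4177]: session closed for local user billing from [198.51.100.7]
Jan 10 09:09:00 sftp1 internal-sftp[4210]: session closed for local user billing from [192.0.2.44]
Jan 10 09:22:10 sftp1 internal-sftp[4101]: open "/phi/claims.csv" flags READ mode 0666
Jan 10 09:22:11 sftp1 internal-sftp[4101]: session closed for local user alice from [203.0.113.5]
"""

LINE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
                  r'internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION = re.compile(r'^session (?P<ev>opened|closed) for local user '
                     r'(?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
FILEOP = re.compile(r'^(?P<op>open|close) "(?P<path>[^"]+)"')


def parse_sessions(log_text):
    """Group internal-sftp lines by pid into sessions with a timeline of events."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # sshd and other daemons are ignored
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')   # syslog has no year
        pid, msg = int(m['pid']), m['msg']
        s = sessions.setdefault(pid, {'pid': pid, 'user': None, 'ip': None,
                                      'start': None, 'end': None,
                                      'times': [], 'files': []})
        s['times'].append(ts)             # every line counts as activity
        sm = SESSION.match(msg)
        if sm:
            if sm['ev'] == 'opened':
                s.update(user=sm['user'], ip=sm['ip'], start=ts)
            else:
                s['end'] = ts
            continue
        fm = FILEOP.match(msg)
        if fm and fm['op'] == 'open':
            s['files'].append(fm['path'])
    return list(sessions.values())


def shared_accounts(sessions):
    """Users with overlapping sessions from different addresses: a shared
    login that cannot be attributed to one individual."""
    by_user = defaultdict(list)
    for s in sessions:
        if s['user'] and s['start']:
            by_user[s['user']].append(s)
    flagged = {}
    for user, ss in by_user.items():
        for a in ss:
            for b in ss:
                if a is b or a['ip'] == b['ip']:
                    continue
                a_end = a['end'] or a['times'][-1]   # still open: last seen
                b_end = b['end'] or b['times'][-1]
                if a['start'] <= b_end and b['start'] <= a_end:
                    flagged.setdefault(user, set()).update({a['ip'], b['ip']})
    return {u: sorted(ips) for u, ips in flagged.items()}


def idle_violations(sessions, limit=IDLE_LIMIT):
    """Sessions whose longest silent stretch exceeds the logoff limit."""
    out = []
    for s in sessions:
        times = sorted(s['times'])
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and max(gaps) > limit:
            out.append({'user': s['user'], 'pid': s['pid'], 'idle': max(gaps)})
    return out


def file_trail(sessions):
    """Per-user list of files opened: the audit trail unique IDs make possible."""
    trail = defaultdict(list)
    for s in sessions:
        trail[s['user']].extend(s['files'])
    return dict(trail)


if __name__ == '__main__':
    sess = parse_sessions(SAMPLE_LOG)
    print('shared accounts:', shared_accounts(sess))
    print('idle violations:', idle_violations(sess))
    print('file trail:', file_trail(sess))
```

    On the sample, the "billing" account is flagged because it is in use from two addresses at once, and alice's session is flagged for a 22-minute gap between two file operations, which a 15-minute automatic logoff would have cut short. The same per-pid grouping is what lets you answer "which files did this person touch" at all, which is the practical reason the Security Rule insists on one login per person.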

    Transmission Security

    Another important HIPAA best practice is transmission security. The Security Rule's transmission security standard (45 CFR 164.312(e)) calls for safeguards against unauthorized access to ePHI in transit: integrity controls to ensure that electronically transmitted health records are not improperly modified without detection, and encryption of that information whenever it travels over a network. To address this, Sharetru uses SSL/TLS or SSH encryption, depending on the protocol the client connects with, to protect all protected health information during transmission.

    Sharetru encrypts files both in transit and at rest on your SFTP server. FTP Worldwide is one example of a competing provider that does not offer encryption at rest in any form.

    Emergency Access Procedure

    HIPAA requires that a covered entity or business associate “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency” (45 CFR 164.312(a)(2)(ii)). For SFTP, an emergency is any type of system failure, up to and including the worst case of a complete data center loss, for example after a natural or man-made disaster in the immediate vicinity of the facility.

    Sharetru is the only SFTP provider that keeps backup copies of all live customer data in a disaster recovery location that is completely separated geographically from the production data center. In the event of a facility loss, this means that all of the PHI stored in the production facility can be made available for emergency access in another facility across the country.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
