January 11, 2017

    9 HIPAA-Compliant FTP Features for Secure Medical Data

    Every day, your healthcare facility deals with sensitive patient information. As employees manage files and share medical data, it is absolutely imperative to ensure the utmost in privacy and security. If you’re not able to keep patient health information safe, you’re at risk of facing serious penalties for HIPAA noncompliance.

    Advancements in technology and FTP software have made the sharing and storing of patient health information easier than ever before, but you must implement a solution that follows strict compliance regulations and makes security a top priority. With secure FTP, medical facilities can make sure that the technical safeguards required by HIPAA are met and protect themselves against paying thousands or millions of dollars in penalty fees.

    In order to maintain compliance with HIPAA, you must focus not only on network security, but also on the physical storage of your data. All file-sharing activities must be validated, and only people who expressly need access to a patient’s data to do their jobs should be granted that access. It is essential to remain vigilant about file transfers, using both at-rest and in-transit encryption to protect data security from all angles.

    Therefore, the following HIPAA-compliant FTP software features should be integral aspects of any solution your healthcare organization employs. Be sure to download Sharetru’s HIPAA Readiness Statement to get a full breakdown of these features in action.

    HIPAA-Compliant FTP Software: Defining 9 Important Features

    The Health Insurance Portability and Accountability Act of 1996 became effective April 14, 2001. All health care providers and any of their contractors who transmit protected health information in electronic form are subject to the requirements of the rule. The rule governs the use and disclosure of individually identifiable protected health information.

    The following list covers each of the technical safeguards that are either specifically required or that need to be addressed for HIPAA compliance, along with the question you should ask a vendor to determine whether its solution meets that safeguard.

    1. Access Control: Unique User Identification

    “Assign a unique name and/or number for identifying and tracking user identity.”

    Ask: Can each user be assigned a unique login account?

    2. Access Control: Emergency Access Procedure

    “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

    Ask: Is data backed up to a disaster recovery system at a separate geo-location?

    3. Access Control: Automatic Logoff

    “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

    Ask: Are idle connections automatically logged off after a maximum number of minutes of inactivity?

    4. Access Control: Encryption & Decryption

    “Implement a mechanism to encrypt and decrypt electronic protected health information.”

    Ask: Is encryption of data while at rest offered?

    5. Audit Controls

    “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

    Ask: Are detailed activity logs kept perpetually and able to be downloaded for offline archival?

    6. Integrity Policies

    “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

    Ask: Does the SFTP protocol provide checksum verification to automatically check data integrity?

    7. Person or Entity Authentication

    “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

    Ask: Are users authenticated by either a password or SSH key? Can each user be required to originate their connection from a specific IP address as a form of two-factor authentication?

    8. Transmission Security: Integrity Controls

    “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

    Ask: Is transmission protected by either SSL or SSH encryption, depending on the protocol?

    9. Transmission Security: Encryption

    “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

    Ask: Do controls allow for enforcing the use of encrypted transmission?
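    For an organization that hosts its own SFTP endpoint rather than buying a service, the following OpenSSH `sshd_config` fragment shows what several of the safeguards above look like as server settings. This is an added example for illustration, not Sharetru's software or configuration; the group name `phi-sftp`, the users `alice` and `bob`, the addresses 203.0.113.10 and 203.0.113.11 and the directory layout under `/srv/sftp` are placeholders. `ChannelTimeout` and `UnusedConnectionTimeout` require OpenSSH 9.2 or later, and the channel-type syntax accepted by `ChannelTimeout` has changed between releases, so confirm it against `man sshd_config` for your version. Safeguards 2 (emergency access) and 4 (encryption at rest) are outside the SSH daemon's scope and must be met by backups and storage encryption.

```text
# Added example (not Sharetru's configuration): OpenSSH sshd_config fragment
# for a self-hosted SFTP endpoint holding protected health information.
# Group "phi-sftp", users "alice"/"bob", the 203.0.113.x addresses and the
# /srv/sftp layout are assumed placeholders.

# 1. Unique user identification: only named, individual accounts may log in,
#    so every logged operation is attributable to one person. The user@host
#    form also pins each account to the source address it must come from.
AllowUsers alice@203.0.113.10 bob@203.0.113.11

# 3. Automatic logoff: ChannelTimeout closes a session channel that carries
#    no traffic for the interval; UnusedConnectionTimeout then drops the
#    connection once it has no channels left. ClientAliveInterval alone only
#    detects clients that stopped answering keepalives, not idle ones.
ChannelTimeout session=15m
UnusedConnectionTimeout 1m
ClientAliveInterval 60
ClientAliveCountMax 3

# 5. Audit controls: VERBOSE records the key fingerprint used at each login;
#    per-file activity (open, read, write, rename, remove) is logged by the
#    SFTP subsystem at INFO level. Ship these logs off the host for retention.
LogLevel VERBOSE
Subsystem sftp internal-sftp -l INFO

# 7. Person or entity authentication: SSH keys only, no passwords, so a
#    leaked or guessed password cannot grant access to PHI.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# 8 and 9. Transmission security: SFTP runs inside the SSH transport, so all
#    traffic is encrypted and integrity-checked; limiting the algorithm lists
#    keeps weak ciphers or MACs from ever being negotiated.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Confine PHI users to the SFTP subsystem inside a chroot: no shell, no port
# forwarding, no path outside the jail. ChrootDirectory must be owned by root
# and not writable by the user, or sshd refuses the login.
Match Group phi-sftp
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

    After editing, run `sshd -t` to syntax-check the file and `sshd -T` to print the effective settings, and keep the resulting logs in the same offline archive you would demand from a vendor under safeguard 5.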

    FTP Site HIPAA Violations: Understanding the Consequences

    So, what happens if your FTP software does not integrate these features, and your healthcare facility is found to be in violation of HIPAA? Be sure that you fully understand the consequences, as they can significantly impact your organization.

    Under the ARRA, or the American Recovery and Reinvestment Act of 2009, a tiered civil penalty structure was put in place to govern what happens for all HIPAA violations, and the ramifications can be pretty severe depending on the circumstances.

    Consider the facts:

    • Even if you can prove beyond the shadow of a doubt that your organization did not know it was using file transfer services that were in violation of HIPAA, you could still be looking at a minimum penalty of $100 per violation and a maximum of $50,000 per violation, with an annual maximum of $1.5 million.
    • If an oversight committee is able to prove that the HIPAA violation resulted from reasonable cause and not from willful neglect, the minimum penalty increases to $1,000 per violation.
    • Even if you are made aware that your business FTP site is not in HIPAA compliance and you take action to correct the issue immediately, you will still not be able to get out of any violations that have already been incurred. You could be looking at a minimum of $10,000 per violation, with an annual maximum of $250,000, for any and all repeat violations that are discovered.

    Choosing HIPAA-Compliant FTP Software

    While many of the FTP providers out there offer the features needed to share information with anyone at any time, they don't do a whole lot in the way of protecting patient privacy in a way that complies with HIPAA regulations.

    You might be tempted to opt for consumer-grade, cloud-based storage providers, which are often ideal for home users or students who want to be able to access files from any computer with an Internet connection. But this type of solution will not enable your healthcare facility to maintain HIPAA compliance. In fact, it could actually put your entire organization in violation.

    To choose an FTP software solution that will safeguard your sensitive medical data and protect your organization, make sure you consult the features and questions outlined above. Sharetru, for example, provides every possible control for you to confidently state that you have a HIPAA-compliant FTP site. For more in-depth insight into how our software fulfills these requirements, download your free copy of the HIPAA Readiness Statement.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
