WHAT IS NIST? THE COMPLETE GUIDE TO THE NIST CYBERSECURITY FRAMEWORK
Explore this comprehensive guide on how the NIST Cybersecurity Framework can be applied to your organization.
How to Be HIPAA Compliant When Sharing Sensitive Files
Is your company subject to HIPAA compliance regulations? If you deal with healthcare data, the answer is yes. Maintaining HIPAA compliance is essential if you want to avoid steep fines, protect your business, and most importantly, protect the sensitive healthcare data belonging to your customers.
Learn more about HIPAA compliance and how to ensure sensitive data is protected.
HIPAA Compliant File Sharing Overview
What does HIPAA cover? HIPAA (The Health Insurance Portability and Accountability Act of 1996) was designed to keep PHI (Protected Health Information) secure. This can mean both physical and digital files that contain any sensitive health information. You may also hear digital healthcare data referred to as ePHI (electronic PHI).
PHI can include health records, healthcare bill payment information, or anything else that could be considered sensitive. Healthcare companies, contractors, and subcontractors that handle this information are required to protect it.
How is HIPAA-related information protected? Under HIPAA, there are three types of safeguards you need in place:
- Technical Safeguards - Technical safeguards include the steps taken to protect ePHI. The way sensitive healthcare files are stored, shared, accessed, and used is highly important to the overall protection of PHI. A number of security measures fall under this category, like having access controls available to your administrators, thorough authentication of users, and encrypting your data.
- Physical Safeguards - The way you protect physical access to your data is just as important as technical protections. Access to your building and physical files should be limited. You should also consider how your technology is physically accessed. This could mean increasing the protections for your servers, your employee workspaces, computers, laptops, and mobile devices.
- Administrative Safeguards - HIPAA defines its administrative safeguards as actions, policies, and procedures related to the management and maintenance of ePHI protection. This means the administrative efforts, including training and process establishment, used to protect data.
Steps You Can Take to Stay HIPAA Compliant
Now that you know a little more about HIPAA and the objective of protecting sensitive healthcare data, let’s look at some steps you can take to ensure you’re maintaining HIPAA compliant technical safeguards.
Encryption is a method of data protection that ensures only authorized parties can view sensitive files. While encryption doesn't prevent a hacker from trying to access your data, it does mean that your data will be protected in the event of a breach.
Because encryption is so important, consider adopting one or all of the following types of encryption:
- File Encryption - File-level encryption is a granular level of encryption, allowing you to protect data down to the specific file. Without user authorization, a specific file will not be available to view, download, edit, or delete. A key aspect of file encryption is that files are encrypted regardless of where they are stored. This means whether your file is stored on your hard drive or someone else's, it is protected.
- Virtual Disk Encryption - Do you use any cloud-based file storage or sharing services? If so, you need to ensure that these virtual disks are encrypted. Virtual encryption protects any digital file “container” like a cloud drive or solution.
- Full-Disk Encryption - Finally, you need to ensure that your physical hard drives are encrypted. Even files at rest could be at risk. Full disk encryption ensures that data on your computer is protected, so you mitigate the risk of stored files being compromised.
User Access Controls
User access management is a difficult aspect of data security unless you have the right tools in place. Who is accessing these files and why are they using them? These are two important questions you should ask yourself, as compliance efforts are ongoing. Here are a few ways to limit user access:
- Unique User IDs - Every user on your network or server should be granted a unique user ID. This ensures only authorized parties are accessing your solution, and also that that activity is easy to track on a user-to-user basis.
- Multi-Factor Authentication - Is the person logging into your solution actually who they claim to be, or are they a hacker in disguise trying to pretend they’re someone else? Multi-factor authentication uses features unique to a party to verify their identity. Usually, this is the combination of a password and a specific PIN (personal identification number). Other times, it could be a password or code sent via text or email account.
- Idle Logoff - When a user has been idle for long enough, their computer or device should automatically require a password re-entry prior to opening. This means even if a computer or device with sensitive EPI stored on it is left unattended, that data will be protected.
Common File Sharing Platforms and HIPAA Compliance
One of the best ways to ensure your sensitive files are safe is to choose a secure file sharing solution. Below are some common options companies use, but before you choose between these solutions, you should make sure you’re selecting one that is HIPAA compliant.
- Google Drive - Google Drive offers both free and paid enterprise file storage options, and it is a HIPAA compliant solution, given your employees do their part. Google encrypts all data uploaded to Google Drive. However, once these files are downloaded or shared, they are no longer encrypted. Employees can easily make mistakes when it comes to sensitive files sharing. Thus, you need a solution that has greater user controls than Google Drive offers.
- Dropbox - Dropbox, like Google Drive, can be HIPAA compliant as long as employees use it in HIPAA-compliant ways. That means ultimately, neither Dropbox or Google Drive are actually HIPAA compliant.
- WeTransfer - WeTransfer is a fairly simple-to-use file transfer solution designed for creative industries and file sharing. Although this solution, which offers a free version, is convenient, it is not HIPAA compliant.
- FTP Today - FTP Today offers a wide range of enterprise file sharing options, each with HIPAA compliance measures built into the solution. This makes it ideal for companies sharing sensitive healthcare-related data.
Keep Your Files HIPAA-Compliant
FTP Today is the only file sharing solution in the list that truly protects HIPAA-covered data. This solution has the needed protections built into its operations, ensuring that employee mistakes and nefarious motives don’t lead to data compromise. If you want to stay HIPAA compliant, adopting FTP Today is your best option.
There’s more to learn about being HIPAA compliant. Download this guide on the technical safeguards needed in a HIPAA compliant FTP site.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.