Do you need a HIPAA Compliant FTP Site?
See what Technical Safeguard controls you need for your HIPAA compliance requirements.
SFTP Provider HIPAA Best Practices Explained
As a governing regulatory body, HIPAA includes a number of different requirements that are designed to bring it more up to speed with the increasingly digital world in which we now live. Health records are no longer stored in a filing cabinet in an office where a lock is all you would need to keep that data protected. It's being stored digitally, so HIPAA itself has had to adapt. When choosing an SFTP provider, you need to make sure not only that you're getting a partner that you can trust but one that will also allow you to maintain the specific level of compliance regarding electronic health information that HIPAA now requires.
The HIPAA Best Practices to Follow
Access Control Best Practices
Under the current version of HIPAA, unique user identification is an explicit requirement that applies to an SFTP provider. Every user must have a unique name or number attached to their account, so that administrators can track what each user is doing, what information they are accessing, and more. FTP Today lets the site administrator assign a unique login account to each user, which satisfies this particular HIPAA requirement.
FTP Today also takes this a step further by giving site administrators an unparalleled level of control over these unique user accounts as they are created. Permissions can be specified down to the individual folder, which is something that many other SFTP providers like Brick FTP, Smart File, ExaVault and FTP Worldwide do not currently offer. Only Brick FTP offers user-level protocol restrictions, but not nearly to the extent that FTP Today does.
Another access control best practice is automatic logoff: a user account is logged off the site after a set period of inactivity. This prevents an employee who forgets to log off from leaving their account (and therefore the FTP site) open to anyone else in the area. FTP Today automatically detects an idle connection and logs the account off after 15 minutes of inactivity.
Another important HIPAA best practice involves transmission security. HIPAA requires security measures that ensure electronically transmitted health records cannot be improperly modified without detection, and that this information is encrypted at all times. To meet this requirement, FTP Today uses SSL and SSH encryption (which one applies depends on the circumstances) to protect all private health information during transmission.
FTP Today offers encryption both for files in transit and for files at rest on your SFTP server. FTP Worldwide is one example of a competing provider that does not offer encryption at rest in any form.
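For readers running their own SFTP server rather than using a provider, the access control and transmission security controls above (unique accounts, folder-scoped permissions, per-user protocol restriction, 15-minute idle logoff, SSH encryption) map onto an OpenSSH sshd_config like this. This is an added example, not FTP Today's configuration; the group name, user naming scheme and paths are assumptions.

```text
# /etc/ssh/sshd_config fragment (added example; group and paths are assumed)

# Transmission security: SFTP runs inside SSH, so every session is encrypted.
Subsystem sftp internal-sftp
PubkeyAuthentication yes
PasswordAuthentication no        # key per person; pairs with the unique-account rule

# Unique user identification: one OS account per person (e.g. alice-billing,
# bob-radiology), all placed in the assumed group "phi-sftp". No shared logins,
# so server logs attribute every upload and download to one individual.

# Automatic logoff after 15 minutes of inactivity.
# ChannelTimeout (OpenSSH 9.2+) closes an idle SFTP channel; the channel type
# keyword has changed spelling between releases, so check man sshd_config.
ChannelTimeout session=15m
UnusedConnectionTimeout 1m       # then drop the connection with no open channels
# ClientAlive only detects clients that stop responding (dead connections);
# it does not log off a responsive-but-idle user, so it complements the above.
ClientAliveInterval 60
ClientAliveCountMax 3

# Folder-level permission and SFTP-only protocol restriction for that group.
Match Group phi-sftp
    # %u expands to the user name, so each user sees only /srv/sftp/<user>.
    # The chroot root must be owned by root and not group/world-writable;
    # give the user a writable subfolder such as /srv/sftp/<user>/incoming.
    ChrootDirectory /srv/sftp/%u
    # No shell, no scp, no forwarding: only the SFTP subsystem is reachable.
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

The `-l INFO` flag makes internal-sftp log each file operation for the audit trail; inside a chroot this only works if the syslog socket is made available at /srv/sftp/<user>/dev/log.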
Emergency Access Procedure
HIPAA dictates that a covered entity or business associate “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” An emergency in the SFTP context is any type of system failure, up to the worst-case scenario of a complete data center failure, for example due to a natural (or unnatural) disaster in the immediate vicinity of the data center.
FTP Today is the only SFTP provider that keeps backup copies of all live customer data in a disaster recovery location that is completely separated geographically from the production data center. In the event of a facility loss, this means that 100% of any PHI stored in the production facility can be made available for emergency access in another facility across the country.
Want to be sure you're HIPAA compliant?
Download our HIPAA Readiness Statement today and see how FTP Today helps you maintain a HIPAA compliant site.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.