If FTP is needed to send transfer protected health information, healthcare suppliers, health plans, healthcare clearinghouses and business associates of HIPAA-covered groups must ensure their service provider uses a HIPAA compliant sFTP server.
FTP is a handy way of sending/receiving medical transcriptions, sending electronic medical records and test results, and for transferring files including ePHI to cloud storage. However, FTP communications are not safe and file transfers can easily be intercepted. Due to this, healthcare groups and their business associates must avoid sending any protected health information over FTP. Doing so would be a breach of the HIPAA Security Rule.
HIPAA Security Standard §164.306 requires covered groups to ensure the confidentiality, integrity, and availability of ePHI is safeguarded at rest and in transit. In order to share ePHI securely, HIPAA-covered groups can use a secure FTP server.
A secure FTP server uses the Secure File Transfer Protocol instead of the generic file transfer protocol to share and receive files, using a SSH connection to transmit and receive data from an authenticated host like a remote cloud server.
sFTP Alone Does Not Ensure HIPAA Compliance
There is a typical misconception that by changing from FTP to sFTP, organizations are adhering to the requirements of HIPAA, when that is not the case. The use of sFTP is important for HIPAA compliance, although it is still possible to use sFTP and still breach HIPAA Rules.
sFTP will ensure that communications are encrypted, but if the encryption and MAC algorithms are flimsy, the level of protection for transmitted files will not meet HIPAA standards. For instance, both the DES or MD5 algorithms can be cracked, allowing sent files to be accessed.
While HIPAA does not state the algorithms that should be used for stored and transmitted ePHI, covered groups should ensure the algorithms used meet NIST standards fort security. For example, a HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect sent data using a RSA 2048 bit key, both of which meet NIST and HIPAA standards.
HIPAA also requires access controls be implemented to stop unauthorised access/disclosures of ePHI. Covered entities should therefore use a sFTP server that is set up only to allow authorized individuals to access the server. Two-factor authentication should be employed to verify the identity of the user, while source IP exclusion should be used to block access to the server from IP addresses not controlled by the covered group.
The HIPAA Security Rule also requires an audit trail to be managed and for logs of all activity related to ePHI to be reviewed. Any service provider must keep a log of all activity on the server. Regulators may ask for access to these logs during audits and data breach investigations and covered groups must have visibility into what is happening on any server used to store or send ePHI.
Service providers must also be ready to complete a HIPAA-compliant business associate agreement (BAA). Without a BAA, there is no such thing as a HIPAA compliant sFTP server, irrespective of the security protections in place to protect stored and transmitted data.
Fines for Failing to Implement a HIPAA Compliant SFTP Server
Failing to install a HIPAA compliant SFTP server and the consequences can be drastic. Not only will this allow hackers the chance to gain access to sensitive data, if the Department of Health and Human Services’ Office for Civil Rights (OCR) discovers ePHI has been sent via over FTP and a HIPAA compliant sFTP server has not been used, a fine could be issued.
The maximum fine for one HIPAA violation is $1.5 million multiplied by the amount of years that the violation has been allowed to continue.