HIPAA Compliant SFTP Server

If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server.

FTP is a convenient way of sending and receiving medical transcriptions, transmitting electronic medical records and test results, and transferring files containing ePHI to cloud storage. However, FTP communications are not encrypted and file transfers can easily be intercepted. Consequently, healthcare organizations and their business associates must avoid sending any protected health information over FTP. Doing so would be a violation of the HIPAA Security Rule.

HIPAA Security Standard §164.306 requires covered entities to safeguard the confidentiality, integrity, and availability of ePHI, both at rest and in transit. To send ePHI securely, HIPAA-covered entities can use a secure FTP server.

A secure FTP server uses the Secure File Transfer Protocol (SFTP) rather than plain FTP to send and receive files, transmitting data over an SSH connection to an authenticated host such as a remote cloud server.

sFTP Alone Does Not Guarantee HIPAA Compliance

There is a common misconception that switching from FTP to sFTP by itself meets the requirements of HIPAA. That is not the case: using sFTP is important for HIPAA compliance, but it is still possible to use sFTP and violate the HIPAA Rules.

sFTP ensures that communications are encrypted, but if the negotiated encryption and MAC algorithms are weak, the protection given to transmitted files will not meet HIPAA standards. For example, both DES and MD5 can be broken, allowing transmitted files to be accessed.

While HIPAA does not specify the algorithms that should be used for stored and transmitted ePHI, covered entities should ensure the algorithms used meet NIST standards for security. For instance, a HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using an RSA 2048-bit key, both of which meet NIST and HIPAA standards.

HIPAA also demands that access controls be implemented to prevent unauthorised access to and disclosure of ePHI. Covered entities should therefore use an sFTP server that is configured to allow only authorized individuals to access it. Two-factor authentication should be used to verify the identity of each user, and source IP restrictions should be used to block access to the server from IP addresses not controlled by the covered entity.

The HIPAA Security Rule also requires that an audit trail be maintained and that logs of all activity related to ePHI be monitored. Any service provider must keep a log of all activity on the server. Regulators may request these logs during audits and data breach investigations, and covered entities must have visibility into what is happening on any server used to store or transmit ePHI.
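As an added defender's check, not part of this article and not any vendor's product, the following Python script audits an OpenSSH sshd_config against the points made above: weak ciphers and MACs, a second authentication factor, an allow-list of authorized accounts, and logging of SFTP file operations. The config excerpt is constructed for the demonstration; source IP restrictions are assumed to be enforced at the firewall and are not checked here.

```python
import re

# Constructed sshd_config excerpt for this demonstration; not taken from a real server.
SAMPLE_SSHD_CONFIG = """
Ciphers aes256-gcm@openssh.com,aes256-ctr,3des-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-md5
Subsystem sftp internal-sftp
Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""

# OpenSSH algorithm names the article rules out (DES, MD5) plus other legacy
# choices a hardened server should disable: RC4, CBC modes, SHA-1 and truncated MACs.
WEAK_CIPHER = re.compile(r"3des|arcfour|-cbc$")
WEAK_MAC = re.compile(r"md5|sha1|-96")

def global_directives(text):
    """Map lowercased keyword -> value for directives above the first Match block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "match":
            break  # Match blocks apply only to a subset of connections
        directives[keyword.lower()] = value.strip()
    return directives

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked setting passes."""
    cfg = global_directives(text)
    findings = []
    for name in filter(None, cfg.get("ciphers", "").split(",")):
        if WEAK_CIPHER.search(name):
            findings.append(f"weak cipher enabled: {name}")
    for name in filter(None, cfg.get("macs", "").split(",")):
        if WEAK_MAC.search(name):
            findings.append(f"weak MAC enabled: {name}")
    # A comma-separated AuthenticationMethods list means all listed methods are required.
    if "," not in cfg.get("authenticationmethods", ""):
        findings.append("no AuthenticationMethods requiring two factors")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups allow-list of authorized accounts")
    # internal-sftp/sftp-server only log file operations when started with -l INFO or finer.
    if not re.search(r"-l\s+(INFO|VERBOSE|DEBUG\d?)", cfg.get("subsystem", ""), re.I):
        findings.append("Subsystem sftp does not log file operations (add '-l INFO')")
    return findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a server to list the settings that fall short; the constructed sample produces five findings.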

Service providers must also be prepared to sign a HIPAA-compliant business associate agreement (BAA). Without a BAA, there is no such thing as a HIPAA compliant sFTP server, regardless of the security protections in place to protect stored and transmitted data.

Penalties for Failing to Use a HIPAA Compliant SFTP Server

Failing to use a HIPAA compliant SFTP server can have catastrophic consequences. Not only does it give hackers an opportunity to gain access to sensitive data; if the Department of Health and Human Services’ Office for Civil Rights (OCR) discovers that ePHI has been transferred over FTP rather than a HIPAA compliant sFTP server, a financial penalty could be issued.

The maximum fine for a single HIPAA violation is $1.5 million multiplied by the number of years that the violation has been allowed to persist.