[HIPAA Compliant SFTP] Enterprise Servers and Solutions
Looking for a HIPAA compliant SFTP server? We will compare top compliant servers, the benefits of SFTP servers, and how to avoid HIPAA violation fines.
Using SFTP servers is a key part of HIPAA compliance. If your SFTP servers use weak encryption, you run a higher risk of compliance violations. Your organization needs strong encryption standards and MAC algorithms to be compliant.
What Is SFTP and Why Is It Important for Enterprise Healthcare Applications?
SSH File Transfer Protocol (SFTP) is a secure protocol used to protect the transfer of large files over network connections.
SFTP is based on File Transfer Protocol (FTP), one of the earliest and most widely used file transfer methods in the world. FTP is a rather basic transfer method that makes transferring bulk files across networks fast and easy. However, FTP is inherently insecure.
SFTP addresses some of the limitations of traditional FTP by adding security features that protect transmitted data:
- Secure Shell (SSH) encryption to protect data during transmission. SSH is an encryption standard that includes additional functionality above and beyond simple file transfer features.
- Fewer connections between computers. With FTP, your computer opens several channels between the two machines to carry out a file transfer. SFTP uses a single channel over a single port, which can make connections easier to secure.
- Secure file transfer can be a critical part of necessary compliance requirements, including those for HIPAA, where unprotected data transfers are violations.
How Does SFTP Meet HIPAA Compliance Requirements?
First, it is important to note that SFTP is not HIPAA compliant in and of itself. It is possible to transfer data through SSH FTP and not meet HIPAA compliance.
The HIPAA Privacy Rule establishes that patient data must remain private and protected at rest and in transit, and not all secure file sharing meets those criteria. The Security Rule applies those rights through technical, physical, and administrative safeguards that protect data in the computer and analog systems of Covered Entities (CEs).
SFTP can be an important part of complying with the Security Rule. This rule calls for the encryption of PHI during transmission, which means that there must be an encryption standard in place that keeps that data private. SFTP brings SSH encryption algorithms to the process of data transfer. While this is a good start, this form of file transfer “out of the box” is not fully compliant without some additional configuration. Common ways a standard SFTP deployment falls short of compliance include:
- Using old or outdated encryption algorithms. Older or non-compliant versions of SSH might use forms of encryption that have been broken, or that simply provide little or no protection against modern attack tools. An implementation relying on such algorithms would fail to meet HIPAA requirements.
- Failing to manage access keys. SFTP relies on an implementation of encryption that uses secret keys to encrypt and decrypt data. Per the HIPAA Security Rule, CEs and Business Associates (BAs) must protect digital and physical access to these keys. If you are using SFTP but not protecting the keys used to secure ePHI, then you are not maintaining compliance.
- Allowing unauthorized outside access from the public Internet to your intranet. The encryption of data doesn’t matter if anyone outside of your organization can tunnel into your servers to access data. If you aren’t controlling access, you aren’t compliant.
- Not configuring logging and reporting. SFTP servers can log access and data changes, and HIPAA requires such logging for a variety of reasons. But if you don’t configure your server to log properly, you could be violating key HIPAA requirements.
Determine what configuration settings your SFTP implementation will need. If you’re working with a provider who offers HIPAA compliant SFTP, they will already have these settings in place.
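To make the four gaps above concrete, here is an added shell example (not from the original page or any vendor): it audits an OpenSSH sshd_config for each gap, using a constructed weak configuration beside its hardened counterpart. The deny-list of legacy algorithm names and the exact hardened values are this example's own assumptions, not settings the page prescribes.

```shell
# Constructed sample sshd_config (hypothetical, not from any real deployment) showing the four
# gaps: legacy algorithms, password logins instead of managed keys, open access, no SFTP logging.
WEAK_SSHD_CONFIG='PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
LogLevel INFO
Subsystem sftp /usr/lib/openssh/sftp-server'

# The same server hardened: AEAD ciphers and ETM MACs only, key-only logins,
# a group allow-list, and the in-process SFTP server logging every file operation.
HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sftp-users
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256
LogLevel VERBOSE
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO'

# sshd_value CONFIG_TEXT KEYWORD: effective value of a directive (sshd takes the
# first occurrence, keywords are case-insensitive, comment lines are skipped).
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT: print one finding per line for each of the four gaps.
audit_sshd_config() {
  cfg=$1
  # 1. Outdated algorithms: deny-list of legacy names (CBC modes, MD5/SHA-1 MACs, 1024-bit DH).
  #    An unset list means sshd's compiled-in default applies; verify that with `sshd -T` on the host.
  lists="$(sshd_value "$cfg" Ciphers),$(sshd_value "$cfg" MACs),$(sshd_value "$cfg" KexAlgorithms)"
  for weak in 3des-cbc arcfour aes128-cbc aes256-cbc hmac-md5 hmac-sha1 diffie-hellman-group1-sha1; do
    printf '%s\n' "$lists" | tr ',' '\n' | grep -qx "$weak" && echo "legacy algorithm enabled: $weak"
  done
  # 2. Key management: password logins sidestep the key lifecycle entirely.
  [ "$(sshd_value "$cfg" PasswordAuthentication)" = yes ] && echo "password authentication enabled"
  # 3. Access control: root login permitted, or no user/group allow-list at all.
  [ "$(sshd_value "$cfg" PermitRootLogin)" = yes ] && echo "root login permitted"
  [ -z "$(sshd_value "$cfg" AllowUsers)$(sshd_value "$cfg" AllowGroups)" ] && echo "no AllowUsers/AllowGroups allow-list"
  # 4. Logging: VERBOSE records the key fingerprint per login; the SFTP subsystem logs
  #    reads, writes and renames only when started with its own -l level.
  [ "$(sshd_value "$cfg" LogLevel)" = VERBOSE ] || echo "LogLevel is not VERBOSE"
  printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*Subsystem[[:space:]]+sftp' | grep -Eq -- '[[:space:]]-l[[:space:]]' \
    || echo "sftp subsystem started without -l: file operations are not logged"
}

# count_findings CONFIG_TEXT: number of findings; 0 means all four gaps are closed.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d '[:space:]'; }
```

Run `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` on a host to list its findings; the file audit does not see compiled-in defaults, so confirm the live algorithm lists with `sshd -T`.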
What Are the Penalties for Not Using a HIPAA-Compliant SFTP Server?
CEs and BAs can face significant penalties for not meeting their obligations under HIPAA. A HIPAA violation occurs when an organization, whether accidentally or willfully, fails to meet its responsibility to protect patient privacy through the safeguards it can implement. This doesn’t simply mean that an organization will feel repercussions when a breach occurs; penalties can be levied for failure to have safeguards in place.
Penalties come in different ranges based on the severity and timeframe of the violation:
- Tier 1 penalties are for unintended violations, where the CE was unaware of the violation and could not reasonably have avoided it.
- Tier 2 penalties include violations that the CE should have been aware of but couldn’t avoid, outside of willful neglect of HIPAA rules.
- Tier 3 penalties include violations that are due to willful neglect, but attempts have been made to correct the issue.
- Tier 4 penalties are due to willful neglect where no attempt has been made to fix the issue within a given time period.
Civil penalties for these tiers go up as the severity of the violation increases:
- Tier 1 can incur penalties of $100 to $50,000 per violation, with an annual maximum of $25,000.
- Tier 2 can incur penalties of $1,000 to $50,000 per violation, with an annual maximum of $100,000.
- Tier 3 can incur penalties of $10,000 to $50,000 per violation, with an annual maximum of $250,000.
- Tier 4 can incur penalties at a minimum of $50,000 per violation, with an annual maximum of $1.5 million.
Additionally, there are increasing criminal charges where criminality has been determined by the Department of Justice:
- Organizations that knowingly disclose PHI can be fined up to $50,000, and guilty parties can receive up to 1 year in jail.
- Organizations committing any form of fraud as part of that disclosure can face increased fines of up to $100,000 and 5 years in jail.
- Organizations disclosing or stealing data for profit, espionage, or commercial advantage can face fines up to $250,000 and 10 years in jail.
Top HIPAA-Compliant SFTP Server Providers
| Provider | Business Associate Agreement? | Features |
| --- | --- | --- |
| Accellion | Yes | TLS or SSH encryption, AES-256, LDAP integration, SOC 2 attestations for physical safeguards, DLP integration, one-click audits, and reporting |
| HIPAA Vault | Yes | TLS or SSH encryption, AES-256 encryption, RSA key exchange, managed password policies |
| Files.com | Yes | TLS or SSH encryption, AES-256 encryption, two-factor authentication |
| Cerberus FTP Server | Yes | TLS or SSH encryption, AES-128 encryption, LDAP, Active Directory |
| FTP Today | Yes | AES-128, dedicated firewalls, SSH key authentication, geofencing, IP blacklisting |
HIPAA Vault includes security measures like two-factor authentication, IP exclusion, and both at-rest and in-transit encryption. Their introductory tier includes 20GB of storage for up to 25 users and managed services starting at $199 per month.
Files.com is a solid choice for HIPAA SFTP and storage, supporting up to 25 users at $20/mo. The platform also offers several connectivity integrations with other cloud and transfer tools like AWS, Dropbox, Microsoft Azure, and Google Cloud.
Cerberus FTP Server
Cerberus includes at-rest encryption with AES-128 and compliance with FIPS 140-2, the cryptographic module standard defined by the National Institute of Standards and Technology (NIST). It also includes several file management and segmentation tools for managing larger storage environments and storing data securely.
FTP Today is an established file transfer provider with several tiers of service that offer plenty of features for those who want a complete solution. Pricing for HIPAA-compliant tiers starts at $100/mo for 25 users and 10GB of storage.
The Accellion Difference for SFTP Service
Accellion provides HIPAA-compliant SFTP as part of a larger ecosystem of file protection and management services built around priorities of security, compliance, and accessibility.
What does that mean for CEs looking for a compliant HIPAA SFTP solution? It means that, with Accellion, you get secure content access and a comprehensive view of your data, including a CISO Dashboard and real-time data inspection for Unified Visibility. Alongside that data visibility, you do not sacrifice critical security (including HIPAA-compliant technical, physical, and administrative safeguards) or overall HIPAA compliance.
Learn how Accellion is modernizing HIPAA-compliant enterprise SFTP.