[HIPAA-compliant SFTP] Enterprise Servers and Solutions

Looking for a HIPAA-compliant SFTP server? We will compare top compliant servers, the benefits of SFTP servers, and how to avoid HIPAA violation fines.

Using an SFTP server is a key part of becoming HIPAA compliant, but the server must be configured correctly. If your SFTP servers use weak encryption, you run a higher risk of compliance violations. Your organization needs strong encryption standards and strong MAC (message authentication code) algorithms to be compliant.

What Is SFTP and Why Is It Important for Enterprise Healthcare Applications?

SSH File Transfer Protocol (SFTP) is a secure protocol used to protect the transfer of large files over network connections.

SFTP is based on File Transfer Protocol (FTP), one of the earliest and most widely used file transfer methods in the world. FTP is a rather basic transfer method that makes transferring bulk files across networks fast and easy. However, FTP is inherently insecure.


SFTP addresses some of the limitations of traditional FTP by adding security features to protect transmitted data:

  1. Secure Shell (SSH) encryption to protect data during transmission. SSH is an encryption standard that includes additional functionality above and beyond simple file transfer features.
  2. The reduction of necessary connections between computers. With FTP, your computer is opening several channels between the two machines to facilitate the file transfer. SSH FTP only utilizes one channel over a single port. This can make securing connections easier.
  3. Secure file transfer can be a critical part of necessary compliance requirements, including those for HIPAA, where unprotected data transfers are violations.

What Is a HIPAA-compliant SFTP Server?

A HIPAA-compliant SFTP server is an SFTP server that is configured to comply with the Health Insurance Portability and Accountability Act (HIPAA) requirements. This includes having security measures in place to protect sensitive patient data, such as encryption, authentication, access control, and logging. Additionally, a HIPAA-compliant SFTP server must also comply with other laws and regulations related to data security and privacy, such as the Family Educational Rights and Privacy Act (FERPA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Security Features of HIPAA-compliant Servers

A HIPAA-compliant SFTP server must meet stringent security requirements to ensure PHI remains secure and confidential. These security requirements include:

  1. Data encryption: HIPAA-compliant SFTP servers must enable data encryption both in transit and at rest.
  2. Multi-factor authentication: Servers must enable multi-factor authentication to secure user access and prevent unauthorized access to protected health information (PHI).
  3. Firewall protection: Firewalls must be implemented to secure server access from malicious sources.
  4. Access control: Servers must implement access control mechanisms to control internal and external access to PHI.
  5. Audit logging: Servers must keep track of user access and activity for monitoring, auditing, and compliance purposes.
  6. Security patches: Regular security patching and updates are required to keep the server secure from security threats and vulnerabilities.

How Does SFTP Meet HIPAA Compliance Requirements?

First, it is important to note that SFTP is not HIPAA compliant in and of itself. It is possible to transfer data through SSH FTP and not meet HIPAA compliance.

The HIPAA Privacy Rule establishes that patient data must remain private and protected at rest and in transit, and not all secure file sharing meets those criteria. The Security Rule applies those rights through technical, physical, and administrative safeguards that protect data in the computer and analog systems of Covered Entities (CEs).

SFTP can be an important part of complying with the Security Rule. This rule calls for the encryption of PHI during transmission, which means that there must be an encryption standard in place that keeps that data private. SFTP brings SSH encryption algorithms to the process of data transfer. While this is a good start, this form of file transfer “out of the box” is not fully compliant without some additional configuration. Common pitfalls in a standard SFTP deployment that break compliance include:

  1. Using old or outdated encryption algorithms. Older or non-compliant versions of SSH might use forms of encryption that have been broken, or that simply provide little or no protection against modern attack tools. An implementation using these algorithms would fail to meet HIPAA requirements.
  2. Failing to manage access keys. SFTP relies on encryption that uses keys to encrypt and decrypt data and to authenticate hosts and users. Per the HIPAA Security Rule, CEs and Business Associates (BAs) must protect digital and physical access to encryption keys. If you are using SFTP but not protecting the keys used to secure ePHI, then you are not maintaining compliance.
  3. Allowing unauthorized outside access from the public internet to your intranet. The encryption of data doesn’t matter if anyone outside of your organization can tunnel into your servers to access data. If you aren’t controlling access, you aren’t compliant.
  4. Not configuring your logging and reporting. SFTP does allow you to log access and data changes, and HIPAA requires such logging for a variety of reasons. But if you don’t configure your server to log properly, you could be violating key HIPAA requirements.

Determine what configuration settings your SFTP implementation will need. If you’re working with a provider who offers HIPAA-compliant SFTP, they will already have these settings in place.

How to Configure SFTP to Ensure HIPAA Compliance

As we’ve already seen, SFTP by itself is not HIPAA compliant. Some of the ways to configure an SFTP server to become HIPAA compliant include:

  1. Use Strong Passwords/Authentication: Utilize strong passwords and two-factor authentication to protect SFTP connections from unauthorized access.
  2. Restrict Access: Carefully control who and which systems are granted access to the SFTP server.
  3. Monitor File Activity: Monitor and log file activity, such as file access, download, and uploads, to ensure compliance with HIPAA requirements.
  4. Harden the Server: Harden the SFTP server by patching, disabling unnecessary services, and properly configuring access control lists.
  5. Encrypt Data: Use encryption techniques, such as SSL/TLS encryption, to protect data in transit and at rest.
  6. Back Up Your Data: Make regular backups of your data and store them in a secure location.
  7. Use a Secure Logging System: Set up a secure logging system to record system activity, such as user logins, anonymous logins, and any successful or unsuccessful attempts to access the SFTP server.
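The following POSIX shell snippet is an added example, not Kiteworks' code or part of the original article. It shows a hardened OpenSSH server configuration (SFTP runs over SSH) that covers the pitfalls and configuration steps in the two lists above, beside a weak "out of the box"-style configuration, and an awk-based audit function that flags weak ciphers, MACs and key exchange, password authentication, root login, thin logging and a missing chroot in `sshd -T` output. The group name `sftp-phi` and the chroot path are assumptions.

```shell
#!/bin/sh
# Constructed example: hardened OpenSSH settings for an SFTP-only service that
# addresses the pitfalls above (weak algorithms, password instead of key auth,
# unrestricted access, thin logging), plus an audit function that flags them
# in "sshd -T" output. Group name and chroot path are assumptions.
# Keywords are case-insensitive, so these lines also work in sshd_config; in a
# real file the chroot/forcecommand lines normally sit in a "Match Group" block.
HARDENED_CONF='
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
pubkeyauthentication yes
passwordauthentication no
permitrootlogin no
x11forwarding no
allowtcpforwarding no
allowgroups sftp-phi
chrootdirectory /srv/sftp/%u
forcecommand internal-sftp -l VERBOSE
loglevel VERBOSE
'
# Constructed "out of the box"-style settings for comparison.
WEAK_CONF='
ciphers aes128-cbc,3des-cbc,aes256-ctr
macs hmac-md5,hmac-sha1,hmac-sha2-256
passwordauthentication yes
permitrootlogin yes
loglevel INFO
'
# audit_sshd CONFIG_TEXT: print one finding per line; exit 0 only when clean.
# Audit the live server with: audit_sshd "$(sudo sshd -T)"
audit_sshd() {
  findings=$(printf '%s\n' "$1" | awk '
    $1 == "ciphers" && $2 ~ /-cbc|3des|arcfour|blowfish/ { print "weak cipher(s): " $2 }
    $1 == "macs" && $2 ~ /md5|hmac-sha1|umac-64|-96/ { print "weak MAC(s): " $2 }
    $1 == "kexalgorithms" && $2 ~ /sha1|group1-/ { print "weak KEX: " $2 }
    $1 == "passwordauthentication" && $2 == "yes" { print "password auth on: use keys" }
    $1 == "permitrootlogin" && $2 != "no" { print "root login permitted" }
    $1 == "loglevel" && toupper($2) !~ /VERBOSE|DEBUG/ { print "loglevel " $2 ": key fingerprints not logged" }
    $1 == "chrootdirectory" { chroot = 1 }
    END { if (!chroot) print "no ChrootDirectory: users can leave their SFTP root" }
  ')
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}
```

Running `audit_sshd "$HARDENED_CONF"` prints nothing and returns 0, while `audit_sshd "$WEAK_CONF"` lists six findings and returns 1.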

What Are the Penalties for Not Using a HIPAA-compliant SFTP Server?

CEs and BAs can face significant penalties for not meeting their obligations under HIPAA. A HIPAA violation is when an organization, whether accidentally or willfully, fails to meet their responsibility to protect patient privacy through the various safeguards they can implement. This doesn’t simply mean that an organization will feel repercussions when a breach occurs; penalties can be levied for failure to have safeguards in place.

Penalties come in different ranges based on the severity and timeframe of the violation:

  • Tier 1 penalties are for unintended violations, where the CE was unaware of the violation and could not reasonably have avoided it.
  • Tier 2 penalties include violations that the CE should have been aware of but couldn’t avoid, outside of willful neglect of HIPAA rules.
  • Tier 3 penalties include violations that are due to willful neglect, but attempts have been made to correct the issue.
  • Tier 4 penalties are due to willful neglect where no attempt has been made to fix the issue within a given time period.

Civil penalties for these tiers go up as the severity of the violation increases:

  1. Tier 1 can incur penalties of $100 to $50,000 per violation, with an annual maximum of $25,000.
  2. Tier 2 can incur penalties of $1,000 to $50,000 per violation, with an annual maximum of $100,000.
  3. Tier 3 can incur penalties of $10,000 to $50,000 per violation, with an annual maximum of $250,000.
  4. Tier 4 can incur penalties at a minimum of $50,000 per violation, with an annual maximum of $1.5 million.

Additionally, there are increasing criminal charges where criminality has been determined by the Department of Justice:

  1. Organizations that knowingly disclose PHI can be fined up to $50,000, and guilty parties can receive up to 1 year in jail.
  2. Organizations committing any form of fraud as part of that disclosure can face increased fines of up to $100,000 and 5 years in jail.
  3. Organizations disclosing or stealing data for profit, espionage, or commercial advantage can face fines up to $250,000 and 10 years in jail.

Is My Hosting Provider Really HIPAA Compliant?

The only way to know for sure whether or not your hosting provider is HIPAA compliant is to ask them directly. Ask questions such as what physical, technical, and administrative safeguards they have in place to protect personally identifiable information and protected health information (PII/PHI). They should be able to provide detailed information about their security measures and policies. Additionally, you may want to get a third-party audit to ensure your hosting provider is meeting HIPAA compliance requirements.

The Kiteworks Difference for SFTP Service

Kiteworks provides HIPAA-compliant SFTP as part of a larger ecosystem of file protection and management services built around priorities of security, compliance, and accessibility.

What does that mean for CEs looking for a compliant HIPAA SFTP solution? It means that, with Kiteworks, you get a secure content access and comprehensive view of your data, including a CISO Dashboard and real-time data inspection for unified visibility. Alongside that data visibility, you do not sacrifice critical security (including HIPAA-compliant technical, physical, and administrative safeguards) or overall HIPAA compliance.

Schedule a custom demo to see how Kiteworks addresses HIPAA compliance.
