HIPAA-Compliant SFTP Server Requirements

If healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities need a file-transfer service to move protected health information (PHI), they must make sure the service provider operates an SFTP server that is configured to meet HIPAA requirements.

FTP is a simple way to send or receive medical transcriptions, transmit electronic health records and test results, and move files containing ePHI to the cloud. However, plain FTP sends both credentials and file contents in cleartext, so transfers can easily be intercepted or altered on the network. Healthcare providers and their business associates must therefore not send PHI over plain FTP; doing so would put them in violation of the HIPAA Security Rule.

Under the general requirements of the HIPAA Security Rule (45 CFR §164.306), covered entities must safeguard the confidentiality, integrity and availability of ePHI, whether it is in transit or at rest. To move ePHI safely with a file-transfer workflow, a secure FTP server is a must.

A secure FTP server uses the SSH File Transfer Protocol (SFTP) in place of standard FTP. Despite the name, SFTP is not FTP with encryption bolted on: it runs as a subsystem inside an SSH connection, so the server’s identity is verified by its host key, the user is authenticated before any file request is accepted, and every command and file block is encrypted and integrity-protected on its way to and from the remote host, for example a cloud server.

Using SFTP Alone Won’t Ensure HIPAA Compliance

Many organizations assume that simply switching from FTP to SFTP makes them HIPAA compliant, but that is not so. Using SFTP is critical for HIPAA compliance, yet it is still possible to violate HIPAA Rules while using SFTP.

SFTP encrypts the data stream, but if the server is allowed to negotiate weak ciphers or MAC algorithms the protection given to transmitted files will not meet HIPAA standards. For instance, if an SSH session may fall back to DES-family ciphers (single DES has a 56-bit key that can be brute-forced, and 3DES is deprecated by NIST) or to MD5-based MACs (MD5 is no longer approved by NIST for integrity protection), transmitted files could be exposed or tampered with without detection.

Although HIPAA does not prescribe the algorithms that must be used for transmitting and storing ePHI, covered entities should make sure the algorithms in use meet current NIST standards. For example, an SFTP server can protect stored data with AES-256 and authenticate its SSH connections with a 2048-bit RSA host key; the session itself is then encrypted with a symmetric cipher such as AES that is negotiated during key exchange. Both choices satisfy HIPAA and NIST criteria.

HIPAA likewise requires access controls to prevent unauthorized access to, or disclosure of, ePHI. Covered entities therefore need an SFTP server configured so that only authorized persons can reach it. Two-factor authentication should be used to verify user identity, and connections should be restricted by source IP address so that the server accepts sessions only from address ranges the covered entity controls.
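The algorithm requirements and the access-control requirements above are all settings in the SFTP server’s SSH configuration. The following is an added example, not code from the original article or from any SFTP vendor: it checks an OpenSSH sshd_config for the weak and missing settings just discussed, with a constructed legacy configuration beside the corrected one. It assumes the server is OpenSSH, uses 203.0.113.0/24 as a stand-in for the covered entity’s own address range, and takes its weak-algorithm lists from OpenSSH and NIST guidance rather than from HIPAA, which names no algorithms.

```python
"""Audit an OpenSSH sshd_config for an SFTP service that carries ePHI.

Added example, not code from the original article. Assumes OpenSSH; the
weak-algorithm sets and hardened settings are the editor's reading of OpenSSH
and NIST SP 800-131A guidance, not a list HIPAA itself prescribes.
"""
import re
from fnmatch import fnmatch

# Legacy algorithms OpenSSH can still be told to offer: DES-family and RC4
# ciphers, MD5 / truncated-SHA1 MACs, SHA-1 or 1024-bit-group key exchange.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
             "hmac-sha1-96-etm@openssh.com"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# Constructed sample of a legacy configuration: weak algorithms still offered,
# passwords accepted on their own, connections accepted from anywhere.
WEAK_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample of the corrected configuration; 203.0.113.0/24 stands in
# for the address range the covered entity controls.
HARDENED_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key          # 2048-bit or larger RSA key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive   # key + OTP via PAM
AllowUsers *@203.0.113.0/24                            # source-IP allowlist
AllowGroups phi-transfer
Subsystem sftp internal-sftp -l INFO                   # log every file op
Match Group phi-transfer
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
"""


def parse_sshd_config(text):
    """Yield (keyword, value, match_criteria); criteria is None outside Match."""
    criteria = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            criteria = value
            continue
        yield key, value, criteria


def weak_offered(value, weak):
    """Members of `weak` that an algorithm list would offer. A leading '-'
    only removes from the default set, '+' appends, '^' prepends; entries
    may be '*' patterns."""
    if value.startswith("-"):
        return set()
    patterns = value.lstrip("+^").split(",")
    return {alg for alg in weak if any(fnmatch(alg, p) for p in patterns)}


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_opts, match_opts = {}, []
    for key, value, criteria in parse_sshd_config(text):
        if criteria is None:
            global_opts.setdefault(key, value)  # sshd keeps the first value
        else:
            match_opts.append((criteria, key, value))
    findings = []
    for key, weak, label in (("ciphers", WEAK_CIPHERS, "Ciphers"),
                             ("macs", WEAK_MACS, "MACs"),
                             ("kexalgorithms", WEAK_KEX, "KexAlgorithms")):
        bad = weak_offered(global_opts.get(key, ""), weak)
        if bad:
            findings.append(f"{label} offers weak algorithms: "
                            + ", ".join(sorted(bad)))
    if global_opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': a password alone logs in")
    # Every AuthenticationMethods chain, global or inside a Match block, must
    # require at least two methods, e.g. publickey,keyboard-interactive.
    values = [global_opts.get("authenticationmethods", "")]
    values += [v for _, k, v in match_opts if k == "authenticationmethods"]
    chains = [c for v in values for c in v.split()]
    if not chains or any("," not in c for c in chains):
        findings.append("AuthenticationMethods does not require two factors")
    if not ("@" in global_opts.get("allowusers", "")
            or any("address" in c.lower().split() for c, _, _ in match_opts)):
        findings.append("no source-IP restriction (AllowUsers user@cidr or "
                        "Match Address); acceptable only if the firewall enforces one")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['OK']}")
```

The audit only sees what the file states explicitly; algorithms that come from OpenSSH’s compiled-in defaults are invisible to it. To check the effective values on a live server, feed it the output of `sshd -T`, which prints every setting after defaults are applied, rather than the file on disk.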

The HIPAA Security Rule additionally requires an audit trail: all activity involving ePHI must be recorded and monitored. Any service provider must keep a log of all activity on the server, including logins and every file read, write, rename and deletion, tied to the user and source address that performed it. Regulators may ask for these logs when performing audits and investigating data breaches, and covered entities should know what is happening on any server used to store or transfer ePHI.
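As an added example of the audit trail an SFTP server can produce (not code from the original article), the script below rebuilds a per-user access record from OpenSSH sftp-server log lines. The log sample is constructed in the format that sftp-server or internal-sftp writes at LogLevel INFO, with invented host, users, paths and addresses; the last two operations in it have no matching session record, which the script reports as a gap in the trail rather than silently dropping.

```python
"""Rebuild an ePHI access trail from OpenSSH sftp-server logs.

Added example, not code from the original article. The log lines are
constructed in the format OpenSSH's sftp-server / internal-sftp writes at
LogLevel INFO (syslog prefix, then 'session opened', 'open', 'close',
'remove'); host, users, paths and addresses are invented.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 14 09:12:04 sftp01 sftp-server[2150]: session opened for local user alice from [203.0.113.5]
Jan 14 09:12:09 sftp01 sftp-server[2150]: open "/phi/lab-results-2024-01.csv" flags READ mode 0666
Jan 14 09:12:09 sftp01 sftp-server[2150]: close "/phi/lab-results-2024-01.csv" bytes read 48213 written 0
Jan 14 09:12:15 sftp01 sftp-server[2150]: session closed for local user alice from [203.0.113.5]
Jan 14 09:30:41 sftp01 sftp-server[2311]: session opened for local user billing-svc from [198.51.100.7]
Jan 14 09:30:44 sftp01 sftp-server[2311]: open "/phi/claims/batch-0142.edi" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 14 09:30:45 sftp01 sftp-server[2311]: close "/phi/claims/batch-0142.edi" bytes read 0 written 120744
Jan 14 09:30:46 sftp01 sftp-server[2311]: remove name "/phi/claims/batch-0141.edi"
Jan 14 09:30:50 sftp01 sftp-server[2311]: session closed for local user billing-svc from [198.51.100.7]
Jan 14 11:02:13 sftp01 sftp-server[2790]: open "/phi/lab-results-2024-01.csv" flags READ mode 0666
Jan 14 11:02:13 sftp01 sftp-server[2790]: close "/phi/lab-results-2024-01.csv" bytes read 48213 written 0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
                     r"(?:sftp-server|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for local user "
                        r"(?P<user>\S+) from \[(?P<src>[^\]]+)\]")
FILE_OPS = {
    "open": re.compile(r'open "(?P<path>[^"]+)" flags (?P<flags>\S+)'),
    "close": re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)'),
    "remove": re.compile(r'remove name "(?P<path>[^"]+)"'),
    "rename": re.compile(r'rename old "(?P<path>[^"]+)" new "(?P<new>[^"]+)"'),
}


def build_access_trail(log_text):
    """Return (events, unattributed).

    events: one dict per file operation that can be tied to an authenticated
    session, carrying the user and source address from that session's open line.
    unattributed: operations whose pid never logged a session-open line. A
    reviewer must treat these as a gap in the audit trail, not discard them.
    """
    sessions = {}  # pid -> (user, source address) for sessions still open
    events, unattributed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, pid = m["msg"], m["pid"]
        s = SESSION_RE.match(msg)
        if s:
            if s["state"] == "opened":
                sessions[pid] = (s["user"], s["src"])
            else:
                sessions.pop(pid, None)
            continue
        for action, pattern in FILE_OPS.items():
            op = pattern.match(msg)
            if op:
                break
        else:
            continue  # an operation this example does not track (mkdir, opendir, ...)
        user, src = sessions.get(pid, (None, None))
        fields = op.groupdict()
        event = {"ts": m["ts"], "pid": pid, "user": user, "src": src,
                 "action": action, "path": fields["path"],
                 "flags": fields.get("flags", ""),
                 "bytes_read": int(fields.get("read", 0)),
                 "bytes_written": int(fields.get("written", 0))}
        (events if user else unattributed).append(event)
    return events, unattributed


def bytes_by_user(events):
    """(bytes read, bytes written) per user, summed from close records."""
    totals = defaultdict(lambda: [0, 0])
    for e in events:
        if e["action"] == "close":
            totals[e["user"]][0] += e["bytes_read"]
            totals[e["user"]][1] += e["bytes_written"]
    return {user: tuple(t) for user, t in totals.items()}


if __name__ == "__main__":
    trail, gaps = build_access_trail(SAMPLE_LOG)
    for e in trail:
        print(f'{e["ts"]} {e["user"]}@{e["src"]} {e["action"]} {e["path"]}')
    print(f"{len(gaps)} operation(s) with no session record:", [g["path"] for g in gaps])
    print("bytes by user:", bytes_by_user(trail))
```

The per-user byte totals are what makes an unexpected bulk download stand out in review; the unattributed list is the check that the log itself is complete, since a file operation with no session record means lines were lost or the server was not logging sessions.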

Service providers must also enter into a HIPAA-compliant business associate agreement (BAA) with the covered entity. An SFTP server is not considered HIPAA compliant, however strong its technical protections, if no BAA is in place.

Penalties for Not Using a HIPAA-Compliant SFTP Server

Failure to use a HIPAA-compliant SFTP server can have serious consequences. Attackers could gain access to sensitive information, and the Department of Health and Human Services’ Office for Civil Rights (OCR) could issue financial penalties if it discovers that ePHI was transferred over FTP rather than through a HIPAA-compliant SFTP server. The statutory maximum is $1.5 million per calendar year for all violations of an identical HIPAA provision.