SSH File Transfer Protocol (SFTP), a file-transfer subsystem that runs inside the secure shell (SSH) protocol, is a useful tool for maintaining compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SFTP inherits SSH's encryption and message authentication codes (MACs), which protect files in transit from eavesdropping and tampering, and it is widely considered a best-practice way to send files securely.
Like the other standard protocols and technologies deployed to maintain HIPAA-compliant security, SFTP is not specifically required by the Department of Health and Human Services (HHS), the agency that enforces HIPAA. (HHS applies the law flexibly, leaving organizations to choose their own means of meeting its requirements.) You do not have to use SFTP to stay compliant, but it is a standard and straightforward way to meet the need for secure HIPAA file transfer.
Security’s centrality to healthcare compliance
HIPAA compliance is a major concern for any organization that handles protected health information (PHI) in the United States. While part of the law addresses health insurance access (the “portability” part), it is also fundamentally concerned with keeping individuals' healthcare data private and free from unauthorized access (the “accountability” part).
The Privacy Rule establishes patient rights and sets general mandates for how confidentiality is to be maintained for patient records and other patient interactions. The Security Rule takes the rights expressed in the Privacy Rule and applies them to electronic systems. In that setting, PHI is called electronic protected health information (ePHI).
Implementing SFTP for HIPAA compliance
Any organization that handles healthcare information, whether it is a HIPAA covered entity or a third-party business associate (such as a HIPAA hosting provider), must meet the general security standards in 45 CFR §164.306. That section requires that the confidentiality, integrity, and availability of all ePHI be maintained, whether the data is in motion or at rest, and that reasonable and appropriate safeguards be in place to keep those properties true at all times. One way for covered entities and business associates to send ePHI securely is an SFTP server, which is simply an SSH server with the sftp subsystem enabled.
Healthcare organizations often need to send files containing ePHI, such as test results or medical transcriptions, to cloud systems. Plain file transfer protocol (FTP) is not suitable for this: it sends credentials and file contents in cleartext, so anyone on the network path can read or alter them. Despite the similar name, SFTP is not FTP with encryption added; it is a separate protocol carried inside an SSH session, and it should be used in place of FTP to satisfy the Security Rule's transmission-security requirements.
How to configure SFTP to ensure compliance
Be aware that SFTP is not a ready-made fix; it must be configured properly. First make sure the underlying SSH transport is protected, as the SSH and SFTP tip site SSH/SFTP Info recommends. When a session is set up, client and server negotiate a cipher, a MAC algorithm, and a key-exchange method from the lists each side supports; the first algorithm on the client's preference list that the server also offers wins. If the server offers a weak algorithm and the client supports it, the session can end up using it, which undermines the protection you are relying on for compliance. The fix is to remove weak algorithms from the server's lists so they can never be negotiated.
The algorithm lists your HIPAA SFTP server (that is, your SSH server) offers must be carefully controlled. Do NOT:
- Offer the “none” cipher, which leaves the session unencrypted,
- Offer DES, 3DES, RC4 (arcfour), or other obsolete ciphers,
- Offer MD5- or SHA-1-based MACs or other outmoded integrity algorithms, or
- Offer MACs truncated to 96 bits (the “-96” variants) or ciphers with keys shorter than 128 bits.
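The following script is an added example, not code from the original article or from SSH/SFTP Info. It parses the global section of an OpenSSH sshd_config, checks the Ciphers, MACs and KexAlgorithms lists against the weak algorithm families listed above, and shows a weak configuration beside a hardened one. The deny-list substrings, the two sample configs and the hardened algorithm set are my choices for this example; confirm what your build actually supports with `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`.

```python
"""Audit the algorithm lists in an OpenSSH sshd_config.

Added example (not from the original article): parses the global section of
an sshd_config, checks Ciphers, MACs and KexAlgorithms against weak algorithm
families, and reports findings. Markers and sample configs are constructed.
"""
import re

# Substrings (lower-case, OpenSSH spelling) that identify weak entries:
#   ciphers : "none" (no encryption), DES/3DES, RC4 (arcfour), Blowfish,
#             CAST-128, and any CBC-mode cipher
#   macs    : MD5- and SHA-1-based MACs, 64-bit UMAC, RIPEMD, and any MAC
#             truncated to 96 bits ("-96" variants)
#   kex     : any SHA-1-based key exchange (incl. group1/group14-sha1)
WEAK_MARKERS = {
    "ciphers": ("none", "des", "arcfour", "blowfish", "cast128", "-cbc"),
    "macs": ("md5", "sha1", "-96", "umac-64", "ripemd"),
    "kexalgorithms": ("sha1",),
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Directive names are case-insensitive, so they are lower-cased. Parsing
    stops at the first Match block because values there apply conditionally.
    sshd uses the first occurrence of a directive, so later duplicates are
    ignored here as well.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z]+)\s*[= ]\s*(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text):
    """Return a list of (directive, algorithm, reason) findings.

    An empty list means every algorithm list is set explicitly and contains
    nothing on the deny-list.
    """
    conf = parse_sshd_config(text)
    findings = []
    for directive, markers in WEAK_MARKERS.items():
        value = conf.get(directive)
        if value is None:
            findings.append((directive, None,
                             "not set; sshd defaults apply, confirm with `sshd -T`"))
            continue
        if value[0] == "-":
            # "-" removes entries from the default list; it cannot add a weak one
            continue
        if value[0] in "+^":
            # "+" appends to and "^" prepends to the default list, so the
            # effective set depends on the build's defaults
            findings.append((directive, value,
                             "extends the default list; confirm with `sshd -T`"))
            value = value[1:]
        for algo in value.split(","):
            name = algo.strip().lower()
            if any(marker in name for marker in markers):
                findings.append((directive, name, "weak algorithm"))
    return findings


# Constructed sample: the kind of config the list above warns against.
WEAK_CONFIG = """\
Port 22
Ciphers 3des-cbc,aes128-cbc,arcfour,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
# KexAlgorithms not set, so the compiled-in defaults apply
Subsystem sftp internal-sftp
"""

# Constructed sample: the same server with explicit, modern algorithm lists.
HARDENED_CONFIG = """\
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Subsystem sftp internal-sftp
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_sshd_config(cfg))} finding(s)")
        for directive, algo, reason in audit_sshd_config(cfg):
            print(f"  {directive}: {algo or '(absent)'} - {reason}")
```

Run it against a copy of your own sshd_config and then compare with `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied; an algorithm list that is absent from the file is the most common way a weak MAC such as hmac-sha1 stays reachable. After changing the lists, reload sshd and confirm a client cannot negotiate a removed algorithm (for example `ssh -m hmac-md5 user@host` should fail).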
How SSH is used for HIPAA compliance, section by section
SSH Communications Security, the company founded by the protocol's original author, notes that SSH is used throughout the many networked systems of healthcare enterprises for secure file transfer, application tunneling, and secure administrative login. Its guidance on how the technology can be used to comply with specific sections of the Security Rule is as follows:
- Workforce Security (§ 164.308(a)(3)) – Access via SSH keys, like any other access, must respect segregation of duties. “We frequently see key-based access from test and development systems into production, which violates segregation of duties,” noted SSH.
- Information Access Management (§ 164.308(a)(4)) – To meet this requirement, make sure SSH cannot be used to tunnel from the Internet into your intranet (disable port forwarding and tunneling for accounts that do not need it), and apply the same identity and access management to SSH keys that you apply to passwords: know who holds each key, what it can reach, and when it should be revoked.
- Audit Controls (§ 164.312(b)) – This section requires mechanisms that record and examine activity in systems containing ePHI. An inventory of SSH keys, together with logs of which key authenticated each session and what it transferred, gives you the access records needed to comply.
- Transmission Security (§ 164.312(e)(1)) – SSH encrypts all traffic, and SFTP rides on that channel, so file transmissions are protected in transit. SSH also defends against man-in-the-middle attacks, but only when clients verify the server's host key; a client that blindly accepts an unknown or changed host key has no such protection.
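The script below is an added example, not code from the original article or from SSH Communications Security's guidance. It audits the entries of an OpenSSH authorized_keys file for the two per-key controls the Workforce Security and Information Access Management items above call for: every key must be pinned to approved source networks with a `from=` option, and no key may be able to open tunnels (it needs `restrict`, or `no-port-forwarding`). The approved network (10.20.0.0/16, standing in for a production jump-host range), the sample file and its placeholder key blobs are constructed for this example.

```python
"""Audit OpenSSH authorized_keys entries on an SFTP host.

Added example (not from the original article). Checks that each key is
pinned to approved source networks (from=) and cannot open tunnels
(restrict or no-port-forwarding). Network and sample file are constructed.
"""
import ipaddress

# Assumed: production keys may only be used from this jump-host network.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _split(text, is_sep):
    """Split text where is_sep(ch) is true, but never inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_entry(line):
    """Return (options, keytype, comment), or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split(line, str.isspace)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        return None
    if i > 1:
        return None  # the options field must be a single comma-separated token
    options = tokens[0] if i == 1 else ""
    return options, tokens[i], " ".join(tokens[i + 2:])


def source_is_approved(pattern):
    """True if one from= pattern is an address/CIDR inside an approved network.
    Negated patterns ("!...") only narrow access and are accepted; wildcards and
    hostnames are rejected because they cannot be verified against the list."""
    if pattern.startswith("!"):
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return any(net.subnet_of(approved) for approved in APPROVED_SOURCES)
    except (ValueError, TypeError):
        return False


def audit_entry(line):
    """Return a list of finding strings for one entry (empty = compliant)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    opts = _split(parsed[0], lambda ch: ch == ",")
    names = [o.split("=", 1)[0].lower() for o in opts]
    findings = []
    # "restrict" disables forwarding unless "port-forwarding" re-enables it;
    # "no-port-forwarding" disables it outright.
    blocked = "no-port-forwarding" in names or (
        "restrict" in names and "port-forwarding" not in names)
    if not blocked:
        findings.append("port forwarding allowed; add restrict or no-port-forwarding")
    froms = [o.split("=", 1)[1].strip('"') for o in opts if o.lower().startswith("from=")]
    if not froms:
        findings.append("no from= restriction; key usable from any source address")
    for spec in froms:
        for pattern in spec.split(","):
            if not source_is_approved(pattern):
                findings.append(f"from= allows unapproved source {pattern!r}")
    return findings


def audit_authorized_keys(text):
    """Return [(comment, findings), ...] for every key entry in the file."""
    results = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is not None:
            results.append((parsed[2], audit_entry(line)))
    return results


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for the production SFTP transfer account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne dev-laptop@test
from="10.99.0.0/16",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwo batch@test-cluster
from="10.20.4.10,10.20.4.11",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyThree transfer@prod-jump
restrict,port-forwarding,from="*.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderKeyFour ops@prod
"""

if __name__ == "__main__":
    for comment, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment}: {'ok' if not findings else '; '.join(findings)}")
```

Per-key options are the second line of defense; the first is server-wide. For SFTP-only accounts, put them in a group and add a `Match Group` block in sshd_config with `ForceCommand internal-sftp`, `ChrootDirectory`, `AllowTcpForwarding no`, `PermitTunnel no`, `AllowAgentForwarding no` and `X11Forwarding no`, so that no tunnel can be opened regardless of what a key's options say. The `restrict` option requires OpenSSH 7.2 or later; on older servers use `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` explicitly. The key comment is the only identity this file carries, so the "dev-laptop@test" finding above is exactly the test-to-production path the quoted guidance warns about.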
Your HIPAA-compliant SFTP server
Do you need a secure healthcare environment that meets the requirements of HIPAA and other healthcare law? A properly configured SFTP server helps, but a compliant healthcare environment goes far beyond any single component. At Atlantic.Net, our HIPAA Compliant Hosting is HIPAA and HITECH audited, as well as SOC 2 Type II and SOC 3 Type II certified. See our approach.