At Cerberus, we often receive questions related to HIPAA compliance and HIPAA-compliant file transfer. In this post, we address a number of those questions so you can feel comfortable when working with patient data.
How Does HIPAA Govern Health Care Data Transfer?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the minimum standards for the confidentiality, privacy, and security of patient health care information in the United States. One of its most significant components is the HIPAA Security Rule, which establishes national security standards for electronic protected health information (ePHI) that a covered entity creates, receives, maintains, or transmits.
Which Businesses/Industries Must Comply with HIPAA’s Security Rule?
HIPAA identifies a number of “covered entities” that fall under its regulation: health care providers, health plans, and health care clearinghouses. Crucially, any “business associate” that handles PHI on a covered entity’s behalf must also comply with HIPAA’s Security Rule, and is directly liable for failing to do so.
You can learn whether your organization must comply with HIPAA’s Security Rule from the U.S. Department of Health and Human Services (HHS), which administers the rule. In short, if your organization is a covered entity or a business associate and it creates, receives, maintains, or transmits protected health information (PHI) in electronic form, you must comply.
What is Protected Health Information?
Any individually identifiable information about a person’s health status, the care provided to them, or payment for that care is Protected Health Information (PHI); when it is created, stored, or transmitted electronically it is electronic PHI (ePHI).
How Should You Configure Your FTP Server to Ensure HIPAA Compliance?
HIPAA’s Security Rule is technology-neutral, but it defines technical safeguards that map directly onto how a file transfer server is configured. These include:
- Access Control: your FTP Server should limit access to ePHI by user role so that each account gets only the minimum access necessary, and only authenticated, authorized users get any access at all. Authenticating against Active Directory or LDAP lets you manage those accounts centrally, but you still have to map groups to per-folder permissions on the server; authentication alone is not least privilege.
- Audit Controls: your FTP Server should record and preserve system access and activity so that a potential breach can be identified and investigated (for example, by enabling file and session logging and reviewing detailed FTP usage reports). Keep the logs where the users they record cannot alter them.
- Integrity Controls: HIPAA-governed organizations must ensure that ePHI is not improperly modified or destroyed. On a transfer server that means event monitoring and file retention policies, plus a way to confirm that a file arrived unchanged, such as comparing a cryptographic hash of the received file against one recorded by the sender.
- Transmission Security: any Covered Entity or Business Associate must protect ePHI against unauthorized access while it is transmitted across an electronic network. Plain FTP sends credentials and file contents in clear text, so use an encrypted protocol such as SFTP (or FTPS or HTTPS) for every ePHI transfer and disable plain FTP for those accounts.
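The four safeguards above are easiest to reason about when you can run a check against real server activity. The following script is an added example written for this post, not Cerberus FTP Server’s own code, log format, or configuration: it audits a constructed extract of transfer-server log lines against an assumed role-to-folder policy (Access Control), flags bursts of failed logins (Audit Controls), verifies stored files against a SHA-256 manifest taken at receipt (Integrity), and reports any credentials or ePHI that crossed the network over cleartext FTP (Transmission Security). The log layout, user names, paths, and thresholds are all assumptions made for the example.

```python
"""Audit constructed file-transfer server log lines against the four safeguards
listed above: Access Control (least privilege by role), Audit Controls (failed-login
bursts), Integrity (SHA-256 manifest) and Transmission Security (no ePHI or
credentials over cleartext FTP). The log format, role table, path policy and
manifest are all assumptions made for this example; they are not Cerberus FTP
Server's own log format or configuration."""
import hashlib
from collections import Counter

# Constructed sample log: "<timestamp> <user> <protocol> <action> <path> <result>"
SAMPLE_LOG = """\
2024-01-03T09:14:02Z alice SFTP LOGIN - OK
2024-01-03T09:14:09Z alice SFTP DOWNLOAD /ephi/billing/claims_2024.csv OK
2024-01-03T09:20:11Z bob FTP LOGIN - OK
2024-01-03T09:20:30Z bob FTP UPLOAD /ephi/clinical/notes.txt OK
2024-01-03T09:31:40Z mallory SFTP LOGIN - FAIL
2024-01-03T09:31:44Z mallory SFTP LOGIN - FAIL
2024-01-03T09:31:49Z mallory SFTP LOGIN - FAIL
2024-01-03T09:40:05Z carol SFTP DOWNLOAD /public/forms.pdf OK
2024-01-03T09:41:00Z carol SFTP DOWNLOAD /ephi/clinical/notes.txt OK
"""

# Assumed least-privilege policy: each user has one role, each ePHI directory
# tree lists the roles allowed in it. Paths outside these trees are not ePHI.
USER_ROLES = {"alice": "billing", "bob": "billing", "carol": "clinical"}
PATH_ROLES = {
    "/ephi/": {"billing", "clinical"},
    "/ephi/billing/": {"billing"},
    "/ephi/clinical/": {"clinical"},
}
ENCRYPTED = {"SFTP", "FTPS", "HTTPS"}   # protocols that protect data in transit
FAILED_LOGIN_THRESHOLD = 3             # failures per user that warrant a look


def parse_line(line):
    ts, user, proto, action, path, result = line.split()
    return {"ts": ts, "user": user, "proto": proto, "action": action,
            "path": path, "result": result}


def allowed_roles(path):
    """Roles permitted for a path; the longest matching prefix (the most
    specific rule) wins. None means the path is not an ePHI location."""
    matches = [prefix for prefix in PATH_ROLES if path.startswith(prefix)]
    return PATH_ROLES[max(matches, key=len)] if matches else None


def audit(log_text):
    """Return (safeguard, user, path, detail) findings for one log extract."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, path, cleartext = ev["user"], ev["path"], ev["proto"] not in ENCRYPTED
        if ev["action"] == "LOGIN":
            if cleartext:   # the password itself crossed the network in the clear
                findings.append(("transmission", user, "-",
                                 f"credentials sent over cleartext {ev['proto']}"))
            if ev["result"] == "FAIL":
                failures[user] += 1
            continue
        roles = allowed_roles(path)
        if roles is None:
            continue        # not ePHI; unrestricted in this example policy
        if cleartext:
            findings.append(("transmission", user, path,
                             f"ePHI transferred over cleartext {ev['proto']}"))
        if USER_ROLES.get(user) not in roles:
            findings.append(("access", user, path,
                             f"role {USER_ROLES.get(user)!r} not permitted here"))
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("audit", user, "-", f"{count} failed logins"))
    return findings


def verify_integrity(manifest, contents):
    """Integrity check: compare each stored file's SHA-256 with the digest
    recorded when it was received. Missing or altered files come back False."""
    report = {}
    for name, digest in manifest.items():
        data = contents.get(name)
        report[name] = data is not None and hashlib.sha256(data).hexdigest() == digest
    return report


# Constructed files: the manifest is taken at receipt, then one file is altered.
ORIGINAL = {"claims_2024.csv": b"id,amount\n1,120.00\n", "notes.txt": b"patient stable\n"}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in ORIGINAL.items()}
TAMPERED = dict(ORIGINAL, **{"notes.txt": b"patient stable\nEDITED\n"})

if __name__ == "__main__":
    for safeguard, user, path, detail in audit(SAMPLE_LOG):
        print(f"{safeguard:<12} {user:<8} {path:<32} {detail}")
    print(verify_integrity(MANIFEST, TAMPERED))
```

On the sample, the audit reports bob twice for cleartext FTP (once for his login, once for the upload into the ePHI tree), once for writing into a clinical folder his billing role does not cover, and mallory once for three failed logins; the integrity check passes claims_2024.csv and fails the edited notes.txt. The longest-prefix rule in allowed_roles is what lets a broad /ephi/ entry coexist with stricter sub-folder entries, which is how per-folder permissions usually end up looking once groups are mapped from a directory.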
Choosing the Right FTP Server for HIPAA Compliance
HIPAA was written to give covered entities and their business associates the flexibility to choose their own solutions for secure ePHI file transfer; strictly, it is your deployment and your policies that are compliant, and the server’s job is to make that possible. The outline of the Security Rule above gives you a starting point as you compare different servers. An FTP Server suitable for HIPAA compliance must support:
- Integration with or authentication against your user database, along with different user roles
- The ability to create detailed logs and usage reports
- Support for file retention policies
- Current encrypted transfer protocols (SFTP, FTPS, HTTPS), with the ability to disable plain FTP for accounts that handle ePHI
If you need to meet the above requirements, Cerberus FTP Server’s Enterprise Edition may be an ideal solution for you.
An approach that is growing in popularity is to use a DMZ Gateway, an enhanced reverse proxy. The Gateway is software installed on a server in the DMZ. At startup, the FTP server on the private network opens a control channel outbound into the DMZ. Your trading partners connect to the Gateway, which hands each session back over that control channel to the FTP server on the private network. Files and user credentials stay in the private network, and the firewall between the DMZ and the private network needs no inbound rule (the Gateway itself still listens on the ports your partners use).
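The direction of each connection is the whole point of that design, so here is a small loopback model of it, added for this post and not Cerberus’s gateway implementation or wire protocol: three listeners stand in for the gateway’s public port, its control port, and the internal FTP server; the private-side agent makes the only connection that crosses the DMZ boundary, and it makes it outbound; a trading partner then connects to the gateway alone and has one request relayed over the already-open channel. Port numbers, the single request/response exchange, and the message texts are assumptions of the example.

```python
"""Minimal model of the DMZ gateway pattern described above: the private
network opens the control channel OUTBOUND to the gateway at startup, a
trading partner connects only to the gateway, and the gateway relays the
session over the already-open channel. Everything runs on loopback; the three
listeners stand in for the gateway's public port, its control port and the
internal FTP server. Illustrative code written for this page, not Cerberus's
gateway implementation or protocol."""
import socket
import threading

TIMEOUT = 5  # seconds; keeps the demo from hanging if a step is missed


def listener():
    """Listening socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(TIMEOUT)
    return s


def internal_server(srv):
    """Stands in for the FTP server on the private network. It never dials
    out to the DMZ; it only answers the private-side agent's local connection."""
    conn, _ = srv.accept()
    conn.settimeout(TIMEOUT)
    req = conn.recv(4096)
    conn.sendall(b"200 private network handled: " + req.strip() + b"\r\n")
    conn.close()
    srv.close()


def gateway(public, control, events):
    """The DMZ gateway: waits for the private side to dial in on the control
    port, then relays one request/response from a partner on the public port."""
    ctl, _ = control.accept()          # accepted, never initiated: DMZ does not dial inward
    ctl.settimeout(TIMEOUT)
    client, _ = public.accept()
    client.settimeout(TIMEOUT)
    events.append("gateway: partner session relayed over pre-established control channel")
    ctl.sendall(client.recv(4096))     # partner's request goes down the control channel
    client.sendall(ctl.recv(4096))     # private network's reply comes back the same way
    client.close(); ctl.close()
    public.close(); control.close()


def private_agent(control_port, internal_port, connected, events):
    """Runs on the private network. Makes the only cross-boundary connection,
    outbound to the DMZ, then proxies to the internal server on demand."""
    ctl = socket.create_connection(("127.0.0.1", control_port), timeout=TIMEOUT)
    events.append("private -> DMZ: control channel (outbound)")
    connected.set()
    req = ctl.recv(4096)
    inner = socket.create_connection(("127.0.0.1", internal_port), timeout=TIMEOUT)
    events.append("private -> internal FTP server (stays inside)")
    inner.sendall(req)
    ctl.sendall(inner.recv(4096))
    inner.close(); ctl.close()


def run_demo(request=b"LIST /ephi\r\n"):
    """Wire the three parties together and play one partner request through.
    Returns the partner's reply and the connection directions observed."""
    events = []
    internal, control, public = listener(), listener(), listener()
    internal_port, control_port, public_port = (s.getsockname()[1] for s in (internal, control, public))
    threading.Thread(target=internal_server, args=(internal,), daemon=True).start()
    threading.Thread(target=gateway, args=(public, control, events), daemon=True).start()
    connected = threading.Event()
    threading.Thread(target=private_agent,
                     args=(control_port, internal_port, connected, events), daemon=True).start()
    connected.wait(TIMEOUT)            # control channel is up before any partner arrives
    partner = socket.create_connection(("127.0.0.1", public_port), timeout=TIMEOUT)
    events.append("internet -> DMZ: trading partner on public port")
    partner.sendall(request)
    reply = partner.recv(4096)
    partner.close()
    return reply, events


if __name__ == "__main__":
    reply, events = run_demo()
    print(reply.decode().strip())
    print("\n".join(events))
```

Every recorded connection is either internet-to-DMZ, private-to-DMZ, or private-to-private; nothing originates in the DMZ and terminates inside, which is the property a firewall rule set for this design has to preserve. A real gateway multiplexes many partner sessions over the control channel and carries full FTP/SFTP/HTTPS streams rather than one message each way, but the connection directions are the same.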
And Happy New Year!
Hi. Do you have an example of appropriate gateway software or a reverse proxy suitable for an internal Cerberus server, all in Azure?