
Any service provider must maintain a log of all activity on the server. The HIPAA Security Rule also requires an audit trail to be maintained and for logs of all activity related to ePHI to be monitored. Two-factor authentication should be used to verify the identity of the user, while source IP exclusion should be used to block access to the server from IP addresses not controlled by the covered entity. Covered entities should therefore use a sFTP server that is configured only to allow authorized individuals to access the server. HIPAA also demands access controls be implemented to prevent unauthorised access/disclosures of ePHI. For instance, a HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using a RSA 2048 bit key, both of which meet NIST and HIPAA standards. While HIPAA does not specify the algorithms that should be used for stored and transmitted ePHI, covered entities should ensure the algorithms used meet NIST standards fort security. For example, both the DES or MD5 algorithms can be cracked, allowing transmitted files to be accessed.
#Filezilla server sftp to cloud storage mac#
SFTP will ensure that communications are encrypted, but if the encryption and MAC algorithms are weak, the level of protection for transmitted files will not meet HIPAA standards.

The use of sFTP is important for HIPAA compliance, although it is still possible to use sFTP and still violate HIPAA Rules. There is a common misconception that by changing from FTP to sFTP, organizations are meeting the requirements of HIPAA, when that is not the case.

SFTP Alone Does Not Guarantee HIPAA Compliance In order to send ePHI securely, HIPAA-covered entities can use a secure FTP server.Ī secure FTP server uses the Secure File Transfer Protocol rather than the generic file transfer protocol to send and receive files, utilizing a SSH connection to transmit and receive data from an authenticated host such as a remote cloud server.

HIPAA Security Standard §164.306 requires covered entities to ensure the confidentiality, integrity, and availability of ePHI is safeguarded at rest and in transit. Doing so would be a violation of the HIPAA Security Rule. Consequently, healthcare organizations and their business associates must avoid sending any protected health information over FTP. However, FTP communications are not secure and file transfers can easily be intercepted. If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server.įTP is a convenient way of sending/receiving medical transcriptions, transmitting electronic medical records and test results, and for transferring files containing ePHI to cloud storage.
