Having already identified the specific provisions in HIPAA affecting file transfer services and discussed the relevant standards and implementation specifications in the HIPAA regulation, we are now in a position to talk about the steps you need to take to achieve HIPAA compliant file transfers.
These are actually similar to the steps outlined by the HHS in the first paper of the Security Rule Educational Paper Series. However, just like when we discussed the relevant implementation specifications in Part II of this article, we've included additional information that would make them more applicable to file transfer systems.
Here are the steps now.
Step 1: Assess current security, risks and gaps in your file transfer system
First, you need to conduct a risk analysis to identify existing vulnerabilities and potential threats. For example, one vulnerability still existing in traditional file transfer systems stems from the use of regular FTP. If you transfer ePHI data through FTP, that data is transmitted in clear text.
That means possible human threats, which may include your competitors, disgruntled ex-employees, terrorists, thrill-seeking hackers, vendors, and even dissatisfied existing employees, can easily read your data when armed with a packet analyzer.
On the other hand, if your file transfer system uses more secure protocols like AS2, FTPS or SFTP, the risk levels can be significantly lower because external human threats who can only obtain ePHI by intercepting data outside your LAN (e.g. when moving through the Internet) will find it more difficult to succeed.
In most cases, the risk analysis you will be performing on your file transfer system will just be a part of a much larger risk analysis activity that you will be carrying out on all your electronic media involved in receiving, maintaining, or transmitting ePHI.
A comprehensive risk analysis activity will allow you to obtain the necessary information that will help you - or whoever calls the shots - make smart risk management decisions. In addition to enabling you to identify threats and vulnerabilities, a thorough risk analysis will also allow you to determine other relevant information such as the likelihood that a threat will occur, the potential impact of each threat occurrence, and the risk levels associated with the threats and vulnerabilities.
Taken together, all this information will help you determine which risks call for immediate mitigation actions or what security measures need to be implemented first if at all. Document the analysis and all relevant information obtained in this step. You will use them in step 2.
Step 2: Develop an implementation plan
Once you have the necessary background information, you can then proceed to develop the appropriate implementation plan. Review the implementation specifications discussed in Part II. For those implementation specifications marked Required, you must implement policies and procedures that will satisfy them.
Now, for each of those specifications marked Addressable, try to determine whether that specification is reasonable and appropriate in your organization. This is where the output of your risk analysis will come into play. Basically, this is how you should treat each addressable implementation specification:
Implement the specification if you find it reasonable and appropriate.
If you think it is not, document your reason and implement an equivalent security measure (if there is any) that you find reasonable and appropriate which would, at the same time, accomplish the same purpose.
Step 3: Implement solutions
Implement security measures based on your implementation plan. Treat this exercise as a project, meaning you should be guided by a clearly defined scope, timeline, and budget. If you outsource the implementation activities of your security measures, bear in mind that the responsibility of ensuring compliance with the Security Rule still lies in your hands.
Step 4: Document your decisions
Again, document your decisions and the rationale behind them. It will make step 5 easier to carry out.
Step 5: Reassess security, risks, and gaps periodically
Remember that both risk analysis (Step 1) and risk management (Steps 2 to 4) are not one-time activities. It is expected that there will be changes in your environment. Threats, vulnerabilities, and their associated risks can evolve through time, so risk mitigation should adapt accordingly. Thus, you will need to continue evaluating and monitoring your security, risks, and gaps.
How JSCAPE MFT Server can help you provide HIPAA compliant file transfer services
JSCAPE MFT Server is no ordinary FTP server. Rather, it is a highly advanced managed file transfer solution equipped with enough security features to help you achieve HIPAA compliant file transfers. Let's take one more look at those HIPAA standards and implementation specifications that have an effect on file transfers. In addition to those, I'll also briefly point out the specific JSCAPE MFT Server features that meet those requirements.
Note: You might want to review those standards and implementation specifications in Part II of this article before proceeding.
Unique user identification - All users are required to login using a unique username.
Emergency Access Procedure - In case the server cannot be accessed remotely, admins can retrieve files straight from the server itself. To quickly recover from a disaster or any prolonged disruption, implement a backup procedure so that you would be able to access needed data as soon as possible.
Automatic Logoff - Each service offered by JSCAPE MFT Server comes with a timeout setting that will allow you to specify the maximum amount of time a client may remain inactive before the server automatically terminates the connection.
Each domain comes with a selection of log options, allowing you to specify where or how logs will be recorded. You can even view log data while a session is live or generate log reports to view log data later.
JSCAPE MFT Server's virtual file system will prevent users from gaining access to data that aren't theirs; OpenPGP encryption will prevent unauthorized users from making alterations to data even if they are able to gain access to the server; and Data Loss Prevention will prevent loss of data.
Person or Entity Authentication
You may choose from a wide variety of authentication protocols to authenticate users. Domain User Authentication, Database User Authentication, LDAP User Authentication, NTLM Authentication, PAM Authentication, and Phone Authentication are just some of the authentication protocols supported by JSCAPE MFT Server.
Integrity Controls - JSCAPE MFT Server comes with an Integrity Checksum feature that performs checksum verification, which verifies the integrity of files after each transfer. Better yet, if you transmit HIPAA EDI messages over AS2, you can take advantage of AS2's built-in electronic return receipt, MDN.
Encryption - Instead of using plain FTP, you may activate relatively more secure file transfer services like HTTPS (used by AS2), FTPS or SFTP, which encrypt data while in transit.
As you can see, every single HIPAA standard and specification requirement is easily satisfied by JSCAPE MFT Server.
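To make the Integrity Controls item concrete, here is a post-transfer checksum verification in Python. It is an added example, not JSCAPE MFT Server's own code; the function names, file names and sample payload are assumptions constructed for illustration. In practice the sender's digest would be delivered alongside the file over an authenticated channel rather than computed from a local copy.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read in chunks so large transfer files are not loaded into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_transfer(sent_path, received_path):
    """Compare sender and receiver copies; return (ok, reason)."""
    if os.path.getsize(sent_path) != os.path.getsize(received_path):
        return False, "size mismatch (truncated or padded transfer)"
    sent, received = sha256_file(sent_path), sha256_file(received_path)
    if not hmac.compare_digest(sent, received):
        return False, "digest mismatch (content altered in transit)"
    return True, "digests match"


def demo():
    """Run the check on constructed sample files: intact, altered, truncated."""
    payload = b"ISA*00*CONSTRUCTED-SAMPLE-EDI-SEGMENT~" * 1000  # constructed data, not real ePHI
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "intact": payload,
            "altered": payload[:100] + b"X" + payload[101:],
            "truncated": payload[:-50],
        }
        sent = os.path.join(tmp, "sent.edi")
        with open(sent, "wb") as fh:
            fh.write(payload)
        for name, data in cases.items():
            received = os.path.join(tmp, name + ".edi")
            with open(received, "wb") as fh:
                fh.write(data)
            results[name] = verify_transfer(sent, received)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} - {reason}")
```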