The technical safeguards are set out in 45 CFR §164.312 of the HIPAA Security Rule. In short, electronic protected health information (ePHI) transmitted over an open network such as the Internet must be guarded against unauthorized access, which in practice means encrypting it in transit with current industry-standard algorithms, typically TLS or SSH (the rule itself does not name a specific algorithm or key length). By default, Cerberus FTP Server is configured to meet these encryption requirements and provides several other features to help you operate your own HIPAA compliant file transfer system.
However, a downloadable software product that you install and manage yourself, like Cerberus, cannot be HIPAA compliant on its own. Cerberus provides the security and access controls needed to be part of a HIPAA compliant installation, but it is up to the system administrator to configure Cerberus, the host it runs on and the surrounding procedures so that the installation as a whole complies.
Consult a HIPAA expert/auditor to be sure your particular setup and environment complies with HIPAA.
Transmission security — §164.312(e)
HIPAA Requirement
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Access Control — §164.312(a)
HIPAA Requirement
“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).”
A username and password are required for each account, and each user can be configured with their own set of virtual directories and permissions. This ensures that users can only see the data they have been granted access to and not the data of other users.
Support for multiple types of authentication is also provided (Active Directory, LDAP and local accounts).
Cerberus also offers two-factor authentication (2FA) using TOTP (Time-based One-Time Password) and Duo, along with other access control features such as configurable automatic logoff after a period of inactivity and automatic disabling of a user account after a specified date.
To prevent users from connecting over insecure protocols (plain FTP or HTTP, which would send credentials and ePHI in the clear), the server can be configured to require a secure protocol: FTPS (FTP over TLS), SFTP (the SSH File Transfer Protocol) or HTTPS.
Cerberus can also be configured to detect brute-force password attacks and automatically disable the targeted account or block the client IP address from further requests. When an account is disabled or an IP address is blocked, the Enterprise edition can optionally notify a system administrator by email; the notification helps the administrator decide whether to investigate the incident further.
Information System Activity Review (Required) – §164.308(a)(1)(ii)(D)
HIPAA Requirement
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”