The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through the HIPAA Security Rule (45 CFR Part 164, Subpart C), sets the minimum standards that health care organizations and their business associates must implement to protect the confidentiality, integrity and availability of electronic protected health information (ePHI), including patient data that is transmitted over the Internet.

Section §164.312 of the Security Rule covers the technical safeguards. In short, it requires that ePHI transmitted over an electronic communications network be guarded against unauthorized access. Encryption is listed there as an "addressable" implementation specification: a covered entity must either implement it or document why an equivalent alternative is reasonable, and the rule does not mandate a particular algorithm or key length. In practice the accepted baseline is industry-standard TLS or SSH encryption with symmetric keys of at least 128 bits, and by default Cerberus FTP Server is configured to meet that baseline. It also provides several other features that help you operate your own HIPAA compliant file transfer system.

However, a downloadable software product that you install and manage yourself, like Cerberus, cannot claim HIPAA compliance on its own: compliance is a property of the deployment and of the organization's policies and procedures, not of the software. Cerberus provides the security and access controls needed to be part of a HIPAA compliant installation, but it is up to the system administrator to configure it so that the installation as a whole complies.

Consult a HIPAA expert/auditor to be sure your particular setup and environment complies with HIPAA.

Transmission security — §164.312(e)

HIPAA Requirement

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Cerberus supports the industry-standard secure file transfer protocols FTPS (FTP over TLS), SFTP (the SSH File Transfer Protocol, which runs over SSH and is not FTP) and HTTPS, with cipher suites of up to 256-bit strength (for example AES-256), which exceeds the usual 128-bit baseline. Using these protocols, all commands and data, including credentials, directory listings and file contents, are encrypted between the client and the server. One caveat for explicit FTPS: the data channel is only encrypted if the session negotiates PROT P, so a server that is to meet this requirement must refuse unprotected data connections rather than leave the choice to the client.

Access Control — §164.312(a)

HIPAA Requirement

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).”

A username and password are required for each account, and each user can be configured with their own set of virtual directories and permissions. This ensures that users can only see the data they have been granted access to and not the data of other users.

Support for multiple authentication sources is also provided (Active Directory, LDAP and local accounts).

Cerberus also supports two-factor authentication (2FA) using TOTP (Time-based One-Time Password) and Duo, along with other access control features such as configurable automatic logoff (the §164.312(a)(2)(iii) automatic logoff specification) and automatic disabling of a user account after a specified date.

To prevent users from connecting over insecure protocols in violation of the transmission security requirement, the server may be configured to require that users connect using a secure protocol: FTPS (FTP over TLS), SFTP (SSH File Transfer Protocol) or HTTPS.

Cerberus can also be configured to detect brute force password attacks and automatically disable the account or block the client IP address from further requests. When an account is disabled or an IP address is blocked, the Enterprise edition may optionally notify a system administrator by email, so the administrator can decide whether to investigate the incident further.
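As an added example (not Cerberus's own code or documentation), the following Python script checks from the outside that a deployment actually enforces what the transmission security and secure-protocol-only requirements above describe: that the HTTPS and FTPS listeners negotiate TLS 1.2 or later with a strong cipher, and that a plaintext FTP login attempt is refused before any AUTH TLS is issued. The host, port and test account are parameters you supply; the protocol and key-size floors are an assumption of the example (HIPAA names none), taken from current NIST TLS guidance. Only the Python standard library is used.

```python
import socket
import ssl
import ftplib
import sys
from dataclasses import dataclass

# Policy floors used by this example. HIPAA itself names no algorithm or key
# size; these values follow current NIST TLS guidance (SP 800-52 Rev. 2) and
# are an assumption of the example, not a Cerberus setting.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_KEY_BITS = 128
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


@dataclass(frozen=True)
class TlsObservation:
    protocol: str  # as returned by SSLSocket.version(), e.g. "TLSv1.3"
    cipher: str    # as returned by SSLSocket.cipher()[0], e.g. "TLS_AES_256_GCM_SHA384"
    bits: int      # secret key bits as returned by SSLSocket.cipher()[2]


def evaluate_tls(obs: TlsObservation) -> list[str]:
    """Return the policy violations for one negotiated TLS session; an empty list is a pass."""
    findings = []
    if obs.protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"protocol {obs.protocol} is below TLS 1.2")
    if obs.bits < MIN_KEY_BITS:
        findings.append(f"cipher {obs.cipher} uses only {obs.bits}-bit keys")
    upper = obs.cipher.upper()
    findings += [f"cipher {obs.cipher} uses weak primitive {m}" for m in WEAK_CIPHER_MARKERS if m in upper]
    return findings


def probe_https(host: str, port: int = 443, timeout: float = 10) -> TlsObservation:
    """Complete a certificate-verified handshake with the HTTPS listener and record what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return TlsObservation(tls.version(), name, bits)


def probe_ftps(host: str, port: int = 21, timeout: float = 10) -> TlsObservation:
    """Send AUTH TLS on the FTP control channel (explicit FTPS) and record the negotiated session."""
    ftp = ftplib.FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.auth()
        name, _, bits = ftp.sock.cipher()
        return TlsObservation(ftp.sock.version(), name, bits)
    finally:
        ftp.close()


def plaintext_login_refused(host: str, user: str, password: str, port: int = 21, timeout: float = 10) -> bool:
    """Attempt USER/PASS with no AUTH TLS first. A server enforcing secure-protocol-only
    access must answer with a 5xx reply. Use a throw-away test account: if the server is
    misconfigured, these credentials cross the network in the clear."""
    with ftplib.FTP(timeout=timeout) as ftp:
        ftp.connect(host, port)
        try:
            ftp.login(user, password)
        except ftplib.error_perm:
            return True
        return False


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} HOST TEST_USER TEST_PASSWORD")
    host, user, password = sys.argv[1:]
    for label, probe in (("HTTPS", probe_https), ("FTPS", probe_ftps)):
        obs = probe(host)
        print(f"{label}: {obs.protocol} {obs.cipher} ({obs.bits}-bit) ->", evaluate_tls(obs) or "OK")
    print("plaintext FTP login refused:", plaintext_login_refused(host, user, password))
```

Two limits worth knowing: the FTPS probe inspects only the control channel, so confirm separately that the server insists on PROT P for data connections, and SFTP is not probed because the standard library has no SSH client (run your usual SSH audit tooling against port 22 for that listener).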

Information System Activity Review (Required) – §164.308(a)(1)(ii)(D)

HIPAA Requirement

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Cerberus logs every session and all activity that occurred during it. Log data may be written to a file and retained for as long as the administrator requires. Note that the requirement is to review these records regularly; logging alone does not satisfy it, so schedule the review and keep evidence that it happened. The logs record usernames, client addresses and file names, which may themselves reveal patient information, so store them where the users they record cannot alter them and restrict who can read them. The Enterprise Edition of Cerberus has additional built-in reporting tools for obtaining information about server and client login activity.
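As an added example (not part of the Cerberus documentation), the following Python script shows the kind of review §164.308(a)(1)(ii)(D) asks for, run over constructed sample log lines. The one-line-per-event layout used here is an assumption of the example, not Cerberus's actual log format; adjust LINE_RE to the format your server writes or to its exported login report. The script flags brute-force patterns of the kind the automatic lockout described under Access Control above is meant to stop, lists successful logins over plaintext protocols (a transmission security finding), and builds a per-user access report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical layout:
#   "<date> <time> <level> [<protocol>] <client_ip> <user> <message>"
# This is NOT Cerberus's real log format; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-04 09:00:01 INFO [SFTP] 203.0.113.7 alice Login successful
2024-03-04 09:00:05 INFO [SFTP] 203.0.113.7 alice Download /patients/2024/intake.csv
2024-03-04 09:00:09 INFO [SFTP] 203.0.113.7 alice Session closed
2024-03-04 09:15:00 WARN [FTPS] 198.51.100.23 admin Login failed
2024-03-04 09:15:02 WARN [FTPS] 198.51.100.23 admin Login failed
2024-03-04 09:15:04 WARN [FTPS] 198.51.100.23 root Login failed
2024-03-04 09:15:06 WARN [FTPS] 198.51.100.23 bob Login failed
2024-03-04 09:15:08 WARN [FTPS] 198.51.100.23 bob Login failed
2024-03-04 09:40:00 WARN [HTTPS] 192.0.2.44 bob Login failed
2024-03-04 10:02:11 INFO [HTTPS] 192.0.2.44 bob Login successful
2024-03-04 10:02:20 INFO [HTTPS] 192.0.2.44 bob Upload /inbound/labs.pdf
2024-03-04 10:04:00 INFO [FTP] 192.0.2.90 carol Login successful
2024-03-04 10:04:07 INFO [FTP] 192.0.2.90 carol Download /patients/2024/intake.csv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"\[(?P<proto>\w+)\] (?P<ip>[\d.]+) (?P<user>\S+) (?P<msg>.*)$"
)
PLAINTEXT_PROTOCOLS = {"FTP", "HTTP"}


def parse_log(text):
    """Parse lines into dicts with a datetime 'ts'; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> time it first reached `threshold` failed logins inside a sliding window.
    Counting per IP rather than per account also catches password spraying across users."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["msg"] != "Login failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def find_plaintext_sessions(events):
    """(user, ip) for successful logins over FTP/HTTP: any ePHI moved there was sent in the clear."""
    return [(ev["user"], ev["ip"]) for ev in events
            if ev["proto"] in PLAINTEXT_PROTOCOLS and ev["msg"] == "Login successful"]


def access_report(events):
    """Per-user summary for the periodic access review: successful logins, source IPs, files touched.
    Users who never logged in successfully do not appear; see find_bruteforce for them."""
    report = defaultdict(lambda: {"logins": 0, "ips": set(), "files": []})
    for ev in events:
        verb, _, rest = ev["msg"].partition(" ")
        if ev["msg"] == "Login successful":
            report[ev["user"]]["logins"] += 1
            report[ev["user"]]["ips"].add(ev["ip"])
        elif verb in ("Download", "Upload"):
            report[ev["user"]]["files"].append(rest)
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force sources:", find_bruteforce(evs))
    print("plaintext sessions:", find_plaintext_sessions(evs))
    for user, entry in access_report(evs).items():
        print(user, entry["logins"], sorted(entry["ips"]), entry["files"])
```

The threshold and window are deliberately parameters: they should match whatever lockout values the server is configured with, so the review confirms the automatic control fired and not just that the attempts occurred.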