Healthcare File Sharing and HIPAA-Compliant Transfer
Cerberus FTP Server delivers secure, HIPAA-compliant file transfer for the healthcare industry through industry-leading encryption, detailed auditing, and fine-grained access permissions.
Learn how one health system – the Duke University School of Medicine – uses Cerberus to stay HIPAA-compliant while sharing protected health information with its medical school researchers.
What to Know About Healthcare File and Data Transfer
Two overarching laws govern healthcare file transfer: the E.U. General Data Protection Regulation (GDPR), through its category of data concerning health, and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Below we list the core points of each as they relate to secure transfer of personal health information:
E.U. General Data Protection Regulation
The GDPR’s Recital 35 defines health data as “all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.”
The regulation intentionally avoids naming particular data security technologies or protocols, leaving room for emerging technologies, but for the transfer of health data under the GDPR certain requirements are clear:
Health data must be processed/transferred via secure encryption.
Cerberus’s Professional and Enterprise editions provide the most robust file transfer encryption methods (including FIPS 140-2 encryption) and support for a variety of secure transfer protocols (SFTP, FTPS, HTTPS, SCP, etc.) to support your environment. You can compare editions at this link.
A health data processor must be able to trace what data was processed, at what time, and what information that data contained.
Our logging feature, combined with the Event Manager feature in Cerberus’s Enterprise edition, gives an administrator a complete view of all data processing activities, with the ability to trigger and save reports based on server events.
Organizations must be able to provide data protection officers and independent evaluators with an overview of their data security practices for review.
While this requirement extends beyond file transfer software, Cerberus FTP Server Enterprise edition’s Folder Manager feature allows administrators to create and customize their file retention policies to support data security.
U.S. HIPAA Security Rule
HIPAA’s Security Rule applies to all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). Covered Entities must comply with the four technical safeguards listed here.
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Cerberus’s Professional and Enterprise editions support the Access Control requirement by offering LDAP or Active Directory integration with the file-transfer server, as well as a customizable user database (compare editions here).
A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Cerberus’s Enterprise edition provides detailed reports of client activity based on user names, date ranges, and file access to meet the Audit Controls requirement.
A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Cerberus FTP Server Enterprise edition’s Folder Manager feature allows administrators to create and customize their file retention policies in order to comply with the HIPAA Integrity Controls requirement.
A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Our Professional and Enterprise editions provide the most robust file transfer encryption methods (including FIPS 140-2 encryption) and support for a variety of secure transfer protocols (SFTP, FTPS, HTTPS, SCP, etc.) to comply with the Security Rule’s Transmission Security requirement. You can compare editions at this link.
Are you using Cerberus for secure healthcare file transfer?
We’d like to hear your story.