File transfer protocol (FTP) isn’t known for its security. A survey found that file-sharing services, including FTP servers, account for 40 percent of accidental security breaches by employees, putting sensitive personal health information (PHI) at risk — and stressing the need for HIPAA-compliant FTP servers.
In the medical field, hackers have exploited FTP servers to gain access to patient records. In 2018, one breach compromised the data of 205,000 patients. Lest you think this only happens to large companies, the U.S. Federal Bureau of Investigation (FBI) released a warning to smaller healthcare offices about how cybercriminals are using FTP to access patient information.
The costs for these breaches can be steep. For healthcare practitioners, the average cost of a data breach is $429 per record — more than double what a breach in the financial industry (at $210 per record) costs. It’s not just a monetary hit; data breaches also cost healthcare providers the goodwill and trust of patients whose information is compromised.
To avoid issues and keep data safe, you need a secure FTP server, or SFTP, which uses a secure connection to transfer data. To be HIPAA compliant, the provider needs to sign a business associate agreement (BAA) that protects you if the breach is their fault. Here are the best HIPAA-compliant FTP servers.
Best HIPAA-compliant FTP servers
- Files.com
- Cerberus FTP Server
- FTP Today
- HIPAA Vault
1. Files.com
Files.com (formerly BrickFTP) offers a Premier plan that includes SFTP, two-factor authentication so that a guessed password alone isn’t enough to log in, and encryption for data in transit and at rest. You can require users to set up two-factor authentication, and you can set permissions for specific folders.
Pricing for the Premier plan is $20 per month, per user, with a 25 user minimum. For that, you get 10 TB of usage, with additional usage priced at 10 cents per gigabyte. The plan also includes 10 hours per year of assistance with audit or vendor compliance programs.
2. Cerberus FTP Server
With access controls, default 128-bit encryption, and full logging of all activity, Cerberus FTP Server is a solid choice for HIPAA compliance. If you’re looking for more security, you can enable FIPS 140-2 encryption, which follows a standard for cryptographic modules set by the National Institute of Standards and Technology (NIST) for the U.S. federal government.
The Professional Edition, which has the FIPS 140-2 encryption option, starts at $599 per year. It includes an unlimited number of connections to the server, the ability to automatically ban users, and features to create users and groups.
3. FTP Today
The first sentence on FTP Today’s web page for HIPAA-compliant FTP is about how the service has every possible control to ensure HIPAA compliance. FTP Today uses very strong 2,048-bit encryption to send files. You can encrypt stored files with AES 128-bit encryption to keep them safe on the server. FTP Today’s data centers are certified under ISO/IEC 27001:2013, an independent standard for mitigating information security risks.
FTP Today offers several different hosting options. The HIPAA-compliant FTP option starts at $270 per month (when paid annually), with 50 GB of storage and unlimited users. Additional storage can be purchased in 50 GB increments for an additional $50 per month.
4. HIPAA Vault
Another option for a HIPAA-compliant FTP server is HIPAA Vault. This SFTP server requires two-factor authentication to access files, which adds another step to log in and makes it harder for hackers to use “brute force” password guessers. It also lets you exclude certain IP addresses from accessing the server. You can encrypt data in transit and at rest.
Pricing for HIPAA Vault starts at $199 per month for 20 GB of storage. It includes up to 25 user accounts, two administrative users, and fully managed services to respond to critical alerts like potential breaches.
These are just four of the choices for a HIPAA-compliant FTP server. It’s important to examine what each provider offers and make sure it has the features and access controls you need, in addition to complying with the HIPAA security rule.
Ultimately, the most important thing is to keep your patients’ PHI safe. Otherwise, you could end up dealing with hefty fines and the loss of their trust — something you can’t put a price tag on but will affect you for years to come.