Best FTP servers to help with HIPAA compliance

File transfer protocol (FTP) isn’t known for its security. A survey found that file-sharing services, including FTP servers, account for 40 percent of accidental security breaches by employees, putting sensitive personal health information (PHI) at risk — and stressing the need for FTP servers that help with HIPAA compliance.

In the medical field, hackers have exploited FTP servers to gain access to patient records. In 2018, one breach compromised the data of 205,000 patients. Lest you think this only happens to large companies, the U.S. Federal Bureau of Investigation (FBI) released a warning to smaller healthcare offices about how cybercriminals are using FTP to access patient information.

The costs for these breaches can be steep. For healthcare practitioners, the average cost of a data breach is $429 per record — more than double what a breach in the financial industry (at $210 per record) costs. It’s not just a monetary hit; data breaches also cost healthcare providers the goodwill and trust of patients whose information is compromised.

To avoid issues and keep data safe, you need a secure FTP server, or SFTP, which uses a secure connection to transfer data. To enable HIPAA compliance, the provider needs to sign a business associate agreement (BAA) that protects you if the breach is their fault. Here are the best FTP servers that help with HIPAA compliance.

1. Files.com

Files.com (formerly BrickFTP) offers a Premier plan that includes SFTP, two-factor authentication to make it more difficult to guess a password, and encryption for data in transit and at rest. You can require users to set up two-factor authentication and permissions for specific folders.

You must contact the company for pricing information.

2. Cerberus FTP Server

With access controls, default 128-bit encryption, and full logging of all activity, Cerberus FTP Server is a solid choice for HIPAA compliance. If you’re looking for more security, you can enable FIPS 140-2 encryption, a set of encryption specifications that were set by the National Institute of Standards and Technology (NIST) for the U.S. federal government.

The Professional Edition, which has the FIPS 140-2 encryption option, starts at $1,499 per year. It includes an unlimited number of connections to the server, the ability to automatically ban users, and features to create users and groups.

3. Sharetru (formerly known as FTP Today)

The first sentence on Sharetru’s web page for HIPAA-friendly Sharetru is about how the service has every possible control to enable HIPAA compliance. Sharetru uses very strong 2,048-bit encryption to send files. You can encrypt stored files with AES 128-bit encryption to keep it safe on the server. Sharetru Today’s data centers are certified under ISO/IEC 27001:2013, an independent standard for mitigating information security risks.

Sharetru Today offers several different hosting options. The FTP option that helps with HIPAA compliance starts at $108 per month (when paid annually), with 10 GB of storage and unlimited users.

4. HIPAA Vault

Another option for an FTP server that helps with HIPAA compliance is HIPAA Vault. This SFTP server requires two-factor authentication to access files, which adds another step to log in and makes it harder for hackers to use “brute force” password guessers. It also lets you exclude certain IP addresses from accessing the server. You can encrypt data in transit and at rest.

Pricing for HIPAA Vault starts at $199 per month for 20 GB of storage. It includes up to 25 user accounts, two administrative users, and fully managed services to respond to critical alerts like potential breaches.

These are just four of the choices for an FTP server that helps with HIPAA compliance. It’s important to examine what each provider offers and make sure it has the features and access controls you need, in addition to complying with the HIPAA security rule.

Ultimately, the most important thing is to keep your patients’ PHI safe. Otherwise, you could end up dealing with hefty fines and the loss of their trust — something you can’t put a price tag on but will affect you for years to come.