HIPAA Compliant File Sharing with FileCloud
The HIPAA Act of 1996 required the Secretary of HHS to promulgate regulations protecting the privacy and security of certain health information. These regulations are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy, Security, and Breach Notification Rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains, or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity.
FileCloud helps you address three main concerns that HIPAA enforces:
- Encryption of ePHI in transmission and at rest
- Recording and retaining activity related to use of or access to ePHI
- Instances/policies for storing, processing or transmitting ePHI
HIPAA focuses on safeguarding ePHI, and FileCloud helps you get there by:
- Ensuring confidentiality, integrity, and availability of ePHI
- Protecting against anticipated threats and hazards to security and integrity
- Protecting against use/disclosure of PHI that is not permitted
Sections of HIPAA
The Security Rule is separated into six main sections that each include several standards and implementation specifications that a covered entity must address. The six sections are listed below.
- Security standards: General Rules – includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications
- Administrative Safeguards – are defined in the Security Rule as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
- Physical Safeguards – are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards – are defined as “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.”
- Organizational Requirements – includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
- Policies and Procedures and Documentation Requirements – requires the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability, and update requirements related to the documentation.
HIPAA on FileCloud
FileCloud offers you a shared responsibility model to adhere to HIPAA regulations. The Privacy Rule assures the confidentiality and the authorized uses and disclosures of all Protected Health Information in any form—oral, paper, and electronic. The Security Rule provides safeguards for the confidentiality, integrity, and availability of Electronic Protected Health Information (e-PHI), or a subset of that information as safeguarded by the Privacy Rule. The Security Rule is meant to complement the Privacy Rule in protecting e-PHI. The three core objectives of the rule are confidentiality, integrity, and availability. To achieve these objectives, the HIPAA Security Rule defines three types of safeguards: administrative, physical, and technical.
- Unique User Authentication / Person or Entity Authentication
- Emergency Access Procedure
- Audit Controls
- Integrity Controls
- Automatic logoff of users
- Encryption and Decryption
In this blog, we will focus mainly on technical safeguards and how FileCloud helps you meet these requirements.
FileCloud allows access only to authorized users with the correct username/password. This is valid for internal users and external users (vendors, patients, contractors, etc.).
Furthermore, FileCloud supports two-factor authentication for an additional level of security. (Full accounts only)
No files should be anonymously available; this requires that “Share Mode” is set to private shares only.
In your admin portal, go to Settings / Policies. In all of your policy groups, change the “Share Mode” to “Allow Private Shares Only”.
Emergency Access Procedure
FileCloud can be backed up by most third-party Backup Endpoint solutions. The information required is the backup database files that are created automatically every day.
Files are created at:
In addition to this, a backup of Managed Storage is required (all the files).
Check our backup instructions here.
FileCloud ServerLink (part of the Enterprise package) replicates the whole FileCloud installation, including files, file indexes and audit trails, to a remote server or a branch office (hospitals). If one instance goes down, data can be accessed from the duplicate FileCloud instance.
FileCloud supports a “High Availability” (HA) architecture, which helps customers build redundancy across all layers of their infrastructure and ensures access to the records even when parts of the system go down due to disasters or technical issues. During emergency situations, administrators can access any end-user files by resetting the user password or accessing files via the Admin portal.
When using FileCloud Online – Enterprise, your system is completely backed up every day, and we keep these backups for three months. If something happens to your data, you can request that the backup from a certain date be restored.
Besides the backup of your site, your FileCloud site has additional protection mechanisms to preserve files that are deleted or edited.
All FileCloud activity is recorded in the Audit Records. These records can be viewed and exported from the Settings / Audit section.
All audit records are saved in the FileCloud database. If you have a SIEM server, FileCloud can integrate with it and send all transaction entries directly to your SIEM for alerting and auditing, so that all activity is monitored and recorded.
FileCloud provides a heuristic engine that protects data integrity against ransomware attacks.
It checks files when they are created, edited, or deleted.
Additional protection for normal file operations:
FileCloud User Session Expiration ends a session after a predetermined time of inactivity. Administrators can configure the time based on their organization’s policies. Once a user session exceeds the inactivity period, the session expires, and the user is required to log in again.
Encryption and Decryption of Files
FileCloud ensures that information is fully encrypted with advanced AES 128 encryption when it is transmitted and stored. Only the correct user with the appropriate permissions and decryption key can decrypt the data.
Besides data encryption, SSL certificates are in place to ensure that data transport is encrypted between the server and the end-user.
To protect login credentials, user passwords are hashed using the secure SHA-1 hash algorithm.
Enable Secure NIST Password
To enable secure NIST passwords, go to Settings / Misc / Password, enable the feature “Disallow Commonly Used Password”, and save the settings.
Whenever a password is created or updated, FileCloud Server checks the suggested password against the US NIST Password Guidelines list before the password is accepted.
Healthcare activities of all kinds are strictly controlled by HIPAA (Health Insurance Portability and Accountability Act) regulations, among others. For the American Pediatric Society and the Society for Pediatric Research, FileCloud offers HIPAA compliant audit trails. The audit records show which users acted in which way (access, modification, deletion, or other), on which data (includes files and folders), at what time (full timestamp), and through which device (web or mobile, for instance). More than this, FileCloud also gives APS and SPR data leak prevention capabilities, such as remotely wiping or blocking devices to avoid illicit access, as well as seeing in real-time which devices are connected.
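As an added example (not FileCloud code, and not its heuristic engine), here is one way to review exported audit records of the kind described above: flag any user who modifies or deletes many distinct files within a short window. The CSV column names, action names, sample rows and thresholds are all constructed for illustration; a real export may be laid out differently.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime

DESTRUCTIVE = {"modify", "delete"}  # assumed action names in the export

def sample_export():
    """Constructed audit export; column names are assumptions for this example."""
    rows = ["timestamp,user,action,path,device"]
    # alice: ordinary work, two edits ten minutes apart
    rows += ["2024-03-01T09:00:00,alice,access,/charts/a1.pdf,web",
             "2024-03-01T09:01:00,alice,modify,/charts/a1.pdf,web",
             "2024-03-01T09:11:00,alice,modify,/charts/a2.pdf,web"]
    # bob: six different files rewritten within 25 seconds
    rows += [f"2024-03-01T10:00:{5 * i:02d},bob,modify,/charts/b{i}.pdf,sync"
             for i in range(6)]
    # carol: five deletions spread over 40 minutes
    rows += [f"2024-03-01T11:{10 * i:02d}:00,carol,delete,/old/c{i}.pdf,web"
             for i in range(5)]
    return "\n".join(rows)

def flag_bursts(export_text, window_seconds=60, threshold=5):
    """Return {user: (window_start, distinct_files)} for every user who modified
    or deleted at least `threshold` distinct paths within `window_seconds`."""
    recent = defaultdict(deque)  # user -> (timestamp, path) pairs still in window
    flagged = {}
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["timestamp"])  # ISO 8601 sorts as text
    for row in rows:
        if row["action"] not in DESTRUCTIVE:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        window = recent[row["user"]]
        window.append((ts, row["path"]))
        # Drop events that have aged out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {path for _, path in window}
        if len(distinct) >= threshold and row["user"] not in flagged:
            flagged[row["user"]] = (window[0][0].isoformat(), len(distinct))
    return flagged

if __name__ == "__main__":
    for user, (start, count) in flag_bursts(sample_export()).items():
        print(f"review {user}: {count} files changed or deleted from {start}")
```

The window and threshold should be tuned against normal activity at your site, since bulk edits from sync clients can look similar.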