
Secure File Transfer in Healthcare

Healthcare is another industry significantly impacted by new privacy legislation. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to facilitate the flow of healthcare information while protecting confidential patient data from inappropriate access, disclosure, and use. HIPAA regulations define transaction codes and forms, privacy rights, information security, and identifiers for patients, providers, plans, and employers. HIPAA security requirements cover administrative policies and procedures, physical safeguards, technical services, and technical mechanisms. Technical services cover "data at rest". Technical mechanisms cover "data in motion", requiring entity authentication, access control, encryption, data integrity, event reporting, and alarms. SFTP is clearly a useful tool for implementing policies that comply with HIPAA security requirements.

Figure 6: Securing Patient Records in Healthcare

Figure 6 illustrates how SFTP can be used as a technical mechanism, protecting data in motion within a distributed healthcare system. Organizations affected by HIPAA include healthcare providers (physicians, hospitals), health plans (insurance companies, HMOs, Medicare), clearinghouses (billing services, claims processing companies), and any other business partner involved in the "chain of trust". In this example, Secure Shell MACs prevent message alteration. Secure Shell passwords and public-key authentication control file access at the user and group levels. Secure Shell encryption ensures the confidentiality of healthcare information. Server event logs provide the information needed to facilitate a security audit. HIPAA also mandates that physicians have fast emergency access to patient records generated by others. Secure electronic access through a standard protocol like SFTP complies with this requirement.
