How a $218K HIPAA fine could have been avoided with secure file transfer

'Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications'
By Deborah Galea
09:12 AM

A Massachusetts hospital was recently fined $218k for using a cloud-based file sharing service and violating HIPAA requirements. Although there was no evidence of an actual breach, the methods that the hospital's employees used for sharing the electronic protected health information were deemed risky enough to warrant a fine.

"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," said OCR Director Jocelyn Samuels in a statement issued on July 10. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

To date, OCR has imposed nearly $26.4 million fines for HIPAA privacy, security and breach notification violations.

Given that healthcare organizations must sometimes exchange sensitive patient data with external parties, how can they ensure that this is done safely, protecting patient privacy and complying with HIPAA requirements?

If no secure option is provided to employees, it is highly likely that they will resort to other, potentially unsafe methods to complete their tasks. Therefore it is important that healthcare organizations approve and implement a secure file transfer system that is easy to use and meets the high security requirements set by HIPAA.

Below, we discuss the five most important ways in which secure file transfer systems protect against data loss:

  • Encryption: A secure file transfer system ensures that files are encrypted in transit and at rest. By doing so, even if the system is hacked and data is potentially accessed, all files will still be encrypted. It is recommended to use AES-256 encryption for robust protection.
  • Authentication: User authentication ensures that only the intended recipient can download the file since they need to provide their credentials before accessing the file. This means that even if the notification email is intercepted, the file cannot be downloaded by anyone else.
  • Life cycle management: By automatically removing files from the system after a specific number of days or downloads, you can ensure that any sensitive files are only on the system for as long as they need to be, avoiding unnecessary exposure. With a secure file transfer system it is also possible to manually disable access to a particular file for particular recipients if necessary.
  • Auditing: A secure file transfer system includes audit logging to track who sent which files to whom and on which devices the files were downloaded. In addition, all user activity is tracked on the system, including logins, expiring files, sending contact invitations, etc. This information can be important when determining if there was a data breach and also to prove that certain file transfers did or did not take place for compliancy reasons.
  • Anti-malware: Exchanging files includes the inherent risk of introducing malware into the network and causing potential data breaches. Secure file transfer systems should include anti-malware protection to thoroughly scan files before they are uploaded to the system to avoid any infections.

Once your organization has selected and implemented a secure file transfer system, it is important to create an employee cyber security policy and provide regular trainings to ensure that employees understand when to use the system and how to implement it to ensure the highest protection of patient data.