Are your ePHI file transfers secure enough?
The $218,400 fine in the US case of St. Elizabeth’s Medical Center, Massachusetts (SEMC) is only the latest reminder of the importance of ensuring file transfers are safe. In that case, the hospital’s handling of files was deemed so poor that the fine was levied even though there was no evidence of an actual breach.
The SEMC staff were using an Internet-based document sharing application to store electronic protected health information (ePHI) without having analyzed the associated risks. ePHI was also found on an employee’s personal laptop and flash drive.
IT departments know that employees not provided with a secure option to transfer files will likely find a workaround. And that solution might well be unsafe. The best way to improve security is for IT itself to bring in a secure file transfer system that:
1. Is easy for employees to use. (So they have no incentive to work around it.)
2. Meets regulatory requirements and industry best practice.
What qualities should a secure file transfer system have?
1. Encryption in transit and at rest
Files are not only vulnerable in transit. They can also be attacked while they are sitting on your system. Files at rest must be encrypted as well as the files that are moving.
2. Intended recipients only
Files are safer if intended recipients have to identify themselves before accessing the file. This way it does not matter if the email announcing the availability of the file is intercepted.
3. Think like a library
3a– Limit time
A file, like a library book, does not need to be available to the recipient forever. Set limits on how long a file is available for download.
3b– Know who has what
A best-practice secure file transfer system will include an audit trail showing not just who sent a file but to whom and onto what devices that file was moved. Log every action. This information helps identify breaches and gives certainty about what information was compromised if any.
4. Digital health warnings
When files, like people, move back and forth between different environments, it is more likely an infection will enter the population. Files should be thoroughly scanned for malware when they arrive on the system and before they are accessible.
5. A matter of policy
When your choice of secure file transfer system is made, incorporate the conditions of its use into a policy. This should not be just as a compliance checkbox exercise. It should be backed by regular training.