The evaluation standard § 164.308(a)(8) requires covered entities and Business Associates to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The Hosted~FTP~ HIPAA evaluation is performed by an external organization that provides evaluations/certification services that is qualified to provide the “HIPAA Seal of Compliance” which is the health care industry’s third party HIPAA verification as there is no formal HIPAA compliance certification from the federal government or subsidiary regulatory agencies. The HIPAA Seal of Compliance has become the healthcare industry standard for verification. Federally-mandated HIPAA standards, regulated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), are fully addressed and incorporated into an effective, organization-wide compliance program.
The Hosted~FTP~ HIPAA compliance program evaluation process includes:
Hosted~FTP~ builds all of our application systems solely on top of the AWS cloud infrastructure and therefore shares the compliance responsibilities with AWS.
When you subscribe to the Hosted~FTP~ services all data will then reside in the US at Amazon Web Services West Virginia location.
The Hosted~FTP~ SaaS application has been designed to ensure that all protected health information (PHI) can be transmitted securely and stored in the Amazon Web Services securely. The data is 256 bit AES encrypted in transit, on arrival and at rest:
a) For transfers by web browsers, our website is secured by HTTPS with AES 256 b it encryption (certified by the US government for top secret information)
b) For transfers by FTP (i.e. FTP client programs, scripts, etc.) we support FTPS (FTP over TLS/SSL) with AES 256 bit encryption and SFTP
Hosted~FTP~ encrypts the data as soon as it arrives at the Hosted~FTP~ Amazon cloud location and before any processing takes place to ensure that the data is never unprotected. This includes all data, credentials and file-names and folder names; a process that is unique to Hosted~FTP~.
Your files are encrypted with 256 bit AES encryption before they are saved to any disk. From there files are securely uploaded by HTTPS to Amazon S3 cloud storage, where Amazon encrypts the files a second time before they are stored.
All Hosted~FTP~ servers are locked down completely except for the ports required to serve HTTP, HTTPS, FTP, and FTPS
All files are fingerprinted with an MD5 hash that is stored with reference to the file. When the file(data) is retrieved the MD5 hash is recreated and compared against the original to establish proof that there has been no tampering.
All Hosted~FTP~ accounts are only accessible by username and password; the account administrator grants sharing and login privileges to the users, contacts, folders and files in the account. SFTP supports both username/password and username/PKI key combination
Hosted~FTP~ has implemented 2-step verification using the Google Authenticator app on your mobile phone. This feature requires the user to present a valid 6-digit authentication code provided by their MFA mobile device app, in addition to their username and password, before they can sign in. For Hosted~FTP~ the 6 digit code is added after the username/email field on the login prompt i.e. username/email: firstname.lastname@example.org 162839 Password: password123
Enterprise T2/T5/T10 accounts have an additional security level feature. Hosted~FTP~ provides a password policy setting on an account level affecting all users. The setting forces all users of the account to maintain a complex password level of difficulty chosen by the account administrator. Customize your password policy’s requirements on: minimum amount of characters, uppercase, lowercase, numerical, and non-alphanumeric characters. More info can be found here.
Hosted~FTP~ does not allow any user programs to execute at all; our clients can only use our service to upload, retrieve and provide email notifications by our secure email server.
We provide logs of all user login activity and also upload/download activity for purposes of audit and tracking in each user account in the form of daily Excel and/or .CSV files stored in each account. The detailed logs track info such as: IP address, direction of transfers, method of protocol, date and time, and more. More info here.
Enterprise T2/T5/T10 accounts have an additional security level feature. Hosted~FTP~ provides IP whitelisting at the account level as well as each individual user level. Once IP whitelisting is enabled the user must be coming from the IP addresses specified, otherwise they will experience login failures. IP addresses can be input individually or by CIDR address range. More info here.
We are 100% cloud, meaning that all of our infrastructure is hosted in the Amazon Cloud. “Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage. ” see this link for further details. Amazon has many processes and certifications to guarantee the safety and reliability of the files stored in S3. We adhere to all Amazon’s security best practices. Amazon redundantly stores files on multiple devices across multiple facilities in an Amazon S3 Region before we provide a SUCCESS to the user.
Hosted~FTP inherits the AWS infrastructure SLA with a commitment as noted below. Please see the links for further info.:
“AWS will use commercially reasonable efforts to make Amazon S3, EC2 and Amazon EBS each available with a Monthly Up-time Percentage (defined below) of at least (see below) in each case during any monthly billing cycle (the “Service Commitment�?)
http://aws.amazon.com/ec2/sla/ SLA is 99.95 %
http://aws.amazon.com/s3/sla/ SLA is 99.9%
Hosted~FTP~ has a reserved maintenance window on Saturday from 10 am to 12 PM. The scheduled maintenance releases are typically infrequent and of short duration.
The AWS infrastructure follows HIPAA compliance. The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best-practices. Please review the following links