Privacy & Security

How a $218K HIPAA fine could have been avoided with secure file transfer

'Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications'
By Deborah Galea
August 12, 2015
09:12 AM

A Massachusetts hospital was recently fined $218k for using a cloud-based file sharing service and violating HIPAA requirements. Although there was no evidence of an actual breach, the methods that the hospital's employees used for sharing the electronic protected health information were deemed risky enough to warrant a fine.

"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," said OCR Director Jocelyn Samuels in a statement issued on July 10. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

To date, OCR has imposed nearly $26.4 million fines for HIPAA privacy, security and breach notification violations.

Given that healthcare organizations must sometimes exchange sensitive patient data with external parties, how can they ensure that this is done safely, protecting patient privacy and complying with HIPAA requirements?

If no secure option is provided to employees, it is highly likely that they will resort to other, potentially unsafe methods to complete their tasks. Therefore it is important that healthcare organizations approve and implement a secure file transfer system that is easy to use and meets the high security requirements set by HIPAA.

Below, we discuss the five most important ways in which secure file transfer systems protect against data loss:

  • Encryption: A secure file transfer system ensures that files are encrypted in transit and at rest. By doing so, even if the system is hacked and data is potentially accessed, all files will still be encrypted. It is recommended to use AES-256 encryption for robust protection.
  • Authentication: User authentication ensures that only the intended recipient can download the file since they need to provide their credentials before accessing the file. This means that even if the notification email is intercepted, the file cannot be downloaded by anyone else.
  • Life cycle management: By automatically removing files from the system after a specific number of days or downloads, you can ensure that any sensitive files are only on the system for as long as they need to be, avoiding unnecessary exposure. With a secure file transfer system it is also possible to manually disable access to a particular file for particular recipients if necessary.
  • Auditing: A secure file transfer system includes audit logging to track who sent which files to whom and on which devices the files were downloaded. In addition, all user activity is tracked on the system, including logins, expiring files, sending contact invitations, etc. This information can be important when determining if there was a data breach and also to prove that certain file transfers did or did not take place for compliancy reasons.
  • Anti-malware: Exchanging files includes the inherent risk of introducing malware into the network and causing potential data breaches. Secure file transfer systems should include anti-malware protection to thoroughly scan files before they are uploaded to the system to avoid any infections.

Once your organization has selected and implemented a secure file transfer system, it is important to create an employee cyber security policy and provide regular trainings to ensure that employees understand when to use the system and how to implement it to ensure the highest protection of patient data.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Most Read

What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
South Korea to digitise medical image exchange system
ASTP intros 2024 draft Federal FHIR Action Plan
CrowdStrike all but assures Capitol Hill: Never again

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards