HIPAA Compliant File Sharing Risks in Healthcare
By Gil Vidals | HIPAA Blog, Resources, sFTP

…and How a HIPAA Compliant File Sharing Solution Can Help

Are your medical file sharing practices HIPAA compliant? What does it mean to use HIPAA-compliant file sharing, anyway?

File management tools have certainly come a long way.

In the not-too-distant past, the “secure delivery” of your health records consisted of: 

  1. Placing copies carefully into an envelope and sealing it;
  2. Dropping it into interoffice mail or a slot at the post office/UPS; or
  3. Even trusting a guy on a bike to deliver it safely to your recipient. Then sitting back and hoping all goes well.

Of course, this method was fraught with vulnerabilities: any paper files or removable media such as CDs or USB drives contained therein could be lost or intercepted at any point on the journey. The bike courier might mistake the address. Even if you decided to hand-deliver it yourself, you might misplace or lose it in transit. None of this was a HIPAA-compliant file sharing system in the slightest.

Before you deride our predecessors for being “so archaic”, consider this: today, less than one-quarter of healthcare workers surveyed use secure file transfer to share sensitive data, according to a recent study.

In fact, healthcare workers are 36% more likely than those working in financial services to share sensitive data using unsecured means. So why this continuing lack of security in healthcare?

No doubt, the tyranny of urgency and the desire to avoid delays in file sharing is a factor; it creates tunnel vision and blinds staff to larger corporate security or regulatory concerns such as HIPAA.

It’s a truth about human nature: we gravitate to the easiest means available to accomplish tasks; a majority of the healthcare workers in the survey mentioned above even admitted as much. 

What Are the Top 3 File Sharing Risks in Healthcare?

To illustrate, consider how the following three means of file sharing remain very much in use, and continue to pose significant risks of data exploitation and loss: unsecured email with attachments, insecure file-sharing apps, and flash drives.

Here are some of the most common HIPAA-compliant file transfer, document sharing, and medical file-sharing issues you and your team face every day.

1. Unsecured Email 

Susan Hinrichs, chief of engineering at SafelyFiled, describes a typical scenario in which the convenience of email can easily lead to lapses in security:

“Just the other day I received a design document from a client as an email attachment. [Regular] Email is not designed to be secure. Anyone with access to an intermediate mail server or with the ability to sniff network traffic between our mail servers would see this design document. If I needed to sign a non-disclosure agreement to see this information, they probably did not want random folks on the internet to see this information. Instead, senders should encrypt files and use secure file-sharing services.”

For healthcare, the risks of disclosing a patient’s personal information and violating HIPAA, with the potential fines and loss of business reputation that follow, make secure email critical whenever any protected health information is included or attached.

Yet if staff feel they must “jump through hoops” to expedite a file share, security concerns will be less likely to be at the forefront of their minds when completing a task. A user-friendly, seamless solution is therefore critical.

2. Insecure Consumer File-sharing Apps

There are many risks in enabling file sharing on a network. A typical consumer file-sharing app on your employee’s phone might seem (to them) a convenient way to expedite a file share, especially if it lets them avoid a potentially time-consuming call to the IT department.

Once again, the “easier alternative” tends to win here. However, there is simply no guarantee that the data, usually unencrypted, won’t be exploited at any of the numerous server stops it might make on its journey, or be opened by an unintended recipient.

Yet these unsanctioned tools (call them “shadow software”) continue to be used by individual departments in companies, without clearance by IT or approval by administration, and constitute a serious risk to corporate security. It behooves companies, then, to find a secure file-sharing solution, along with adequate training to establish buy-in and appropriate use.

3. Flash Drives

While flash drives may seem to be a thing of the past, a number of factors continue to make them relevant to many users:

  • Control: flash drive access is controlled by the users themselves, independent of a service provider or another department that might impose unwanted access controls.
  • Convenience: flash drives require no internet connection.
  • Physicality: while the cloud “feels intangible,” you can hold a flash drive in your hand. For many, this just “feels” more secure.

The risk of file sharing with flash drives is that they can be easily infected with malware. Once inserted into a networked PC’s USB port, if the flash drive is not properly scanned and autorun is enabled, it may infect the entire system.
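The autorun condition above is something an administrator can audit rather than assume. The following PowerShell function is an added example for this article (it is not HIPAA Vault code) that reads the documented Explorer policy values behind Windows’ “Turn off AutoPlay” setting and reports whether AutoPlay and autorun.inf processing are disabled for removable media; it assumes a Windows workstation, and the optional `-Remediate` switch (a name chosen here) needs an elevated shell.

```powershell
# Audit (and optionally enforce) the Windows AutoPlay/autorun policy that the
# flash-drive scenario depends on. Added example, not HIPAA Vault code.
# Assumes Windows; -Remediate requires an elevated (administrator) shell.

function Test-AutoRunDisabled {
    [CmdletBinding()]
    param(
        # Apply the hardening values instead of only reporting.
        [switch]$Remediate
    )

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # NoDriveTypeAutoRun = 0xFF (255) turns AutoPlay off for every drive type,
    # including removable drives. NoAutorun = 1 makes Explorer ignore autorun.inf.
    $expected = @{
        NoDriveTypeAutoRun = 255
        NoAutorun          = 1
    }

    if (-not (Test-Path $policyKey) -and $Remediate) {
        New-Item -Path $policyKey -Force | Out-Null
    }

    $results = foreach ($name in $expected.Keys) {
        $current = $null
        if (Test-Path $policyKey) {
            $current = (Get-ItemProperty -Path $policyKey -Name $name `
                        -ErrorAction SilentlyContinue).$name
        }
        $compliant = ($current -eq $expected[$name])

        if (-not $compliant -and $Remediate) {
            Set-ItemProperty -Path $policyKey -Name $name `
                -Value $expected[$name] -Type DWord
            $current   = $expected[$name]
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Compliant = $compliant
        }
    }

    # Print the per-value report to the console, then return a single verdict.
    $results | Format-Table -AutoSize | Out-Host
    return -not ($results | Where-Object { -not $_.Compliant })
}

# Report only (no changes):
Test-AutoRunDisabled

# Enforce the hardened values from an elevated prompt:
# Test-AutoRunDisabled -Remediate
```

The function returns `$true` only when both values match, so it can be dropped into a login script or endpoint compliance check and treated as a pass/fail signal. Disabling autorun does not replace scanning removable media before use; it only closes the automatic-execution path the passage describes.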

The sFTP Alternative for HIPAA Compliant File Sharing

The fact is, any traditional storage that relies on your PC’s hard drive may be a target for hackers. Multiply that by the number of PCs in your company and you have an even wider attack surface, with each machine potentially compromised by phishing scams, poor workstation security, unauthorized employee access, and the like.

On-site servers, despite their proximity, also depend on IT departments or even physicians’ staff to manage all backups, updates, patching, mitigation, and maintenance. This, along with capital equipment expenditures and ongoing server maintenance, can represent a costly scenario.

In contrast, HIPAA Vault’s fully managed, secure file transfer solution for file syncing and sharing takes all these concerns off your plate. With sFTP, your important files and folders will actually be more secure than on your hard drive, while enabling efficient cloud collaboration and increased productivity with your team.

Your medical files are encrypted at the click of a button before sharing externally, and in-transit and at-rest encryption protocols ensure complete privacy and confidentiality. sFTP also gives your team complete access control over files and folders from anywhere, while maintaining the ability to change permissions at any time.

Here’s what you’ll receive with sFTP:

  • A signed BAA
  • A secure web interface
  • Data transfer & loss protection (DLP)
  • SSL, at-rest encryption, & end-to-end encryption
  • Password protected, with Two-factor Authentication
  • User-management capabilities, with file access from anywhere
  • Granular permissions: read, edit, comment
  • HIPAA Vault’s renowned managed services with tier-less, dedicated live support, with less than 15-minute response times to critical alerts.

Above all, you’ll have peace of mind that your important patient files will reach their destination securely – without worrying about delivery mishaps, hackers, or hard drive failures.

Learn more about HIPAA compliant healthcare file sharing with HIPAA Vault

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure hosting and email, HIPAA compliant WordPress, secure healthcare file sharing, and more.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.