Every healthcare provider wants to avoid being the next data breach headline—and unfortunately, we have seen many incidents and their consequences in 2018 so far. The causes of these data breaches range from wrongly configured databases to successful malware attacks and unauthorized user access.
For those looking to avoid the pain, embarrassment, and fines that come with breached patient data, a secure file transfer solution might be the best way to strengthen your cybersecurity practices and secure your ePHI and EHR information against common vulnerabilities.
Use this article to find a secure file transfer solution for your healthcare file sharing needs.
Recent healthcare data breaches
Virtua Medical was fined by the New Jersey Attorney General in April 2018 for an incident that “breached the protected information of 1,654 patients in January 2016” (Healthcare IT News). Caused by a misconfigured database and lack of security controls, this breach and the events leading up to it violated HIPAA and cost them $418,000.
Sadly, this wasn’t the only healthcare organization to suffer a breach from misconfigured technology. Middletown Medical in New York recently discovered that 63,500 patient records “may have been breached due to a misconfigured radiology interface” (Healthcare IT News), and others are sure to follow in the coming months if security practices aren’t properly implemented or followed.
HIPAA Journal also recently published their Analysis of March 2018 Healthcare Data Breaches, which lists “unauthorized access/disclosure” as the top reason for March’s exposed records. This shows that, in healthcare, data breaches are more likely to be caused by careless employees and third-party vendors than by hackers.
Addressing your electronic health record security
As we continue to see a rise in breached EHRs and PHI, it’s important that organizations secure sensitive patient information in order to avoid the vulnerabilities, pitfalls, and user errors that can lead to painful security incidents. No one wants to be the next news headline, but without the cybersecurity tools necessary to support your escalating IT needs and compliance requirements, it may only be a matter of time.
If you’ve been tasked with finding a way to boost your security policies and mitigation strategies, you know the road is long. There are many solutions on the market that can encrypt your data, provide intensive controls to segment and restrict your users, track and audit your PHI file transfers, and improve your electronic health record security, but finding the right one for your organization can be overwhelming—especially if you aren’t sure what you’re looking for.
Do you need identification and access management? Security and integrity monitoring? Virus protection? Yes, yes, and yes (most likely), but if you want to avoid misconfigurations and potential exposure of confidential files, you’re probably looking for a managed file transfer (MFT) solution.
What is managed file transfer?
A managed file transfer (also referred to as secure file transfer) solution works to protect, streamline, and automate your data in transit and at rest, no matter where it resides. It promotes secure transfers inside and outside your network, both for batch and ad-hoc file transfers, and lets you track the details from a web-based interface or GUI.
Healthcare organizations and providers of all sizes use MFT to encrypt their EHR, PHI, and ePHI file sharing across floors, departments, offices, and locations. It can replace vulnerable FTP servers, manual scripts, and legacy PC tools that often have unseen risks attached and provides audit logs and reporting, as well as other feature benefits, that help organizations meet HIPAA and HITECH compliance for file transfers.
Finding an MFT healthcare vendor
In the market for a secure file transfer solution? Here are our tips for finding the right MFT healthcare vendor for your organization. Our list includes which features and benefits you should look for, what questions to ask the vendor, and any red flags you should avoid.
1. Things you want: MFT features for healthcare
While managed file transfer has features that support almost every industry, here are a few features your chosen vendor should offer with their MFT software:
Detailed audit logs and reporting
A solution that tracks where your ePHI, PHI, and EHRs are transmitted will help satisfy important HIPAA and HITECH requirements. Look for a vendor that automatically records and retains logins, transfer details, and errors, then allows you to use these audit logs to generate dashboards and management reports for easy review.
Open PGP encryption
Protect sensitive files with Open PGP encryption and key management. MFT software that supports the use of these encryption and authentication methods will help you establish cybersecurity protocols that secure your data whenever it’s in motion.
Look for a solution that has extensive security controls built into their MFT offering. These controls will help you manage user accounts, like employees and third-party vendors, and can be set up to lock users into specific directories or folder locations with granular permissions—lessening the real possibility of a healthcare breach from the inside.
2. Questions for vetting your chosen MFT vendor
Use these questions as a starting point when evaluating the knowledge and commitment of different managed file transfer vendors in your industry:
- Do other healthcare organizations use your solution? If so, would any of them be open to talking with me about their overall satisfaction?
- Do you have healthcare case studies you can send me?
- What resources on healthcare do you have (white papers, data sheets, guides, webinars) that I could read?
- How often do you update/enhance your product?
- What additional functionality and licensed modules do you offer in your product?
- What emphasis, if any, do you put on maintaining a solution that supports the healthcare industry?
- How will your product continue to allow us to maintain HIPAA and HITECH compliance?
- Do you offer professional services, like project consulting and training courses, to help me get the most out of my MFT solution?
3. Red flags? Avoid these MFT pitfalls and concerns
While a vendor might seem trustworthy, there are some warning signs you should be aware of when making your final decision.
Software labeled “HIPAA Certified”
Be careful when considering vendors who have labeled their MFT solution as certified: i.e. “HIPAA Certified.” Most compliance regulations, including HIPAA and HITECH, do not offer these certifications, so businesses cannot enforce their claim as legally true.
Furthermore, a vendor can never guarantee their product will make your organization compliant; they can only help you take steps toward compliance. The ultimate responsibility to become and remain compliant rests on you and your organization.
Contact the vendor’s support team during the evaluation stage, then pay special attention to their response time and the quality of answers you receive. Do they have resources to help you navigate what their product can do? Are there current customers you can talk to, to get a feel for their overall satisfaction? Do you feel the vendor is helpful and willing to support you through any trial, project, and question you might face?
Your relationship with the vendor you choose shouldn’t stop when you buy their software. If you aren’t feeling positive about their support and interest in your success, you may want to look elsewhere.
Negative software reviews
Before you approach a vendor, check third-party software review sites to see what real customers are saying about their product use, support, and overall satisfaction. Some trusted websites for software reviews include Capterra, Gartner Peer Insights, and G2.
A free healthcare MFT checklist? Swell!
Finally, we’ve put together a short checklist for healthcare organizations looking to invest in a secure file transfer solution. Use this to ensure you’re on the right track during your search.
- I can administer file transfers without having to install software on my devices.
- The solution has role-based administration that allows for separation of duties.
- The solution can help guarantee the delivery of file transfers.
- The solution has configurable error handling (auto-retry, send email alert, etc).
- The solution includes integrated key and certificate management tools.
- I can set password policies and expiration intervals for the product.
- The solution offers notifications for login failures and rejected files.
- I can generate activity reports for trading partners.
- I can authenticate server connections with passwords, SSH keys, and SSL certificates.
- I can track all user events and file activity.
- I can block brute-force and DoS attacks.
Related Reading: Get a more in-depth look at the MFT buying process with our Ultimate Buyer’s Guide to Secure Managed File Transfer.
Secure your PHI with GoAnywhere MFT
If you’re ready to start your MFT journey, try us out!
GoAnywhere MFT is a secure managed file transfer solution that supports healthcare providers like Covidien, US Oncology, Nemours Children’s Health System, and St. Vincent’s HealthCare in meeting HIPAA requirements and boosting security policies and practices. For over 20 years, we’ve helped these organizations and more find peace of mind and protection for their ePHI data—and we can do the same for you!
Explore which HIPAA and HITECH requirements we can help with or request a personalized demo of our solution. Either way, we’ll work with you to learn your challenges and find a way to overcome them.
Demo GoAnywhere Read Our HIPAA Datasheet