HIPAA Compliance Statement
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the minimum standards that health care organizations must implement to protect the security, privacy and confidentiality of patient data that is transferred over the Internet. This statement deals primarily with sections 142.308(c) and 142.308(d) of this Act.
HIPAA requires that all patient data that is transmitted over the Internet must be encrypted using industry standard 128-bit encryption algorithms. MFTExpress uses these algorithms as well as several other methods to ensure data security.
| Feature | Benefit |
|---|---|
| Physical Security | MFTExpress servers are housed in a secure data center with a 24x7 network operations center and on-site security. Advanced fire protection, fire suppression and access detection systems protect your server from physical damage or theft. |
| Information Security | MFTExpress supports several industry standard secure file transfer protocols that exceed HIPAA information security requirements. These protocols include FTPS (FTP over SSL), SFTP (FTP over SSH) and HTTPS. With these protocols, all data and commands are encrypted between the client and server. For additional protection, MFTExpress offers optional PGP encryption capabilities, and data may be automatically encrypted upon successful upload to the server. |
| Access Controls | Each MFTExpress user is configured with its own set of virtual directories and permissions. This ensures that users can only see the data they have been given access to, and not the data of other users. To prevent users from connecting over insecure protocols and violating HIPAA requirements, all MFTExpress users are required to connect using a secure protocol such as FTPS (FTP over SSL), SFTP (FTP over SSH) or HTTPS. Access over non-secure protocols such as standard FTP or HTTP is not available. |
| Intrusion Detection | MFTExpress is configured to detect brute force password attacks and automatically block the client IP address from future requests. In the event that an IP address is blocked, an MFTExpress system administrator is immediately notified via email to investigate the incident further. |
| Internal Auditing | MFTExpress logs each and every session and the actions that occurred within that session. Log data is regularly backed up to a secure server. MFTExpress does not allow anonymous access, preventing users from connecting anonymously and ensuring that user access can be tightly monitored. |
