With the rising risk of a data breach, regulatory compliance is not optional. Avoid falling out of compliance with FERPA and HIPAA through proper encryption, user management, network protection, and the use of managed file transfer.
A data breach costs trust in your organization. While this is true of any industry, exposing patient or student information carries an even greater stigma. FERPA, HIPAA, and compliance in file transfer and storage are a necessity in healthcare and education.
Compliance is more important than ever as remote work increasingly takes file transfer outside the office. The risk of damaging fines and fees continues to climb.
Who Does HIPAA Apply To?
FERPA and HIPAA apply to two distinct groups. There is some overlap such as when schools store student information. Still, the Health Insurance Portability and Accountability Act, HIPAA, applies mainly to companies and organizations in the medical field.
Under the law, you need to secure any type of electronic, written, or oral patient information. Organizations must obfuscate protected health information, PHI, when sharing data.
- § 164.308(a)(5)(ii)(C): Asks organizations to implement log-in monitoring including attempts and discrepancies
- § 164.308(a)(1)(ii)(B): Requires the implementation of security measures to reduce risk
- § 164.308(a)(1)(ii)(D): Requires procedures for regular review of information systems activity
- § 164.312(a)(2)(i): Requires systems to track and identify users
- § 164.312(a)(2)(iv) and (e)(2)(ii): Asks that healthcare organizations implement the strongest available encryption standards
- § 164.312(b): Requires organizations to implement software and procedural mechanisms to record activity in systems containing identifiable information
With file transfer services storing patient data for remote employees and firms offering analytics services, healthcare companies need to be mindful of these requirements. Fines for violations range from $100 to $50,000, not to mention the potential damage to patient trust.
When to Follow FERPA
While HIPAA applies to healthcare, schools and educational institutions are covered by FERPA. All schools that receive funds from the US Department of Education and, by extension, those they interact with must follow the Federal Educational Rights and Privacy Act.
Certain types of personal identifying information, PII, such as grades cannot be made available to anyone with relatively few exceptions. Only teachers and officials with a legitimate educational interest, authorized auditors, and people or groups with express parental permission have legal access to this information.
Many states enacted stricter regulations on top of FERPA. Colorado requires any organization storing and transferring student data to create a plan for complying with the national law and submit compliance standards, audits, and breach procedures for review. At least 44 states enacted laws since 2013.
Does HIPAA Apply to Schools?
Even though schools are educational institutions, there are times when HIPAA applies. Schools may keep patient records related to physical activity, illness, and mental well-being.
All patient information is covered under HIPAA. Schools must take adequate steps to protect this data.
Is it Required to Follow HIPAA and FERPA Guidelines?
HIPAA contains a set of addressable and required activities. FERPA asks educational organizations to do everything in their power to protect student information. Neither law enacts specific standards; that gives them flexibility, but can also be confusing.
While the laws often ask that you do all that is reasonable to protect identifiable information, that does not mean you can ignore them. HIPAA requires you to create a reasonable alternative if you cannot comply with addressable parts of the statute. Equally as important, the average cost of a data breach in 2020 was $3.86 million while defunding and fines resulting from a lack of compliance.
Disclosure and File Transfer
Disclosure of personally identifiable information, both PII and PHI, occurs in numerous circumstances. It is not necessary to physically send or show an unqualified party personally-identifying information to be in violation of these laws. Ill-will is not even necessary.
Unencrypted transmissions disclose information over your network, overly broad user permissions lead to ineligible parties accessing damaging private data, and attackers targeting unprepared targets bring about dire consequences. Disclosure may be intentional or unintentional, malicious or accidental.
File transfer and storage are particularly vulnerable weak points. It is likely that analysts, teachers, and doctors will send documents throughout the course of their work. This introduces your data to networks, storage systems beyond your control, and many other unknowns.
Addressing these weak points requires finding a tool that allows you to implement user controls, encryption, monitoring, and auditing. Implement security at every step of the file transfer process to comply with FERPA and HIPAA guidelines.
Creating a Transfer-Minded Action Plan
The best way to avoid a breach is to implement current best practices for security and user management. Every organization should create a transfer-minded security policy. There are many factors to consider when drafting this document.
Among the file-transfer and storage-related topics are:
- Password standards
- Defining user groups and roles to limit access to information
- Encryption standards in storage and in transit
- Firewalls limiting access to certain devices and networks
- Network security for any cloud services
- Network and threat monitoring
- A framework for threat response
Digging into how data moves across your network helps you spot potential trouble spots before they are exploited. Make sure to trace every potential interaction before drafting a security policy.
With remote work taking off, file transfer no longer occurs within organizations but across many networks.
A crucial first step to thwarting attacks is often to implement a firewall. Operating systems, routers, and other devices allow administrators to limit access to known IP addresses.
Using Network Security Groups and Virtual Networks in Azure
If your organization takes advantage of the benefits of the cloud, you need to understand how to implement IP-based protection remotely. Microsoft Azure uses security groups to protect applications against unwanted access.
Setting up security groups works much like creating an on-premises firewall. Make sure to add only trusted IP Addresses. Never allow all traffic. Limit activity between both Azure services and users.
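The check below is an added example, not part of the original article or any vendor's tooling. It reviews a list of inbound rules for sources that allow all traffic or fall outside a trusted range; the rule dictionaries are a simplified, constructed stand-in that borrows the `direction`, `access` and `sourceAddressPrefix` field names from Azure security rules, and the trusted range is an assumption.

```python
import ipaddress

# Source values that mean "anyone" in a rule.
OPEN_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

# Constructed sample rules (simplified; not exported from a real subscription).
SAMPLE_RULES = [
    {"name": "sftp-from-clinic", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/28"},
    {"name": "https-any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*"},
    {"name": "sftp-contractor", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "198.51.100.7"},
    {"name": "vnet-internal", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork"},
    {"name": "deny-rest", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*"},
]
TRUSTED_CIDRS = ["203.0.113.0/24"]  # assumed office range (documentation prefix)


def audit_inbound_rules(rules, trusted_cidrs):
    """Return (rule name, reason) for each inbound Allow rule whose source
    is open to everyone or is not inside one of the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue  # Deny and outbound rules are out of scope for this check
        source = rule["sourceAddressPrefix"]
        if source.lower() in OPEN_SOURCES:
            findings.append((rule["name"], "allows all traffic"))
            continue
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            # Service tags and other named sources cannot be compared by range.
            findings.append((rule["name"], "source is not an IP range; review by hand"))
            continue
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append((rule["name"], "source outside trusted ranges"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_inbound_rules(SAMPLE_RULES, TRUSTED_CIDRS):
        print(f"{name}: {reason}")
```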
In addition to security groups, you can implement virtual networks in the cloud. An Azure Virtual Network lets your services and users communicate securely in an isolated environment.
The same analogs apply to Amazon Web Services. A managed file transfer solution can help with encrypting data at rest and in motion. It’s an important part of any secure file transfer strategy to have the tools necessary to make sure data stay secure and compliant, even in the cloud. Progress MOVEit allows you to interact with S3 buckets. Protect these resources in the same way using an AWS Virtual Private Cloud and AWS Security Group.
Protecting Network Transmission
HIPAA and FERPA do not directly require the use of secure networking. However, with requirements for data protection and encryption, it is in your best interest to use at least an SSL certificate.
Man-in-the-middle attacks and spoofing allow hackers to pick off packets in transit. Never leave your data open to the public even if transmission occurs between known users. This is especially a problem when companies use FTP servers without proper authentication and encryption.
An encrypted file transfer service is a great way to protect your information. Many managed file transfer tools go beyond the default capabilities of email and operating systems by automatically implementing best practices. MOVEit uses SSL to protect data in transit.
Best Way to Encrypt Files for Cloud Storage
Despite securing communications, your data is still vulnerable at rest. If an attacker gains access to your system, which can occur even when you implement strong security measures, data that is left unprotected falls prey to unwanted eyes.
The National Institute of Standards and Technology recommends using the AES-256 standard to keep stored data secure. MOVEit takes care of encryption on-premises and in the cloud, giving you peace of mind without additional legwork.
Once you define encryption standards and protect data over the network, the next step is to choose the right authentication mechanism. You need to ensure that the people accessing files are who they say they are.
Multi-factor authentication is a great way to improve organizational security. This requires identification through at least two different devices. The three factors that make this method effective are a pin or password the user knows, a secondary device in their possession, and a required interaction on the secondary device such as retrieving a code or voice recognition.
Limit Access to Specific Users
Even with authorization and data protection, unauthorized users can access records. This is a major issue when conforming to FERPA requirements as the law specifically addresses who may view student data.
Business-class file transfer services like MOVEit and even open-source tools like FileZilla allow you to create specific user groups. This feature enables you to limit access to folders to those with a legitimate interest in your data.
Monitor Logins and File Access
Once you deploy your information systems, a strategy for logging access to your file system is key to stopping a small breach before it becomes a torrent. Keeping a ledger for logins and file access supports compliance audits and helps spot unusual usage.
Many file transfer services automatically store logs. Ensure that date stamps, usernames, and relevant files are included in each log item. While storing more information comes with extra costs, it helps your IT team discover and react to issues quickly.
In addition to data points, HIPAA requires you to store logs for six years. Compressed storage in AWS Glacier or your own cold storage can help minimize the cost of log storage.
With logging in place, you can stay on top of file system activity. There are two types of tools that help you spot an attack or problem early. Security monitoring tools such as Datadog or Elasticsearch include anomaly detection while network monitoring tools like Progress WhatsUp Gold give you a broad overview of requests.
A combined approach involving vigilance and technology works in your favor to prevent unauthorized access. Watch your systems using a networking tool while setting up alerts in both to avoid picking through logs on your own.
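The log checks described in this section can be sketched as follows. This is an added example, not part of the original article or any product's log format: the key=value line layout, the field names, and the threshold of three failed logins in five minutes are assumptions. It reports log items missing a date stamp, username, or file, and users with repeated failed logins.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("timestamp", "user", "action", "file")

# Constructed sample lines in a hypothetical key=value format.
SAMPLE_LOG = """\
timestamp=2024-03-04T08:01:10 user=jlee action=login_failed file=-
timestamp=2024-03-04T08:01:25 user=jlee action=login_failed file=-
timestamp=2024-03-04T08:01:41 user=jlee action=login_failed file=-
timestamp=2024-03-04T08:02:03 user=jlee action=login_ok file=-
timestamp=2024-03-04T08:02:30 user=jlee action=download file=/records/grades_2024.csv
timestamp=2024-03-04T09:15:00 action=download file=/records/labs.pdf
timestamp=2024-03-04T09:40:12 user=mroy action=login_failed file=-
"""


def audit_log(text, max_failures=3, window=timedelta(minutes=5)):
    """Return (incomplete, flagged): line numbers missing a required field,
    and users with at least max_failures failed logins inside the window."""
    incomplete, failures, flagged = [], defaultdict(list), set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if any(not entry.get(key) for key in REQUIRED):
            incomplete.append(lineno)  # cannot be attributed in an audit
            continue
        if entry["action"] == "login_failed":
            when = datetime.fromisoformat(entry["timestamp"])
            # Keep only this user's failures that are still inside the window.
            recent = [t for t in failures[entry["user"]] if when - t <= window]
            recent.append(when)
            failures[entry["user"]] = recent
            if len(recent) >= max_failures:
                flagged.add(entry["user"])
    return incomplete, sorted(flagged)


if __name__ == "__main__":
    missing, users = audit_log(SAMPLE_LOG)
    print("incomplete log items at lines:", missing)
    print("repeated failed logins:", users)
```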
Audit your Systems
Even if your initial strategy works well, security guidelines change over time. Since HIPAA and FERPA do not directly recommend standards, you need to stay on top of
Keep your file transfer service updated and use a third-party audit from companies such as Dash to avoid problems. Online compliance services check your systems regularly to help protect you from a data breach.
Making Use of the Cloud
There are many elements that come together to protect sensitive information. Hardware, software, and people all ensure that your systems are robust.
Eliminating complexity makes monitoring more effective. There are fewer parts that can fail in your system. Microsoft Azure and AWS allow you to outsource hardware management to services built for compliance. You can deploy MOVEit directly through the Azure marketplace or on AWS.
Staying Secure in the Data Age
FERPA, HIPAA, and compliance in file transfer and storage are not optional. Every organization must comply or risk a loss of trust and significant penalties in the event of a data breach. Using a managed file transfer service available on the cloud is a significant step that educational and healthcare-related institutions can take to avoid a data breach.
When sharing files, make sure to pick a tool that is easy to manage, easy to audit, and easy to control. There are many possible ways to accidentally disclose personal information.