HIPAA Compliance with HostedFTP

Hosted~FTP~ is HIPAA compliance verified by compliancy groupPlease click the icon to get our HIPAA compliance audit verification 

The evaluation standard § 164.308(a)(8) requires covered entities and Business Associates to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The Hosted~FTP~ HIPAA evaluation is performed by an external organization that provides evaluations/certification services that are qualified to provide the “HIPAA Seal of Compliance” which is the health care industry’s third-party HIPAA verification as there is no formal HIPAA compliance certification from the federal government or subsidiary regulatory agencies. The HIPAA Seal of Compliance has become the healthcare industry standard for verification. Federally-mandated HIPAA standards, regulated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), are fully addressed and incorporated into an effective, organization-wide compliance program.

The Hosted~FTP~ HIPAA compliance program evaluation process includes:

  • Annual completion of our HIPAA compliance program (see this link to request verification of our “HIPAA Seal of Compliance”)
  • a re-assessment of current threat, vulnerability and risk assessments when there is a significant environment change
  • tracking of known industry security issues and evaluation of evolving risk levels.
  • ongoing risk analyses, as required by the standard § 164.308(a)(8), to ensure our services meet changing security requirements
  • As part of our commitment to HIPPA compliance, Hosted~FTP~ will sign a BAA for customers with ET2 bundles and above

Hosted~FTP~ builds all of our application systems solely on top of the AWS cloud infrastructure and therefore shares the compliance responsibilities with AWS.

Hosted~FTP~ data location

When you subscribe to the Hosted~FTP~ services all data will then reside in the US at Amazon Web Services West Virginia location.

Hosted~FTP~ PHI data protection

The Hosted~FTP~ SaaS application has been designed to ensure that all protected health information (PHI) can be transmitted securely and stored in the Amazon Web Services securely. The data is 256 bit AES encrypted in transit, on arrival and at rest:

In transit

a) For transfers by web browsers, our website is secured by HTTPS with AES 256 b it encryption (certified by the US government for top secret information)

b) For transfers by FTP (i.e. FTP client programs, scripts, etc.) we support FTPS (FTP over TLS/SSL) with AES 256 bit encryption and  SFTP

On Arrival

Hosted~FTP~ encrypts the data as soon as it arrives at the Hosted~FTP~ Amazon cloud location and before any processing takes place to ensure that the data is never unprotected. This includes all data, credentials and file-names and folder names; a process that is unique to Hosted~FTP~.

At rest

Your files are encrypted with 256 bit AES encryption before they are saved to any disk. From there files are securely uploaded by HTTPS to Amazon S3 cloud storage, where Amazon encrypts the files a second time before they are stored.

Server Port lock-down & File integrity

Port lock-down

All Hosted~FTP~ servers are locked down completely except for the ports required to serve HTTP, HTTPS, FTP, and FTPS

File Integrity (chain of custody)

All files are fingerprinted with an MD5 hash that is stored with reference to the file. When the file(data) is retrieved the MD5 hash is recreated and compared against the original to establish proof that there has been no tampering.

Privacy and Intrusion protection

All Hosted~FTP~ accounts are only accessible by username and password; the account administrator grants sharing and login privileges to the users, contacts, folders and files in the account. SFTP supports both username/password and username/PKI key combination

Multi-Factor Authentication

Hosted~FTP~ has implemented 2-step verification using the Google Authenticator app on your mobile phone. This feature requires the user to present a valid 6-digit authentication code provided by their MFA mobile device app, in addition to their username and password, before they can sign in. For Hosted~FTP~ the 6 digit code is added after the username/email field on the login prompt i.e. username/email: ftp@hostedftp.com 162839 Password: password123

Password Complexity

Enterprise T2/T5/T10 accounts have an additional security level feature. Hosted~FTP~ provides a password policy setting on an account level affecting all users. The setting forces all users of the account to maintain a complex password level of difficulty chosen by the account administrator. Customize your password policy’s requirements on: minimum amount of characters, uppercase, lowercase, numerical, and non-alphanumeric characters. More info can be found here.

Restricted SaaS service

Hosted~FTP~ does not allow any user programs to execute at all; our clients can only use our service to upload, retrieve and provide email notifications by our secure email server.

Full audit trail of all activities

We provide logs of all user login activity and also upload/download activity for purposes of audit and tracking in each user account in the form of daily Excel and/or .CSV files stored in each account. The detailed logs track info such as: IP address, direction of transfers, method of protocol, date and time, and more. More info here.

IP Whitelisting

Enterprise T2/T5/T10 accounts have an additional security level feature. Hosted~FTP~ provides IP whitelisting at the account level as well as each individual user level. Once IP whitelisting is enabled the user must be coming from the IP addresses specified, otherwise they will experience login failures. IP addresses can be input individually or by CIDR address range. More info here.

Backup and recovery

We are 100% cloud, meaning that all of our infrastructure is hosted in the Amazon Cloud. “Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage. ” see this link for further details. Amazon has many processes and certifications to guarantee the safety and reliability of the files stored in S3. We adhere to all Amazon’s security best practices. Amazon redundantly stores files on multiple devices across multiple facilities in an Amazon S3 Region before we provide a SUCCESS to the user.

Hosted~FTP~ maintenance and AWS SLA standards

Hosted~FTP inherits the AWS infrastructure SLA with a commitment as noted below. Please see the links for further info.:

“AWS will use commercially reasonable efforts to make Amazon S3, EC2 and Amazon EBS each available with a Monthly Up-time Percentage (defined below) of at least (see below) in each case during any monthly billing cycle (the “Service Commitment�?)

http://aws.amazon.com/ec2/sla/  SLA is 99.95 %

http://aws.amazon.com/s3/sla/   SLA is 99.9%

Hosted~FTP~ has a reserved maintenance window on Saturday from 10 am to 12 PM.  The scheduled maintenance releases are typically infrequent and of short duration.

Amazon Web Services compliance & security standards

The AWS infrastructure follows HIPAA compliance. The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best-practices. Please review the following links

AWS Component SLA standards

  •  Amazon S3 is designed for 99.99% availability and 99.999999999% durability (see this link)
  • Amazon EBS volume data is replicated across multiple servers in an Availability Zone to prevent the loss of data from the failure of any single component. HFTP configures multi-availability zones for transparent recovery from any failures. (see this link)
  • Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, as configured by HostedFTP (HFTP) (see this link).
  • Amazon EC2 Service Level Agreement commitment is 99.95% availability for each Amazon EC2 Region. (see this link)

Reference links
http://aws.amazon.com/security/
http://aws.amazon.com/s3/
http://aws.amazon.com/ec2/
http://aws.amazon.com/rds/

Getting Started
Signing up for a Free Trial
Basic steps to Setup
Purchasing your account
Choosing the right account type: Enterprise and SMB
Logging into your account
How to login with a Web Browser
How to Login to an FTP client via FTP
How to Login to an FTP Client via SFTP
Logging in by FTP URL with Username and Password
Reset and change your password
How to Update an Expired Password
Administrator Initial Setup
Account-level options
Force Secure Protocols only (FTPS/HTTPS/SFTP)
Enabling a Password Policy
Enabling CJIS Compliance Policy
Add IP whitelisting
Configuring Web Access
Configuring FTP/SFTP Access
Implementing Multiple Administrators
Branding
Adding branding to your account
Branding Contact Logins
Creating a Custom Subdomain (ftp.yourdomain.com)
Web Interface
Home Tab
Files Tab
Contacts Tab
Users Tab
Plugin Tab
Setup Tab
Adding a User or Contact
Adding a Contact by Email Address
Add a User by Email Address
Add a User by Username
Using Groups
Account setup PDF Guides (*.pdf)
Activated Account Limits
Shared Folders
Configuring for Restricted Shared Folders (FUSN)
Creating Folder Structures for Sharing
Detailed Steps to Sharing Files/Folders
Managing Shared Folder Privileges
Add real-time notifications to uploads/downloads
Audit logs and Real-time Reports
Using Real-time Reports
Example Report Filters
More Example Report Filters
Exporting a Report
Enable audit logs for logins, file transfers, and deletes
Accessing and viewing your audit logs
Steps to sharing the logs folder
Anonymous Access
Creating A Public Link
Anonymously Sharing Files and Folders
Transferring Files
Uploading Files by Web Browser
Uploading Files by FTP Client
Download your FTP/SFTP server files from any browser
Download files with an FTP client
Using the Send function to securely send files through a web-based link
Using the Send function from your Files tab
Managing Mail Events (Send and Receive function)
Drag & Drop
Hosted FTP Drag and Drop
Enabling Drag & Drop on Legacy IE Browsers
Website Plugin
Integrating the Upload Plugin into your Website and Business
Web Plugin Overview and Guide
Plugin Brand Customization
Embed the Plugin into Your Website
Adding Additional Security (CAPTCHA, Password)
Security and Compliance Info
Security Model Overview
Security Model Details
Multi-Factor Authentication
MFA Initial setup for a standard user by Admin
MFA by User (Multi-Factor Authentication)
MFA reset on managed user
MFA reset on a standard user
SSO
Configuring Single Sign-On (SSO) for your account
Configuring Okta with OpenID
Configuring AzureAD with OpenID
Enabling Single Sign-On (SSO) for user logins
Certificate & Host Key Info
SSL Certificate Info
Trusting the Hosted~FTP~ SSL Certificate
SSL Server Test
FTPS Host Keys
SFTP (RSA/DSA) Host Keys
Configuring PKI Support
Compliance Info
GDPR
WCAG 2.0
SOC2
CJIS
HIPAA
Bundle Features
Hosted~FTP~ vs. AWS Transfer Family
Group vs. Enterprise bundle features
Enterprise T1 vs. T2 Bundle Comparison
Enterprise T2 Plan Features
Different user types and function comparisons
Difference between users and contacts
Sync Feature
Configuring a Sync to SFTP Gateway
Configuring a Sync to S3 Gateway
Regular expressions with Sync feature
File Retention Policy
Configuring a File Retention Policy
File Retention Policy Examples
Account Management
Purchasing your account
Payments & Billing
Choosing a payment plan
Renewing an expired account
Changing a Bundle or Payment Plan
Changing Credit Card Information
Reviewing billing statements
Trial Account Limits
How is Storage Calculated?
Reviewing account resources and usage
Switching Account Bundles
Changing the Account Administrator
Administrator Access to User Accounts
Cancelling an Account
FTP/FTPS/SFTP Connections
Hosted~FTP~ IP Addresses
SFTP (RSA/DSA) Host Keys
Connect with Plain FTP
Connect with Secure FTPS/SFTP
Connecting with an FTP Client
FTP vs FTPS vs SFTP
Command Line (CLI)
How to connect to your remote site using the command line
How to login to SFTP with one line on Linux
Understanding FTP commands in the command line
Connecting through SFTP by Command Line (CMD)
Using PKI keys to connect to Hosted~FTP~ on linux
Importing PuttyGen PKI Keys to Linux
FTP/FTPeS command line error codes and their meaning
Windows Network Locations
Add Network Location Windows XP
Add Network Location Windows 10/8/7
MAC
Connecting from a Mac Computer Terminal
FileZilla
Using Filezilla with FTP/FTPS
Using FileZilla with SFTP
WebDrive
Connecting to WebDrive
Using WebDrive
WinSCP
Installing WinSCP
Uploading & Downloading with WinSCP
WinSCP Scripting
Executing WINSCP script from a saved site
Executing WINSCP script without a saved site
Transfer new and updated files only
Backup Scripts with WinSCP
Keep Folders up to date
AndFTP
Uploading & Downloading with AndFTP
Searching, Resume Support & Third-party Sharing with AndFTP
FTP, SFTP Use Cases in Industries
EDI document transfers
Integrating the Upload Plugin into your Website and Business
Accounting
Technology
Energy
Healthcare
Printing
Media
Analytics
Retail
Architecture
Finance
Legal
Construction
Education
Engineering
Insurance
Manufacturing
Real Estate
Call Center
Best Practices
Use Cases
Exporting EDI files to FTP for download
User Optimization
Create a Managed User
Giving a User Read-only Access
Giving a User Full Access
Default FTP Folder Destination
Set a 0GB Storage Quota
Deleting a User and Keeping their Files
Importing Multiple Users & Shared Folders
Importing Users in Bulk – Syntax and Definitions
Importing Restricted Shared Folders in Bulk – Syntax and Definitions
Detailed Steps and Example Templates for Importing
Exporting a User List
Combine multiple audit logs
Managing FTP Files and Storage in your Account
Moving Files from a User to an Administrator
Video Tutorials
QuickStart
FUSN
Branding
Web Interface
Home Tab
Files Tab
Web Plugin
AndFTP
AndFTP – Connecting, uploading and downloading
AndFTP – Searching, resume support and third-party sharing
WinSCP
WinSCP – Downloading, Installing and Understanding
WinSCP – Connecting with FTP, FTPS, SFTP, uploading and downloading
WinSCP Backup Script
CyberDuck
Cyberduck– Connecting with FTP,FTPS, SFTP, Uploading and Downloading
Cyberduck– Quick Look, Transfer Queue and Synchronizing
Cyberduck – Bookmarks, Editing and using Multiple Connections
FileZilla
FileZilla -Downloading, Installing and Understanding FileZilla
FileZilla – Connecting with FTP, FTPS, SFTP and uploading and downloading
FileZilla – Importing/Exporting Site Connections, Editing and Logs
FileZilla Tools – Bookmarking, Searching, using Multiple Connections
Our FTP Client Reviews
Desktop FTP Client Summary
Mobile FTP Client Summary
PSFTP Review : Our Rating 7.5/10
NetDrive Review: Our Rating 8.5/10
Filezilla Review: Our Rating 9/10
AndFTP Review:Our Rating 7.8/10
ES File Manager Review: Our Rating 5/10
FTP Ready Review:Our Rating 5/10
FTP On The Go Review:Our Rating 8/10
CyberDuck Review: Our Rating 9/10
Classic FTP Review: Our Rating 8/10
WebDrive Review: Our Rating 9.5/10
Fling FTP Review: Our Rating 9/10
SmartFTP Review: Our Rating 7/10
MultCloud Review: Our Rating 10/10
Troubleshooting
Hosted~FTP~ Quota Messages and Definitions
Error: QUOTA_USER_STORAGE or QUOTA_USER_BANDWIDTH
FTP/FTPeS command line error codes and their meaning
Troubleshooting FTP in the command line and common errors.
No matching host key found
Storage Quota Notification: Remedial action
Troubleshooting FTP in the command line and common errors.
Troubleshooting “Can’t verify publisher”
Troubleshooting Drag and Drop
Drag and Drop Troubleshooting for Mac
Troubleshooting FTP/SFTP client connection problems
Troubleshooting slow upload speeds on Windows
No matching host key found
File not visible to admin
File uploaded successfully but not visible in account
Usernames – Guidelines and Restrictions
Download Center
Contact Sales & Support
Joining GoToMeeting by Browser
Joining GoToMeeting by Client