How to run a HIPAA compliant SFTP server

Some people believe that simply switching from FTP to SFTP makes their file transfers HIPAA compliant. That is not enough: whether you are compliant or not depends heavily on how you configure your SFTP server’s security settings.

First of all, it is important to understand that SFTP is not a stand-alone protocol: it is a subsystem of SSH, so securing your SFTP file transfers means making sure that the SSH channel carrying them is secure.

SSH is very fine-grained when it comes to security: it performs an algorithm negotiation as soon as the connection is established. During that phase the client and the server agree on a key exchange method, a host key algorithm, an encryption cipher (confidentiality) and a MAC (integrity), each picked from the lists both sides support. If the server offers weak algorithms in its lists and the client elects to use one of them, the security of the whole session drops to that of the weakest choice, and with it any claim to HIPAA compliance. You cannot rely on clients to choose well; the only reliable control is on the server side: do not offer weak algorithms at all.

Therefore, in order to comply with HIPAA, you have to make sure your SFTP (SSH) server offers only strong algorithms during the initial negotiation phase:

  • Avoid algorithms known to be “broken” (like DES, and RC4/arcfour)
  • Avoid short keys and truncated tags: ciphers with key lengths of 96 bits or less, and MACs truncated to 96 bits or less (for example hmac-sha1-96); in practice that means 128-bit keys or more, and full-length SHA-2 MACs
  • Avoid MAC algorithms built on “broken” hash functions (like hmac-md5)
  • Never offer the “none” cipher or MAC, which disables encryption or integrity checking altogether (obviously)
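The checklist above is easiest to apply, and to verify, on an OpenSSH-style sshd_config, where the offered lists are the Ciphers and MACs directives. The script below is an added example, not code from this article or from Server!: it audits a config file against the criteria above, and writes two constructed fragments (a legacy one that still offers 3DES, RC4, CBC mode, MD5 and a 96-bit MAC, and a hardened one with AEAD ciphers, SHA-2 MACs, modern key exchange and chrooted SFTP-only users) to show the weak setting beside the corrected one. The weak-algorithm patterns are this example’s own assumptions; the config fragments are constructed samples, not taken from any real server.

```shell
#!/bin/sh
# Added example (not the article's or Server!'s own code): audit the algorithm
# lists an OpenSSH-style sshd_config offers for SFTP, flagging entries that fail
# the article's criteria. The weak-algorithm patterns below are assumptions.

# Ciphers: DES/3DES, RC4 (arcfour), Blowfish/CAST (64-bit blocks), any CBC
# mode (OpenSSH dropped CBC ciphers from its defaults in 6.7) and "none".
WEAK_CIPHER_RE='^(none|des.*|3des.*|arcfour.*|blowfish-cbc|cast128-cbc|.*-cbc)$'
# MACs: anything MD5-based, any tag truncated to 96 or 64 bits, and "none".
WEAK_MAC_RE='^(none|hmac-md5.*|.*-96|.*-96-etm@openssh\.com|umac-64.*)$'

# Print "WEAK <keyword>: <algorithm>" for every weak entry in the Ciphers and
# MACs directives of the config file given as $1 (comments and blanks skipped).
weak_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r key list; do
        case "$key" in
            [Cc]iphers)    pat=$WEAK_CIPHER_RE ;;
            [Mm][Aa][Cc]s) pat=$WEAK_MAC_RE ;;
            *) continue ;;
        esac
        # OpenSSH accepts a leading +, - or ^ to modify its default list;
        # strip it so the first algorithm name is matched cleanly.
        list=$(printf '%s' "$list" | sed 's/^[-+^]//')
        printf '%s\n' "$list" | tr ',' '\n' | grep -E "$pat" | sed "s/^/WEAK $key: /"
    done
}

# Returns 0 when the config offers no weak algorithm, 1 (listing them) otherwise.
audit_sshd_config() {
    out=$(weak_entries "$1")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample fragments (not from any real server), written to the
# paths given as $1 (legacy) and $2 (hardened).
write_sample_configs() {
    cat > "$1" <<'EOF'
# Legacy fragment: still offers broken and weak algorithms
Subsystem sftp internal-sftp
Ciphers 3des-cbc,arcfour,aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
EOF
    cat > "$2" <<'EOF'
# Hardened fragment: AEAD ciphers, SHA-2 MACs, modern key exchange,
# and SFTP-only users chrooted with no forwarding
Subsystem sftp internal-sftp
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Demo: write both fragments to a temp dir and audit each one.
demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp/legacy.conf" "$tmp/hardened.conf"
    for name in legacy hardened; do
        if audit_sshd_config "$tmp/$name.conf"; then
            echo "$name.conf: no weak algorithms offered"
        else
            echo "$name.conf: FAIL, fix the lines above before exposing SFTP"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it against your real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero return means the server still offers something on the list. The hardened fragment also restricts the SFTP-only group to the internal SFTP server inside a chroot with forwarding disabled, so a compromised file-transfer account cannot be turned into a shell or a tunnel. Note that OpenSSH itself only speaks SFTP version 3, so the protocol-version choice discussed later does not apply to it.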

On top of that, to complicate things further, the SFTP subsystem protocol exists in seven draft versions (numbered 0 to 6), none of which was ever finalized as a standard. You should configure your server to offer only the most stable and widely implemented versions: SFTPv3 (the one most clients, OpenSSH included, speak), SFTPv5 and SFTPv6.

If you’re using Server!, HIPAA compliance comes out of the box: the moment you install it, the default configuration is already HIPAA compliant. A screenshot of that configuration is shown below.