Some people believe that simply switching from FTP to SFTP will make their file transfers compliant to the HIPAA regulation. Well, that’s actually not enough. Whether you’re compliant or not strongly depends on how you configure your SFTP server’s security settings.
First of all it is important to understand that SFTP is not a stand-alone protocol, it is actually a subsystem of the SSH protocol, and therefore securing your SFTP file transfers means making sure that the SSH channel that’s around them is secure.
SSH is a very fine-grained protocol when it comes to security, in fact it features a very effective “security scheme negotiation” upon connection establishment. During such phase, the client and the server negotiate a range of supported encryption (protection) and MAC (verification) algorithms. If the server offers some weak algorithms during such phase, and if the client elects to use one of them, then the security level drops tremendously, and HIPAA compliance is gone. Continue reading