If you are using FTP, you should really stop!

February 28, 2013 • By Erik Kangas • In Business Solutions, LuxSci Library: HIPAA, LuxSci Library: Security and Privacy

FTP, the “File Transfer Protocol” has been around almost since the inception of the Internet.  As anyone with a web site knows, it permits files to be easily uploaded to and downloaded from servers.  It is built into every kind of web site authoring software and even into most web browsers.

Unfortunately, FTP suffers from the same design flaw that pervades the basic usage of email services like POP, IMAP, and SMTP.  If used in its default form, all data sent between your computer and the server is sent unencrypted, in “plain text”.  This includes your username, your password, and all file data.

Essentially, if you are in a wifi hotspot, anyone there can likely get your username and password and read your files.  Similar things can happen even through your direct or office network connections.  Connecting via FTP is like walking down the hall with your username and password taped to your forehead: anyone (or any hidden camera) can see it and use it.
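To make the plaintext problem concrete, here is an added example (not code from this post or from LuxSci) that audits a captured FTP control-channel conversation the way a defender reviewing a hotspot capture would: it records whether USER and PASS crossed the wire unencrypted and which file names were exposed, without ever storing the password value. The session records, the host name ftp.example.test, the user alice and the file names are all constructed for the example. It also goes slightly beyond the post by recognizing a session that upgraded the channel with AUTH TLS (explicit FTPS) before logging in, since everything after the server's 234 reply is ciphertext to a sniffer.

```python
"""Audit captured FTP control-channel traffic for credentials sent in the clear.

Added example for this post, not LuxSci's code. The capture below is a
constructed, simplified list of (direction, line) records for TCP port 21 as
a sniffer on the same hotspot would see them; nothing is read from the network.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (direction, line): "C" = client -> server, "S" = server -> client
Record = Tuple[str, str]

# Constructed sample. Session A is default (plaintext) FTP. Session B issues
# AUTH TLS first (explicit FTPS), so everything after the server's 234 reply is
# TLS ciphertext to a sniffer; the opaque records stand in for that.
CAPTURED_SESSIONS: Dict[str, List[Record]] = {
    "A": [
        ("S", "220 ftp.example.test FTP server ready"),
        ("C", "USER alice"),
        ("S", "331 Password required for alice"),
        ("C", "PASS hunter2"),
        ("S", "230 User alice logged in"),
        ("C", "RETR patient-notes.txt"),
        ("S", "150 Opening data connection"),
    ],
    "B": [
        ("S", "220 ftp.example.test FTP server ready"),
        ("C", "AUTH TLS"),
        ("S", "234 Proceed with negotiation"),
        ("C", "<TLS handshake, 196 bytes>"),
        ("S", "<TLS handshake, 1402 bytes>"),
        ("C", "<TLS application data, 53 bytes>"),
    ],
}


@dataclass
class Finding:
    session_id: str
    tls_upgraded: bool = False
    exposed_user: Optional[str] = None
    password_exposed: bool = False          # the value itself is never recorded
    files_in_clear: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.password_exposed:
            return "HIGH"
        if self.exposed_user or self.files_in_clear:
            return "MEDIUM"
        return "INFO"


_COMMAND = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def audit_session(session_id: str, records: List[Record]) -> Finding:
    """Walk one control-channel conversation and note what a sniffer learned."""
    finding = Finding(session_id)
    awaiting_tls_reply = False
    for direction, line in records:
        if direction == "S":
            # A 234 reply to AUTH TLS means the rest of the channel is ciphertext.
            if awaiting_tls_reply and line.startswith("234"):
                finding.tls_upgraded = True
                break
            awaiting_tls_reply = False
            continue
        match = _COMMAND.match(line)
        if not match:
            continue  # not a readable FTP command (e.g. an opaque TLS record)
        command = match.group(1).upper()
        argument = (match.group(2) or "").strip()
        if command == "AUTH" and argument.upper() in ("TLS", "SSL"):
            awaiting_tls_reply = True
        elif command == "USER":
            finding.exposed_user = argument
        elif command == "PASS":
            finding.password_exposed = True
        elif command in ("RETR", "STOR", "APPE"):
            finding.files_in_clear.append(argument)
    return finding


def audit_capture(capture: Dict[str, List[Record]]) -> Dict[str, Finding]:
    return {sid: audit_session(sid, recs) for sid, recs in capture.items()}


def describe(finding: Finding) -> str:
    """One report line per session, suitable for a log or ticket."""
    if finding.password_exposed:
        detail = f"username {finding.exposed_user!r} and password sent in plaintext"
    elif finding.tls_upgraded:
        detail = "channel upgraded to TLS before login; credentials not visible"
    else:
        detail = "no credentials observed"
    if finding.files_in_clear:
        detail += f"; files named in the clear: {', '.join(finding.files_in_clear)}"
    return f"[{finding.severity}] session {finding.session_id}: {detail}"


if __name__ == "__main__":
    for finding in audit_capture(CAPTURED_SESSIONS).values():
        print(describe(finding))
```

Running it prints one line per session: session A is rated HIGH because both the username and the password were readable, and the requested file name is listed alongside; session B is rated INFO because the login happened inside TLS. The same walk could be pointed at real control-channel text exported from a capture tool, but the audit only reports that a password was exposed, never the password itself.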

So, what can you do?

You can use “Secure FTP” (SFTP).  This is FTP-style file transfer over a “Secure Shell” (SSH) connection, and it provides encryption for your files, your username, and your password.  It solves the inherent security issues with using regular FTP (just as the use of SSL and TLS resolves the security issues inherent in regular POP, IMAP, SMTP, and WebMail).

Most modern web design programs now support SFTP in addition to FTP (e.g. Dreamweaver); many web browsers support browsing SFTP sites via add-ons (e.g. the FireFTP add-on for Mozilla Firefox); and there are many free SFTP programs for direct file uploading and downloading (e.g. FileZilla).

You should abandon FTP in favor of SFTP for your own safety.

FTP and SFTP and HIPAA

HIPAA demands that all possible ePHI be transmitted securely across the Internet, and also demands that authentication credentials be protected.  This automatically makes FTP a “no go” for customers who require HIPAA compliance; they must use SFTP.  At LuxSci, all HIPAA accounts are restricted from using regular FTP (as well as any other unencrypted network service that could carry ePHI or that requires your username or password).

About Erik Kangas

With 30 years engaged in both academic research and software architecture, Erik Kangas is the founder and Chief Technology Officer of LuxSci, playing a core role in building the company into the market leader for HIPAA compliant, secure healthcare communications solutions that it is today. An international lecturer on messaging security, Erik also advises and consults on email technology strategies and best practices, secure architectures, and HIPAA compliance. Erik holds undergraduate degrees in physics and mathematics from Case Western Reserve University, and a doctoral degree in computational biophysics from MIT.