Compliance
By using LiquidFiles, you will be able to send large files securely within the organization, to customers, contractors, accountants, patients, and anyone else you need to communicate with securely.
It will also help you achieve policy compliance for Sarbanes-Oxley, HIPAA, PCI and other standards by encrypting sensitive data in transit, providing cryptographically strong random access keys for accessing transmitted data, and achieving non-repudiation with download receipts of who downloaded what, from where (even by mapped locations) and at what time.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the minimum standards that health care organizations must implement to protect the security, privacy and confidentiality of patient data that is transferred over the Internet. LiquidFiles will help you achieve HIPAA compliance. This statement deals primarily with §164.312 Technical safeguards.
Please see the table below for the technical safeguards outlined in §164.312 and how LiquidFiles satisfies each of them:
Safeguards | Statement
---|---
Access Control — §164.312(a) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). | LiquidFiles supports dual email verification for accountless user authentication if desired, or can be configured to require all users to have individual user accounts. You can further configure integration with strong two-factor authentication systems and Single Sign-On (SSO) using the industry standard SAML 2 protocol.
Audit controls — §164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | All access to the LiquidFiles system is written to a log for audit purposes. Furthermore, all activity users perform using the LiquidFiles system is logged, including creating, modifying and deleting users, sending messages, and downloading files and messages.
Integrity — §164.312(c) Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | LiquidFiles does not support changing files in transit. Access to delete files and messages is restricted by user authentication, and audit logs exist to record details of any access to, and deletion of, files and messages.
Person or entity authentication — §164.312(d) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | LiquidFiles can use dual email verification to ensure that the user has access to the intended recipient email account before they can download any secure file. For stronger authentication, LiquidFiles supports two-factor authentication via smartphone apps, SMS and token authentication.
Transmission security — §164.312(e) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | LiquidFiles by default uses strong industry standard HTTPS connections with up to 256-bit symmetric encryption in supported browsers and no less than 128-bit symmetric encryption when using legacy browsers.
Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 requires that public companies implement IT controls to assure the accuracy of company financial records. These controls must include IT processes that provide for the security of data, central management of user accounts and the ability to audit and report on both internal and external file transfers.
Sarbanes-Oxley does not define the specifics of how these controls must be implemented; therefore many companies and SOX auditors have adopted the COBIT (Control Objectives for Information and Related Technology) standard for documenting, defining and evaluating internal controls. LiquidFiles satisfies many of these COBIT controls and assists you in meeting your Sarbanes-Oxley requirements, as seen in the table below. The table focuses specifically on the controls dealing with technical security in DS5 — Ensure Systems Security.
Control | Statements
---|---
DS5.3 — Identity Management | LiquidFiles can be configured so that all users require accounts to access the system, uniquely identifying each user. All accounts in LiquidFiles require authentication. Users can be divided into groups with separate access rights on a per-group basis, so that rights and responsibilities can be matched to a user's required access. LiquidFiles can easily be configured to authenticate users against central user repositories such as LDAP/Active Directory, or to use the standardised SAML 2 authentication protocol.
DS5.4 — User Account Management | LiquidFiles provides a web-based interface to easily manage all local users in the system. For easier administration, LiquidFiles can integrate with LDAP/Active Directory or SAML 2 based user repositories, including group-based access. This makes account management seamless, as changes to a user or to a user's groups are automatically reflected in that user's rights and access.
DS5.9 — Malicious Software Prevention, Detection and Correction | LiquidFiles uses a built-in anti-virus scanner that is automatically updated. All files sent through LiquidFiles are scanned by default. Further checks can be implemented as required, with the ability to execute custom scripts that verify each file before users are permitted to download it.
DS5.10 — Network Security | LiquidFiles is installed secure-by-default, with a host-based firewall configured to permit only the required access.
DS5.11 — Exchange of Sensitive Data | LiquidFiles by default uses strong industry standard HTTPS connections with up to 256-bit symmetric encryption in supported browsers and no less than 128-bit symmetric encryption when using legacy browsers. Message links are generated using OpenSSL cryptographically strong random numbers with an entropy of 128 bits. The file links in each message carry another 128 bits, and each individual download has its own 128-bit random key, making the total entropy 448 bits to guess a download link. Each transfer is logged, and download receipts are sent back to the sender with information on who downloaded the files and when, where they were located (IP, reverse DNS and geographically) and what device was used to download the files.
PCI DSS
The PCI Data Security Standard (PCI DSS) is the security standard for security management, policies, procedures, network architecture, software design and other critical protective measures for the payment process industry - including merchants, payment devices and services vendors, processors and financial institutions.
Control | Statements
---|---
Install and maintain a firewall configuration to protect cardholder data | LiquidFiles uses the built-in Linux firewall to allow connections only to the LiquidFiles functions that are required.
Do not use vendor-supplied defaults for system passwords and other security parameters | LiquidFiles does not come with any default passwords. Console access is disabled by default.
Encrypt transmission of cardholder data across open, public networks | LiquidFiles by default uses strong industry standard HTTPS connections with up to 256-bit symmetric encryption in supported browsers and no less than 128-bit symmetric encryption when using legacy browsers.
Assign a unique ID to each person with computer access | LiquidFiles can easily be configured with a central user repository such as LDAP or Active Directory to facilitate user provisioning.
Track and monitor all access to network resources and cardholder data | LiquidFiles logs all files that are transmitted: who sent them, who received them, when they were sent, when they were downloaded and from where they were downloaded. Even partial downloads are logged. Syslog can be configured to send logs to a central location.