They say you never know until it hits you. Whoever “they” are, they’ve got a point – especially if the “it” is failing to secure someone’s personal, protected health information (PHI). Once this sensitive data is divulged, the genie is out of the bottle – and the impact can be staggering.
Just ask Advocate Health Care Network, which in 2016 agreed to pay the HHS Office for Civil Rights (OCR) $5.55 million to settle three separate 2013 breaches that together affected about 4 million patient records. OCR's findings included an inadequate risk analysis, a missing business associate agreement with a vendor, and an unencrypted laptop containing patient records that was stolen from an employee's car.
Even beyond the regulatory fines that can come with HIPAA violations ($100 to $50,000 per violation, tiered by your degree of culpability, with an annual cap per provision, for failures such as skipping risk assessments or leaving devices unencrypted), the real issue is your patients' welfare. If their protected health information is made public, it harms them personally. Not only will you have lost the trust of someone you have sworn to "do no harm" to, but they may also take legal action against you for damages.
How to Heed This Wake-Up Call
Clearly, failing to protect PHI is no small matter, but what does it have to do with your website? Everything. If you host, or plan to host, a website that will interact with patient information, then security is everything. Hackers run a lucrative business selling medical records, and they get better at stealing them all the time. So why make it easy for them?
It behooves you, then, to find a HIPAA web hosting specialist with proven cybersecurity expertise, and to verify that the host actually follows HIPAA guidelines. The goal is to preserve the confidentiality, integrity, and availability of the data. Don't wait for the wake-up call that your site has been attacked; by then it may be too late.
But how does HIPAA hosting differ from traditional web hosting? There are some clear indicators: a host that does not specialize in HIPAA will likely NOT provide all of the following (ask them specifically whether they can):
- A signed Business Associate Agreement (BAA)
- Monthly vulnerability scans of your servers and mitigation of the vulnerabilities discovered.
- Encryption of your data, both in transit and in storage.
- Server hardening
- Off-site backups
- Log retention of 6 years
Let's briefly review these items one by one, so you understand them before discussing them with your prospective HIPAA-compliant host:
Business Associate Agreement (BAA)
A covered entity must obtain a signed Business Associate Agreement from any business associate, including a hosting provider, that creates, receives, maintains, or transmits ePHI on its behalf. The BAA is the HIPAA-mandated contract in which the provider commits to safeguarding patient data, both in transit and at rest on all of its servers, and to reporting any breach to you. A signed BAA shows that your hosting provider understands and accepts the responsibility of handling PHI; since the 2013 Omnibus Rule, business associates are directly liable under HIPAA for protecting that data from unauthorized access, just as you are. If a host will not sign a BAA, you cannot disclose PHI to it.
Monthly Vulnerability Scans and Mitigation
The HIPAA-compliant host should scan your HIPAA-related servers at least once a month and provide the report whenever you ask for it. The scan looks for known weaknesses in the hosting environment: missing patches, exposed services, and weak configurations. Beyond handing over the report, the host should help remediate the findings that relate to the infrastructure, and you should see each fix reflected in the next report. You can't expect the host to fix your application issues, though (unless you hired them to write your app as well); those findings are yours to track and close.
Encryption of Data, in Transit and in Storage
Sensitive medical data needs strong end-to-end protection. Under the HIPAA Security Rule, encryption of ePHI is an "addressable" specification rather than a flat mandate, but in practice it is required: the breach notification rule only exempts PHI that was encrypted to the HHS standard, so a lost device holding unencrypted ePHI is a reportable breach, while an encrypted one generally is not. As mentioned, numerous breaches have occurred precisely because devices containing unencrypted ePHI, including mobile phones and laptops, were lost or stolen.
Encryption replaces your data with ciphertext that is unreadable until decrypted with the right key. This way, even if a device falls into the wrong hands, the data stays unreadable, provided the key is not stored alongside it. HIPAA-compliant hosting encrypts data "in transit", meaning between the patient's browser and the web server, and beyond the host's physical boundaries on the wide area network (WAN) between data centers, and also "at rest" on its servers. HHS guidance points to NIST standards for both: NIST SP 800-111 for storage encryption (AES with 128-, 192- or 256-bit keys), and NIST SP 800-52 (TLS), SP 800-77 (IPsec VPN) and SP 800-113 (SSL VPN) for data in transit; for email, the usual choices are OpenPGP or S/MIME. Ask your host which of these it follows and how encryption keys are managed separately from the data they protect.
Server Hardening
Server hardening is the process of applying security measures to your servers. The HIPAA-compliant web host should harden your servers as part of its deployment process; ask for a copy of its hardening steps. Typically, these include:
- closing unneeded ports and disabling unneeded services
- removing unnecessary programs
- enabling HTTPS with a valid TLS certificate for your website
- ensuring all web forms on your site are submitted only over HTTPS
- establishing least-privilege permissions for each account and strong password policies
- and creating a security banner, displayed at login, that warns that the server is for authorized users only (ask the host to show you a copy of the banner as well)
Note too that when you are finished with a server that held PHI, it can't simply be powered off and handed to the host's next client. Its drives should not be reused until they have been sanitized so the data cannot be recovered by anyone else. Ask the host what mechanism it uses and what standard it follows. The right answer today references NIST SP 800-88 (Guidelines for Media Sanitization): overwriting is acceptable for magnetic disks (a single full pass is sufficient on modern drives, though many hosts still do several), while SSDs need the drive's built-in secure erase or a cryptographic erase, and drives that cannot be sanitized are physically destroyed. If the host encrypts data at rest, destroying the key (cryptographic erase) is the cleanest option. Whatever the method, the host should have a written policy and be able to give you a certificate of sanitization; the important point is that the hosting company knows exactly what you are asking about and has a policy for it.
Off-site Backups
Ask the host whether it provides automatic off-site backups and how far the backups are physically from where your servers are hosted. The backups should be in a geographically separate location. A building next door is too close; at least 50 miles away is a reasonable minimum. The point is that a regional disaster such as an earthquake should not take out both your servers and your backups, which is how you preserve the integrity and availability of critical data. Since the backups contain PHI, they must be encrypted and covered by the BAA as well, and the host should be able to show you the result of a recent successful test restore.
Log Retention
HIPAA's audit control rules require you to keep track of who accesses protected health information (PHI), why they are accessing it, and what they actually accessed. This includes both failed and successful login attempts to any system where PHI is kept. Logouts must also be recorded, since they mark when someone stopped accessing the information. System and network access to the information is another log that must be stored as well.
Under HIPAA's documentation retention rule (45 CFR 164.316(b)(2)), these logs must be kept for a minimum of six years. The most common types of documents that must be retained under HIPAA include risk assessments and risk analyses, authorizations for the disclosure of PHI, disaster recovery and contingency plans, business associate agreements, information security and privacy policies, employee sanction policies, incident and breach notification documentation, complaint and resolution documentation, physical security maintenance records, logs recording access to and updating of PHI, the Notice of Privacy Practices (not applicable to health plans and clearinghouses), and IT security system reviews (including new procedures or technologies implemented).
Under HIPAA regulations, you must be able to review these logs at any time. A HIPAA-compliant hosting provider should offer a streamlined way to gather logs and search through them, and the logs themselves should be protected from tampering (append-only storage or a separate log server), because an audit trail that an intruder can edit is worthless.
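To make the logging requirements concrete, here is an added example (not code from the original article or from any hosting provider) of the kind of audit trail a host should be able to produce and query. It records successful and failed logins, logouts and PHI accesses as JSON lines, then answers "who touched this record, when, how and why", reconstructs a user's login-to-logout window, flags repeated failed logins from one source, and separates entries still inside the six-year retention period from those that may be purged. The log lines, user names, IP addresses and record IDs are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 6  # HIPAA documentation retention period (45 CFR 164.316(b)(2))

# Constructed sample of append-only audit events (JSON lines). Users, IPs and
# record IDs are invented for this example; they are not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:59:12Z", "event": "login_failure", "user": "jdoe", "src_ip": "203.0.113.7", "reason": "bad_password"}
{"ts": "2024-03-01T09:00:03Z", "event": "login_success", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-01T09:02:41Z", "event": "phi_access", "user": "jdoe", "action": "read", "record_id": "MRN-000123", "purpose": "treatment"}
{"ts": "2024-03-01T09:05:10Z", "event": "phi_access", "user": "jdoe", "action": "update", "record_id": "MRN-000123", "purpose": "treatment"}
{"ts": "2024-03-01T09:07:00Z", "event": "logout", "user": "jdoe"}
{"ts": "2024-03-01T23:14:55Z", "event": "login_failure", "user": "admin", "src_ip": "198.51.100.9", "reason": "bad_password"}
{"ts": "2024-03-01T23:15:01Z", "event": "login_failure", "user": "admin", "src_ip": "198.51.100.9", "reason": "bad_password"}
{"ts": "2024-03-01T23:15:07Z", "event": "login_failure", "user": "admin", "src_ip": "198.51.100.9", "reason": "bad_password"}
{"ts": "2017-01-15T10:00:00Z", "event": "phi_access", "user": "asmith", "action": "read", "record_id": "MRN-000999", "purpose": "billing"}
"""


def parse_ts(s):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Load JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def access_history(events, record_id):
    """Answer 'who accessed this record, when, how and why' for one PHI record."""
    return [
        (e["ts"].isoformat(), e["user"], e["action"], e["purpose"])
        for e in events
        if e["event"] == "phi_access" and e["record_id"] == record_id
    ]


def session_windows(events, user):
    """Pair each successful login with the next logout to bound when a user could
    have been accessing PHI. A login with no matching logout is reported with end=None."""
    windows, start = [], None
    for e in events:
        if e["user"] != user:
            continue
        if e["event"] == "login_success":
            if start is not None:  # previous login never logged out: still open
                windows.append((start.isoformat(), None))
            start = e["ts"]
        elif e["event"] == "logout" and start is not None:
            windows.append((start.isoformat(), e["ts"].isoformat()))
            start = None
    if start is not None:
        windows.append((start.isoformat(), None))
    return windows


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, source IP) pairs with `threshold` or more failed logins inside `window`."""
    by_source = {}
    for e in events:
        if e["event"] == "login_failure":
            by_source.setdefault((e["user"], e["src_ip"]), []).append(e["ts"])
    alerts = []
    for (user, ip), times in by_source.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"user": user, "src_ip": ip, "count": j - i + 1,
                               "first": times[i].isoformat(), "last": times[j].isoformat()})
                break  # report each source once
    return alerts


def purge_eligible(events, now_iso):
    """Split events into those that must still be retained and those past the retention period."""
    now = parse_ts(now_iso)
    try:
        cutoff = now.replace(year=now.year - RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        cutoff = now.replace(year=now.year - RETENTION_YEARS, day=28)
    keep = [e for e in events if e["ts"] >= cutoff]
    purge = [e for e in events if e["ts"] < cutoff]
    return keep, purge


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("History of MRN-000123:", access_history(evs, "MRN-000123"))
    print("jdoe sessions:", session_windows(evs, "jdoe"))
    print("Brute-force candidates:", failed_login_bursts(evs))
    keep, purge = purge_eligible(evs, "2024-03-02T00:00:00Z")
    print(f"{len(keep)} events must be retained, {len(purge)} may be purged")
```

The four query functions are the questions you should be able to get answered from your host's log tooling on demand: the history of a single record, the session in which a user was logged in, repeated failed logins against an account, and which entries are still inside the retention window. In production the JSON lines would be shipped to an append-only store or a separate log server so that an intruder on the web server cannot rewrite them.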
Selecting a web host that actually follows the HIPAA guidelines is not the same thing as finding an inexpensive host that does a good job at hosting websites that don’t contain patient information. Hopefully, this article has given you some useful questions you can ask the web hosting providers you are considering for your project.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. We provide a secure infrastructure for healthcare websites, secure email, HIPAA compliant WordPress, and secure file sharing solutions.