This week on the HIPAA Insider Show, Adam and Gil peel back the layers of managed cloud hosting — demystifying what’s included at different levels of service. From server-level management like OS patching and automated backups, to application-level hosting like Managed WordPress, we’ll explore how these models impact HIPAA compliance, performance, and peace of mind.


Transcript

Adam Zeineddine

Hello, and welcome back to the HIPAA Insider show where we discuss all things compliance and cloud technology. Today we’re going to be talking about managed cloud hosting services and why not all managed offerings are created equal and what that really means when a provider says something is managed. So we’re going to break it down in two separate categories. We’re going to talk about server level management for cloud hosting and then application level management. Gil, could you explain briefly what server level and application level management is?


Gil Vidals
The server level management and then the application level management, and then within the application level management there could be different tiers. We’ll go through all those today to help the audience decide if they are going to be relying on another company to help them with their WordPress. What kind of company, what level of service do they need? Sure. As you said, on the server side we have, think about it as, a server in the cloud, and that server has an operating system and that has to be kept up to date. That’s a key responsibility of somebody. And I say of somebody, because that’s the whole point of this conversation. Whose responsibility is it? And that responsibility may fall on you, the audience, to do that. And if you have someone technical on your team, maybe that’s fine.


Gil Vidals
But if you don’t have anyone technical, or you do, but you don’t want to mess with it, then you need to find a hosting provider that says, oh no, we’ll do the operating system patching, we’ll configure the firewall. We’ll have all our security tools like intrusion detection, SIEM tools, incident event management. Then who’s going to monitor the server? What if the server goes offline at three in the morning on a Saturday? Are you going to know, or are you not going to find out until Monday? When somebody says, hey, I tried to order something and your site is down, who’s going to do the monitoring? Monitoring slips through the cracks a lot. So you’ll sign up for web hosting and WordPress management and then nobody tells you or nobody knows when the site goes down. So that’s important. Somebody needs to monitor that.


Gil Vidals
And then who’s going to be responsible for the backups? Sometimes you can install a backup plugin on WordPress yourself, but there’s no need to do that if the infrastructure provider is doing that on your behalf. It has to be clear who’s doing that. And then disaster recovery. What if the whole data center gets hit by a tornado or catches on fire? What’s the plan then? Is your data on your site just gone, or is there a way to recover that? Those are the things that fall under, I’d say, the server, the infrastructure side of things. Adam?


Adam Zeineddine
Okay. And what services are included at the server level are really important when it comes to applications that need security. Like the industry that we’re in, HIPAA compliance, right?


Gil Vidals
Yeah, exactly. The HIPAA security rule or regulation expects that you’re safeguarding the infrastructure where the ePHI is residing on, and that requires that you’re doing timely patching of not just the server operating system, but also of the WordPress core and the plugins, and that you have things encrypted. When I say things, I mean the PHI data, the critical data should be encrypted at rest. That you have backups and that you have logging. You need logging enabled so you can trace back and find out if, when something goes wrong, a potential hacker may be trying to break in. You want to see a trail, and that’s in the log. You want to be able to see that.


Adam Zeineddine
All right, let’s switch gears a little bit now. Let’s talk about the second part, application level management. There’s a lot of applications out there, so maybe we could, you know, choose a specific website management system or application to talk about as an example.


Gil Vidals
Sure. Do you have an idea? I mean, besides WordPress. You mean?


Adam Zeineddine
Yeah, we could do WordPress. Yeah, yeah, that would be good. A good one.


Gil Vidals
Yeah.


Adam Zeineddine
So commonly used.


Gil Vidals
Sure. WordPress is. Two thirds of the Internet web pages are designed in WordPress. That’s a great one to talk about. So on the application side, Adam, I think it’s important people realize that there’s different levels. For example, you might say, well, the web designer takes care of the content. That’s pretty obvious. If you say, oh, we got a new web page, new content, you’re not going to go to your HIPAA compliant hosting provider to be updating the content, the images and all of that. You’re going to go to your web designer to do that part. But what about the plugins? Say you have a plugin. Everything’s working day one, but by day 10 or day 30 or day 100, that plugin has a vulnerability that was discovered and the author has just published a fix for that. They patch their plugin.


Gil Vidals
Who’s going to apply that plugin? Somebody has to go in and apply that update. Whose responsibility is that then? What if the performance of your site is not what you want it to be? What if it’s running a tad slow? Is that your job? The designer’s job? Is that your infrastructure provider? I mean, after all, maybe they’re just focused on HIPAA compliance. Are they really going to be doing the performance and optimization side? And then there’s the malware scanning. And also your secure certificate. Every site on the Internet needs an SSL certificate. What does that mean? That’s when you type HTTPS. The S is for security. That requires the installation of a, what’s called a security certificate. Without that certificate, your site’s not secure.


Gil Vidals
And so you have to be careful that it needs to be renewed, usually yearly, and a lot of people forget to renew it. Then a big ugly message is shown to your viewers, which is kind of embarrassing. You don’t want to see that. So you have to schedule that on a calendar or have somebody responsible for that. So as you can see, there’s a ton of moving parts. Yeah. And so it can get complicated and you have to really sit down and decide who’s handling, who’s responsible for all these different moving parts. And the key point here, I think, Adam, is not so much. Well, tell me, Gil, you know, you’re listing all this stuff, but who should do it? Well, in some sense it doesn’t matter as long as somebody does it.


Adam Zeineddine
Yeah.


Gil Vidals
And somebody’s responsible for it. The key is, as the business owner, you have to have a matrix. You have to know who is responsible. Because I guarantee you what will happen is, if your certificate expires, your users are saying, hey, Tom, or hey, Sally, I went to your website and I got an ugly message saying something about security. You’re going to say to yourself, oh, my web designer. And I’m going to call him. He’s going to say, well, that’s not my job. Then you’re going to call the security guy, hey, what happened here? And he might say, well, I thought the hosting provider did that. Then the hosting provider says, no, that’s not our responsibility. That’s what happens if you don’t assign a role to us. Nobody’s going to do it.


Gil Vidals
It has to be clearly defined whose role that is, who’s going to take charge of that.


Adam Zeineddine
We’ve explained the server level service there and touched on the application level service. Again, Gil, if I understand it correctly, there’s different tiers to the application level service. Specifically, when we talk about WordPress, there could be certain services that the managed service provider handles and then other items that the developer manages.


Gil Vidals
Yeah, I think that’s a good thing to talk about, Adam. When you have decided to go with a particular infrastructure provider, you might call them a web hosting provider. Or it could be a consultant even. Right? Some of you have consultants that you go to and they handle everything, and then they in turn hire a web hosting provider. But so now we’re talking about the application, right? We talked about the server and the security and the infrastructure. Now we’re talking about the application. So you have WordPress, it’s running. You have your beautiful logo, your beautiful website, your forms and all of that. But then the question is, what happens someday when you go to a page and it’s 404 not found? Do you go to the infrastructure provider? Is that their job to try to figure out what happened to that page, gone?


Gil Vidals
You may go to your designer. You have to again define who’s going to take that role. Sometimes it’s a team effort to find out. The web designer might say, look, I didn’t touch the site. I haven’t done anything with it. I don’t understand why that page is missing. And then the infrastructure provider, the web hosting provider, who’s an expert, might come back and help you with that. But they have to be reachable. And that’s another dimension that we haven’t talked about. But before we go into that, Adam, I just want to be clear. The first level of support is always what they call break/fix. Yeah, that’s a traditional first level. I call that level zero. Not even one. Level zero. Yeah, something went wrong. Your provider should be at your hosting provider.


Gil Vidals
Your MSP should be able to help you resolve that or at least diagnose the issue and tell you, oh, you need to get your designer involved or your security guy involved. After level zero break/fix, now you’re getting into the application. Like the next level is who’s responsible for updating the site. Now, by updating, I don’t mean changing the words and the content. I mean maintaining the site. I mean upgrading the plugins, upgrading WordPress core, updating the certificate that we talked about, the secure certificate, HTTPS, that’s the next level. That’s level one and then level two. Zero, one, and then two. Level two would be, well, who’s going to be responsible for the performance of the site? So nothing’s broken? Nothing’s broken. Everything’s in place. But it’s not operating fast enough. It’s not fast enough. The performance is key.


Gil Vidals
Google will rank your site lower if it’s too slow. That’s another level. Who’s responsible for optimization work then? The fourth level was zero, one, two. I guess the third level, zero, one, two, three, would be the content of your site, who’s responsible for, hey, that image is huge. It’s too big. Somebody needs to shrink it. You know, maintaining the content. So that would typically fall with your web.


Adam Zeineddine
So there you have it. No matter where you are in your cloud journey, knowing the difference between managed models helps you make better and safer choices. So thanks for tuning in, and until next time, thanks for stopping.