Data Center Compliance for a HIPAA Compliant Hosting Provider
By Gil Vidals, HIPAA Blog, Resources, Security

HIPAA compliance is a process, maintained moment by moment rather than achieved once. Where does the data center fit into that picture?

First, a clarification. A HIPAA compliant hosting company maintains compliance by securing both the medical data and the infrastructure that hosts that sensitive data on behalf of its clients.

Data center compliance, by contrast, concerns securing the physical facility that houses the essential machines (the servers). The facility must meet strict criteria, and those criteria must be verified by third-party auditors.

It goes without saying then that security must be embedded in the data center’s DNA, especially if healthcare data is in view.  

HIPAA Vault’s customers can have peace of mind that our enterprise-level data center facilities are audited against industry-standard frameworks, including SSAE 16 (the AICPA attestation standard, since superseded by SSAE 18), the NIST SP 800-53 control catalog, and Service Organization Controls (SOC) 1, 2, and 3 reports. Note that these are audit frameworks rather than certificates: what a customer can ask for is the auditor’s report on the controls.

SOC 1 reports on a service organization’s controls that are relevant to its clients’ Internal Control over Financial Reporting (ICFR). It does not evaluate security or availability as such; those belong to SOC 2.

SOC 2 reports on controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy (the Trust Services Principles, now called the Trust Services Criteria). Security is the one criterion every SOC 2 report must include; it covers protection of systems against unauthorized physical and logical access.

SOC 3 covers the same Trust Services Principles as SOC 2 (originally developed jointly by the AICPA and the Canadian Institute of Chartered Accountants, CICA), but produces a general-use summary report: it states the auditor’s opinion without the detailed description of tests and results, so it can be shared publicly.

These reports, together with the requirements of HIPAA and the HITECH Act as consolidated in the HIPAA Omnibus Rule, provide assurance that the service controls have been implemented and are operating effectively. Keep in mind that HHS does not certify HIPAA compliance; for a hosting provider, independent SOC reports are the closest thing to third-party evidence a customer can obtain.

Two Steps Further

The first step is our choice of platform: state-of-the-art security for medical data and HIPAA compliance is a primary reason HIPAA Vault became a Google Cloud Partner.

Google’s “redundancy of everything” approach is designed so that the failure of a single server, data center, or network connection, or a scheduled maintenance window, does not translate into downtime or loss of data.

In other words, a copy of your data remains available in a secondary system should one system fail. Geographically distributed, compliant data centers limit the impact of a natural disaster or a local power outage, so your sensitive data stays available. Platform redundancy does not replace the customer’s own contingency planning, however: the HIPAA Security Rule (45 CFR 164.308(a)(7)) still requires a data backup plan and a disaster recovery plan for the application and its data.

Google’s data center compliance rests on ISO/IEC 27001 certification, an internationally accepted and independently audited standard for information security management. The 2013 edition’s Annex A lists 114 controls across 14 domains, including:

  • Information security policies
  • Organization of information security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • Information security incident management

Physically, Google’s data centers use six layers of security. Think of concentric rings, each adding a different kind of control:

  1. The physical property boundaries of the secure data center, surrounded by smart fences and thermal cameras and posted with signage.
  2. The secure perimeter, including a security guard at the gate, roving security guards in cars, vehicle crash barriers that can stop a truck, and more.
  3. The personnel identity check, with an iris scan and single-person entry doors that prevent tailgating.
  4. The Security Operations Center (SOC; here the acronym means the monitoring room, not the SOC audit reports above), staffed 24/7/365. The “brain of the data center,” it is where staff watch every camera feed and all data center operations.
  5. The data center floor, where access is granted only to authorized technicians and engineers with a specific need. Data at rest is encrypted by default, and customers can choose to manage their own encryption keys, so a technician with physical access to a drive sees only ciphertext. Fewer than 1% of Google personnel ever enter this area in person.
  6. The disk disposal/hard-drive destruction area, with special access granted to the machines that physically destroy drives that are no longer needed.
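Layer 5 above rests on a specific property: data on the disks is encrypted, and the keys that unlock it stay under the customer’s control, so staff with physical access see only ciphertext. The usual way to get that property is envelope encryption, in which each record is encrypted with its own data-encryption key (DEK) and the DEK is stored beside the ciphertext, wrapped under a key-encryption key (KEK) that the customer holds. The Go program below is an added illustration of that pattern; it is not Google’s or HIPAA Vault’s code. AES-256-GCM for both layers, the 32-byte keys, the object identifier bound as associated data, and the sample record are all assumptions made for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what sits on disk: the sealed record and its data key (DEK), itself sealed under the customer's key-encryption key (KEK).
type Envelope struct {
	WrappedDEK []byte // DEK under the KEK, AES-256-GCM, nonce prepended
	Ciphertext []byte // record under the DEK, AES-256-GCM, nonce prepended
}

// NewKey returns a random 32-byte AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, binds aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong aad, truncation, or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt: fresh DEK per record, record sealed with the DEK, DEK sealed with the KEK; objectID is bound as associated data so envelopes cannot be swapped between records.
func Encrypt(kek, record []byte, objectID string) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the record.
func Decrypt(kek []byte, env Envelope, objectID string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the record ciphertext, so customer key rotation never re-encrypts stored data.
func RotateKEK(oldKEK, newKEK []byte, env Envelope, objectID string) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	record := []byte(`{"mrn":"000-TEST","note":"constructed sample, not real PHI"}`) // constructed input
	kek, _ := NewKey() // customer-held, never stored beside the data
	env, _ := Encrypt(kek, record, "patient/000-TEST")
	other, _ := NewKey() // stands in for an operator who has the disk but not the KEK
	_, err := Decrypt(other, env, "patient/000-TEST")
	pt, _ := Decrypt(kek, env, "patient/000-TEST")
	fmt.Printf("without KEK: %v\nwith KEK: %s\n", err, pt)
}
```

RotateKEK is the part that makes customer key management practical at scale: rotating the KEK re-wraps only the small DEKs, while the record ciphertexts are never rewritten. Binding the object identifier as associated data means an envelope copied into another record’s slot fails to open instead of silently decrypting the wrong data.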

As we’ve written previously,

From an infrastructure perspective, Google’s “security by design” software, servers, internal machines, and secure data centers are all aimed at providing superior data protection with redundant systems and end-user privacy safeguards. Before and after each product launch, a privacy team oversees automated processes that audit data traffic.


The second step is HIPAA Vault’s fully managed security, which works hand in hand with our secure data centers to keep your data safe. From 24/7 system monitoring and managed anti-virus/anti-malware protection to security patching and logging, HIPAA Vault handles the day-to-day management and security of your infrastructure, improving your operations while cutting expenses.

HIPAA Vault’s commitment to compliance standards for data centers and hosting helps your health practice mitigate risk and support excellent patient care every day. State-of-the-art data centers designed with security in mind help us meet that goal, and help your patients thrive.

If you have any questions on HIPAA data security or any of the services we provide, please contact us! 760-290-3460.

HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.