HIPAA Compliant Cloud Hosting: A Beginner’s Guide…
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, Resources

… to life outside the Matrix

I know why you’re here, Neo. I know what you’ve been doing. I know why you hardly sleep, why you live alone, and why night after night, you sit at your computer. You’re looking for him…  It’s the question that drives us, Neo. It’s the question that brought you here. You know the question, just as I did.

— Trinity, The Matrix, 1999

In the classic sci-fi film The Matrix, the virtual world is a data-dripping reality that paints a glittering image of our actual selves.*  

Thomas Anderson (aka, Neo) can fly, fight, and twist away from bullets like nobody’s business. But in the “desert of the real” – as the character Morpheus calls the “unplugged self,” quoting Baudrillard – things can get a bit dicier. 

Like Neo, we too have our questions, our sleepless nights, and nagging fears. Zion is real and the world is a wonder, but life outside a simulated reality isn’t always a picnic.

Deny it, and you might hear the Architect’s voice: “Denial is the most predictable of all human responses.”

If we’re honest (take the red pill!), our healthcare records will reveal the struggle; but who are the “Agent Smiths” just waiting to hack them, and write a different story about our lives?  

Does my Healthcare Data Really Require HIPAA Compliant Hosting?

You don’t need to fully grasp The Matrix to know your personal data needs protection – or to question how secure you’ll be in the “virtual healthcare cloud.” 

As we saw last week, exploitation is real. Identities may be stolen, reputations and livelihoods damaged. Like the Sentinels that target Neo’s ship, the Nebuchadnezzar, real harms may come from those who would steal or ransom your sensitive data.

So if you’re new to HIPAA compliance – perhaps a fledgling developer, or a physician just opening a practice – you should be asking:

  • How should my patient’s data be protected? With that, a closely related question:
  • What actually is HIPAA Compliant Hosting, and how does it differ from traditional hosting?

Let’s explore the latter question first, which should help with the former.

Two Distinctions About HIPAA Compliant Hosting

1. Hosting requires infrastructure – think secure servers and storage, only virtualized in the cloud.  

Unlike a traditional hosting company, a HIPAA-compliant host will have a secure, third-party audited infrastructure, specially configured to handle the confidentiality, integrity, and availability of electronically protected health information (ePHI) both in transit and at rest.  

2. Unlike traditional hosting companies, a HIPAA-compliant host will provide you with a signed, legal Business Associates Agreement (BAA).

Essentially, a BAA outlines the responsibilities that each party will have in managing the PHI or EHR data. 

The BAA states that both parties will appropriately safeguard the protected health information being handled, and keep unauthorized users from accessing that PHI data.

What are the Seven Keys to Success for HIPAA Compliance?

Neo had Morpheus to show him the ropes; the Oracle was there for questions, too. It’s true: any journey into unknown territory goes better with an experienced guide. 

While a HIPAA-compliant host is indispensable for building the infrastructure – it’s technically difficult and expensive to do on your own, and server security is also complex -you’ll need a point person to ensure your organization is satisfying all HIPAA regulations. 

The first key is to:

1. Assign a Compliance Officer

Without a C.O., maintaining compliance will be a lot more challenging. And actually, HIPAA requires you to have one – whether an existing employee who will train for the role, or a new hire who comes with expertise.

What functions will the Compliance Officer handle? Here’s a summary:

  • Develop and maintain your HIPAA-compliant privacy program
  • Oversee the HIPAA training of your employees
  • Conduct a risk analysis
  • Create HIPAA-compliant procedures where needed, and monitor compliance with the program
  • Investigate and report any data breach incidents as required
  • Ensure the protection of your patients’ rights in accordance with federal/state laws
  • Keep up-to-date with pertinent state and federal laws

2. Identify which data needs protection (Where is your ePHI?)

In The Matrix, Neo was the key; knowing where he was and what he was doing was critical. The same applies to your sensitive data: you’ll want to know exactly where it is and how securely it is stored.

To do this requires first investigating where the sensitive data (ePHI) is throughout your organization, then applying the best protections. 

Basically, you’ll want to ask: How does ePHI travel in my organization? Have I included all the ePHI that we create, receive, maintain or transmit – including our website and from external sources such as vendors?

3. Take stock of your risks (A HIPAA Risk Analysis should be performed)

Another key in the Matrix was understanding the enemy. The ship known as the Nebuchadnezzar was always on the lookout for flying Sentinels (killer robots). It was crucial to identify where they might be lurking, so they could zap them (with EMP!) if encountered.  

Similarly, imagine taking a trip into unknown territory. You wouldn’t leave without first mapping the terrain you would need to cover. You’d look for potential danger spots; maybe an icy mountain pass, or hazardous sections of the road.

In the same way, taking stock of risks to data is crucial. You will be looking to answer: 

What are the human, natural, and environmental threats to information systems that contain electronically protected health information (e-PHI)? 

Note: This is a question you must revisit regularly (we suggest monthly), as systems change and threats can (and do) evolve quickly. 

You can’t sit back and click on “cruise control” on this one (or any of the steps for that matter) – for if left unaddressed, these risks will actually leave the door open for malicious actors to exploit your ePHI. 

And while there isn’t one exact way to do a risk analysis, you can find some guidance here.

4. Equip those who travel with you

You’ll soon discover, if you haven’t already, that HIPAA regulations are multi-faceted. One facet that shines especially brightly is about trustworthy people doing the right thing – each in their own sphere. 

As mentioned, staff training (with refresher training annually) will be necessary to help your people understand HIPAA requirements about patient privacy, as well as their own responsibilities to work securely. 

This includes everyone from network engineers and system administrators to employees on your network who might be tempted by a phishing email or other kinds of social engineering. As someone has rightly said, “your security solution is only as good as the people you have maintaining it.”

5. Document all training and assessments

Any good captain of a ship will have a ship’s log, as well as documented procedures. 

Should your company ever be audited, it will be key to have all your HIPAA training sessions and risk assessments documented. 

Again, the Compliance Officer should ensure that this happens. Have you included phishing training so your employees will recognize fraudulent emails designed to steal your credentials?

6. Document all emergency procedures and Rules for Breach Notifications

One piece of documentation you should be prepared to show is how you are prepared for an emergency situation. 

Basically, an auditor will want to know: In the event of a data breach, what is your plan, and how will you appropriate “first aid” in order to mitigate damages?

7. Control (and track) who accesses data

A key principle to control access to ePHI is that it should be as limited as possible, governed by application roles on a need-to-know basis. This is known as the ‘principle of least privileges.’ 

Tamper-detection techniques can be employed to send alerts when code is being modified or changed, and log all changes. Finally, be aware of any dashboard access to PHI that might possibly be available to every user.

With this foundation, we now turn to:

What are the 7 Keys to Implementing a HIPAA-Compliant Cloud?

1. Ensure the Use of Appropriate Physical and Technical Safeguards 

In accordance with the HIPAA Security Rule, your hosting company must maintain appropriate physical safeguards to help ensure the confidentiality, integrity, and security of PHI. Ask them if they have policies and procedures in place for your specific hosting plan. 

There should be safeguards to protect IT facilities [IT departments, data centers, etc.] and the equipment therein from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted area warning signs, cameras and alarms, security services, etc.

A HIPAA-compliant infrastructure must be also governed by technical controls which will authenticate user access to your hosting environment. 

They should have a system of developing unique user IDs and strong passwords, as well as procedures for login, logout, encryption/decryption, and emergencies. Once a determination is made regarding the appropriate access and permissions for your team, admins will set these unique user IDs.

2. Ensure Data Center Compliance 

HIPAA Vault’s customers can have peace of mind that our world-class data centers meet or exceed industry-standard certifications, including SSAE 16, NIST 800-53, and Service Organization Controls (SOC) audits 1, 2, and 3.

SOC 1 is used for the auditing of Internal Controls over Financial Reporting (ICFR) focusing on security and availability.

SOC 2 is used to audit the service organization in terms of relevancy for Security, Availability, Processing Integrity, Confidentiality, and Privacy (called the Trust Services Principles), to ensure systems have protection against unauthorized physical/logical access.

SOC 3 is used for the same auditing purposes as SOC 2 and includes auditing in accordance with the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations – to provide a summary Trust Services Report.

These audits, along with HIPAA and HITECH Omnibus standards, are used for assurance and validation that all service controls have been implemented and are functioning properly. 

Further, state-of-the-art security for medical data and HIPAA compliance is the primary reason HIPAA Vault became a Google Cloud Partner. 

Service continuity is ensured by Google’s “redundancy of everything” approach, ensuring that the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data.

In other words, your data is always available within a secondary system, should one system fail. Distributed, compliant data centers minimize the impact of a natural disaster or a local power outage, so your sensitive data will remain available.

Google’s world-class data center compliance relies on the ISO 27001 certification, an internationally accepted and independently verified security standard composed of 114 controls, including:

  • Information security policies
  • Organization of information security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Logical security
  • Incident management

Physically, Google boasts 6 layers of state-of-the-art security for their data centers, and it’s impressive. Think of concentric circles, each with a different type of security inherent in the layer.

3. Ensure encryption, both in-transit and in storage  

Sensitive medical data needs strong, end-to-end privacy protections to preserve it should it ever fall into the wrong hands. Encryption is the “standard of care” for protecting health data; it does this by replacing your data with ciphertext, making it unreadable until decrypted. 

An integral part of managed services, HIPAA-compliant hosting ensures the encryption of data “in transit” – meaning, from the patient to the web server, and outside the hoster’s physical boundaries to the wide-area network (WAN) between data centers – and also “at rest” on their servers. 

The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.

4. Ensure systems are monitored 24/7 to ensure consistent reliability and uptime 

Another way that a HIPAA-compliant host will maintain the high availability and integrity of data is by monitoring the health of each server, in addition to server security. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS. 

Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This aspect of managed services allows them to take action proactively and keep your system available and running smoothly.

5. Ensure regular vulnerability scans of servers, and mitigation of those vulnerabilities 

The HIPAA Compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it). 

In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure in order to ensure server security. 

6. Ensure off-site backups, and log retention

Ask your HIPAA web host if they provide automatic, offsite backups and how far the backups are physically from where your servers are hosted. The backups should be geographically in a separate location – at least 50 miles away or further. This helps prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. In this way, you preserve critical data integrity and availability.

A HIPAA Compliant Host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. Log retention of 6 years is a HIPAA mandate – and in accordance with HIPAA regulations, the host ideally should offer a streamlined approach to gathering these logs and searching through them. These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts.

7. Your HIPAA-compliant host should be an extension of your team

Last but not least, in addition to a robust, secure managed platform that includes all of the above, we think strong relationships are key (and we bet you do too). As critical as your environment is for being proactive and preventative in your care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. They should essentially act as an extension of your own company. 

For example, HIPAA Vault maintains a “tier-less” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring – with over 90% resolution the first time you call.

No phone trees or being kept on hold for long periods of time. Our proven managed services allow you to streamline your IT costs, effectively saving you money.

So there you have it: excellent preparation for life “outside of the matrix,” in the real world of HIPAA compliance.

If you have any questions about our HIPAA-compliant server hosting or any of our managed services, please feel free to give us a call! 760-394-6920.

* Since the emergence of social media, numerous comparisons to The Matrix and cynicism about certain online media platforms have become popular. We’re of the opinion that social media – when used well – is a helpful connection tool; you bring to it what is inside you.          

HIPAA Vault’s Managed Services for HIPAA compliance include less-than-15 minute response times for critical alerts, and 90% first call resolution. Our dedicated IT professionals handle everything from general support questions and maintenance, to more complex issues such as advanced firewall configurations and system monitoring. In this way, we simplify your business while providing peace of mind.