Ten Essentials to Look for in a HIPAA Compliant Hosting Company
By Stephen Trout, HIPAA Blog, HIPAA Hosting

Dear Healthcare Provider,

Have you ever realized that a HIPAA compliant hosting company can actually facilitate at least two important aspects of your patient care? 

Think about it; an effective HIPAA host promotes:

Proactive care – By providing a highly responsive environment, a HIPAA host enables the high data availability and timely access to patient data and critical treatment information you depend on every day. Obviously, if you can’t access your patient data when you need it, it’s hard to provide good treatment.

Preventive care – By providing a highly secure environment, a HIPAA host also protects your patient data from being corrupted or held for ransom. Your patients will thank you that their private information wasn’t stolen, and/or advertised for the world to see. 

You probably caught this, but in case you missed it – the American Medical Association issued a recent statement emphasizing a truth we’ve been proclaiming for a number of years now: 

Cybersecurity is a patient safety issue.

The AMA went on to say that all providers are now urged:

To protect against malicious software (“malware”), ensure that your software and computer and server operating systems are regularly patched and updated. Fact: As many as 85 percent of targeted attacks on computers are preventable. Install and update your anti-virus software! Fact: Nearly one million new pieces of malware are created each day.

Keeping your systems updated in this way may sound daunting, but know that we’re here to help. We know it’s no small thing to choose an experienced HIPAA hosting/managed security provider, and we’ll help you understand why. 

What’s at stake? As mentioned, not only your ability to provide patient care, but also your reputation as a trusted provider. An experienced HIPAA host will help you avoid devastating fines for violating HIPAA, and potential lawsuits from angry patients. They will also know the regulations of HIPAA compliance (unlike traditional hosting companies) and will patch and upgrade your systems while also providing all the important layers of security (anti-virus, firewalls, encryption) you need to protect your sensitive data in today’s world. 

So what should you look for in a proven HIPAA host?

With that said, we believe there are at least ten essentials that you should require of a HIPAA hosting provider (and we’ll explain each):

  1. A proven, HIPAA-compliant infrastructure
  2. A signed Business Associate Agreement (BAA)
  3. Appropriate physical and technical safeguards
  4. Encryption, both in transit and in storage
  5. Systems monitored 24/7 to ensure consistent reliability and uptime
  6. Regular vulnerability scans of servers and mitigation of the vulnerabilities discovered 
  7. Server hardening (securing with updates and patches) 
  8. Off-site backups of your data
  9. Log retention of 6 years – a HIPAA mandate
  10. Strong relationships, dedicated support staff, and cost-effective solutions

Let’s look at what each of these essentials provides you:

1. A proven, HIPAA-compliant infrastructure

A HIPAA-compliant infrastructure will possess all the controls you need in your environment to preserve the confidentiality, integrity, and availability of protected health data – both in transit and at rest. This means that the data that passes through your website portals, your network, and your database servers will have an excellent chance of being kept safe from malicious attacks. 

An experienced host with proven managed security expertise will achieve this by providing everything from access controls (unique permissions, strong password requirements, multi-factor authentication) to specially configured firewalls, transport layer security, operating system security, malware prevention, segregated web and database servers, and more. 

2. A signed Business Associate Agreement (BAA)

One thing that a traditional web hosting company will NOT provide you with is a signed, legal agreement (BAA) promising to protect your medical data. The reason for this is that they don’t have the infrastructure or expertise to do so. Yet this is exactly what is required of a HIPAA host. A BAA means they understand and accept liability to protect your data; if they don’t offer this, make sure you ask for one. 

3. Appropriate physical and technical safeguards

In accordance with the HIPAA Security Rule, your hosting company should maintain appropriate physical safeguards to help ensure the confidentiality, integrity, and security of PHI. Ask them if they have policies and procedures in place for this. There should be safeguards to protect IT facilities [IT departments, data centers, etc.] and the equipment therein from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted area warning signs, cameras and alarms, security services, etc.

A HIPAA-compliant infrastructure must also be governed by technical controls that authenticate user access to your hosting environment. The host should have a system for issuing unique user IDs and passwords, as well as procedures for login, logout, encryption/decryption, and emergencies. Once a determination is made regarding the appropriate access and permissions for your team, admins will set up these unique user IDs.

4. Encryption, both in transit and in storage

Sensitive medical data needs strong, end-to-end privacy protections so that it stays unreadable should it ever fall into the wrong hands. Encryption is the “standard of care” for protecting health data; it does this by replacing your data with ciphertext, making it unreadable until decrypted. HIPAA compliant hosting ensures the encryption of data “in transit” – meaning, from the patient to the web server, and outside the host’s physical boundaries across the wide-area network (WAN) between data centers – and also “at rest” on their servers. The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys, OpenPGP, and S/MIME.

5. Systems monitored 24/7 to ensure consistent reliability and uptime

Another way that a HIPAA compliant host will maintain the high availability and integrity of data is by monitoring the health of each server. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS. Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This allows them to take action proactively and keep your system available and running smoothly.
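The kind of rule a monitoring system applies to those predefined conditions, as an added illustration for this article (it is not HIPAA Vault's monitoring code): the metric samples, the 90% CPU and 85% disk thresholds, and the "three consecutive readings" rule are all assumptions chosen for the example. Requiring a sustained breach keeps a single transient spike from paging an engineer, and the disk forecast turns a raw reading into the proactive signal the paragraph describes.

```python
"""Threshold alerting over constructed server health samples.

Added example for this article; not the hosting provider's monitoring code.
"""

# Constructed sample: one reading per minute for one server, in percent.
SAMPLES = [
    {"cpu": 45, "disk": 71},
    {"cpu": 92, "disk": 72},
    {"cpu": 95, "disk": 74},
    {"cpu": 97, "disk": 88},
    {"cpu": 40, "disk": 91},
    {"cpu": 38, "disk": 93},
]

# Assumed alerting thresholds (percent); a real deployment tunes these per host.
THRESHOLDS = {"cpu": 90, "disk": 85}


def evaluate(samples, thresholds, sustained=3):
    """Return a list of (metric, sample_index) alerts.

    An alert fires only when a metric has exceeded its threshold for
    `sustained` consecutive samples, so one transient spike does not page.
    The streak resets as soon as a reading drops back under the threshold.
    """
    alerts = []
    streak = {metric: 0 for metric in thresholds}
    for index, sample in enumerate(samples):
        for metric, limit in thresholds.items():
            if sample[metric] > limit:
                streak[metric] += 1
                if streak[metric] == sustained:
                    alerts.append((metric, index))
            else:
                streak[metric] = 0
    return alerts


def minutes_until_full(disk_readings):
    """Estimate minutes until disk reaches 100% from the last two readings
    (one reading per minute). Returns None if usage is flat or falling."""
    if len(disk_readings) < 2:
        return None
    rate = disk_readings[-1] - disk_readings[-2]  # percent per minute
    if rate <= 0:
        return None
    return (100 - disk_readings[-1]) / rate


if __name__ == "__main__":
    for metric, index in evaluate(SAMPLES, THRESHOLDS):
        print(f"ALERT {metric} sustained above {THRESHOLDS[metric]}% at sample {index}")
    eta = minutes_until_full([s["disk"] for s in SAMPLES])
    print(f"disk full in about {eta} minutes at current growth")
```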

6. Regular vulnerability scans of servers, and mitigation of the vulnerabilities discovered

The HIPAA compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it). In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure.

7. Server hardening (securing with updates and patches)

Server hardening is the process of applying appropriate security measures to your servers. The HIPAA compliant web host should harden your servers as part of their deployment process; ask them for a copy of their server hardening steps. Depending on the system involved (such as Windows or Linux) these steps may include:

  • servers housed in a secure data facility
  • removing any unnecessary programs from servers
  • establishing unique permissions and strong password policies
  • automating security patches and real-time updates
  • advanced security tools, including anti-DDoS management, custom IP Reputation, host-based and network Intrusion Detection (HIDS/NIDS), managed firewalls, enterprise-grade monitoring 
  • creating a security banner that is displayed to the user when they log in, warning them that your server is only for authorized users. (Ask the host to show you a copy of the banner as well)

Note: When a particular server is no longer required, care should be taken to wipe its hard drives with several passes. This will help to ensure that the data cannot be read by someone else if the drives are used again. 
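One way to check a host's hardening steps rather than take them on trust is to audit the resulting configuration against a written baseline. The example below is added for this article and is not the hosting provider's hardening script: it parses a constructed OpenSSH `sshd_config` excerpt, before and after hardening, and reports every directive that misses the baseline (root login disabled, password authentication replaced by keys, X11 forwarding off, and a login banner set, which is the banner the list above tells you to ask for). The baseline itself is an assumption chosen for the example, not a HIPAA-mandated list.

```python
"""Audit an OpenSSH daemon configuration against a small hardening baseline.

Added example for this article; the config excerpts are constructed and the
baseline is the example's own choice.
"""

# Constructed sshd_config as it might look before hardening.
WEAK_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
#Banner none
"""

# The same file after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
Banner /etc/issue.net
"""

# Required value per directive (lower case); None means "must be set to
# something other than 'none'", which is how the Banner directive is disabled.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "Banner": None,
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for active (non-comment) lines.

    sshd keywords are case-insensitive and the first occurrence of a
    directive wins, so later duplicates are ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text, baseline=BASELINE):
    """Return a sorted list of findings, one per directive that misses the baseline."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, required in baseline.items():
        actual = settings.get(directive.lower())
        if actual is None or actual.lower() == "none":
            findings.append(f"{directive}: not set (required {required or 'a value'})")
        elif required is not None and actual.lower() != required:
            findings.append(f"{directive}: is '{actual}', required '{required}'")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("before", WEAK_CONFIG), ("after", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the "before" excerpt it reports five findings; against the hardened excerpt it reports none. The same parse-then-compare shape works for any text-based service configuration you want to hold a provider to.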

8. Off-site backups of your data

Ask your HIPAA web host if they provide automatic, offsite backups and how far the backups are physically from where your servers are hosted. The backups should be kept in a geographically separate location, at least 50 miles away. This helps prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. In this way, you preserve critical data integrity and availability.
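The distance question above is easy to answer with the two sites' coordinates. This example is added for this article (not the host's tooling): it computes the great-circle distance between a primary data center and a backup site and applies the 50-mile minimum the paragraph recommends. The coordinates are constructed, and the NYC-to-LA pair is included only as a sanity check of the formula against a well-known distance.

```python
"""Check that a backup site is far enough from the primary data center.

Added example for this article. Coordinates below are constructed; the
50-mile minimum is the figure the article recommends.
"""
import math

EARTH_RADIUS_MILES = 3958.8
MIN_SEPARATION_MILES = 50

# Constructed site coordinates as (latitude, longitude) in decimal degrees.
PRIMARY = (33.90, -117.90)      # primary data center (constructed)
NEARBY_BACKUP = (34.05, -118.25)  # same metro area (constructed)
REMOTE_BACKUP = (39.70, -104.90)  # different region (constructed)


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def backup_site_ok(primary, backup, minimum=MIN_SEPARATION_MILES):
    """True if the backup site is at least `minimum` miles from the primary."""
    return haversine_miles(*primary, *backup) >= minimum


def separation_report(primary, backup, minimum=MIN_SEPARATION_MILES):
    """Human-readable verdict plus the measured distance, for a vendor review note."""
    distance = haversine_miles(*primary, *backup)
    verdict = "OK" if distance >= minimum else "TOO CLOSE"
    return f"{verdict}: backup is {distance:.1f} miles from primary (minimum {minimum})"


if __name__ == "__main__":
    print(separation_report(PRIMARY, NEARBY_BACKUP))
    print(separation_report(PRIMARY, REMOTE_BACKUP))
```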

9. Log retention of 6 years (a HIPAA mandate)

A HIPAA compliant host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. This is in accordance with HIPAA regulations, and the host ideally should offer a streamlined approach to gathering these logs and searching through them. These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts.

According to regulations, these logs must be kept for a minimum of six years. It’s vital that you are able to review and have access to these logs at any time and ensure they are available for audit purposes. 
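What "searchable" and "kept for six years" look like in practice, as an added example for this article (not the host's logging product): a small parser over a constructed, pipe-delimited audit log with the event types the text names (failed and successful logins, PHI reads, logouts), a query answering "who accessed this patient record", and a retention check that only ever nominates entries older than six years for purging. The log format and the sample entries are constructed; real audit formats vary.

```python
"""Search PHI access logs and apply a six-year retention rule.

Added example for this article. Log lines are constructed in the form
timestamp|event|user|source_ip|resource; a real system's format will differ.
"""
from datetime import datetime, timezone

SAMPLE_LOG = """\
2017-03-02T08:15:02Z|LOGIN_FAIL|jdoe|10.0.0.12|-
2017-03-02T08:15:40Z|LOGIN_OK|jdoe|10.0.0.12|-
2017-03-02T08:16:10Z|PHI_READ|jdoe|10.0.0.12|patient/48213
2017-03-02T08:30:00Z|LOGOUT|jdoe|10.0.0.12|-
2024-06-11T14:02:11Z|LOGIN_OK|asmith|10.0.0.31|-
2024-06-11T14:03:00Z|PHI_READ|asmith|10.0.0.31|patient/48213
"""

RETENTION_YEARS = 6


def parse_log(text):
    """Parse audit lines into dicts with an aware UTC timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, resource = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"ts": when, "event": event, "user": user,
                        "ip": ip, "resource": resource})
    return entries


def who_accessed(entries, resource):
    """(user, timestamp) for every read of one PHI resource: the 'who' and 'what'."""
    return [(e["user"], e["ts"]) for e in entries
            if e["event"] == "PHI_READ" and e["resource"] == resource]


def failed_logins(entries):
    """Failed authentication attempts, the events an auditor asks for first."""
    return [e for e in entries if e["event"] == "LOGIN_FAIL"]


def retention_cutoff(now, years=RETENTION_YEARS):
    """Timestamp before which entries have passed the retention period.

    Uses calendar years rather than 365-day blocks so leap years do not
    shorten the window; Feb 29 falls back to Feb 28 in non-leap target years.
    """
    try:
        return now.replace(year=now.year - years)
    except ValueError:
        return now.replace(year=now.year - years, day=28)


def purge_candidates(entries, now):
    """Entries older than the retention period. Everything else must be kept;
    a host that deletes anything newer than the cutoff is out of compliance."""
    cutoff = retention_cutoff(now)
    return [e for e in entries if e["ts"] < cutoff]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    now = datetime(2024, 6, 12, tzinfo=timezone.utc)  # fixed 'now' for the demo
    print("readers of patient/48213:", [u for u, _ in who_accessed(entries, "patient/48213")])
    print("failed logins:", len(failed_logins(entries)))
    print("eligible for purge as of", now.date(), ":", len(purge_candidates(entries, now)))
```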

Note: Your own organization is also required under HIPAA to keep logs of Risk Assessments and Analyses, Authorizations for the Disclosure of PHI, Disaster Recovery and Contingency Plans, Information Security and Privacy Policies, Employee Sanction Policies, Incident and Breach Notification Documentation, and more. Be sure to review and comply with HIPAA regulations on log keeping. 

10. Strong relationships, dedicated support staff, and cost-effective solutions 

Last but not least, in addition to a robust, secure managed platform that includes all of the above, we think strong relationships are key (and we bet you do too). As critical as your environment is for being proactive and preventative in your care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. They should essentially act as an extension of your own company. 

For example, HIPAA Vault maintains a “tierless” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring – with over 90% resolution the first time you call. No phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money. 

Summary

The above essentials are an excellent summary of what you should require of a HIPAA compliant host. As part of our managed services, HIPAA Vault provides our customers with a way to independently verify that their health data is in compliance with HIPAA cloud standards. The HIPAA Vault ‘HIPAA Cloud Compliance Program’ helps organizations know that they are maintaining HIPAA compliance with their Managed Cloud Infrastructure and following a specific program of compliance that includes the above-listed requirements – including encryption, audits, system updates, and much more.

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.