The HIPAA Vault Story – Cybersecurity Career Awareness Week
By Stephen Trout, , HIPAA Blog, Resources, Security

The following was adapted from a previous interview with HIPAA Vault CEO, Gil Vidals. 

Q. Gil, tell us about your own journey with cybersecurity. How did you first get involved with secure HIPAA hosting for healthcare?

GV: Back in the 80’s, in the early days of computers, I was a junior in high school and decided I wanted to make my own computer. I ordered all the parts – it must have cost my dad around $5,000! – and we built it. What’s funny is that it took two people to carry it, and the sides were made out of pinewood. That was my first computer. 

Later, after working with Morgan Stanley and their huge mainframe computers, I became fascinated with this thing called “the internet.” In those days there was a program called Winsock. You’d get a stack of 12 diskettes from Microsoft, put them into a Hayes modem – you know, 1200 baud – and it would start beeping and buzzing, and two minutes later you’d be connected to the internet. In 1994, AltaVista was the only search engine of the day, and so that’s where you went!

So I worked with SEO for a time, until one day a client of mine called and had a need for someone to host sensitive medical data. After I got my mind wrapped around HIPAA – the administrative controls, physical safeguards, and technical safeguards involved – we eventually launched a HIPAA and medical hosting service in 2010.

Q. So what sets HIPAA Vault apart from the competition?

GV: From the beginning, we were adept at open-source and so committed to offering value in both price and customer service. For example, our competitors were offering pricing at about $1500/mo. Competition heated up and they dropped it to $1000; now we have some who are competing between $500 and $1000, but we go as low as $349/mo. 

In addition to affordability, we insisted on personalized, dedicated customer service. This is especially prized by our healthcare customers, for the following reasons: 

One, we’re not sending people to an overseas support line or telling them “I understand you’re having this issue, our engineers will look at it tonight.” The customer usually has to wait until the next day to get a support ticket – which takes forever, especially when you’re talking to a  guy on the other side of the world. You can’t do that with healthcare. So we decided to keep a “made in the USA staff” in order to be more accessible. 

And two, we committed to a 15-minute (or less) response time, with first-call resolution. To help ensure this, we decided to not have any tier-one engineers, because too many times when I would call IT support companies, I’d get stuck in “tier-one land.” They’d say, “Oh, we need to escalate it,” and it’d go round and round. So when you call us, you’re immediately talking to tier two. 

This has been very successful for us and our clients – over 90% of the time we don’t need to escalate to another engineer. They’re on the phone once, and the problem is solved. Our clients love that – they’re buying pizzas for my staff – because they can’t believe they’re getting this kind of personalized support.

Third, I really take an interest in the life of my staff, and try to help them out any way I can. We aim for a healthy, fun environment, and so many of our guys have ended up staying around for years, and they get to know the clients by name. So when our clients call they say, “Oh, hi Joe, what’s going on today?” and that gives the client a warm fuzzy feeling – “This guy knows me, I’m not just another customer” – you know, ‘What’s your account number sir’? So that’s helpful.

Q: What would you say makes a strong cybersecurity model for HIPAA?

GV: We believe in a Security Model of Continuous Improvement, where we’re never resting on our laurels or sitting around saying, “Oh yeah, we’re great here with security.’ We’re always questioning our own security, thinking about how we can improve it and what will serve the client better. Ultimately this benefits patient health, since their data is highly available and protected.   

For example, we learned early never to keep our medical data sitting in a database server at the edge of the internet, where someone has a chance to get to it. So we separated and isolated the web server and database server, essentially putting the database server in a DMZ or demilitarized zone. It’s isolated, there’s no access to a public IP, you have to have a private IP to get to it. That was better, but we still wanted more security layers. 

So next we interjected a WAF – a web application firewall – in between the standard firewall and the webserver. We put an IP Reputation appliance in there too, which is focused on looking at basically a glorified blacklist; it knows from a list of millions and millions of IPs which ones are scanning for vulnerabilities, which IPs have hackers behind them, and so on. 

Then, we add more layers from there and introduce a VPN to segregate things even further by making sure that certain ports are completely isolated from public traffic. Additional improvements were added using our “secret sauce,” which incorporated more technology and made it even more secure. 

Ultimately, the moral here is, don’t ever think you’ve obtained the Holy Grail of security – you never really can – but you keep evolving in order to stay ahead of the bad guys. You keep listening to your staff, and those guys on the front line. They know. 

I continue to do a lot of research, attend webinars and do a lot of reading, and I’m always looking for the thing that we can test in-house, that we can bring into our company and test on a development server. Then we all meet and ask, “Hey, what do you guys think of this? Is this technology worthwhile?” So we’re constantly doing that – always R&D – and paying attention to the regulations.

That’s on our end. I always like to remind our clients that HIPAA is a business operations regulation that they must integrate into their corporate culture. It’s not just about their website. So for example:

Say your developer is working on his workstation developing your website code, and he has some patient information that he happens to pull up on his screen. He decides it’s lunchtime and he walks away and leaves his screens unlocked. Anyone walking by can peer in and say, “Hey look there’s someone’s x-ray or diagnosis right there on the screen!” That’s a big HIPAA violation. 

Your staff needs adequate training to be HIPAA aware, and you also need screen locks on workstations –  that’s basic. It’s vital to learn to recognize phishing attacks. Becoming certified can help you stay safe organizationally. 

That said, the HIPAA Vault story continues. We integrate security into all of our HIPAA-compliant solutions. From our secure hosting to compliant WordPress and email, we insist on features like access controls, two-factor authentication, and end-to-end encryption. We also utilize 24/7 scanning and blocking to add to our multi-layered security approach. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.