HIPAA Compliant Hosting Is More Complicated Than You Think
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, Resources, Security

You pride yourself on your DIY prowess: Broken toilet? “I can fix it!” Automate the house lights? “Easy!” Fix my Chromebook? “Why not?” 

“No challenge is too complex,” you say, “if you just boil it down.” 

You’d even wear the t-shirt: “Out of intense complexities, intense simplicities emerge.” – Winston Churchill 

(On the Chromebook fix, you’re glad to hear that the big Tech providers are getting into the DIY game too. Self-repair and recycling efforts – such as those offered by Google for Chromebook and Apple for Mac – are catching on).  

Still, it’s inevitable: one day, something will come along that’s bigger than you. More threatening. Potentially devastating. (Don’t believe it? Just wait.)

For Churchill – and the entire world – that was World War II. He may have “boiled things down” and responded valiantly: “We will defend our island…” – but that doesn’t mean the “getting there” part was simple. Far from it.

Indeed, the conflict was incredibly costly; a harrowing road, paved with blood and sacrifice. It required courage, faith, and far more than DIY. 

It needed allies.  

Thankfully, those allied powers did band together to “fight on the beaches… on the landing grounds… in the fields and in the streets,” vowing to “never surrender” freedom. In the end, the victory “V” sign was flashed.

Cyber War and HIPAA-Compliant Hosting

And yet, wars continue. “Every warrior’s boot rolled in blood” is destined for burning – but that day it is not yet.

In today’s world, cyber warfare has created a covert new front. Critical infrastructure has been in the crosshairs; healthcare’s sensitive data is also a prime target.

The complex question comes: how will you defend your island? Is protecting your healthcare patients as simple as a DIY solution?

The answer, as we’ll see, is “No.” Like Churchill, you’ll also need allies; cutting-edge cyber-defenses, and trained IT “boots on the ground,” in the form of a proven, HIPAA-compliant host (like HIPAA Vault).

There are at least three simple reasons for this – each with its own complexities:

1. Hackers will not rest; they continue to learn and evolve. Hackers know they can exploit healthcare (since lives depend on data integrity, and your systems need to be up and running, 24/7), so they do. They make it their aim to stay one step ahead of the security curve, in order to exploit your defenses.  

2. HIPAA-compliant hosting with data-loss protections for medical data is complex; configuring and maintaining your environment to prevail in this war takes specialized expertise. In addition, offloading this to experts to handle this for you will keep you more secure, and freer to concentrate on actually providing care! 

3. You likely have internal liabilities. Maybe it’s an untrained staff who needs cybersecurity awareness training, in order to recognize phishing attacks, etc. Or, God forbid, you may have an internal actor that knowingly or unknowingly compromises your data. 

But what constitutes effective HIPAA compliance, you wonder? 

Another complexity that will set in immediately is learning what true HIPAA compliance means. It’s not enough to find a HIPAA host and just assume that you are now compliant. Your own organization must become compliant.

So you do some digging, excited to discover that the Department of Health and Human Services (HHS, which oversees HIPAA regulations) has a document called “HIPAA Administrative Simplification” (italics added).

“Exactly what I need!” you think. Unfortunately, the simplification is 115 pages long.

Boiling that down (and this may be review for some of you), we see that HHS requires you to implement and maintain:

  1. The HIPAA Privacy Rule: 

Your patients deserve their privacy. The proper use and appropriate disclosure of electronically protected health information (ePHI) – as well as patient rights to access their data – is the focus of the Privacy Rule. 

Note that you’ll need to implement written privacy policies, provide regular HIPAA compliance training for staff, as well written notifications to patients which clarify these policies. 

  1. The HIPAA Security Rule:  

Your patients deserve effective security. The Security Rule contains regulations and safeguards for the protection of sensitive, electronically protected health information (ePHI) – without naming precise technologies since they change rapidly – for covered entities and business associates. 

Practically speaking, the HIPAA Security Rule is where the bulk of time and money will be spent. It requires three categories of safeguards to protect PHI data: Administrative, Physical, and Technical. 

Each category calls for specific requirements:

  • Administrative Safeguards are the set of policies and procedures that outline the acceptable conduct and behavior of employees interacting with PHI, as well as the security measures to prevent intentional or unintentional breaches of HIPAA regulations. This section calls for nine administrative safeguards:
  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements
  • Physical Safeguards are a set of regulations focusing on physical access to the hardware that contains PHI. The Physical Security section mandates facility access controls, workstation use, workstation security, and device and media controls.
  • Technical Safeguards refer to the technology that protects PHI and regulates access. Though certain technology is more suited to HIPAA data than others, the Security Rule does not dictate specific software solutions. 

A solution must have verifiable access controls, audit controls, integrity, authentication, and transmission security.

  1. The HIPAA Breach Notification Rule: 

Your patients need transparency; to trust that “a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.” 

OCR must be notified when PHI is breached, whether a “minor breach” that affected fewer than 500 people or a “meaningful breach” of more than 500, which are made public on OCR’s Breach Notification Portal.

  1. The HIPAA Enforcement Rule: 

Your patients need enforcement. Another lengthy HHS document, 138 pages long, boils down to stating that the Office of Civil Rights (OCR) will conduct investigations of HIPAA complaints, perform compliance reviews, provide education, and levy financial penalties. 

The OCR is also actively submitting potential criminal violations of HIPAA to the Department of Justice for enforcement of the privacy and security rules. 

  1. The HIPAA Omnibus Rule: 

Your patients need to trust that all your data-handling partners are compliant. Also part of the above HHS document, the Omnibus Rule clarifies that a “business associate” – a person or entity who performs functions or activities with protected health information on behalf of a covered entity – is “directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” 

Business Associate Agreements (BAAs) are also defined, and provisions from The Health Information Technology for Economic and Clinical Health (HITECH) Act are included. 

The above is “broad-strokes simplification” for covered entities and business associates who must meet HIPAA IT compliance requirements – and we haven’t even gotten to what’s required for HIPAA-compliant hosting of patient data. 

As you’ll see, each step will be better implemented with an actual compliance program – one that searches for potential landmines (internal and external), and strengthens the defenses.

Again, In broad strokes, here’s a checklist with some great questions from HHS to get you started. It’s a good idea to keep them handy, and refer back to them regularly: 

A HIPAA Compliance Checklist:

1. Have you conducted the following six (6) required annual Audits/Assessments?

  • Security Risk Assessment
  • Privacy Standards Audit (Not required for BAs)
  • HITECH Subtitle D Privacy Audit
  • Security Standards Audit
  • Asset and Device Audit
  • Physical Site Audit

2. Have you identified all gaps uncovered in the audits above?

3. Have you created remediation plans to address deficiencies found in all six (6) Audits?

4. Have all staff members undergone annual HIPAA training?

5. Do you have Policies and Procedures relevant to the annual HIPAA Privacy, Security,

and Breach Notification Rules?

6. Have you identified all of your vendors and Business Associates?

7. Do you have a defined process for incidents or breaches?

Five Practical Tips for Creating A Culture of Compliance

1. Make compliance plans a priority now.

2. Know your fraud and abuse risk areas.

3. Manage your financial relationships.

4. Just because your competitor is doing something doesn’t mean you can or should.

Call 1-800-HHS-TIPS to report suspect practices.

5. When in doubt, ask for help.

(Here’s a handy pdf that includes the above to keep on hand.)

Putting into practice the above rules can be complicated. Again, allies can help. For example, Compliancy Group offers an excellent platform and coaching to help you with a strategic plan to become HIPAA compliant. 

A HIPAA-Compliant Hosting Environment

All of the above is a necessary preparation for “defending your island.” Next, you need to ensure a secure, HIPAA-compliant environment is in place for hosting your protected health information.  

And maybe, here is where the DIY temptation kicks in again. “I know something about hosting,” you think. “I can set this up myself… right? 

Actually, it’s not like the traditional hosting you know. Here’s a quick sketch of the key differences:

  • Unlike traditional hosting companies, a HIPAA-compliant host will provide you with a signed, legal Business Associates Agreement (BAA), promising to protect your ePHI in accordance with HIPAA regulations.
  • A HIPAA-compliant infrastructure is specially designed and configured to preserve the confidentiality, integrity, and availability of electronically protected health information (ePHI), both in transit and at rest. 
  • A HIPAA-compliant environment will be designed with segregated web and database servers, and layers of advanced security, including access controls to your environment: unique permissions, strong passwords, and multi-factor authentication…

That’s only a start. Once you begin looking into all the security requirements and technical configurations, the DIY prospect will suddenly seem both expensive and daunting. 

Who will monitor my environment 24/7, perform security scans and updates, and arrange for backups? As a healthcare provider, you simply won’t have the expertise – let alone the time which should rightly be dedicated to your patients.

Thankfully, you remember: “no man is an island.” You do need allies – after all, that’s how the war was won. 

With that said, we believe there are at least ten essentials that you should require of a HIPAA hosting provider (and we’ll explain each):

  • A proven, HIPAA-compliant infrastructure
  • A signed Business Associate Agreement (BAA)
  • Appropriate physical and technical safeguards
  • Encryption, both in transit and in storage
  • Systems are monitored 24/7 to ensure consistent reliability and uptime
  • Regular vulnerability scans of servers and mitigation of the vulnerabilities discovered 
  • Server hardening (securing with updates and patches) 
  • Off-site backups of your data
  • Log retention of 6 years – a HIPAA mandate
  • Strong relationships, dedicated support, and cost-effective

Let’s look at what each of these essentials provides you:

1. A proven HIPAA-compliant infrastructure

A HIPAA-compliant infrastructure will possess all the controls you need in your environment to preserve the confidentiality, integrity, and availability of protected health data – both in transit and at rest. This means that the data that passes through your website portals, your network, and your database servers will have an excellent chance of being kept safe from malicious attacks. 

An experienced host with proven managed security expertise will achieve this by providing everything from access controls (unique permissions, strong password requirements, multi-factor authentication) to specially configured firewalls, transport layer security, operating system security, malware prevention, segregated web and database servers, and more. 

2. A Signed Business Associates Agreement (BAA) – 

One thing that a traditional web hosting company will NOT provide you with is a signed, legal agreement (BAA) promising to protect your medical data. The reason for this is that they don’t have the infrastructure or expertise to do so. Yet this is exactly what is required of a HIPAA host. A BAA means they understand and accept liability to protect your data; if they don’t offer this, make sure you ask for one. 

3. Appropriate physical and technical safeguards – 

In accordance with the HIPAA Security Rule, your hosting company should maintain appropriate physical safeguards to help ensure the confidentiality, integrity, and security of PHI. Ask them if they have policies and procedures in place for this. There should be safeguards to protect IT facilities [IT departments, data centers, etc.] and the equipment therein from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted area warning signs, cameras and alarms, security services, etc.

A HIPAA-compliant infrastructure must be also governed by technical controls which will authenticate user access to your hosting environment. They should have a system for developing unique user IDs and passwords, as well as procedures for login, logout, encryption/decryption, and emergencies. Once a determination is made regarding the appropriate access and permissions for your team, admins will set these unique user IDs.

4. Encryption, both in-transit and in storage – 

Sensitive medical data needs strong, end-to-end privacy protections to preserve it should it ever fall into the wrong hands. Encryption is the “standard of care” for protecting health data; it does this by replacing your data with ciphertext, making it unreadable until decrypted. HIPAA-compliant hosting ensures the encryption of data “in transit” – meaning, from the patient to the web server, and outside the hoster’s physical boundaries to the wide-area network (WAN) between data centers – and also “at rest” on their servers. The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.

5. Systems are monitored 24/7 to ensure consistent reliability and uptime – 

Another way that a HIPAA-compliant host will maintain the high availability and integrity of data is by monitoring the health of each server. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS. Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This allows them to take action proactively and keep your system available and running smoothly.

6. Regular vulnerability scans of servers and mitigation of the vulnerabilities discovered –

The HIPAA Compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it). In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure. 

7. Server hardening (securing with updates and patches) – 

Server hardening is the process of applying appropriate security measures to your servers. The HIPAA Compliant web host should harden your servers as part of their deployment process; ask them for a copy of their server hardening steps. Depending on the system involved (such as Windows or Linux) these steps may include:

  • servers housed in a secure data facility
  • removing any unnecessary programs from servers
  • establishing unique permissions and strong password policies
  • automating security patches and real-time updates
  • advanced security tools, including anti-DDoS management, custom IP Reputation, host-based and network Intrusion Detection (HIDS/NIDS), managed firewalls, and enterprise-grade monitoring 
  • creating a security banner that is displayed to the user when they log in, warning them that your server is only for authorized users. (Ask the host to show you a copy of the banner as well)

Note: When a particular server is no longer required, care should be taken to wipe its hard drives with several passes. This will help to ensure that the data cannot be read by someone else if the drives are used again. 

8. Off-site backups of your data –

Ask your HIPAA web host if they provide automatic, offsite backups and how far the backups are physically from where your servers are hosted. The backups should be geographically in a separate location – at least 50 miles away or further. This helps prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. In this way, you preserve critical data integrity and availability.

9. Log retention of 6 years (a HIPAA mandate) –

A HIPAA Compliant Host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. This is in accordance with HIPAA regulations, and the host ideally should offer a streamlined approach to gathering these logs and searching through them. These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts. 

According to regulations, these logs must be kept for a minimum of six years. It’s vital that you are able to review and have access to these logs at any time and ensure they are available for audit purposes. 

Note: Your own organization is also required under HIPAA to keep logs of Risk Assessments and Analyses, Authorizations for the Disclosure of PHI, Disaster Recovery and Contingency Plans, Information Security and Privacy Policies, Employee Sanction Policies, Incident and Breach Notification Documentation, and more. Be sure to review and comply with HIPAA regulations on log keeping. 

10. Strong relationships, dedicated support staff, and cost-effective solutions 

Last but not least, in addition to a robust, secure managed platform that includes all of the above, we think strong relationships are key (and we bet you do too). As critical as your environment is for being proactive and preventative in your care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. They should essentially act as an extension of your own company. 

For example, HIPAA Vault maintains a “tier-less” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring – with over 90% resolution the first time you call. No phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money.

Keep it Simple

Churchill was effective because he cut through the fog and held up a light. The enemy’s true colors were seen. They could not be allowed to prevail.

Protecting patients is also a noble cause; to do so, it’s important to identify and seek to thwart all enemies.  

“Complexity is your enemy. Any fool can make something complicated. It is hard to keep things simple.” (Richard Branson)

How true! Simplify your life today by choosing HIPAA-compliant hosting with HIPAA Vault!