How can you identify a HIPAA host? Usually, a host that claims to offer HIPAA compliance, but actually does not, will be missing one of the following items:
Offsite backups: The data should be on media that is rotated periodically to a second location or synced daily to another data center. Most professionals prefer daily syncing of data since the backups are continuous. If media is rotated, the backups are necessarily older.
SIEM: Keeping track of system and other logs is a requirement of HIPAA. This is the job of the Log Manager. HIPAA requires that the Log Manager (at minimum) allow the logs to be searched and handle correlation. In this context, correlation refers to the ability to find data across multiple hosts or servers.
Host Intrusion Detection: The host should have a system in place to check for common intrusion signs automatically. An example is OSSEC, a free and open-source HIDS (Host-Based Intrusion Detection System). OSSEC and similar tools check things like the Windows Registry (on Windows servers), log files for abnormalities, and signs of a rootkit, and can be configured to respond automatically.
WAF (web application firewall): The host should also have a WAF to monitor the integrity of web applications such as login and contact forms. ModSecurity is an example of a WAF. This type of program will check for peculiarities in the input/output of web applications and can be configured to block or remove suspicious code.
Two-Factor Authentication: The host must utilize 2-factor authentication. This means combining something you know (your password) with something you have (your phone). WiKID is a 2-factor authentication solution implemented by many HIPAA-compliant hosts.
HIPAA BAA: This is an agreement between a “HIPAA Covered Entity” (hospital, doctor, or insurance provider) and the Business Associate (in this case the host). Obviously, if this agreement does not fulfill certain requirements, the host is not compliant.
VAS: This is a vulnerability assessment scan. HIPAA requires that hosts undergo this type of assessment by a third party (a known firm is ControlScan) to check for common vulnerabilities.
Password Management: A HIPAA-compliant host must also have a strong password management system in place. Frequently rotated, complex passwords are specified in HIPAA and must be retained in a secure way (a plain text file or spreadsheet is absolutely unacceptable).
If you make sure to keep these factors in mind, you can be sure that you are getting a fully compliant HIPAA host, not just one that claims to be.