Since we focus so much on the healthcare industry, we regularly receive questions from HIPAA covered entities and their tech partners looking for compliant hosting services. We were recently contacted by a customer interested in encrypted storage, remote access, Web (Apache) and DB (MySQL) servers for a HIPAA-compliant report writer control system (RWCS).

Here is an excerpt of our interaction, sourced from the real transcripts. (Note: Anonymity is maintained, and any intellectual property or other sensitive details are omitted.)

Consultant:

Thank you for contacting Atlantic.Net. We need answers to the following questions in order to provide you with a formal proposal. It is possible that one of the packages on our website will meet your requirements based on the answers to our questions. In the meantime, I have attached our BAA and HIPAA audit for your review.

1 ) Do you require a Linux or Windows Platform?

2 ) How much Data Storage do you require, and will you be encrypting the data before it is stored?

3 ) How many internal users will be accessing the hosting platform?

4 ) Are you running both a Web / app server and a Database server? If you are, then HIPAA requires that they are hosted on separate servers. We accomplish this by creating separate Virtual Machines on the dedicated server.

5 ) Do you require any special software (eg, database software).

Client:

1 ) Linux

2 ) 100 GB of data storage. Files will not be encrypted prior to being written to disk.  Will an encrypted disk partition suffice in this case?

3 ) We have one administrator who would be accessing the systems directly, via command line.

4 ) We will be running both web (Apache) and DB servers (MySQL).  Separate virtual machines are fine.

5 ) No special software.  Standard Red Hat or CentOS Linux operating system, with the ability for our administrator to install software as needed.

Consultant:

You will require the SAS (FIPS) encrypted hard drives. The smallest ones are 1 TB in size and they require a RAID 1 Configuration with a hardware RAID card.

The Linux Cloud Hosting package for xxx per month that is on our website is the minimum HIPAA package we an offer. We can add some enhancements to it and still provide you with the same pricing. We will increase the RAM to 24 GB so that we have enough RAM to create the Web and DB VM’s. We will also add in cPanel w/ WHM for Linux at no extra charge to the Web VM. We can set up a Lamp Stack for you or you will have SSH access, and you install it yourself. If we install it, there is a one-time $xxx charge.

The formal pricing proposal is attached, as well as supporting documents. Here are highlights:

1 ) Fully Managed Hardware Firewall

2 ) ( 5 ) Managed “Encrypted” VPN’s

3 ) Intrusion Detection System

4 ) Fully Managed Daily Backup

5 ) Private Dedicated Server Platform

  • Linux CentOS 6.5 64-bit
  • 4 Virtual Core Processors
  • 24 GB of RAM
  • 1 TB of “Encrypted” RAID Storage
  • ( 2 ) Virtual Machines (Web and DB)

6 ) 10 TB of Monthly Data Transfer with a 100 Mbps Port

7 ) 100% Uptime SLA

8 ) cPanel w/ WHM

9 ) Trend Micro Deep Security

10 ) 24 X 7 X 365 Live Technical Support by email / chat / phone

11 ) Business Associate Agreement

12 ) HIPAA Audited Data Center with SSAE SOC 2 Certification

$ xxx per month on a 12 month agreement with no setup fee.

Client:

Thank you for the information. Just a few more questions…

1) For the VMs, what virtualization software do you use?  Can we have more VMs added to our server in the future?

2) For the Managed Firewall, what’s the typical support response time for getting firewall rules updated?  Is the “managed” firewall a HIPAA requirement, or can we self-manage?

3) For the IDS, how can we manage any exceptions that need to be considered (false positives, etc.)?

4) For the web VM, we do not require cPanel or WHM or the LAMP stack installed, just a base install of 64-bit CentOS. With that said, can we swap the cPanel/WHM add-on for a few more dedicated IP addresses?

Consultant:

Here are the answers to your questions:

1) We use KVM / Proxmox, and we will create the first 2 VM’s for you (and more if you want us to initially). We do not charge to create the VM’s at the time of the deployment, but after the deployment we charge $xxx per VM as a one-time charge. We also can hand the Hypervisor over to you, and you can create your own VM’s. If you plan on creating more VM’s we will change out the processor to an E3-1245 V2 Xeon 8-core processor and 32 GB of RAM at no extra charge. The processors we use can only hold 32 GB of RAM. The dedicated server can hold ( 2 ) more hard drives for future expansion because the RAID card is a 4-port card.

2) We can change firewall rules within 15 to 20 minutes of receiving the request, and we have 24 X 7 X 365 phone / email / chat support. The fully managed firewall is our requirement, and we will not allow customers to manage the firewalls.

3) You would work with our engineering department to manage this since the IDS is also managed by us.

4) We can do that, but the IP’s have to be justified, and I have attached the IP justification form. We can provide up to 32 IP’s but I cannot guarantee that the Justification will be approved. IPv4 IP’s are very tight.

Attached you will find an updated proposal and the IP Justification form.

Client:

We would be comfortable having full access to the Hypervisor once the two initial VMs are setup by your team.  On the IP addresses, I only need another 29.

Q: I have been with the same dedicated server provider for over 10 years, and switching to a new company will be a big move. Are there month-to-month terms or shorter (quarterly, etc…) that we could negotiate?

Consultant:

We can provide a month-to-month agreement, and the monthly pricing is $ xxx per month.

Client:

After discussions with my team, we have some modifications to our requirements for HIPAA-compliant hosting.  We will not need the self-encrypting disks as we will not be storing ePHI on the server. I will also not be storing any health information in a database. The database will only be used for user credentials.  So I would not necessarily need a separate virtual machine for the database. The server will act as an authentication point and a transit pipe for data, moving it from client to server (another server where the data will be stored at rest, not on your network).

I will still need the access control (VPN), IDS, Firewall and BAA options you proposed.  Would you mind letting me know what the pricing would be in this case?

Consultant:

The month-to-month pricing, based on your updated specs, would be $ xxx per month. You will still have the option of changing to the 12-month pricing at a future date.

Getting Your Questions Answered

Is your business in the healthcare industry? We know that finding a strong, truly 100% compliant host can be a huge headache. As you can see above, we can work with you to build a system with the technical requirements for a HIPAA-compliant server you need. Our extensive, state-of-the-art healthcare infrastructure has been comprehensively audited by a fully accredited independent third party.    We offer reliable SSD Cloud Servers with 100 percent uptime guarantee.