Managed Services

What is HIPAA Hosting and why do I need it?

Economy-class hosting vs. first-class HIPAA hosting

A hard fact of the Internet is that you need machines to be part of it – either on your own or as a service. If you are in the healthcare field and don’t want to set up servers for your website or other services in your own datacenter, you need HIPAA hosting.

All hosting is not created equal. Because there is a disparity of security and other checks and balances from one system to another, standards were created to guide oversight of infrastructure and maintain proper protection of patient data. Those standards were developed by the US Health and Human Services Department (HHS), as directed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Hence, beyond simple web hosting, anyone who is aiming to secure healthcare records needs HIPAA compliant hosting, sometimes called simply HIPAA hosting.

“HIPAA recognizes all health care providers and their business associates as covered entities (CEs) and makes them responsible to safeguard the privacy and security of identifying information.” “Some CEs, particularly smaller sized CEs, don’t have the resources necessary to implement a system to handle and safeguard health data on their own, so they rely upon the services of HIPAA hosting.”

Jacco Blankenspoor of HIPAA HQ[i]

Any hosting provider can offer a service that is HIPAA compliant as determined by its own understanding of the healthcare law; in other words, there is no official federal certification process for these business associates. The vetting of the quality of HIPAA infrastructure that backs any hosted services must be determined by the healthcare covered entities that use their services.

The government also doesn’t recognize any third-party certification bodies. That allows free competition in developing credibility and proving it through legitimate independent parties. However, it also means it’s your responsibility to know the quality of the certification body and what exactly is included in their auditing process.

HIPAA final rule reshuffles the deck

Given those challenges, there is a positive for covered entities: Business associates (BAs) are now responsible for data in the same manner as covered entities (healthcare providers, plans, and data clearinghouses) are – after implementation of the Omnibus HIPAA Final Rule (often called just the Final Rule or Omnibus Rule; activated March 26, 2013).

Following passage of the rule, business associates “are liable for PHI uses and disclosures and HIPAA Security Rule compliance.” “Additionally, BAs with their subcontractors, while BAs – not covered entities – are also now responsible for responding to any noncompliant subcontractors.”

Elizabeth Snell of HealthIT Security[ii]

Health and Human Services additionally created a process through which randomly chosen covered entities would be audited for adherence to the all-important Security, Privacy, and Breach Notification Rules.

HIPAA & HITECH

HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) was an effort to keep the transition to digital health data as safe as possible. While HITECH describes how electronic health records can be shared, HIPAA assigns responsibility for data security to any organization or individual that accesses and uses electronic protected health information (ePHI).

Specific security methods are at your discretion, though, to an extent. “[T]he HHS allows entities to implement their own chosen methods,” said Blankenspoor. “However, there are best practices used in the industry that the HHS would expect entities to make use of, or show that they are able to implement a comparable or better system.”

What are examples of covered entities & business associates?

The term covered entity specifically includes all healthcare providers, plans, and data clearinghouses operating in the United States. Like their business associates – contracted through a business associate agreement, per HIPAA – covered entities have to independently meet all compliance rules.

Essentially, the covered entities are healthcare companies and agencies that are more directly healthcare-related. What are business associates? HIPAA hosting providers are one example. Others include medical billing services and shredding companies.

Jail possible for HIPAA violations

Like anything in business, a company might look at HIPAA and decide they are not going to invest in meeting its guidelines. Within the law, that refusal to comply is called willful neglect. Fines for this violation are $10,000-$50,000. The total a single company can be fined per year is $1.5 million. It’s also possible to be sentenced to jail time for willful neglect of HIPAA that results in sensitive data being exposed.

Top 10 HIPAA Fines by Settlement


Neglect isn’t always considered willful. It is sometimes categorized as reasonable cause. In these situations, 500 or more individual pieces of medical data have become exposed – resulting in $100-$50,000 fines for each violation. Note that these types of violations are never accompanied by jail time.

The HHS audit program

The random audits began with a pilot program that included 113 companies and other organizations. This pilot process allowed Health and Human Services to better understand best practices both for compliance and for non-compliance (i.e. how they should respond to violations).

“[Atlantic.Net’s] financial strength and proven track record are something we view with great confidence.”

Joseph Nompleggi, Vice President, Complete Healthcare Solutions

What is the HIPAA Security Rule?

In a nutshell, the Privacy Rule safeguards electronic health records. The Security Rule, however, is the especially pertinent one to HIPAA hosting because it sets more specific expectations for health data storage and transmission – i.e., the realm of ePHI (electronic Protected Health Information).

The HIPAA Security Rule is sectioned into Administrative Safeguards, Physical Safeguards, and Technological Safeguards. It has gradually become more prominent because of adaptations in the digital world and expansion of different, newer technological methods.

“The same standards for the privacy and confidentiality of healthcare data apply to PHI and ePHI,” advised Blankenspoor, “but the processes used to keep data private are much more complex and technical for electronic data files and ePHI than they are for paper files.”

Your Free & Easy HIPAA Hosting Checklist

When you look at hosting providers, you want to know how audit-ready the host is. The first step is reviewing components of compliance with this handy 15-piece HIPAA Hosting Checklist (which covers the basics but is obviously not substantive enough for a comprehensive evaluation):

Full data security, management, and training strategies, on file
“A system of developing unique user IDs and passwords and procedures for login, logout, decryption and emergencies” (Blankenspoor)
Policies developed to control access to physical buildings and electronic systems containing PHI (protected health information)
Guidelines for how data is stored, transferred, trashed, and reimplemented
Audits and logs of system use
Rules for data transmission in all possible scenarios (email, cloud, etc.).
Quality control for all data (destroyed, changed, backed-up, etc.)
Dynamic data availability
Distinction between web, database, and production servers
Antivirus
Management of OS (operating system) patching
Private IP (internet protocol) addresses
SSL certificate encryption of all PHI
Disaster recovery and backup plans
VPNs and private firewalls.


[i] https://www.hipaahq.com/hipaa-compliant-hosting-explained/

[ii] http://healthitsecurity.com/news/breaking-down-hipaa-rules-and-regulations-the-omnibus-rule

 


The Beginner’s Guide to HIPAA Compliance

Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important to the covered entities and business associates that are expected by the federal government to follow the law. However, the requirements of HIPAA and its regulatory agency, the US Department of Health and Human Services (HHS), are not as rigid as they first may seem.

Why HIPAA?

The healthcare privacy and security law was written to encompass the broad array of organizations for which it was intended. For that reason, the HHS website notes that “there is no single standardized program that could appropriately train employees of all entities.”[i]

Nonetheless, training is a requirement of HIPAA, so it’s necessary to find a strong beginner’s guide that can be used to train your employees on the essentials of compliance. Most of what is available online through the federal government is either aggregations of disparate pieces of information or sizable PDFs, such as the Guide to Privacy and Security of Electronic Health Information[ii] – created by the Office of the National Coordinator for Health Information Technology (ONC). The former is a bit disorganized. While the latter can be great as course material, its 60+ pages are overkill for the purpose of an initial overview.

Read More


Fault Tolerance with Linux High Availability


IT downtime is expensive for any business.  Gartner[I] estimates that each minute of downtime costs $5,600 on average, with true costs depending on the vertical, the size of the company, and other factors.  The cost can be largely avoided, however, with systems designed for high availability and fault tolerance.

Definition: High Availability
Oracle[II] defines high availability as “computing environments configured to provide nearly full-time availability.”  A commonly held standard for high availability is “five nines,” or 99.999 percent uptime.

Not all service providers are able to meet this robust standard, which makes just over 5 minutes of downtime per year permissible.

For organizations that would approach the average downtime cost, achieving even higher availability than “five nines” is important to profitability, and even survival. Atlantic.net offers an industry-leading 100 percent network uptime guarantee, in part by leveraging Linux High Availability (Linux-HA).

Read More


HIPAA-Compliant Hosting Requirements Checklist

The core considerations of HIPAA for any companies working with electronic medical records are privacy and security. The HIPAA Privacy Rule and Security Rule are what you need to be concerned with if you are getting certified (unless you are a health insurance company or similarly provide healthcare plans), and they are the same HIPAA-Compliant hosting requirements you should consider in a web hosting company.

Below is 8-part checklist of HIPAA-Compliant hosting requirements. Despite being simple, it covers all the standard bases with enough detail for a general picture of what you need. Here are the nine elements you need for a HIPAA-Compliant hosting environment:

Read More


Can I be HIPAA-Compliant in a Cloud Hosting Environment?

The number of organizations adopting virtualized environments continues to grow in many industries, including health care[I]. Virtualization enables network flexibility that most healthcare organizations could benefit from, but many are held back by a lack of clarity about what virtualization is, and how it relates to compliance.

A virtual environment is one in which a software layer, called a “hypervisor,” has been added to a physical server.  An operating system can then be loaded onto the hypervisor layer to create a “virtual machine” (VM), which is a software-defined server, and as such can do some things not possible with physical, hardware-dependent servers.  The hypervisor layer can determine the precise size and location of the server VMs or “instances” loaded onto it since it provides separation from the physical limitations of each piece of hardware.  As we will explore below, this can benefit organizations through increased agility and automation.

HIPAA compliance can be particularly scary for organizations, due to the implications of a breach of security inherent in health care, the complexity of the regulations, and the severity of potential fines.  Timely access to medical information can be a matter of life and death, but ensuring that information is accessible, portable, and renewable only covers Title I of the Act.  Title II, covering health care fraud and abuse, along with the enforcement-strengthening HITECH Act[II], imposes security and privacy rules on health care providers and the companies that support them. Compliance failures can result in fines of up to $1.5 million[III], and data breaches, which are increasingly common in healthcare[IV], can be even more expensive, particularly when reputational harm is considered.

Fortunately, virtualized environments can not only be HIPAA-Compliant quickly but can make compliance easier.

Read More


What is a VPN and do I need one? Find out!

As we continue to rely more on technology, keeping our information safe is becoming increasingly difficult. With Wi-Fi being the standard form of network communication for most business professionals who are on the go, the need for secure data transmission has become even greater.  Public Wi-Fi locations like coffee shops, the airport, and even your home and office are not safe when sending and receiving data. According to idtheftcenter.org[i], in 2015 alone there were over 177 million cases of identity theft reported.

How do hackers access my data?

The two most popular ways of someone accessing your data over Wi-Fi are sniffing and rogue access points[ii].) Sniffing is when another user nearby captures the data your computer transmits over Wi-Fi, and then reassembles it to look for passwords or other unencrypted account information. The aptly named rogue access point is where someone will create a Wi-Fi hotspot that appears to be legitimate, like “Free Starbucks Wi-Fi,” or “Airport Public Wi-Fi,” and then waits for users to connect to it. Once the user is attached to the hacker’s hotspot, the users’ data transmission is all captured on the hacker’s machine. The hacker can then use specialized programs to reassemble the packet capture to reveal what the user(s) was looking at and if any sensitive information or passwords were used. One of the most effective solutions is to encrypt the traffic going between your infrastructure and your home computer/laptop, which is why VPNs were developed.

Read More


You Should Be Using RAID 10 to Safeguard Your Data

Utilization of RAID 10 in a server provides an increase of disk capabilities while simultaneously providing redundancy and preventing system failure.

What is RAID?

RAID is an acronym that stands for Redundant Array of Independent Disks or Redundant Array of Inexpensive Disks, depending on what specialist you ask. The term “independent” is arguably more appropriate, as RAID arrays may sometimes be made with extremely expensive disks.

In layman’s terms, RAID is a method of configuring two or more hard drives to work as a single unit with differing levels of redundancy and allowing better fault tolerance. “A fault-tolerant design enables a system to continue its intended operation, possibly at a reduced level, rather than failing completely, when some part of the system fails.”[i]

Read More


Ransomware: Malware That Makes You Pay

ransomware-title

What is ransomware?

One of the fastest and most damaging cyber security threats falls under a category called “ransomware.” Ransomware is malicious code that encrypts all the user’s files and is usually downloaded unknowingly. This type of malware gets its name from what it does when a user tries to open an infected file: it prompts the user to pay a ‘ransom’ within a timeframe to receive a decryption key, which would then allow you to decrypt your files.[1] Even if you choose to pay the ransom, there is no guarantee you will gain access to your data. In this article, we will explain steps you can take to protect and secure your environment.

The numbers

Ransomware is a real threat to any business that allows user access, as it depends on users to spread it. Different industries also have different risks, with healthcare usually opting to pay the ransom to protect patient data, while the education industry has the highest rate of infection.  Other lucrative targets include classified documents, financial documents, and intellectual property[2]. With names like Telecrypt, iRansom, FSociety, and CryptoLuck, the goal of ransomware is all the same for their creators: making money. According to Lavasoft, the CryptoWall 3 ransomware cost users $325 million just in 2015 alone.[3] As ransomware grows and evolves, they become even more costly. At the end of 2016, one of the most harmful ransomware is named “Cerber.” Not only does it lock your files from being accessed, but recent variations have incorporated the stealing of personal information and scripts that cause your machine to target other servers.[4]

Source: https://info.bitsighttech.com/bitsight-insights-ransomware Source: https://info.bitsighttech.com/bitsight-insights-ransomware

Read More


Intrusion Detection Systems Confront Cyber Security & Cyber Crime Risks

Responsible businesses with sensitive data know they need a firewall to control traffic and secure their networks. What seems less well known, however, is the role that complementary technologies play in a comprehensive approach to cybersecurity.  An Intrusion Detection System (IDS) enables organizations to take a proactive security stance, which is why Atlantic.Net offers one for its security-conscious customers.

Amid all the headline-grabbing data breaches of the past year, the vulnerability of companies in industries like health care may be overlooked.  Data breaches began costing healthcare firms over $5.5 billion annually shortly after HIPAA became law, according to the Ponemon Institute.

Once online criminals have found a profitable target, they tend to return to it with ever more sophisticated attacks.  A report recently indicated that over 75 percent of the healthcare industry had been infected with malware in the past year, and noted that a shocking majority of ransomware targets medical treatment centers.

Cliches like the typical hacker being a teenager living in his or her parent’s basement are persistent, and harmful because they misrepresent the situation to the potential victims of hacking.  The numbers clearly show that hacking is now predominantly committed by sophisticated criminal organizations. Utilizing an IDS is a proactive approach to meeting that threat.

An Intrusion Detection System, or IDS, is a software application that monitors the network and hosting environment and analyzes activity on it.  Any activity which is considered unusual is ranked according to how high risk it is considered based on information from global threat databases.

Read More


HIPPA Compliant Hosting Hangout with Gabriel Murphy

The hack of Anthem, the second largest health insurer in the United States, cast a huge spotlight on the protection of electronic medical records. Announced in February 2015, the breach compromised 78.8 million user accounts, all of which were stored unencrypted.

To put that number into perspective, the largest breach of 2014 (which, like Anthem, is widely believed to be the work of security researchers sponsored by the Chinese government) was that of Community Health Systems in Tennessee, an incident in which “only” 4.5 million patients were affected.

Although experts and consumers are concerned that health data should always be encrypted, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not explicitly require encryption. That is the topic of an article by Elizabeth Snell for HealthIT Security: “Should HIPAA Regulations Require Data Encryption?”

Snell argues that while insurers and other healthcare entities do not legally have to encrypt, “this does not mean that facilities can simply ignore this particular security measure because they find it time consuming or costly.” She details how legislators around the United States are working to pass measures so that encryption is no longer optional.

We explored the topic of HIPAA compliance in the first episode of our Google Hangout on Air (HOA) series (see the video above). The HOA featured Internet entrepreneur and development technologist Gabriel C. Murphy, who has cofounded four Internet companies and been a thought leader in the hosting industry since 1997.

Atlantic.Net is an industry leader in HIPPA Compliant Hosting with a full array of VPS Cloud Servers ready to deploy in under 30 seconds.