So you need HIPAA-compliant hosting, and you want to know what the basics to get started are. Before we delve into the details, it helps to know the different types of companies that are concerned with HIPAA, in order to understand your relationship with the hosting provider.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines two different types of organizations that must meet its parameters: covered entities and business associates. However, there is now a third type of organization that falls under HIPAA rules. Here is basic descriptive information for these categories from the National Institutes of Health (NIH)[i]:
Covered entity – A health plan, healthcare provider, or healthcare data clearinghouse that transmits health information.
Business associate – A person or organization that carries out tasks for a covered entity involving processing or storage of protected health information (PHI).
Hybrid entity – A covered entity that conducts a combination of business tasks, some of which are related to HIPAA-protected data and some of which are not.
When you are looking for a HIPAA hosting provider, that could mean you fall into any of the above three categories, since all must be compliant (following release of the Omnibus HIPAA Final Rule[ii] on January 17, 2013). The hosting provider itself, to be clear, is a business associate, because it is a third-party company contracted by clients that must safeguard PHI.
What exactly are the basics you need for HIPAA hosting, though? Here are the key pieces:
Business associate agreement (BAA)
The first thing you need to make sure you have when you seek a HIPAA host is a business associate agreement. Here are the basic elements (broadly speaking) of a BAA, which help to delineate the responsibilities of the party within the contract:
Role of the business associate – The BAA should specifically state how the third-party will use the PHI, and/or how it will be disclosed.
Limitations – The agreement should further state that the third party will not use or disclose data in any other manner than that which is described.
Security expectations – Finally, it’s important for the contract to note that the business associate will implement and maintain comprehensive security mechanisms and processes so that use or disclosure to unauthorized entities does not occur.
Fully managed firewall
The HIPAA requirements are specific about the need to protect data but do not mention firewalls by name (see HIPAA §164.312) [iii]. Even so, it is reasonably understood within the guidelines that if the entity is web-connected, it will have host-based software firewalls and a physical network firewall in place.
The reason it is specifically important that a firewall is “fully managed” is that the implementation, monitoring, rule updates, and other firewall tasks are carried out entirely by the business associate, i.e. the hosting provider.
Intrusion detection system
Another important component of a HIPAA hosting environment is an intrusion detection system (IDS). The concept of this security mechanism is relatively simple: monitor all traffic that enters and leaves a system, looking for any patterns that might point to efforts to compromise the network.
Many people get confused about the roles of a firewall and an IDS. How exactly are they different? A firewall is essentially a barrier placed at the perimeter, i.e. between networks, and it will not look for unusual activity within the system. An IDS, on the other hand, reviews possible breaches after they occur and sounds an alarm; additionally, it scans for malicious activity that starts internally.
There are various types of intrusion detection system, much as there are different types of firewall. Common ways of classifying them include network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), signature-based, anomaly-based, passive IDS, and reactive IDS.
The central challenge of the Internet is that you want to make services available, but every service you expose creates the potential for vulnerabilities. For instance, you might have to allow access to port 80 to serve a website or port 21 for FTP file server hosting:
“Each of these holes may be necessary from one standpoint, but they also represent possible vectors for malicious traffic to enter your network rather than being blocked by the firewall.”
Because of this challenge, the IDS plays a critical role.
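The two detection styles named above, anomaly-based and signature-based, are easiest to understand in code. The following is an added example written for this article, not software from Atlantic.Net or any IDS product: it runs both styles over constructed sensor data (documentation IP ranges, invented request paths) and assumes a very small rule set that no real NIDS would limit itself to. The anomaly detector flags a source that touches many distinct ports in a short window; the signature matcher compares each web request against literal patterns.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FlowRecord is one connection attempt as a network sensor would record it.
type FlowRecord struct {
	Second  int // seconds since the start of the capture
	SrcIP   string
	DstIP   string
	DstPort int
}

// HTTPRequest is one application-layer request taken from the web server log.
type HTTPRequest struct {
	SrcIP, Method, Path string
}

// Alert is what the detector hands to the operations team.
type Alert struct {
	Kind, SrcIP, Detail string
}

// DetectPortScans is anomaly-based: it flags any source that touches more than
// maxPorts distinct destination ports inside a window of windowSeconds. No
// signature is involved; the behaviour itself is outside the norm.
func DetectPortScans(records []FlowRecord, windowSeconds, maxPorts int) []Alert {
	bySrc := map[string][]FlowRecord{}
	for _, r := range records {
		bySrc[r.SrcIP] = append(bySrc[r.SrcIP], r)
	}
	srcs := make([]string, 0, len(bySrc))
	for s := range bySrc {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs) // deterministic alert order
	var alerts []Alert
	for _, src := range srcs {
		rs := bySrc[src]
		sort.Slice(rs, func(i, j int) bool { return rs[i].Second < rs[j].Second })
		for i := range rs {
			ports := map[int]bool{}
			for j := i; j < len(rs) && rs[j].Second-rs[i].Second <= windowSeconds; j++ {
				ports[rs[j].DstPort] = true
			}
			if len(ports) > maxPorts {
				detail := fmt.Sprintf("%d distinct ports within %d s", len(ports), windowSeconds)
				alerts = append(alerts, Alert{"port-scan", src, detail})
				break // one alert per source is enough
			}
		}
	}
	return alerts
}

// signatures is a tiny signature-based rule set (constructed for this example):
// a literal pattern and a name, the way a NIDS rule carries them.
var signatures = []struct{ Name, Pattern string }{
	{"path-traversal-attempt", "../"},
	{"null-byte-in-path", "%00"},
}

// MatchSignatures is signature-based: every request is compared against the
// rule set and a hit raises an alert regardless of how often it occurs.
func MatchSignatures(reqs []HTTPRequest) []Alert {
	var alerts []Alert
	for _, r := range reqs {
		for _, s := range signatures {
			if strings.Contains(r.Path, s.Pattern) {
				alerts = append(alerts, Alert{s.Name, r.SrcIP, r.Method + " " + r.Path})
			}
		}
	}
	return alerts
}

// SampleFlows is constructed sensor data: one source sweeps eight ports in
// eight seconds, the other two sources behave like ordinary clients.
func SampleFlows() []FlowRecord {
	var flows []FlowRecord
	for i, p := range []int{21, 22, 23, 25, 80, 443, 3306, 8080} {
		flows = append(flows, FlowRecord{i + 1, "203.0.113.7", "192.0.2.10", p})
	}
	for _, s := range []int{2, 30, 61} {
		flows = append(flows, FlowRecord{s, "198.51.100.4", "192.0.2.10", 443})
	}
	flows = append(flows, FlowRecord{5, "192.0.2.9", "192.0.2.10", 80})
	flows = append(flows, FlowRecord{6, "192.0.2.9", "192.0.2.10", 443})
	return flows
}

// SampleRequests is constructed web-server data with one traversal attempt.
func SampleRequests() []HTTPRequest {
	return []HTTPRequest{
		{"198.51.100.4", "GET", "/patients/1001"},
		{"203.0.113.7", "GET", "/static/../../config"},
		{"192.0.2.9", "POST", "/login"},
	}
}

func main() {
	alerts := append(DetectPortScans(SampleFlows(), 10, 5), MatchSignatures(SampleRequests())...)
	for _, a := range alerts {
		fmt.Printf("ALERT %-24s src=%-14s %s\n", a.Kind, a.SrcIP, a.Detail)
	}
}
```

Running it prints one port-scan alert for 203.0.113.7 and one path-traversal alert for the same source; the thresholds (10 seconds, 5 ports) are the tuning knobs a managed IDS service adjusts to the customer's normal traffic, which is why the text stresses that the component is managed rather than merely installed.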
Fully managed security layers
Another key element of HIPAA hosting, broadly speaking, is the oversight of security throughout all layers. In fulfilling these data protection responsibilities on your behalf, the host is acting as a managed security service provider (MSSP). The MSSP is contracted to watch and control certain security mechanisms and processes – at all layers, in the case of truly compliant HIPAA hosting.[v]
You also want a business-class anti-malware solution. What exactly does this software involve? These tools are built to safeguard a system and keep unauthorized parties away from data that is sent or received over a network or held in local storage.
For HIPAA hosting that’s truly compliant and addressing all possible sources of risk, you want numerous capabilities in defending against malware. Your anti-malware resources should feature an advanced antivirus system, as well as protection specifically designed to stop phishing and spyware. These services incorporate monitoring as well as continually evolving tactics to find Trojans, worms, rootkits, and any other malware.
Vulnerability scanning assesses possible vulnerabilities that could be used for attacks on the network, so that any gaps in the defenses can be fixed. It is a form of self-review – looking very carefully at a system to objectively identify weaknesses.
The program looks at specific attributes of the target attack surface while referencing a database of security issues that have been found in certain ports and services, packet anomalies, and possible paths for exploits by script or malware.
VPN, encrypted backup & storage
The US Department of Health and Human Services (HHS) has stated, “A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”[vi] In order for those technologies to truly be safe, a primary method to protect data is through encryption – for storage, backups, and in transit.
One aspect of encryption is a VPN. In a VPN, data flows through an encrypted tunnel, set up with public-key or symmetric-key cryptography, and the information is encrypted at one end and decrypted at the other.
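Encryption for storage and backups is the part of this section you can test directly. The following is an added example, not code from Atlantic.Net or from any backup product: it seals a constructed archive with AES-256-GCM from Go's standard library and then shows the two failure modes a backup must detect, a corrupted archive and the wrong key. The key handling is an assumption of the example (keys are generated in memory); in practice the key lives in a key management system, separate from the backup media.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptBackup seals an archive with AES-256-GCM. A fresh random nonce is
// prepended to the output; GCM's authentication tag makes the archive
// tamper-evident as well as confidential. key must be exactly 32 bytes.
func EncryptBackup(key, archive []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, archive, nil), nil
}

// DecryptBackup opens a sealed archive. Any change to the ciphertext, and any
// attempt with the wrong key, fails authentication and returns an error
// rather than silently restoring corrupted data.
func DecryptBackup(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed archive is too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// BackupResult summarises a round trip so the outcome can be checked.
type BackupResult struct {
	Restored         bool // decrypting with the right key returned the original
	TamperDetected   bool // a single flipped ciphertext bit was rejected
	WrongKeyRejected bool // decrypting with another key was rejected
}

// RunBackupDemo encrypts an archive, restores it, then exercises the two
// failure modes that matter for a backup: corruption and the wrong key.
func RunBackupDemo(key, wrongKey, archive []byte) (BackupResult, error) {
	var res BackupResult
	sealed, err := EncryptBackup(key, archive)
	if err != nil {
		return res, err
	}
	restored, err := DecryptBackup(key, sealed)
	res.Restored = err == nil && bytes.Equal(restored, archive)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the authentication tag
	_, err = DecryptBackup(key, tampered)
	res.TamperDetected = err != nil

	_, err = DecryptBackup(wrongKey, sealed)
	res.WrongKeyRejected = err != nil
	return res, nil
}

func main() {
	key := make([]byte, 32)
	wrong := make([]byte, 32)
	for _, k := range [][]byte{key, wrong} {
		if _, err := io.ReadFull(rand.Reader, k); err != nil {
			panic(err)
		}
	}
	// Constructed archive contents; no real PHI.
	archive := []byte("constructed archive: patient 1001, visit 2024-05-01, notes ...")
	res, err := RunBackupDemo(key, wrong, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored=%v tamperDetected=%v wrongKeyRejected=%v\n",
		res.Restored, res.TamperDetected, res.WrongKeyRejected)
}
```

The design point is the authenticated mode: a plain block cipher would "decrypt" a corrupted archive into garbage without complaint, whereas GCM refuses, so a restore either yields the exact bytes that were backed up or fails loudly.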
Log management system
Log management, at its basic level, is the organized, ongoing collection and processing of information from a specific system. Log management is critical to HIPAA because it lets you be sure exactly what is happening, as well as which users are doing what.
In terms of the needs your company will have as you grow and develop, the first concern is that you are getting high-quality, consistently impeccable help and advice. When there is trust that your host will be available to meet your needs 24/7, you know that you can get the support you need on an interpersonal level, as well as the support your network must have to maintain high availability.
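"Which users are doing what" is only trustworthy if the log itself cannot be quietly edited. The following is an added example, not Atlantic.Net's log management system: it keeps a constructed PHI-access audit log as a hash chain, reports per-user activity, and shows that altering or removing an entry after the fact is detectable. The event fields and user names are invented for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// AuditEvent is one PHI-access record. Every field here is constructed for
// the example; a real system would also carry source address, outcome, etc.
type AuditEvent struct {
	Time     string
	User     string
	Action   string // view, update, export
	RecordID string
	PrevHash string // hash of the previous event; links the chain
	Hash     string // hash of this event, including PrevHash
}

// eventDigest hashes the event fields with length prefixes so that two
// different field layouts can never produce the same byte stream.
func eventDigest(e AuditEvent) string {
	h := sha256.New()
	for _, f := range []string{e.Time, e.User, e.Action, e.RecordID, e.PrevHash} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AppendEvent adds an event to the log, chaining it to the previous entry.
func AppendEvent(events []AuditEvent, t, user, action, record string) []AuditEvent {
	prev := "genesis"
	if len(events) > 0 {
		prev = events[len(events)-1].Hash
	}
	e := AuditEvent{Time: t, User: user, Action: action, RecordID: record, PrevHash: prev}
	e.Hash = eventDigest(e)
	return append(events, e)
}

// VerifyChain recomputes every hash and checks every link. It returns the
// index of the first entry that was altered, or that follows a removed or
// reordered entry, or -1 when the log is intact.
func VerifyChain(events []AuditEvent) int {
	prev := "genesis"
	for i, e := range events {
		if e.PrevHash != prev || eventDigest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ActionsByUser answers "which users are doing what": a count of each action
// per user, the kind of summary a log management system reports.
func ActionsByUser(events []AuditEvent) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, e := range events {
		if out[e.User] == nil {
			out[e.User] = map[string]int{}
		}
		out[e.User][e.Action]++
	}
	return out
}

// SampleLog builds a constructed four-event log.
func SampleLog() []AuditEvent {
	var events []AuditEvent
	events = AppendEvent(events, "2024-05-01T08:00:00Z", "nurse.jdoe", "view", "REC-1001")
	events = AppendEvent(events, "2024-05-01T08:05:00Z", "nurse.jdoe", "view", "REC-1002")
	events = AppendEvent(events, "2024-05-01T09:12:00Z", "analyst.rlee", "export", "REC-1001")
	events = AppendEvent(events, "2024-05-01T09:30:00Z", "dr.asmith", "update", "REC-1002")
	return events
}

func main() {
	events := SampleLog()
	fmt.Println("first bad index (fresh log):", VerifyChain(events))
	users := ActionsByUser(events)
	names := make([]string, 0, len(users))
	for u := range users {
		names = append(names, u)
	}
	sort.Strings(names)
	for _, u := range names {
		fmt.Println(u, users[u])
	}
	// Someone rewrites the export entry after the fact; the chain exposes it.
	events[2].User = "nurse.jdoe"
	fmt.Println("first bad index (after tampering):", VerifyChain(events))
}
```

In a hosted environment the chain head (the latest hash) is what you would ship off-box or have the provider countersign, because an attacker who can edit the log file can also recompute every hash after the edited entry; the chain only proves integrity relative to a head you trust.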
Are you in need of HIPAA hosting? At Atlantic.Net, in conjunction with our SSAE 16 Type II certified data center, our BAA shows that we’re willing to go beyond the minimum standards of compliance established in HIPAA. Get a free consultation today!