Atlantic.Net Blog

Is It Possible to Protect PHI in the Cloud?

Editorial Team
by Atlantic.Net (219 posts) under HIPAA Compliant Cloud Storage


The number of organizations adopting virtualized environments continues to grow in many industries, including health care[I]. Virtualization enables network flexibility that most healthcare organizations could benefit from, but many are held back by a lack of clarity about what virtualization is and how it relates to a HIPAA cloud.

A virtual environment is one in which a software layer, called a “hypervisor,” has been added to a physical server.  An operating system can then be loaded onto the hypervisor layer to create a “virtual machine” (VM), which is a software-defined server, and as such can do some things not possible with physical, hardware-dependent servers.  The hypervisor layer can determine the precise size and location of the server VMs or “instances” loaded onto it since it provides separation from the physical limitations of each piece of hardware.  As we will explore below, this can benefit organizations through increased agility and automation.

HIPAA compliance can be particularly scary for organizations, due to the implications of a breach of security inherent in health care, the complexity of the regulations, and the severity of potential fines.  Timely access to medical information can be a matter of life and death, but ensuring that information is accessible, portable, and renewable only covers Title I of the Act.  Title II, covering health care fraud and abuse, along with the enforcement-strengthening HITECH Act[II], imposes security and privacy rules on health care providers and the companies that support them. Compliance failures can result in fines of up to $1.5 million[III], and data breaches, which are increasingly common in healthcare[IV], can be even more expensive, particularly when reputational harm is considered.

Fortunately, virtualized environments can not only be made HIPAA-compliant quickly but can also make compliance easier.

Differences between popular virtualization technologies

There are different kinds of hypervisors, and the most appropriate for any given healthcare organization depends on the organization’s needs and other IT tools.  What is common to each one is that the isolation and abstraction of the VMs they create give them robust access, security, and privacy compliance capabilities. Each VM set up by the hypervisor is self-contained, and keeps its data isolated from any other VMs and their data.  An Introduction to Virtualization[V] offered by Intel Developer Zone puts it this way:

“Virtual machines are essentially isolated from one another in the same way that two physical machines would be on the same network. A virtual machine’s running operating system has no knowledge of other virtual machines running on the same machine.”

This enables even VMs with different operating systems to run simultaneously on the same hardware.  The separation the hypervisor provides between the instance and the physical server makes the system “agile.”  It allows virtualized servers to be moved, for example, in the case of a hardware failure, which keeps whatever function is being “served” working. The hypervisor also manages the hardware resources available to it to run an organization’s VMs as efficiently as possible and to scale to maintain availability when demand on the network is high.

There are three hypervisors available to Atlantic.Net HIPAA cloud services customers: Proxmox, Hyper-V, and Cloud.


An open-source alternative based on the Linux Kernel-based Virtual Machine (KVM), Proxmox is managed with a web graphical user interface (GUI) and is known for solid performance and flexibility.  It works reliably with different operating systems and also supports different storage options[VI], including Linux containers.  Any storage type used can be accessed only through the hypervisor layer, allowing access restrictions compliant with HIPAA’s Title II and HITECH rules.


When set up in a server cluster or utilizing “shared” storage, Proxmox allows live migration of running machines.  This makes the system agile enough that maintenance or updates necessary to keep the virtual server compliant from a security perspective can be performed without downtime, preserving compliance with the availability rules of HIPAA’s Title I.  First released publicly in 2008, Proxmox is updated about every six months.  It is built to work flexibly with a variety of different products, rather than with those from a particular company such as Microsoft, as is the case with Hyper-V, which could make Proxmox a better fit for some organizations.  Proxmox sometimes requires IT teams to use the command line, which may not be ideal for some.


Microsoft’s Hyper-V is designed for Windows servers and desktops, making it a popular choice for organizations that predominantly use Windows.  Unlike Proxmox, Hyper-V uses proprietary storage technologies[VII].  The separation and control of access through the hypervisor layer are very similar, however, as is support for live migration.  As with Proxmox, this keeps data in a securely isolated environment to maintain compliance with rules for fraud, abuse, and privacy, while also enabling the constant access and portability that HIPAA compliant cloud computing requires.

Hyper-V includes “dynamic memory management,” a feature making it easy to scale up the number of virtual machines in use.  It also features Windows Active Directory for security and access management.  Organizations considering Hyper-V should be aware that it tends to work best with the latest version of Windows, though it also works with other operating systems, including Linux and FreeBSD[VIII].  Hyper-V was originally launched with Windows Server 2008, and Microsoft maintains it with frequent updates.


Atlantic.Net’s HIPAA Cloud environment is based on Linux KVM, much like Proxmox.  Data is therefore isolated in the same way, on an abstracted hardware layer available only via the hypervisor.

Cloud environments give customers fine-grained control, letting them pay only for the resources they use and scale up those resources to meet increases in demand.  They are, therefore, an efficient and economical solution for organizations with high variations in IT workload.  Atlantic.Net launched its first cloud servers in 2010 and has been steadily expanding the service since.

Software Secures Borders, Physical or Virtual

Just as the software borders between VMs are like the hardware boundaries between physical machines, the tools that secure a network against malicious traffic are similar.  Traffic should be controlled with a firewall, all the elements of the site should be secured with two-factor authentication, and off-site backups must be maintained to meet the Title I standard of accessibility.  Those and all of the other necessary features for HIPAA compliance in a server[IX] can be met with the appropriate implementation of any virtual environment from Atlantic.Net.


Regularly scheduled, automated backups are available or included with all Atlantic.Net virtualized HIPAA cloud environments, making continuous compliance not only possible but easier.  Healthcare organizations can also provide auditors with automatically generated logs of network traffic created by either KVM or Hyper-V, easily demonstrating the security and privacy necessary for Title II and HITECH compliance in HIPAA compliant cloud computing.

Every healthcare organization needs to follow security and compliance best practices, and partner with an IT provider they can trust to deliver compliant services, regardless of the network environment.  Fortunately, this means the flexibility, logging, automated backups, and other features of virtualized environments are an option for all.

If your organization has avoided or delayed moving HIPAA workloads to a virtualized environment out of compliance concerns, it is likely worth reconsidering the option. Contact our knowledgeable sales team today by phone at 1.800.521.5881 or email [email protected] for information about HIPAA cloud storage services, including our HIPAA Cloud and Managed Cloud solutions!








