Atlantic.Net Blog

Best Practice for Creating a HIPAA-Compliant LEMP Stack

A LEMP stack is a collection of applications that work seamlessly together to create a powerful open-source web server. Unlike a LAMP Stack, which uses Apache, a LEMP Stack is powered by Nginx (pronounced Engine-Ex, hence the E in LEMP). 

Nginx is about 2.5x faster than Apache for high traffic websites with static content, so if you have a popular website that serves multiple concurrent connections, then Nginx is what you need. The stack is completely free, and Nginx has many additional modules built-in, including the popular reverse proxy.

Did you know?

Atlantic.Net has a 1-click application that spins up an Ubuntu LEMP stack in under 30 seconds.

Best Practice to Secure a HIPAA-Compliant LEMP Stack

Any LEMP stack that will host or process Protected Health Information (PHI) must adhere to the administrative, physical, and technical safeguards of HIPAA to ensure the confidentiality of data uploaded or made available through a website or application.

Did you know?

You can automatically deploy a LEMP stack on the Atlantic Cloud Platform in less than 30 seconds using our 1-Click Applications. Visit for further information.

Linux – Hardening the Operating System 

If you are a relative newcomer to Linux, Atlantic.Net recommends you let our one-click LEMP application handle the deployment for you. However, if you want to take the plunge and try it yourself, here is what you need to do:

  • Update the operating system monthly
  • Utilize the built-in hard drive encryption tools

Did you know?

Two of the best filesystem encryption tools are eCryptfs and EncFS.

Two of the best block-level (disk) encryption tools are DMCrypt and VeraCrypt.

  • Only use very strong passwords, and never reuse passwords within the LEMP stack
  • Only use sFTP encryption to transfer files to and from the webserver
  • Update file permissions so that no user can change or modify files
  • Ensure no system services or applications run as the root user

Did you know?

You can set up a cron job to chownand chmodfiles every night as a scheduled task. This helps with preventing user error and correcting careless mistakes when updating web server files.

Nginx Best-Practice Tips

  • Ensure Nginx is updated regularly
  • Obfuscate Nginx server information from the public

Did you know?

You can mask server information on Nginx by adding this to the Nginx.conf file:

server_tokens off;

  • Enforce HTTP Strict Transport Security (HSTS on TLS) to add a layer of encryption in communications

Did you know?

Enforcing HTTP Strict Transport Security means using HTTPS. You can enforce it by adding this to your ssl.conf:

add_header Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”;

  • Disable deprecated SSL standards and weak cipher suites
  • Disable unwanted modules to reduce the attack surface
  • Enforce cross-site scripting (XSS) protection

Did you know?

XSS protection can be implemented by updating your ssl.conf file

add_header X-XSS-Protection “1; mode=block”;

MySQL Best Practice

The database is where many users will save protected health information. There are strict regulatory compliance rules regarding the masking and de-identification of data, as well as encryption.

  • Invoke MySQL Enterprise Data Masking and De-identification routines

Did you know?

A server-side plugin called data_masking can manage a SQL-Level API to perform masking and de-identification tasks on your data when it is used by an application.

  • Data must be encrypted at rest

Did you know?

Purekit for MariaDB is perfect for encrypting data at rest; it uses record layer encryption of the database, per-user encryption, and a zero-trust KMS.

  • Enable SELinux for mandatory access controls to protect the MySQL daemon
  • Implement MySQL plugins to authenticate users and restrict access by user, password, and approved IP address
  • Enable MySQL Enterprise Audit plugin to enable standard, policy-based monitoring and logging of connection and query activity executed on the 8MySQL servers

PHP Best Practice

PHP is a popular programming language used by websites to display enhanced content. PHP can either run as an Apache plugin or as a standalone CGI binary. No HIPAA legislation relates directly to PHP; instead, PHP must adhere to access and transmission security, and the browser connections must be secure.

  • Ensure PHP is kept up-to-date
  • Use PHP to hash and verify all passwords entered by users; BCrypt is included with PHP 7 onwards

Did you know?

Passwords can be hashed using the password_hash PHP function.

  • Use PHP to enforce a user registration system and prevent access to unauthorized users
  • Use PHP to protect against Cross-site scripting (XSS) and Request Forgery XSFR

Did you know?

You can protect against XSS and XSFR by sanitizing data input. The htmlspecialchars() and htmlentities functions prevent special characters that can hijack PHP code.

Ready to get started with setting up a HIPAA-Compliant LEMP Stack? Choose Atlantic.Net for a one-click LEMP installation that will set you well on your way to a HIPAA-Compliant LEMP Server – get started today!

Get a $250 Credit and Access to Our Free Tier!

Free Tier includes:
G3.2GB Cloud VPS a Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year