So you need HIPAA-compliant hosting, and you want to know what the basics to get started are. Before we delve into the details, it helps to know the different types of companies that are concerned with HIPAA, in order to understand your relationship with the hosting provider.

 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines two different types of organizations that must meet its parameters: covered entities and business associates. However, there is now a third type of organization that falls under HIPAA rules. Here is basic descriptive information for these categories from the National Institutes of Health (NIH)[i]:

Covered Entity
A health plan, healthcare provider, or healthcare data clearinghouse that transmits health information.
Business Associate
A person or organization that carries out tasks for a covered entity involving processing or storage of protected health information (PHI).
Hybrid Entity
A covered entity that conducts a combination of business tasks, some of which are related to HIPAA-protected data and some of which are not.

When you are looking for a HIPAA hosting provider, that could mean you fall into any of the above three categories, since all must be compliant (following release of the Omnibus HIPAA Final Rule[ii] on January 17, 2013). The hosting provider itself, to be clear, is a business associate, because it is a third-party company contracted by clients that must safeguard PHI.

What exactly are the basics you need for HIPAA hosting, though? Here are the key pieces:

Business associate agreement (BAA)

The first thing you need to make sure you have when you seek a HIPAA host is a business associate agreement. Here are the basic elements (broadly speaking) of a BAA, which help to delineate the responsibilities of the party within the contract:

  • Role of the business associate – The BAA should specifically state how the third-party will use the PHI, and/or how it will be disclosed.
  • Limitations – The agreement should further state that the third party will not use or disclose data in any other manner than that which is described.
  • Security expectations – Finally, it’s important for the contract to note that the business associate will implement and maintain comprehensive security mechanisms and processes so that use or disclosure to unauthorized entities does not occur.

Fully managed firewall

The HIPAA requirements are specific in terms of the need to protect data but do not directly mention firewalls (see HIPAA §164.312) [iii]. Although firewalls are not mentioned by name, it is reasonably understood within the guidelines that if the entity is web-connected, it will have software firewalls and a physical firewall in place.

The reason it is specifically important that a firewall is “fully managed” is that the implementation, monitoring, updating, and other firewall tasks are carried out entirely by the business associate.

Intrusion detection system

Another important component of a HIPAA hosting environment is an intrusion detection system (IDS). The concept of this security mechanism is relatively simple: monitor all traffic that enters and leaves a system, looking for any patterns that might point to efforts to compromise the network.

Many people get confused about the roles of a firewall and an IDS. How exactly are they different?  A firewall is essentially a barrier that is placed at the periphery, i.e. between networks. It will not look for unusual activity within the system. On the other hand, an IDS reviews possible breaches after they occur and sounds an alarm; additionally, it scans for malicious activity that starts internally.There are various types of intrusion detection system – similarly to the variation in firewalls. Common ways in which these systems are classified include the network intrusion detection system (NIDS), host intrusion detection system (HIDS), signature based, anomaly based, passive IDS, and reactive IDS.

The central challenge of the Internet is that you want to make services available, but all activity creates the potential for vulnerabilities. For instance, you might have to allow access to port 80 to serve a website or port 21 for FTP file server hosting:

“Each of these holes may be necessary from one standpoint, but they also represent possible vectors for malicious traffic to enter your network rather than being blocked by the firewall.”

Tony Bradley, CISSP, MCSE2k, MCSA, A+[iv]

Because of this challenge, the IDS plays a critical role.

Fully managed security layers

Another key element of HIPAA hosting, broadly speaking, is the oversight of security throughout all layers. In fulfilling these data protection responsibilities on your behalf, the host is acting as a managed security service provider (MSSP). The MSSP is contracted to watch and control certain security mechanisms and processes – at all layers, in the case of truly compliant HIPAA hosting.[v]

Anti-malware protection

You want to implement a business class anti-malware solution. What exactly is involved in this software? These tools are built to safeguard a system and keep unauthorized parties out of data that is sent or received by a network or contained within local storage.

For HIPAA hosting that’s truly compliant and addressing all possible sources of risk, you want numerous capabilities in defending against malware. Your anti-malware resources should feature an advanced antivirus system, as well as protection specifically designed to stop phishing and spyware. These services incorporate monitoring as well as continually evolving tactics to find Trojans, worms, rootkits, and any other malware.

Vulnerability scans

Vulnerability scanning assesses possible vulnerabilities that could be used for attacks on the network, so that any gaps in the defenses can be fixed. It is a form of self-review – looking very carefully at a system to objectively identify weaknesses.

The program looks at specific attributes of the target attack surface while referencing a database of security issues that have been found in certain ports and services, packet anomalies, and possible paths for exploits by script or malware.

VPN, encrypted backup & storage

The US Department of Health and Human Services (HHS) has stated, “A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”[vi] In order for those technologies to truly be safe, a primary method to protect data is through encryption – for storage, backups, and in transit.

One aspect of encryption is a VPN. In a VPN, you protect data flow via a public-key-encrypted or symmetric-key-encrypted tunnel – and the information is encrypted and decrypted on either side.

Log management system

Log management, at its basic level, is the organized administration and processing of information from a specific system, performed in an ongoing manner. Well, as you can imagine, log management is critical to HIPAA so that you can be sure exactly what is happening, as well as which users are doing what.

24/7 support

In terms of the needs your company will have as you grow and develop, the first concern is that you are getting high-quality, consistently impeccable help and advice. When there is trust that your host will be available to meet your needs 24/7, you both know that can get that support you need on an interpersonal level, as well as the support your network must have to maintain high-availability.

Are you in need of HIPAA hosting? At Atlantic.Net, in conjunction with our SSAE 16 Type II certified data center, our BAA shows that we’re willing to go beyond the minimum standards of compliance established in HIPAA.
Get a free consultation today!