I need HIPAA-compliant hosting. How do I get started?
So you need HIPAA-compliant hosting, and you want to know what the basics to get started are. Before we delve into the details, it helps to know the different types of companies that are concerned with HIPAA, in order to understand your relationship with the hosting provider.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines two different types of organizations that must meet its parameters: covered entities and business associates. However, there is now a third type of organization that falls under HIPAA rules. Here is basic descriptive information for these categories from the National Institutes of Health (NIH)[i]:
When you are looking for a HIPAA hosting provider, that could mean you fall into any of the above three categories, since all must be compliant (following release of the Omnibus HIPAA Final Rule[ii] on January 17, 2013). The hosting provider itself, to be clear, is a business associate, because it is a third-party company contracted by clients that must safeguard PHI.
What exactly are the basics you need for HIPAA hosting, though? Here are the key pieces:
Business associate agreement (BAA)
The first thing you need to make sure you have when you seek a HIPAA host is a business associate agreement. Here are the basic elements (broadly speaking) of a BAA, which help to delineate the responsibilities of the party within the contract:
- Role of the business associate – The BAA should specifically state how the third party will use the PHI, and/or how it will be disclosed.
- Limitations – The agreement should further state that the third party will not use or disclose data in any other manner than that which is described.
- Security expectations – Finally, it’s important for the contract to note that the business associate will implement and maintain comprehensive security mechanisms and processes so that use or disclosure to unauthorized entities does not occur.
Fully managed firewall
The HIPAA requirements are specific in terms of the need to protect data but do not directly mention firewalls (see HIPAA §164.312).[iii] Although firewalls are not mentioned by name, it is reasonably understood within the guidelines that if the entity is web-connected, it will have software firewalls and a physical firewall in place.
Intrusion detection system
Another important component of a HIPAA hosting environment is an intrusion detection system (IDS). The concept of this security mechanism is relatively simple: monitor all traffic that enters and leaves a system, looking for any patterns that might point to efforts to compromise the network.
Many people get confused about the roles of a firewall and an IDS. How exactly are they different? A firewall is essentially a barrier that is placed at the periphery, i.e., between networks. It will not look for unusual activity within the system. On the other hand, an IDS reviews possible breaches after they occur and sounds an alarm; additionally, it scans for malicious activity that starts internally. There are various types of intrusion detection system – just as there are various types of firewall. Common ways in which these systems are classified include the network intrusion detection system (NIDS), host intrusion detection system (HIDS), signature based, anomaly based, passive IDS, and reactive IDS.
The central challenge of the Internet is that you want to make services available, but all activity creates the potential for vulnerabilities. For instance, you might have to allow access to port 80 to serve a website or port 21 for FTP file server hosting:
“Each of these holes may be necessary from one standpoint, but they also represent possible vectors for malicious traffic to enter your network rather than being blocked by the firewall.”
Because of this challenge, the IDS plays a critical role.
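To make the firewall/IDS distinction concrete, here is an added example (not from the original article) that models both in Python: the firewall decides on ports alone, while the IDS inspects the traffic the firewall already let through, using one signature rule and one anomaly rule, in passive or reactive mode. The connection records, rule names and thresholds are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """One connection as a NIDS sensor would see it (constructed records)."""
    src: str
    dport: int
    payload: str


# Perimeter policy from the text: serve a website (80) and FTP (21).
ALLOWED_PORTS = {80, 21}

# Signature-based rules: known-bad patterns inside traffic on allowed ports.
SIGNATURES = {
    "http-path-traversal": re.compile(r"\.\./"),
    "ftp-anonymous-login": re.compile(r"^USER anonymous", re.M),
}


def firewall(conn):
    """The firewall only looks at the port, never at the content."""
    return "allow" if conn.dport in ALLOWED_PORTS else "drop"


def signature_ids(conn):
    """Return the names of every signature matching this connection's payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(conn.payload)]


def anomaly_ids(conns, per_src_limit=3):
    """Anomaly-based rule: sources opening more connections than the baseline."""
    counts = Counter(c.src for c in conns)
    return {src for src, n in counts.items() if n > per_src_limit}


def inspect(conns, reactive=False):
    """Firewall first, then IDS on what was allowed.

    A passive IDS only raises alerts; a reactive IDS also returns the
    sources it would block. Dropped traffic never reaches the IDS.
    """
    allowed = [c for c in conns if firewall(c) == "allow"]
    alerts = [(c.src, c.dport, sig) for c in allowed for sig in signature_ids(c)]
    alerts += [(src, None, "connection-rate-anomaly") for src in anomaly_ids(allowed)]
    block = {src for src, _, _ in alerts} if reactive else set()
    return alerts, block


# Constructed sample traffic: two web requests, one FTP login, one port the
# firewall drops, and a burst of requests from a single source.
SAMPLE = [
    Conn("203.0.113.5", 80, "GET /index.html HTTP/1.1"),
    Conn("203.0.113.5", 80, "GET /images/../../private/ HTTP/1.1"),
    Conn("198.51.100.7", 21, "USER anonymous\r\nPASS guest\r\n"),
    Conn("198.51.100.7", 3389, "..."),
] + [Conn("192.0.2.9", 80, "GET /login HTTP/1.1") for _ in range(5)]
```

Running `inspect(SAMPLE)` yields two signature alerts and one rate anomaly; with `reactive=True` the same three sources are returned for blocking.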
Fully managed security layers
Another key element of HIPAA hosting, broadly speaking, is the oversight of security throughout all layers. In fulfilling these data protection responsibilities on your behalf, the host is acting as a managed security service provider (MSSP). The MSSP is contracted to watch and control certain security mechanisms and processes – at all layers, in the case of truly compliant HIPAA hosting.[v]
You want to implement a business-class anti-malware solution. What exactly is involved in this software? These tools are built to safeguard a system and keep unauthorized parties out of data that is sent or received by a network or contained within local storage.
Vulnerability scanning assesses possible vulnerabilities that could be used for attacks on the network, so that any gaps in the defenses can be fixed. It is a form of self-review – looking very carefully at a system to objectively identify weaknesses.
VPN, encrypted backup & storage
The US Department of Health and Human Services (HHS) has stated, “A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”[vi] In order for those technologies to truly be safe, a primary method to protect data is through encryption – for storage, backups, and in transit.
Log management system
Log management, at its most basic, is the organized, ongoing administration and processing of the information a specific system produces. As you can imagine, log management is critical to HIPAA so that you can be sure exactly what is happening, as well as which users are doing what.
In terms of the needs your company will have as you grow and develop, the first concern is that you are getting high-quality, consistently impeccable help and advice. When there is trust that your host will be available to meet your needs 24/7, you both know that you can get the support you need on an interpersonal level, as well as the support your network must have to maintain high availability.