HIPAA compliant hosting requirements: easy, solution-oriented checklist

The core considerations of HIPAA for any company working with electronic medical records are privacy and security. The HIPAA Privacy Rule and Security Rule are what you need to be concerned with if you are getting certified (unless you are a health insurance company or similarly provide healthcare plans), and they are the same HIPAA-compliant hosting requirements you should look for in a web hosting company.

Below is an 8-part checklist of HIPAA Compliant Hosting requirements.

Despite being simple, it covers all the standard bases with enough detail to give a general picture of what you need. Here are the eight elements of a HIPAA-compliant hosting environment:

HIPAA-Compliant Firewall


Essentially, you need firewalls fully implemented across your site. There are three basic types: hardware firewalls, software firewalls, and web application firewalls (WAFs). An infrastructure typically combines hardware and software firewalls with ones designed specifically for web applications, because apps create their own unique challenges and have become such a frequent target for intrusions. Making sure that protection is system-wide is one of the HIPAA compliant server requirements.

What is a firewall?

Firewall is a fairly broad term. It refers to a hardware or software system (i.e., a physical component or an application) used to secure a network via a set of rules that control the traffic entering and exiting it.

The hardware/software distinction is just one way to categorize firewalls, though. As described in the US Department of Commerce's NIST firewall guidelines (Special Publication 800-41), and as expanded by TechTarget, the five primary types of firewalls are application-level gateways (proxies), circuit-level gateways, multilayer inspection firewalls, packet-filtering firewalls, and stateful inspection firewalls.


HIPAA-Compliant Encrypted VPN


The VPN needs to be encrypted, and you want it to be strong. Not all VPNs are the same, so do your homework.

What is an encrypted VPN?

An encrypted VPN is a technology that creates a tunnel between two devices (typically the server and the client). Data is encrypted as it enters the tunnel and decrypted as it exits.

Besides SSL, there are a couple of standard protocols used for VPNs: IPsec (Internet Protocol Security) and GRE (generic routing encapsulation). GRE provides a framework with which you can package packets and transport them over IP.


HIPAA-Compliant Offsite Backups


You want your data backed up in an external location. This requirement is a reasonable way to ensure all EMRs are safe. Note how many of these requirements are probably already in place at your company: very little is required beyond the security measures that most enterprises and many SMBs already have up and running. Again, hosting services must meet this and the other HIPAA compliant hosting requirements as well.

What are offsite backups?

Offsite backups are a security tactic and disaster recovery technique in which data, and in some cases software, is stored at a location remote from the company. They are also called offsite data backups or offsite data protection, although the latter term really denotes the safeguards of the external environment. Offsite backups are simply a distribution or diversification method to prevent total loss of your valuable PHI (protected health information).


HIPAA-Compliant MultiFactor Authentication


On all parts of your site (from the administrative control panel associated with the server, to your CMS, to the operating system running throughout the network), you need MFA (multifactor authentication). Like the other HIPAA compliant server requirements, multifactor authentication is simple and fast to establish: you go into the control panel for each of your systems and make the configuration changes. Be aware that you need to get everyone prepared for this change so that business continuity is intact and everyone can access the system throughout. If you are using mobile phones as the second point of contact, you just need everyone's phone numbers; if you are using an authenticator tool, make sure everyone has the MFA app installed before making the transition. Many of the systems you'll see are based on Google Authenticator, which requires everyone to have that app installed on their cell phones, though there are plenty of other brands you can choose.

What is MFA?

Multifactor authentication, or MFA, is a security check that uses two different forms of authentication to confirm the identity of the user. MFA is a stronger evolution of SFA (single-factor authentication), which authenticates in only one manner, usually a password matching the supplied username.


HIPAA-Compliant Private Hosted Environment


Your platform cannot share resources with any other entity if you want to meet HIPAA compliant server requirements. Working with a hosting provider experienced in properly privatizing your infrastructure obviously helps.

What is a private hosted environment?

What’s meant by a private hosted environment is your servers are reserved solely for your use. That’s the key point, so it could refer to Atlantic.Net’s Cloud Hosting or dedicated hosting servers.

In a private hosted environment, the data is all in its own place, so it is not being shared or intermingled with the information of other apps or hosting users.


HIPAA-Compliant SSL Certificate


You need secure sockets layer (SSL) certificates established throughout your site, for any domains and subdomains on which sensitive information is accessed. In other words, any part of your site that requires login credentials should also have an SSL certificate. Each server used for your site needs its own SSL certificate installed, although some companies provide certificates that can be installed on multiple or unlimited servers. Also, be aware that an EV certificate (which produces a green address bar) and/or a respected brand name such as Norton or GeoTrust can help increase trust and credibility in your system. Less costly certificates can be purchased from Comodo, GoDaddy, etc.

What is an SSL certificate?

An SSL (secure sockets layer) certificate is a digital credential that enables encryption of data during transmission and validates ownership of the certificate to varying degrees.

Organizations called certificate authorities (CAs), which typically have very high reputations for security, issue these certificates.

SSL certificates come in three main levels of validation: domain validation (DV), organization validation (OV), and extended validation (EV). All certificates enable the HTTPS protocol and a lock icon, along with brief certificate information available to all web users. EV is represented by green address bar indicators in all major browsers. SAN certificates and wildcard certificates are other types.


HIPAA-Compliant SSAE 16 / SOC Certification

Note that Statement on Standards for Attestation Engagements (SSAE) 16, created by the American Institute of Certified Public Accountants (AICPA), is more stringent, in some ways, than HIPAA is regarding security. It’s not a requirement for HIPAA, but seeing that certification should make you feel more confident that a company meets HIPAA compliant hosting requirements.

What is SSAE 16 Certification?

SSAE 16 certification entails an official review and audit that verifies you are meeting all parameters of Statements on Standards for Attestation Engagements No. 16, a standard developed by the AICPA (American Institute of Certified Public Accountants) via its ASB (Auditing Standards Board).

This standard provides guidance on best practices through which organizations can report on their compliance controls, as gauged through a formal audit.


HIPAA-Compliant Business Associate Agreement (BAA)

If you use any outside entity to assist with your EMR, including a hosting company, you must have a BAA signed with that organization. That document does not clear you of your own responsibilities related to HIPAA, but it does delineate the role that the hosting company takes and ways in which they should be held liable for any breaches, etc.

What is a BAA (business associate agreement)?

A HIPAA business associate agreement is a legal contract between a HIPAA covered entity and a business associate, as defined by the US Health Insurance Portability and Accountability Act of 1996. These agreements safeguard protected health information (PHI), which is the sensitive personal data and records of patients.

Covered entities are healthcare providers, plans, and data clearinghouses, while business associates are any organization doing business with covered entities in a manner that involves PHI.


Additional sources:

http://searchsecurity.techtarget.com/definition/firewall
http://searchnetworking.techtarget.com/tutorial/Introduction-to-firewalls-Types-of-firewalls
http://searchsecurity.techtarget.com/feature/The-five-different-types-of-firewalls
http://searchsecurity.techtarget.com/definition/two-factor-authentication
https://www.techopedia.com/definition/30124/offsite-backup
http://computer.howstuffworks.com/vpn7.htm
https://www.techopedia.com/definition/4868/dedicated-server
http://searchcloudsecurity.techtarget.com/definition/SSAE-16
http://searchhealthit.techtarget.com/definition/HIPAA-business-associate-agreement-BAA


SOC 1 & SOC 2 (Service Organization Control)

Ensures internal controls and best practices for physical security, availability, processing integrity, confidentiality, and privacy.

HIPAA Audited

Ensures that our processes, policies, facilities, and hosting solutions comply with the latest HIPAA Audit Protocols.

HITECH Audited

Stringent testing that continues to expand to comply with HITECH Act policies and protocols.

Business Associate Agreement (BAA) Available With All HIPAA Hosting Plans

HIPAA Hosting Features

  • Business Associate Agreement
  • 24/7/365 Phone, Chat, and Email Support
  • Fully Managed Firewall
  • Intrusion Detection System
  • IP Reputation
  • Blended Bandwidth
  • Linux & Windows Servers
  • Highly Available Infrastructure
  • Anti-Virus / Anti-Malware Protection
  • Vulnerability Scans
  • Encrypted Backup, Storage, & VPN
  • Log Management System

According to the Health Insurance Portability and Accountability Act (HIPAA), there are two different types of organizations that must ensure compliance: covered entities and business associates. Atlantic.Net falls into the latter category: a third-party entity contracted to handle protected health information (PHI).

In order to both comply with the law and assure our clients that we’re committed to keeping their information safe, we’ve drafted up a HIPAA Business Associate Agreement. This HIPAA-Compliant document is critical to our relationship with healthcare firms and medical practitioners alike, as it firmly establishes parameters for our use of PHI. The following three components are central to this contract:

  • Business associate’s role – the exact nature of the third party’s interaction with the healthcare data, including any forms of use and disclosure.
  • Limitations – the prohibition of the third-party from any forms of use or disclosure not stated in the agreement.
  • Security requirements – the necessity for extensive security technologies and protocols to guard against any unauthorized use or disclosure.

In conjunction with our SSAE 16 Type II certified data center, our BAA shows that we’re committed to keeping the private healthcare information of our clients both safe and secure. Moreover, it shows that we’re willing to go beyond the minimum standards of compliance established in HIPAA. Healthcare businesses who choose us as a host have the peace of mind that can only come from knowing that they’re partnered with a veteran - and one that’s completely committed to their best interests, at that.

HIPAA-Compliant Colocation

We've served thousands of colocation clients over the past two decades, and we know exactly what our clients need. We’re confident that if you host with us, your data will be safe - and more importantly, that it’ll be accessible exactly when and where you need it. That’s a promise.

Thanks to our fully-redundant infrastructure and high-quality on-site security, colocation has never given better peace of mind. Colocation clients enjoy an industry-leading service-level agreement which promises 100% uptime - hosting with us means neither your network nor your infrastructure will ever make your data inaccessible. Factor in our superior on-site security, and it’s clear why we’re the logical choice for colocation if you’re in the healthcare industry.

We offer fully-secured, custom-sized cabinets and colocation cage space, to be scaled up or down according to your needs.

HIPAA-Compliant Cloud Hosting

You could be forgiven for thinking the cloud isn’t secure enough for healthcare - there’s plenty of paranoia about the safety of cloud hosting, after all. You needn’t worry, though. We’ll provide your healthcare firm with an ultra-secure private cloud that only you can access; you’ll have access to all the benefits of cloud hosting with none of the risks.

We’ve taken the following security measures to make sure our cloud is as ironclad as possible:

  • A fully-managed firewall that prevents unauthorized network access
  • A robust intrusion detection system to root out specific breach attempts
  • A virtual private network (VPN) to encrypt data moving into or out of the system via SSL certificates and other technologies.

Beyond security, we understand that healthcare organizations desire quick, efficient, and effective support. We’re more than up to the task of providing just that. All Atlantic.Net clients have access to 24/7 phone and email support.

If you’re looking to be HIPAA-compliant, a dedicated server can be one of the most nightmarish hosting choices in the industry. In order to keep your server up to par with regulations, there’s a good chance you’re going to need to gather a mishmash of security software, encryption platforms, and VPNs. Of course, you could always just host with Atlantic.Net - our experience means that we’re uniquely-positioned to provide your dedicated server with everything you need in order to stay compliant.

Atlantic.Net’s dedicated servers include the following features:

  • Complete Root Access for Administrators
  • Live, 24/7/365 Support and Monitoring of all Systems
  • Certification for SSAE 16 (SOC 1) TYPE II (Formerly SAS 70)
  • Full Line of Linux and Windows Dedicated Server Options
  • Various Tier-1 Internet Backbone Network Redundancies
  • Industrial-Strength UPS (Uninterruptable Power Supply) and diesel generator
  • Failsafe HVAC (Heating, Ventilation, Air Conditioning) and Fire Suppression Systems
  • Our HIPAA Compliant Hosting solution has been audited by an independent third party against the HIPAA Security Rule.
  • 100% Money Back Guarantee and 100% Network and Hardware Uptime SLA (Service Level Agreement)

HIPAA-Compliant Application Hosting

The applications run by healthcare companies are frequently incredibly resource-intensive, requiring a dedicated server simply to operate effectively. This server, whether a dedicated or virtual system, needs to be both secure and compliant. That's doubly true if the company is a healthcare application service provider, which routinely manages patient data from a wide array of firms.

Once again, Atlantic.Net is fully-equipped to deliver.

Our three-machine design includes an application server that can be adapted to your needs whether your architecture is physical or virtualized. Even better, all Atlantic.Net application servers are protected with a full suite of security components, including a fully-managed firewall appliance, an encrypted VPN with GeoTrust SSL, and a powerful intrusion detection system with proactive monitoring.

HIPAA-Compliant Database Hosting

Perhaps the most frequent reason for a healthcare provider to look into hosting services is the operation of a database in order to store patient and organizational data. We’ll provide you with whatever format of database best meets your needs - and it’ll be affordable no matter what your choice. Whether you choose Microsoft SQL Server, MySQL, or PostgreSQL, we've got you covered.

Our HIPAA-compliant database security incorporates our fully-managed firewall appliance, an encrypted VPN with SSL technology, and our intrusion detection system. Further, everything we do that concerns your hosting plan is considerate of compliance implications; we honor regulatory parameters at all times.

Here are just a few benefits of choosing to host your database with Atlantic.Net:

  • All data exists in one defined place
  • You can customize security specific to the database
  • Organization of the data can make administration more efficient
  • Responses to data requests are streamlined
  • Multiple users can retrieve data simultaneously.

HIPAA Compliant Managed & Unmanaged Hosting

In addition to managed/unmanaged dedicated servers, we offer virtualization hosting solutions with the following hypervisors:

  • Hyper-V Private Virtualization Hosting – Microsoft Hyper-V 2.0/3.0
  • KVM Private Virtualization Hosting – Proxmox VE 4.2+

Intrusion Detection

With data breaches occurring with greater and greater frequency on the modern web, your healthcare organization needs to do everything in its power to keep itself safe. Atlantic.Net can help. Our fully-managed and compliant intrusion detection system allows us to consistently keep track of your security, allowing you to stay focused on your core competencies.

Our IDS works off of a continually-revised database of malware and other potential hazards, and features customizable security infrastructure that allows us to tweak it to your specific needs. We routinely test and re-test all components of our IDS, and allow upgrades on an as-needed basis. Threats are monitored and prevented in real-time.

Our IDS also features a powerful Firewall Appliance which connects to each interface, monitoring everything from CPU usage to response rate for gateways. For those of you who require traffic shaping and simultaneous connection limitations, both are easily configurable. All of this is available at minimal cost - meaning you’ll have access to world-class security at a price that won’t leave you tapped out.

Anti-Malware Protection:

One of the stipulations of HIPAA is that healthcare organizations must utilize an antimalware application to remain compliant. Here at Atlantic.Net, we trust Trend Micro Anti-Malware to protect clients from malicious software.

Trend Micro™ Deep Security Suite – Key Features:

Virtual Environments: Preserve performance and consolidation ratios with comprehensive agentless security built specifically to maximize protection for virtual environments.

Optimized for Server Environments: Optimizes security operations to avoid antivirus storms commonly seen in full system scans and pattern updates from traditional security capabilities.

Virtual patching: Shield vulnerabilities before they can be exploited, eliminating the operational pains of emergency patching, frequent patch cycles, and costly system downtime.

Compliance: Demonstrate compliance with a number of regulatory requirements including PCI DSS 3.0, HIPAA, HITECH, FISMA/NIST, NERC, SSAE 16, and more.

Trend Micro™ Deep Security Suite – Deep Security Modules:

Trend Micro Deep Security Anti-Malware

  • Delivers an anti-malware agent to extend protection to physical, virtual, and cloud servers
  • Optimizes security operations to avoid antivirus storms commonly seen in full system scans and pattern updates from traditional security capabilities
  • Protects from sophisticated attacks in virtual environments by isolating malware from critical operating system and security components

Trend Micro Deep Security Network Security Package

  • Examines all incoming and outgoing traffic for protocol deviations, policy violations, or content that signals an attack
  • Automatically protects against known but unpatched vulnerabilities by virtually patching (shielding) them from an unlimited number of exploits, pushing protection to thousands of servers in minutes without a system reboot
  • Decreases the attack surface of physical, cloud, and virtual servers with fine-grained filtering, policies per network, and location awareness for all IP-based protocols and frame types
  • Includes out-of-the-box vulnerability protection for all major operating systems and over 100 applications, including database, web, email, and FTP servers

Trend Micro Deep Security Integrity Monitoring

  • Monitors critical operating system and application files, such as directories, registry keys, and values, to detect and report malicious and unexpected changes in real time
  • Uses Intel TPM/TXT technology to perform hypervisor integrity monitoring for any unauthorized changes to the hypervisor, thereby extending security and compliance to the hypervisor layer
  • Reduces administrative overhead with trusted event tagging that automatically replicates actions for similar events across the entire data center

Trend Micro Deep Security Log Inspection

  • Collects and analyzes operating system and application logs in over 100 log file formats, identifying suspicious behavior, security events, and administrative events across your data center
  • Assists with compliance (PCI DSS section 10.6) to optimize the identification of important security events buried in multiple log entries
  • Forwards events to SIEM system or centralized logging server for correlation, reporting, and archiving

Dedicated Firewalls & Encrypted VPN

In addition to our IDS system, Atlantic.Net provides a powerful set of managed firewall components, designed with optimal affordability and security in mind. We’re able to create out-of-the-box solutions for just about any configuration, including Linux servers or even Cisco ASA Firewalls. Reporting maintains historical information on every aspect of your system related to network security, including CPU utilization, firewall states, WAN gateways, and traffic shaping.

By default, we deploy an OpenBSD stateful firewall that allows you to granularly control your states. This allows you to limit states per host, new connections per second, state timeout, state type, and simultaneous client connections. It allows the handling of multiple states, as well. Have a look for yourself:

  • Keep state – Works with all protocols. Default for all rules.
  • Modulate state – Works only with TCP. Atlantic.Net’s Firewall Appliance will generate strong Initial Sequence Numbers (ISNs) on behalf of the host.
  • Synproxy state – Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of “keep state” and “modulate state” combined.
  • None – Does not keep any state entries for the traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances.

It also offers a number of state table optimization options:

  • Normal – The default algorithm.
  • High latency – Useful for high latency links, such as satellite connections. Expires idle connections later than normal.
  • Aggressive – Expires idle connections more quickly. Uses hardware resources more efficiently, but can drop legitimate connections.
  • Conservative – Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.

Last but certainly not least, our dedicated firewalls are connected to a management service that’ll help you ease the burden of monitoring.

This management service allows us to help you implement switches that can be used to set up encrypted VPN connections (we support OpenVPN, IPsec, and PPTP by default) to and from your hosted servers. HIPAA compliance requirements are kept central to the entire process, from management to maintenance to troubleshooting. It’s efficient, too - we realize that your time is important, so we stay with you every step of the way to make compliance a breeze.

NAT

All Atlantic.Net clients by default have access to our Network Address Translation Utility, designed to allow them to quickly and easily shape how their network functions. It features easy configuration for port forwarding (including ranges and the capacity to support multiple public IPs), outbound NAT, and advanced load balancing for both inbound and outbound connections. Integrated with the firewall appliance, it can be readily set up with full redundancy thanks to pfsync and CARP from OpenBSD.
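To make the state options, per-host limits, state table optimization and NAT features listed in the two sections above concrete, here is a constructed OpenBSD pf.conf written for this page; it is an added example, not Atlantic.Net's configuration, and every interface name, address and port in it is an assumption.

```pf
# Constructed pf.conf (OpenBSD syntax). Interface names, addresses and ports
# are placeholders, not Atlantic.Net's real configuration.
ext_if  = "em0"           # WAN interface (assumption)
int_if  = "em1"           # LAN interface toward the hosted servers (assumption)
vpn_if  = "tun0"          # OpenVPN tunnel interface (assumption)
sync_if = "em2"           # dedicated pfsync link between the firewall pair
srv_net = "10.0.0.0/24"   # constructed private server subnet
web_srv = "10.0.0.10"     # constructed web server address
db_srv  = "10.0.0.20"     # constructed database server address
vpn_net = "10.8.0.0/24"   # constructed VPN client pool

# Sources that exceed the per-host limits below are collected here and blocked
table <abusive> persist

# State table optimization: normal, high-latency, aggressive or conservative
set optimization conservative
# Global state limit and the "state timeout" knobs
set limit states 100000
set timeout { tcp.established 3600, tcp.closing 60, udp.single 30 }
set skip on lo

# Default deny, logged to pflog; refuse spoofed private sources on the WAN
block log all
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick from <abusive>

# Outbound NAT: hide the server subnet behind the WAN address
match out on $ext_if from $srv_net to any nat-to ($ext_if)

# Port forward public TCP/443 to the web server. "synproxy state" completes the
# TCP handshake on the firewall, so spoofed SYN floods never reach the server.
# The bracketed options cap states per source host, simultaneous connections
# per source, and new connections per second (15 in 5 s), then ban offenders.
pass in on $ext_if proto tcp to ($ext_if) port 443 rdr-to $web_srv \
    synproxy state (max-src-states 100, max-src-conn 50, \
                    max-src-conn-rate 15/5, overload <abusive> flush global)

# Database only reachable from VPN clients; "keep state" is the default
pass in on $vpn_if proto tcp from $vpn_net to $db_srv port 5432 keep state

# Outbound server connections get firewall-generated initial sequence numbers
pass out on $ext_if proto tcp from $srv_net to any modulate state

# VPN termination on the firewall: IPsec (IKE, NAT-T, ESP) and OpenVPN
pass in on $ext_if proto udp to ($ext_if) port { 500, 4500, 1194 }
pass in on $ext_if proto esp to ($ext_if)

# Redundant pair: CARP on the shared interfaces, pfsync on its own link.
# pfsync traffic needs no state entries, which is the rare case for "no state".
pass on { $ext_if, $int_if } proto carp
pass on $sync_if proto pfsync no state
```

The syntax can be checked without loading the ruleset using pfctl -nf on the file.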

Backup

The rapid growth of data, shrinking backup windows and budgets, scaling issues, and multiplatform environments currently in place in the healthcare industry all present significant challenges for server administrators. Atlantic.Net seeks to help. Through our powerful Server Backup Manager - a fast, affordable platform for both Linux and Windows - we perform backups either daily or in real-time for each of our HIPAA clients. Incremental backups are done at the block level for advanced speed, and clients have full control over when, where, and how their data is stored. Data is by default kept in our SSAE 16 Type II Orlando data center, secured through both on-site measures and by a suite of powerful and robust security software.

In addition to a host of customization options, our backup platform is also equipped with robust monitoring tools, portable backups, point-in-time snapshots, and the ability to perform a bare-metal restore at any point in time. We support backups for the majority of virtualized platforms, as well as a wide range of SQL servers and databases.

You can read a little more about what our backup system offers below.

Our Technology Partners


A Support Team Backed By Decades Of Experience

24/7 Cloud Support

We are always here!

Cloud Expert Support

Experts that care!

Phone, Chat and Email


Atlantic.Net is a market leader in cloud hosting, with over two decades of experience in the industry. It shows - especially when you look at our support team. Signing up as a cloud hosting member with us means you'll have 24/7 access to a crop of dedicated veterans, capable of solving any technical problem you throw their way.
