What is a HIPAA Compliant Server?
You cannot achieve overall HIPAA compliance if you don’t use a server that ensures the confidentiality, integrity and availability of your organization’s protected health information (PHI). You have the option to use a cloud server, and given the buzz around the affordability and convenience of cloud computing solutions, you may want to take a closer look at this option.
What is a cloud server?
Cloud computing involves maintaining information on a remote server (in “the cloud”) and accessing it over the internet rather than storing it on a local hard drive. What, then, is a “cloud server”? A cloud server is a “server on the internet somewhere.” Often, instead of using an entire physical machine, it is more cost effective to install special software on the physical machine that allows it to run one or more separate and independent “virtual servers.” For example, a virtual server is like an apartment and the physical machine is akin to the apartment building. If you own the physical server and all the virtual ones, then you have a “Private Cloud,” where you are in control of everything. If you only own a virtual server and someone else (like Amazon) is in charge of the physical server and allows other people to rent virtual servers on the same machine, then you are in the “Public Cloud” (i.e., you are just a tenant and not a landlord!).
A public cloud will serve you adequately if you don’t need a lot of hardware and capacity or are on a budget. A private cloud is useful when you need custom hardware, better security, or have a large number of servers to manage.
Shared or dedicated hosting?
In shared hosting, a single physical or cloud server and the resources assigned to it are shared among any number of unrelated customers. With dedicated hosting, each customer is assigned his/her own server – no sharing allowed. Dedicated is a safer choice from the perspective of HIPAA compliance. As the server is not shared with other people, the risk is greatly reduced; there is no chance of another customer’s administrator accessing your account, or of someone hacking into another customer’s website and then accessing your web server file system, even in a limited way. It is the job of the cloud vendor to have appropriate safeguards in place to prevent attackers from making their way into the web server; however, no security measures are perfect. It is always prudent to isolate your sensitive data and services as much as possible.
HIPAA does not mandate the use of a dedicated server, but we strongly advocate for it. If you prefer to sign up with a shared hosting plan, make sure that your account is compliant with the technical safeguards under the Security Rule.
HIPAA requirements for servers
HIPAA hosting requirements are categorized into administrative safeguards (policies, procedures, staff training), technical safeguards (encryption, data storage, audit controls) and physical safeguards (access to servers, data redundancy and failure requirements).
To begin using a dedicated server or a public cloud server, you first sign a business associate agreement (BAA) with the cloud vendor, who is going to come in contact with your PHI. The hosting environment must address HIPAA’s privacy, security, enforcement and breach notification rules in the following ways:
- Installing hardware and software firewalls for your website.
- Implementing backups according to your organization’s HIPAA contingency plan. Also document the backup scheme.
- Using TLS certificates to encrypt the parts of your site that require login credentials for accessing sensitive information. (It is best to use TLS for everything these days.)
- Ensuring that only authorized personnel have physical and logical access (connecting to a machine without being in the same room as the machine) to servers.
- Maintaining records of the movement of hardware and electronic data.
- Encrypting data at rest (when appropriate) and in transit (sent to and from the server), including within the network perimeter; documenting network topology and access points.
- Scanning for vulnerabilities, using a quality anti-virus system, and patching in a timely manner.
- Ensuring unique login credentials as well as access monitoring and auditing.
The service provider must treat server data in a HIPAA-compliant manner, such as by applying all the HIPAA security and privacy rules to the server management items in their purview. When assessing providers, inquire about their current clients and get reviews directly from those healthcare organizations. Prioritize companies whose datacenter has been SSAE-16 certified. The Statement on Standards for Attestation Engagements (SSAE), a standard created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), redefines and updates how service companies report on compliance controls. Although the certification is not a HIPAA requirement, it calls for stringent standards, indicating that the provider likely has robust controls in place and should have no problem adhering to HIPAA rules.
Understanding each party’s obligations
When you purchase or lease a server from a provider, they are responsible for ensuring a compliant environment for your website or services to operate in, but keeping your website compliant is your duty. As the owner of the server, the onus is on you to ensure that the software you install is tested and patched, that proper encryption and best practices are implemented, that access control and auditing are in place, and so on. Conduct periodic reviews and validate that you are implementing your website in an overall compliant manner.