What is Managed Web Hosting?
When setting up a new website, users must decide how it will be hosted. In this article, we discuss some of the options with a special focus on HIPAA compliance.
What is Web Hosting?
Before diving into the different options, let’s briefly explain what web hosting is. Simply, a web host stores the files that make up a website on a server (or servers). Then, the web host makes the files accessible on the Internet when the website’s domain name is entered in a web browser.
To display a website on the Internet, a web host is required. There are two main ways to host a website on the Internet: self-hosted or managed. Self-hosted means that a company buys servers and manages them internally, while a managed solution involves hiring a third party to manage the web servers.
Self-Hosted Web Hosting
Before explaining managed web hosting, it’s helpful to understand the alternative. Self-hosted web hosting gives organizations the most choices and control over the server environment. There are a few ways to self-host a website. A company can buy their own web servers and keep them in their offices, host their website in the cloud, or they can buy servers at a commercial data center.
Many organizations choose a self-hosted solution because they can fully customize and control the server resources.
However, configuring and managing a web server requires fully qualified IT staff. Depending on the complexity of the website or application, setting up the servers and managing the environment could require several full-time IT staff members. In addition, the labor costs involved in managing the servers can quickly exceed hardware and software expenses.
All the responsibilities for managing the web host will fall to the internal IT team. These tasks include:
- Keeping the operating system patched and updated.
- Configuring the appropriate communication links.
- Setting up firewalls, intrusion detection systems, and other security measures.
- Maintaining, patching, and upgrading systems as needed.
In addition, if the website is subject to HIPAA regulations, web hosts must take extra steps to secure sensitive data. Some of the main requirements for HIPAA-compliant websites include:
- Transmission encryption
- Data backups
- User authorization
- Data integrity controls
- Storage encryption
- Disposal procedures
For more information see: 7 Steps to Make your Web Site HIPAA-Compliant.
Furthermore, HIPAA compliance requirements introduce another layer of complexity. In addition to understanding server and database management, IT staff must also have a thorough understanding of how to architect these solutions to comply with HIPAA regulations. Given the complexity of setting up and managing a HIPAA-compliant web host, many website owners prefer a hosted or managed solution.
Managed Web Hosting
In this situation, a third party maintains the server infrastructure. The hosting provider is responsible for its core software, maintenance, the underlying security infrastructure, networking, and external communications. The hosting provider takes care of everything related to the web server so that organizations are free to focus on maintaining the website.
In addition, managed web hosting providers are often less expensive than self-hosted solutions.
However, there are risks to be aware of. In a managed hosting situation, server resources may be shared among hundreds of other customers to keep costs down. In addition to possible performance issues, shared servers introduce security risk. Companies cannot control what other users may be doing on their own websites. The errors they make may compromise shared web servers.
We strongly recommend hosting websites on dedicated servers instead of shared public cloud servers. Using a dedicated server infrastructure allows for nearly as much control over resources and settings as companies can have in a self-hosted scenario.
At LuxSci, we manage all of the underlying infrastructure aspects and place each customer on a dedicated server, leaving businesses with only the responsibility of managing their website or application.
Additionally, companies with HIPAA obligations need to exercise even greater diligence when choosing a hosting provider, to ensure the provider understands HIPAA requirements. A managed web hosting company must sign a Business Associate Agreement that lays out the steps they will take to secure data and report breaches.
Do not choose a web hosting provider who is not well-versed in HIPAA compliance. Instead, choose a provider who built their web infrastructure with HIPAA in mind. Following HIPAA regulations requires more attention than most systems were built to support.
Selecting a HIPAA-Compliant Managed Web Hosting Vendor
Finally, to help you find a vendor that will adequately protect sensitive data, here are some key questions to ask:
- Will you sign a Business Associate Agreement?
- How is information stored?
- Do you keep access logs?
- Is data backed up?
- Who will have access to our data and under what scenarios?
- What security measures do you have in place? (anti-virus, firewalls, DDoS protection, etc.)
- Do you offer transmission encryption?
- What encryption is used for data at rest?
This list is only a starting point. HIPAA compliance is a complicated subject, and it’s always best to work with an expert to make sure sensitive data is secure and protected.
In conclusion, managed web hosting is a good option for businesses with limited IT resources. However, it’s very important to do due diligence on any vendor to make sure they can meet the performance, security, and compliance requirements for your business. A web hosting provider like LuxSci specializes in HIPAA compliance and can provide a secure solution for your business. Contact us today to learn more.