HIPAA Compliant Cloud Hosting: A Beginner’s Guide …

… to life outside the Matrix

by Stephen Trout

I know why you’re here, Neo. I know what you’ve been doing. I know why you hardly sleep, why you live alone, and why night after night, you sit at your computer. You’re looking for him… It’s the question that drives us, Neo. It’s the question that brought you here. You know the question, just as I did.

- Trinity, The Matrix, 1999

In the classic sci-fi film The Matrix, the virtual world is a data-dripping reality that paints a glittering image of our actual selves.*

Neo can fly, fight, and twist away from bullets. But in the “desert of the real” (as the character Morpheus calls the “unplugged self,” quoting Baudrillard), things can get a bit dicier.

Like Neo, we too have our questions; our sleepless nights, our nagging fears. Zion is real, but real life (outside the Matrix) is a mix of joys and sorrows, darkness and light. Deny it, and you might hear the Architect’s response:

Denial is the most predictable of all human responses.

If we’re honest, our healthcare data reveals some of these struggles — partial, to be sure. We share it as we will.

At least, HIPAA regulations were designed to give us that option; a measure of privacy is guaranteed by law.

Yet as we saw last week — exploitation happens. Identities may be stolen; even our livelihoods and reputations. Real harm can come from those who wish to write a different story about our lives.

The Difference Between Traditional & HIPAA Compliant Hosting

You don’t need to fully grasp The Matrix to know your personal data needs protection — especially in the “virtual healthcare cloud.”

If you’re plugged in at all, you’ve heard about the “Agent Smiths” running around, looking to hack healthcare networks and steal your sensitive data.

But if you’re new to HIPAA compliance and data security — e,g., a fledgling developer, or a physician just opening a practice — you’ll want to know: How should my patient’s data be protected? With that, a closely related question: What actually is HIPAA Compliant Hosting?

Two Distinctions About HIPAA Compliant Hosting

Let’s explore the latter question first, which should help with the former.

First, hosting requires infrastructure — think secure servers and storage, only virtualized in the cloud.

Unlike a traditional hosting company, a HIPAA-compliant host will have a compliant, third-party audited infrastructure — specially configured to handle the confidentiality, integrity, and availability of electronically protected health information (ePHI), both in transit and at rest.

Second — also unlike traditional hosting companies — a HIPAA-compliant host will provide you with a signed, legal Business Associates Agreement (BAA).

Essentially, a BAA outlines the responsibilities that each party will have in managing the PHI or EHR data.

7 Keys to Success for HIPAA Compliance

The BAA states that both parties will appropriately safeguard the protected health information being handled, and keep unauthorized users from accessing that PHI data.

Neo had Morpheus to show him the ropes; the Oracle was there for questions, too. It’s true: any journey into unknown territory goes better with an experienced guide.

While a HIPAA-compliant host is indispensable for building the infrastructure (it’s complex and expensive to try on your own) you’ll need a point person to ensure your organization is satisfying all HIPAA regulations. What should you do?

1. Assign a Compliance Officer

This is the work of the compliance/security officer; their role is to certify that policies and procedures are up to date.

Without a C.O., maintaining compliance will be a lot more challenging. And actually, HIPAA requires you to have one — whether an existing employee who will train for the role, or a new hire who comes with expertise.

• Develop and maintain your HIPAA-compliant privacy program
• Oversee the HIPAA training of your employees
• Conduct a risk analysis
• Create HIPAA-compliant procedures where needed, and monitor compliance with the program
• Investigate and report any data breach incidents as required
• Ensure the protection of your patients’ rights in accordance with federal/state laws
• Keep up-to-date with pertinent state and federal laws

2. Identify which data needs protection (Where is your ePHI?)

What functions will the Compliance Officer handle? Here’s a summary:

In The Matrix, Neo was the key; knowing where he was and what he was doing was critical. The same applies to your sensitive data: you’ll want to know exactly where it is and how securely it is stored.

To do this requires first investigating where the sensitive data (ePHI) is throughout your organization, then applying the best protections.

3. Take stock of your risks (A HIPAA Risk Analysis should be performed)

Basically, you’ll want to ask: How does ePHI travel in my organization? Have I included all the ePHI that we create, receive, maintain or transmit — including our website and from external sources such as vendors?

Another key in the Matrix was understanding the enemy. The ship known as the Nebuchadnezzar was always on the lookout for flying Sentinels (killer robots). It was crucial to identify where they might be lurking, so they could zap them (with EMP!) if encountered.

Similarly, imagine taking a trip into unknown territory. You wouldn’t leave without first mapping the terrain you would need to cover. You’d look for potential danger spots; maybe an icy mountain pass, or hazardous sections of the road.

In the same way, taking stock of risks to data is crucial. You will be looking to answer:

What are the human, natural, and environmental threats to information systems that contain electronically protected health information (e-PHI)?

Note: This is a question you must revisit regularly (we suggest monthly), as systems change and threats can (and do) evolve quickly.

You can’t sit back and click on “cruise control” on this one (or any of the steps for that matter) — for if left unaddressed, these risks will actually leave the door open for malicious actors to exploit your ePHI.

4. Equip those who travel with you

And while there isn’t one exact way to do a risk analysis, you can find some guidance here.

You’ll soon discover, if you haven’t already, that HIPAA regulations are multi-faceted. One facet that shines especially brightly is about trustworthy people doing the right thing — each in their own sphere.

As mentioned, staff training (with refresher training annually) will be necessary to help your people understand HIPAA requirements about patient privacy, as well as their own responsibilities to work securely.

5. Document all training and assessments

This includes everyone from network engineers and system administrators to employees on your network who might be tempted by a phishing email or other kinds of social engineering. As someone has rightly said, “your security solution is only as good as the people you have maintaining it.”

Any good captain of a ship will have a ship’s log, as well as documented procedures.

Should your company ever be audited, it will be key to have all your HIPAA training sessions and risk assessments documented.

6. Document all emergency procedures and Rules for Breach Notifications

Again, the Compliance Officer should ensure that this happens. Have you included phishing training so your employees will recognize fraudulent emails designed to steal your credentials?

One piece of documentation you should be prepared to show is how you are prepared for an emergency situation.

7. Control (and track) who accesses data

Basically, an auditor will want to know: In the event of a data breach, what is your plan, and how will you appropriate “first aid” in order to mitigate damages?

A key principle to control access to ePHI is that it should be as limited as possible, governed by application roles on a need-to-know basis. This is known as the ‘principle of least privileges.’

With these things in mind, we now turn to:

7 Keys to Implementing a HIPAA-Compliant Cloud

1. Ensure the Use of Appropriate Physical and Technical Safeguards

Tamper-detection techniques can be employed to send alerts when code is being modified or changed, and log all changes. Finally, be aware of any dashboard access to PHI that might possibly be available to every user.

In accordance with the HIPAA Security Rule, your hosting company must maintain appropriate physical safeguards to help ensure the confidentiality, integrity, and security of PHI. Ask them if they have policies and procedures in place for this.

There should be safeguards to protect IT facilities [IT departments, data centers, etc.] and the equipment therein from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted area warning signs, cameras and alarms, security services, etc.

A HIPAA-compliant infrastructure must be also governed by technical controls which will authenticate user access to your hosting environment.

They should have a system of developing unique user IDs and passwords, as well as procedures for login, logout, encryption/decryption, and emergencies. Once a determination is made regarding the appropriate access and permissions for your team, admins will set these unique user IDs.

2. Ensure Data Center Compliance

HIPAA Vault’s customers can have peace of mind that our enterprise-level data center facilities meet or exceed industry-standard certifications, including SSAE 16, NIST 800–53, and Service Organization Controls (SOC) audits 1, 2, and 3.

SOC 1 is used for the auditing of Internal Controls over Financial Reporting (ICFR) focusing on security and availability.

SOC 2 is used to audit the service organization in terms of relevancy for Security, Availability, Processing Integrity, Confidentiality, and Privacy (called the Trust Services Principles), to ensure systems have protection against unauthorized physical/logical access.

SOC 3 is used for the same auditing purposes as SOC 2 and includes auditing in accordance with the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations — to provide a summary Trust Services Report.

These audits, along with HIPAA and HITECH Omnibus standards, are used for assurance and validation that all service controls have been implemented and are functioning properly.

Further, state-of-the-art security for medical data and HIPAA compliance is the primary reason HIPAA Vault became a Google Cloud Partner.

Service continuity is ensured by Google’s “redundancy of everything” approach, ensuring that the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data.

• Information security policies
• Organization of information security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Logical security
• Incident management

In other words, your data is always available within a secondary system, should one system fail. Distributed, compliant data centers minimize the impact of a natural disaster or a local power outage, so your sensitive data will remain available.

Google’s world-class data center compliance relies on the ISO 27001 certification, an internationally accepted and independently verified security standard composed of 114 controls, including:

Physically, Google boasts 6 layers of state-of-the-art security for their data centers, and it’s impressive. Think of concentric circles, each with a different type of security inherent in the layer.

3. Ensure encryption, both in-transit and in storage

Sensitive medical data needs strong, end-to-end privacy protections to preserve it should it ever fall into the wrong hands. Encryption is the “standard of care” for protecting health data; it does this by replacing your data with ciphertext, making it unreadable until decrypted.

4. Ensure systems are monitored 24/7 to ensure consistent reliability and uptime

HIPAA-compliant hosting ensures the encryption of data “in transit” — meaning, from the patient to the web server, and outside the hoster’s physical boundaries to the wide-area network (WAN) between data centers — and also “at rest” on their servers.

The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.

Another way that a HIPAA-compliant host will maintain the high availability and integrity of data is by monitoring the health of each server. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS.

Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This allows them to take action proactively and keep your system available and running smoothly.

5. Ensure regular vulnerability scans of servers, and mitigation of those vulnerabilities

The HIPAA Compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it).

In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure.

6. Ensure off-site backups, and log retention

Ask your HIPAA web host if they provide automatic, offsite backups and how far the backups are physically from where your servers are hosted. The backups should be geographically in a separate location — at least 50 miles away or further. This helps prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. In this way, you preserve critical data integrity and availability.

A HIPAA Compliant Host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. Log retention of 6 years is a HIPAA mandate — and in accordance with HIPAA regulations, the host ideally should offer a streamlined approach to gathering these logs and searching through them. These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts.

7. Your HIPAA-compliant host should be an extension of your team

Last but not least, in addition to a robust, secure managed platform that includes all of the above, we think strong relationships are key (and we bet you do too). As critical as your environment is for being proactive and preventative in your care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. They should essentially act as an extension of your own company.

For example, HIPAA Vault maintains a “tier-less” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring — with over 90% resolution the first time you call.

No phone trees or being kept on hold for long periods of time. And our managed services allow you to streamline your IT costs, effectively saving you money.

So there you have it… that’s a good way to prepare for life “outside the matrix,” in the real world of HIPAA compliance.

Ready to take the red pill?

Any questions, please feel free to give us a call! 760–290–3460.

*Since the emergence of social media, comparisons to The Matrix and cynicism about certain online media platforms have become popular. We’re of the opinion that social media — when used well — is a helpful connection tool; you bring to it what is inside you.

HIPAA Vault’s Managed Cloud Services for HIPAA compliance include less-than-15 minute response times for critical alerts, and 90% first call resolution. Our dedicated IT professionals handle everything from general support questions and maintenance, to more complex issues such as advanced firewall configurations and system monitoring. In this way, we simplify your business while providing peace of mind.

Originally published at https://www.hipaavault.com on July 5, 2022.