“HIPAA” is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:
- Improved efficiency in health care delivery by standardizing electronic data interchange, and
- Protection of confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans, and healthcare providers
- Security standards to protect the confidentiality and integrity of “individually identifiable health information,” past, present, or future.
Compliance requirements include:
- Building initial organizational awareness of HIPAA
- Comprehensive assessment of the organization’s privacy practices, information security systems and procedures, and use of electronic transactions
- Developing an action plan for compliance with each rule
- Developing a technical and management infrastructure to implement the plans
- Implementing a comprehensive action plan, including:
  - Developing new policies, processes, and procedures to ensure privacy, security, and patient rights
  - Building business associate agreements with business partners to support HIPAA objectives
  - Developing a secure technical and physical information infrastructure
  - Updating information systems to safeguard protected health information (PHI) and enable the use of standard claims and related transactions
  - Training of all workforce members
  - Developing and maintaining an internal privacy and security management and enforcement infrastructure, including providing a Privacy Officer and a Security Officer
All these requirements apply not only to the company which owns the PHI but also to any company or contractor to whom it gives access to this information. The details of how to meet the HIPAA requirements are left up to the individual company, allowing the “market to dictate” the terms and conditions.
Most companies I have worked with spend considerable time generating the paper documentation they feel will meet the above requirements. That is an essential part of any security policy or plan. However, there is considerably more. Download our FREE HIPAA compliance checklist.
Data centers, managed service providers, and other contracted service providers come into the compliance picture when companies outsource their data center. If you look at the HIPAA requirements, they can all be applied in some form or another to the outsourced provider. Still, the validation is left up to the contracting business, and there is no guidance other than “best practices.”
So what should you look for in a business partner that can meet these HIPAA requirements? Before I answer that, I would like to discuss a similar security standard. As you may know from regular occurrences in the news, credit card data is lost and stolen on an increasingly regular basis. To help fight this, the Payment Card Industry has created the PCI Security Standards Council, whose charter is to create and maintain specific industry standards and train qualified assessors to validate against those standards. Any business that stores, transmits, or processes credit card data is required to abide by these standards. This means even the person with a cellular card swipe machine at the flea market has to meet the same standards as Walmart, Amazon.com, PayPal, or other multi-national merchants and banks. Below is a list of 12 PCI Security Audit Procedure sections that you should look for from any service provider or partner you are considering. These sections detail the steps that must be taken to comply with the PCI standard. To get more information, you can download the PCI details here https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf and here https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
- Firewalls & Routers
- Service configuration (note service includes servers/applications/databases/firewalls/etc.)
- Storage of card data (what is/is not allowed, encryption, secure deletion), data retention policy
- Transmission of card data (SSL, VPN, 802.11, etc.)
- Anti-virus
- Secure Development & Change Management
- Need-to-know
- Unique ID for _everyone_ (no shared root, enable, or administrator accounts) & password requirements
- Physical Security
- Logging & Time sync
- Security Testing (security scanning, pen testing)
- Policies, Contracts, Security Training, Risk Assessment, Incident Response Policies, Connected Entities (partner connection), management
Additionally, depending on which services you plan on using from a contracted provider or partner, different sections will apply, for example:
- If they are going to provide router or firewall services, section 1
- If they are going to provide any servers (virtual or real), then sections 2, 5, 7, 8, 9, 10, 11 & 12 (yes, most of it)
- If they are going to provide development support, sections 3, 4 & 6
- If they are going to provide system management support, 2, 3, 4, 5, 7, 8, 10
I mention PCI because the PCI standards and process are very clearly defined, unlike the HIPAA requirements. While PCI is not perfect, it was based on ISO 17799 and so covers many security issues. If you take the PCI standards and replace “PCI” with HIPAA or financial (SOX) requirements, you have a great guideline and audit procedure to work with for your own and your partners’ security.
So back to the question for this article: how can you determine if a data center/service provider meets your needs for the various compliance requirements? To answer this, you need to define the service provider’s role in relation to your business and your specific data-set requirements.
If you are looking for somewhere to host your entire “business” and then VPN back into your company network, you have physical, network, policy, procedure, and contractual security needs.
If you are looking to have someone take a more hands-on role, the same requirements apply, but the provider’s mechanisms for delivering that support will also need to be evaluated. This brings the assessment into how they store passwords, monitor systems, provide support, troubleshoot, and handle change management, key management, security monitoring, image management, upgrades, etc.
Given all of these considerations, you need to determine how you wish to handle the requirements as a business. If you are a large merchant or service provider, you typically get ISO or SAS70 audits. Any data center should be able to provide that assessment as you are trying to determine who you wish to work with. Keep in mind that with these assessments, the company has hired the auditor to validate a “specific” item. The audit report will be focused only on that and may not consider other processes or areas within the facility.
If the company has been through a PCI or other audit, it should be able to provide some documentation regarding the audit and the controls it had in place when it went through the audit.
If they are a service provider (providing services to PCI organizations) and have been through a level 1 audit, then they will be listed here https://www.visa.com/splisting/searchGrsp.do
Few ISPs or data centers have been through a Level 1 PCI audit, as they are usually very costly. If you read through the Security Audit Procedures (SAP), you will see how time-consuming the details that need to be met are.
So what can you hope to find in a service partner you are looking to host with?
- A physical location that has good security controls:
  - 24×7 guards & locked doors
  - Sign-in required, and only authorized visitors admitted
  - At least three months (90 days) of camera data on all entrances & exits to the data-center facility
  - Security for the physical servers (do not use shared cages)
- Policies
- Standard configuration documentation for all the services you are getting (servers, firewalls, load balancers, certificates, etc.)
- Network & server security: IDS / IPS / host IDS / log monitoring / internal & external scanning / ASV scanning
- Change management that includes:
  - Documentation of impact
  - Management sign-off; the colo should notify customers of changes (good communication; as mentioned in a previous post, most providers that offer HIPAA or other compliance services tend to communicate more with their customers)
  - Back-out plan/procedure
  - Functional testing
If you are looking for more advanced services, to ensure not only that the machine is physically secure but also that your application architecture is deployed properly, you may also want to be sure the service provider can provide:
- Firewalls
- Private Networks
- VPN
- Load balancers
- 2-factor authentication
- IDS
- Log Monitoring
- Centralized logging
- Monitoring (Security & Availability)
- Development services
- Code review
- Time services (NTP)
- Senior Security & Architectural staff as well as Sr systems staff
Many people I have worked with have needed just about all of the above services when they are either building, expanding, or migrating their applications into data-center facilities.
I know I did not stick specifically with the HIPAA question. Still, hopefully, this information will help those who are looking for new hosting facilities.
Now, for those wondering: do we provide those services? The short answer is yes. However, not all of them are immediately activated, “web dashboard”-ready services; some require a direct relationship with our senior architects and systems folks.
Our San Francisco data center is through a partnership with Rackspace, which provides the physical security and raw bandwidth to our secure cabinets. While the physical center has not been through any Level 1 PCI audits, ZZ Servers has been through two bi-annual security audits by American Express for one of our customers. The facility has a SAS70 certificate and the added security of hosting the 911 systems for the city of San Francisco, so our structural, power, and data systems are a step above par.
I consult with a QSA out of San Mateo (http://www.drgsf.com) and perform Level 1 audits and security assessments for payment applications as specified by the Payment Application Best Practices, following the PA-DSS.
After spending 20 years building and working with small to large companies and founding three previous ISP services, I wanted to bring a level of business service to the hosting community. So in founding ZZ Servers with my brother, Peter (a 20-year Navy vet currently spending his last year in the service stationed in Baghdad), we created the infrastructure to provide many, if not all, of the requirements mentioned above.
We are focused on providing services priced to compete with the largest players (Rackspace, 1&1, etc.) while also offering the value-added services I discussed in the requirements listings above.
We currently have customers utilizing the following services:
- Co-located servers
- Leased Servers
- Virtual Private Servers
- Private Networks
- Multiple firewalls (internal & external)
- Load Balancers
- Managed monitoring & support
- Centralized Logging & Monitoring
- IDS
- VPN
- 2 Factor Authentication with CryptoCard
- Time services (NTP)
- Senior Security & Architectural staff, as well as senior systems staff
And we are deploying a full change-management system that will be available to any customer using any service, which will be fully integrated into all hosted services (schedule changes for firewalls or clusters of servers and track the status of each change).
We have also just signed an agreement with DRG to provide integrated ASV scanning, which will be built into our order wizard, allowing customers to sign up and manage their PCI compliance scans, with results automatically sent to their merchant bank. This service will also include an online form for creating and submitting the Self-Assessment Questionnaire.
We are a small family-run business focused on slow growth and on providing tools for both smaller & larger customers to grow into whatever potential their business has.
For more details about HIPAA, please visit https://www.hhs.gov/hipaa
Regards,
David