Ask HN: HIPAA Hosting?
My consulting company is working with a client to make some changes to their webapp (it's a health-care-related app - details aren't super-relevant). One of the items on their wishlist is "make it HIPAA-compliant". We're working with the client's lawyer to determine exactly what that means in practice, but it's clear that one of the items will be "host it on infrastructure other than the $10/mo. WebFaction plan".
The app itself is (relatively) simple systems-wise, so we don't really need a dedicated box and all the sysadmin and security headaches that come with it. But from my basic read of the HIPAA Security Rule, shared hosting (which abstracts away a lot of the sysadmin issues) won't cut it. We're primarily developers, not sysadmins, and certainly don't want to get into the server admin business on something with regulatory requirements.
Does anyone here have suggestions for either a host that can make this less painful (not even sure what that would entail), or a firm that specializes in the sysadmin side of things? (Preferably with HIPAA experience).
33 comments
[ 3.4 ms ] story [ 86.9 ms ] threadSo really the question is: is there a company that'll manage the damn server(s) for us so that we get to deal with a nice, clean abstraction similar to shared hosting?
Basically I want a HIPAA-compliant Heroku (though in this case not for Ruby).
Give one large VPS to your production app, and create other VPSes for testing or development purposes.
The reason you want to use a VPS on top of your own dedicated hardware is to gain the benefits of VPS control, including easy archiving of the entire system, snapshots, easy moves to new hardware even if the hardware is different, etc.
I think that's the key.
My employer hopes that a virtual machine on a private VLAN, with a fully-encrypted virtual disk, qualifies. This seems reasonable to me, but reasonableness isn't necessarily a part of any regulation.
I can't find any links about this though and it's been months since I've kept up on OpenBSD-misc, so I might be full of shit.
Personally, I would tend to choose a theoretically-insecure VPS over a vhost environment any day.
http://aws.typepad.com/aws/2009/04/white-paper-creating-hipa...
My company is in the middle of this, and we haven't encountered any deal-breakers so far.
The key to that link is encryption; it gets Amazon off the hook for a lot of things.
http://www.firehost.com/secure-hosting/hipaa
Their plans start from $845 monthly.
No affiliation, just passing info along.
You can't just rely on the provider though. All the server hardening in the world wouldn't help with apps that don't comply fully. Some of the audit requirements are bound to be very specific to the nature of your app.
1. Log Monitoring and Management: Not sure what they mean by this; surely it's something more complex than logrotate. Maybe rsyslog or something?
2. Continuous Vulnerability Monitoring: So, they follow the usual script sites & mailing lists.
3. Managed Anti-Virus Protection: I hope they aren't running on a Windows platform, and if they aren't, I'm not aware of very many current in-the-wild viruses for the various Linux distros.
4. 1 Gigabit Networking Infrastructure (Public and Private): Heh.
5. Two-Factor Authentication: I see this a bit, and it's usually mis-used. Unless they require you to physically submit a fingerprint, DNA sample, retinal image, or some other such thing, then it's not two-factor authentication.
6. Application and Database Server Isolation: They're running the application and the SQL instances on different servers, but if the application server gets compromised, then so does the SQL server, since the application needs automated credentials for the SQL server.
7. Managed SSL Service: Once a year they make sure your certificate is up-to-date.
8. Business Associate Agreement Friendly: What?
9. Managed Redundant Firewall Protection: Not sure what they mean by this. Either your firewall works, or it doesn't. Layering them doesn't do squat. If they mean that they have a hot spare ready to go in case of an outage, then that's a little better -- but still not that helpful if the app server or db server falls over for any reason.
10. Managed Redundant Web Application Protection (Port 80/443): What?
11. Managed Redundant DoS/DDoS Mitigation: This is nice, at least, since it requires a bit of infrastructure to do it right -- assuming that they can stand up to a multi-terabit-per-second hit, since that's what the botnets are packing these days.
12. Managed and Monitored Intrusion Detection: So, run-of-the-mill IDS + Nagios + remote logging.
13. Managed Proactive Operating System Security Patches: This is a lie unless they're personally writing and submitting patches. The most "proactive" you're likely to get otherwise is running a nightly update.
14. Managed Weekly Full Backups + Daily Differentials (Encrypted): I want to take just a moment here and toot our own horn: we do weekly fulls + daily differentials for our regular web hosting customers, for a heck of a lot less than $845 a month. They aren't currently encrypted, but that wouldn't be all that challenging to add on.
15: Highly Secure Data Center Environment: You can probably get the same "highly secure data center environment" from Rackspace, Hurricane Electric, or any of a number of other really big hosting providers.
16: VPN/SSL Provided for Server Management (RDP/SSH/FTP/SQL): Nice, but again, really not that hard to set up, especially for a turn-key environment.
TL;DR: I'm really surprised both at what qualifies as "HIPAA compliant hosting" as well as at the price charged for it. I wonder if the bulk of the cost goes towards paperwork or some other kind of administrative overhead? I certainly don't see the price reflected in their technical offering.
Also, the SAS70 is going away for the SSAE 16. Read more here: http://www.csoonline.com/article/622277/sas-70-replacement-s...
The majority of the cases where I've seen it used so far are in websites or other services that are just asking you for a second piece of information you know -- like a challenge question, passphrase, or the like.
...it looks like Firehost is using Phone Factor (http://www.phonefactor.com/) for their second factor authentication. I'm not sure what I think of that. On the one hand, it's marginally better than a password. On the other hand, it's only marginally better than a password. Unlike a SecurID, phones are pretty easy to compromise -- especially smart phones.
We had looked at iPhones for CC processing over cellular networks, but the lack of a consistent signal killed that. Which sucks because that would have been much easier and cheaper as a temporary solution than what we are doing now.
1. Log Management is required for PCI and HIPAA compliance. We use a product called LogLogic and review all required logs on a daily basis and remediate anything that comes up. LogLogic is the solution we put into place: http://www.loglogic.com
2. External vulnerability scans on the application and network layer.
3. Managed A/V protection. We have customers on Windows and Linux. Also detects malware and trust me - enough Linux threats out there as well.
4. GB network connectivity is absolutely correct.
5. Two-factor authentication is something you know (username and password) and something you have (dongle, ID, etc). Our two-factor is powered by phonefactor and is a great way to serve this need.
6. We use other methods to ensure this doesn't happen. (Encryption and Database Monitoring with strict rules).
7. Correct.
8. It's an absolute requirement for an organization going after HIPAA compliance to have a business associate agreement (google it for more info) and we're BAA friendly where most hosting providers are not.
9. It's redundant meaning if there's a physical firewall fail there's no loss in connectivity.
10. This protects your web application from the biggest threats on the net. Learn more here: http://www.owasp.org/index.php/Web_Application_Firewall
11. We block DDoS attacks everyday. Not all of them are high bandwidth. Google slowloris dos and learn more as an example.
12. Couldn't be more wrong. =)
13. Read #12
14. Congrats for being responsible.
15. Our datacenter meets strict requirements for redundancy and security as would other top facilities.
16. It's a nice security feature and integrates with our two-factor authentication. If your network is open to SSH (or other management ports) there's a lot to discuss.
Regarding the price, shop other managed hosting providers and you will find none that's transparent on what they offer and display pricing. Go ahead and secret shop them and you will see how low we've priced the FireHost's solution.
Also, we have our SAS70. However, that's going away for the SSAE 16 standard FYI.
Hope that helps and best of luck!
If you don't mind my asking -- if it doesn't give away any sensitive or proprietary information -- where would you say the majority of the $845/mo is going? Are there tremendous administrative costs, other business expenses (insurance?), or does that actually represent your infrastructure cost?
Sure there are people who abuse the system but more time is spent on the false positives. Usually there is an innocent reason someone knows why the concerned patient was in the hospital; like they were shopping for baby clothes and put on a lot of weight recently.
With changes in HITECH the requirements for reporting are going to get broader, increasing the cost. Some of this can be planned for but much of it is just man hours to gather, report and store information.
The longest case I have been involved with is just over 2 years of litigation against a physician. The physician was found innocent but all of the emails, medical records, voice mails, etc that might pertain to that specific situation have to be preserved. Access logging is the largest use of disk space in our organization; around several GB per day.
For a hosting organization there is less to save, but there is also additional work in isolating systems. We have a significant investment in datacenter operations and lease the EMR out to specialty practices in our area. Most of the effort with external organizations is talking to their auditor of choice to prove that our systems are secure and isolated, running reports to show who has access to their data or what people did and the extra process to verify each change that affects their information or part of the system. Some of the extra steps are to address Accounting for Disclosures.
The majority of our "costs" are built into our security layers. We're providing DDoS protection, Web Application Firewall Protection, Managed Redudant Firewalls, and more. The enterprise-grade level technology we purchase is in the seven-figures. So for starting at $200 a month (secure server with FireHost) you're protected by seven-figures in security equipment. So there's economies of scale which allows us to do this, it's just cannot be low-cost.
And as you said, there's of-course the environment is fully managed, we have engineer costs to ensure the integrity of your environment is constantly maintained.
Let me know if you have additional questions.
An organization has to have their own application specific needs met, business and process controls, database table obfuscation, etc. etc.
What's important is selecting a provider who has all the hosting needs met to achieve compliance with your auditor and will execute a business associate agreement as required.
Best of luck with your search.
We did this on a pilot project with one of our clients with hipaa requirements. We asked for box with the minimum requirements with admin/firewall setup and used this server as our end point for our app. hope this helps.
http://www.lightcrest.com
http://www.lightcrest.com/security/hipaa
Ex Myspace/Microsoft folks - lots of in house experience building high-volume sites that get pounded with malicious traffic.
Cheers