Ask HN: HIPAA Hosting?

14 points by kgrin ↗ HN
My consulting company is working with a client to make some changes to their webapp (it's a health-care-related app - details aren't super-relevant). One of the items on their wishlist is "make it HIPAA-compliant". We're working with the client's lawyer to determine exactly what that means in practice, but it's clear that one of the items will be "host it on infrastructure other than the $10/mo. WebFaction plan".

The app itself is (relatively) simple systems-wise, so we don't really need a dedicated box and all the sysadmin and security headaches that come with it. But from my basic read of the HIPAA Security Rule, shared hosting (which abstracts away a lot of the sysadmin issues) won't cut it. We're primarily developers, not sysadmins, and certainly don't want to get into the server admin business on something with regulatory requirements.

Does anyone here have suggestions for either a host that can make this less painful (not even sure what that would entail), or a firm that specializes in the sysadmin side of things? (Preferably with HIPAA experience).

33 comments

[ 3.4 ms ] story [ 86.9 ms ] thread
No shared hosting seems to imply that VPS won't cut it either--depends on what "shared hosting" really means. So you are left with looking for a dedicated hosting plan. I'd say check out a company like Rackspace (disclosure: I work there).
Happy to use Rackspace or another dedicated server provider... the trick is that we don't want to be responsible for, say, security patches to the kernel.

So really the question is: is there a company that'll manage the damn server(s) for us so that we get to deal with a nice, clean abstraction similar to shared hosting?

Basically I want a HIPAA-compliant Heroku (though in this case not for Ruby).

It's not cheap, but Rackspace has people you can pay to do this sort of thing for you.
There are plenty of companies that will do this for you, probably from about $250 per month; what I would recommend is a reasonably powerful dedicated machine on which you install your own VPS solution.

Give one large VPS to your production app, and create other VPSes for testing or development purposes.

The reason you want to use a VPS on top of your own dedicated hardware is to gain the benefits of VPS control, including easy archiving of the entire system, snapshots, easy moves to new hardware even if the hardware is different, etc.

The company we use, Rimuhosting, has sysadmin services available at $40/hr, which is pretty reasonable. Their dedi-server plans are reasonable as well.
depends on what "shared hosting" really means

I think that's the key.

My employer hopes that a virtual machine on a private VLAN, with a fully-encrypted virtual disk, qualifies. This seems reasonable to me, but reasonableness isn't necessarily a part of any regulation.

FWIW, I think I recall the OpenBSD devs coming out pretty hard against considering a VPS to be "secure" in most senses of the word; they seem to have thought that there were theoretical ways for VPSs to on the same machine to break through their respective barriers.

I can't find any links about this though and it's been months since I've kept up on OpenBSD-misc, so I might be full of shit.

Personally, I would tend to choose a theoretically-insecure VPS over a vhost environment any day.

I don't know of a specific rule that prevents shared hosting - and if you do, I'd love to see it (as I mentioned, by company is in the middle of a similar process). What is clear is that you have to document access and changes, which could be trickier in a shared hosting environment. But if the host itself has processes in place, and documents them to you, you should be fine.
The first company that gets to a certified HIPAA and PCI hosting cloud is going to have to figure out what to do with the buckets of cash they have lying around. I think for the enterprise PCI certification will be the event that gets the big (non-tech) guys out of running their own infrastructure. I would imagine that it would be the same for medical. As for you immediate question, I am sorry I can't help I don't know who if anyone is doing this. I am still looking for a PCI certified cloud as a portion of my customers are Public companies and not having to work on all their different infrastructures and being able to provide them a hosted solution would be great for me, but there is no way I could get into managing a PCI certified hardware infrastructure just to achieve that goal.
As a point of clarification... HIPPA is a federal law. PCI is an industry standard (VISA, Mastercard, etc). That does not mean one is better than the other, I just wanted to clarify.
Yes, I am aware of the difference but thanks for the clarification. My point was more to the fact that a specialized cloud provider could really fill a needed void here on both counts.
I agree it would be great, I've gotten letters from Amazon that it is hipaa compliant but not PCI, and from rackspace that it is pci compliant but not hipaa.
I did not know that Rackspace is PCI compliant. Thanks for that info.
HIPAA is more about documenting your intended process, and your actual actions, than it is about requiring any particular solutions provider. For example, it's entirely possible to build a HIPAA compliant web app on AWS:

http://aws.typepad.com/aws/2009/04/white-paper-creating-hipa...

My company is in the middle of this, and we haven't encountered any deal-breakers so far.

A system built from scratch can meet HIPAA, and HITECH, without much more than good security. The issue is often with companies that give security an afterthought or have older software that needs to be "made secure."

The key to that link is encryption; it gets Amazon off the hook for a lot of things.

Had to research this before. Firehost is one of the names that came up often:

http://www.firehost.com/secure-hosting/hipaa

Their plans start from $845 monthly.

No affiliation, just passing info along.

You can't just rely on the provider though. All the server hardening in the world wouldn't help with apps that don't comply fully. Some of the audit requirements are bound to be very specific to the nature of your app.

I was curious what $845/month got you, so just for fun I looked. From the features part of that page:

1. Log Monitoring and Management: Not sure what they mean by this; surely it's something more complex than logrotate. Maybe rsyslog or something?

2. Continuous Vulnerability Monitoring: So, they follow the usual script sites & mailing lists.

3. Managed Anti-Virus Protection: I hope they aren't running on a Windows platform, and if they aren't, I'm not aware of very many current in-the-wild viruses for the various Linux distros.

4. 1 Gigabit Networking Infrastructure (Public and Private): Heh.

5. Two-Factor Authentication: I see this a bit, and it's usually mis-used. Unless they require you to physically submit a fingerprint, DNA sample, retinal image, or some other such thing, then it's not two-factor authentication.

6. Application and Database Server Isolation: They're running the application and the SQL instances on different servers, but if the application server gets compromised, then so does the SQL server, since the application needs automated credentials for the SQL server.

7. Managed SSL Service: Once a year they make sure your certificate is up-to-date.

8. Business Associate Agreement Friendly: What?

9. Managed Redundant Firewall Protection: Not sure what they mean by this. Either your firewall works, or it doesn't. Layering them doesn't do squat. If they mean that they have a hot spare ready to go in case of an outage, then that's a little better -- but still not that helpful if the app server or db server falls over for any reason.

10. Managed Redundant Web Application Protection (Port 80/443): What?

11. Managed Redundant DoS/DDoS Mitigation: This is nice, at least, since it requires a bit of infrastructure to do it right -- assuming that they can stand up to a multi-terabit-per-second hit, since that's what the botnets are packing these days.

12. Managed and Monitored Intrusion Detection: So, run-of-the-mill IDS + Nagios + remote logging.

13. Managed Proactive Operating System Security Patches: This is a lie unless they're personally writing and submitting patches. The most "proactive" you're likely to get otherwise is running a nightly update.

14. Managed Weekly Full Backups + Daily Differentials (Encrypted): I want to take just a moment here and toot our own horn: we do weekly fulls + daily differentials for our regular web hosting customers, for a heck of a lot less than $845 a month. They aren't currently encrypted, but that wouldn't be all that challenging to add on.

15: Highly Secure Data Center Environment: You can probably get the same "highly secure data center environment" from Rackspace, Hurricane Electric, or any of a number of other really big hosting providers.

16: VPN/SSL Provided for Server Management (RDP/SSH/FTP/SQL): Nice, but again, really not that hard to set up, especially for a turn-key environment.

TL;DR: I'm really surprised both at what qualifies as "HIPAA compliant hosting" as well as at the price charged for it. I wonder if the bulk of the cost goes towards paperwork or some other kind of administrative overhead? I certainly don't see the price reflected in their technical offering.

(comment deleted)
I thought "Two-Factor Authentication" referred to an RSA SecurID or something similar. Am I wrong? Why do you say "it's usually misused"?
A SecurID would work. ("Something you know, plus something you have or something you are.")

The majority of the cases where I've seen it used so far are in websites or other services that are just asking you for a second piece of information you know -- like a challenge question, passphrase, or the like.

...it looks like Firehost is using Phone Factor (http://www.phonefactor.com/) for their second factor authentication. I'm not sure what I think of that. On the one hand, it's marginally better than a password. On the other hand, it's only marginally better than a password. Unlike a SecurID, phones are pretty easy to compromise -- especially smart phones.

The issue I'd have with this setup is reception. In our Hospital there are a lot of places with little or no reception; Radiology and Lab are two main examples. Due to all of the lead they have around there is no signal.

We had looked at iPhones for CC processing over cellular networks, but the lack of a consistent signal killed that. Which sucks because that would have been much easier and cheaper as a temporary solution than what we are doing now.

A few responses to this post:

1. Log Management is required for PCI and HIPAA compliance. We use a product called LogLogic and review all required logs on a daily basis and remediate anything that comes up. LogLogic is the solution we put into place: http://www.loglogic.com

2. External vulnerability scans on the application and network layer.

3. Managed A/V protection. We have customers on Windows and Linux. Also detects malware and trust me - enough Linux threats out there as well.

4. GB network connectivity is absolutely correct.

5. Two-factor authentication is something you know (username and password) and something you have (dongle, ID, etc). Our two-factor is powered by phonefactor and is a great way to serve this need.

6. We use other methods to ensure this doesn't happen. (Encryption and Database Monitoring with strict rules).

7. Correct.

8. It's an absolute requirement for an organization going after HIPAA compliance to have a business associate agreement (google it for more info) and we're BAA friendly where most hosting providers are not.

9. It's redundant meaning if there's a physical firewall fail there's no loss in connectivity.

10. This protects your web application from the biggest threats on the net. Learn more here: http://www.owasp.org/index.php/Web_Application_Firewall

11. We block DDoS attacks everyday. Not all of them are high bandwidth. Google slowloris dos and learn more as an example.

12. Couldn't be more wrong. =)

13. Read #12

14. Congrats for being responsible.

15. Our datacenter meets strict requirements for redundancy and security as would other top facilities.

16. It's a nice security feature and integrates with our two-factor authentication. If your network is open to SSH (or other management ports) there's a lot to discuss.

Regarding the price, shop other managed hosting providers and you will find none that's transparent on what they offer and display pricing. Go ahead and secret shop them and you will see how low we've priced the FireHost's solution.

Also, we have our SAS70. However, that's going away for the SSAE 16 standard FYI.

Hope that helps and best of luck!

Thanks for responding! Regardless of any debate over the merits of the specific things you guys do, it's clear that you have put a lot of work into your service, and you are at least describing some of what you do, instead of saying, "magic (now with hand waving)".

If you don't mind my asking -- if it doesn't give away any sensitive or proprietary information -- where would you say the majority of the $845/mo is going? Are there tremendous administrative costs, other business expenses (insurance?), or does that actually represent your infrastructure cost?

I work in IT at a health network; specifically doing compliance, audit and IT security. We have to keep logs for decades from every system used to "transmit, store or process ePHI." A LOT of time is spent chasing shadows when a patient thinks someone might have looked at their record.

Sure there are people who abuse the system but more time is spent on the false positives. Usually there is an innocent reason someone knows why the concerned patient was in the hospital; like they were shopping for baby clothes and put on a lot of weight recently.

With changes in HITECH the requirements for reporting are going to get broader, increasing the cost. Some of this can be planned for but much of it is just man hours to gather, report and store information.

The longest case I have been involved with is just over 2 years of litigation against a physician. The physician was found innocent but all of the emails, medical records, voice mails, etc that might pertain to that specific situation have to be preserved. Access logging is the largest use of disk space in our organization; around several GB per day.

For a hosting organization there is less to save, but there is also additional work in isolating systems. We have a significant investment in datacenter operations and lease the EMR out to specialty practices in our area. Most of the effort with external organizations is talking to their auditor of choice to prove that our systems are secure and isolated, running reports to show who has access to their data or what people did and the extra process to verify each change that affects their information or part of the system. Some of the extra steps are to address Accounting for Disclosures.

You're absolutely welcome.

The majority of our "costs" are built into our security layers. We're providing DDoS protection, Web Application Firewall Protection, Managed Redudant Firewalls, and more. The enterprise-grade level technology we purchase is in the seven-figures. So for starting at $200 a month (secure server with FireHost) you're protected by seven-figures in security equipment. So there's economies of scale which allows us to do this, it's just cannot be low-cost.

And as you said, there's of-course the environment is fully managed, we have engineer costs to ensure the integrity of your environment is constantly maintained.

Let me know if you have additional questions.

This is absolutely correct. Your managed hosting company has a portion of the responsibility for HIPAA compliance which is why we say "Compliance Ready".

An organization has to have their own application specific needs met, business and process controls, database table obfuscation, etc. etc.

What's important is selecting a provider who has all the hosting needs met to achieve compliance with your auditor and will execute a business associate agreement as required.

Best of luck with your search.

One other issue to consider is that just because your hosting provider's infrastructure is HIPPA compliant doesn't mean your application is. There are still a ton of privacy issues within the application, plain text HTTP, user authentication, etc.
Yep - we're aware of all that, and we can handle the various app-level changes... we just don't want to be in the "ongoing server maintenance" business.
Depending on your fit/needs, it may be worthwhile to check out if the end client would like to maintain this box. That way, you are on their network. The disadvantage is of course the administration.

We did this on a pilot project with one of our clients with hipaa requirements. We asked for box with the minimum requirements with admin/firewall setup and used this server as our end point for our app. hope this helps.

Lightcrest is a complex managed hosting provider that works with clients to ensure HIPAA compliance. We build fully managed environments (servers, storage, network, physical security) and work with application developers and management on a variety of compliance issues.

http://www.lightcrest.com

I work for a managed infrastructure firm that specializes in scaling out secure platforms for customers that require HIPAA compliance - might want to check it out.

http://www.lightcrest.com/security/hipaa

Ex Myspace/Microsoft folks - lots of in house experience building high-volume sites that get pounded with malicious traffic.

Cheers