Choosing a HIPAA cloud hosting provider

December 3, 2020

What are the key factors physicians should look out for?

The popularity of HIPAA Cloud Hosting has skyrocketed in 2020. More and more US healthcare organizations are choosing to outsource their IT systems to a HIPAA compliant hosting provider. Searching for the right provider is a challenge, so what are the key factors you should be looking for to get the best service?

Get a signed Business Associate Agreement (BAA)

The first requirement of HIPAA compliance is to choose a hosting partner that will offer and sign a Business Associate Agreement (BAA). Paperwork is never the most exciting part of your digital journey, but it is a fundamental piece of the puzzle. Look for a provider that will sign a contract to guarantee their HIPAA compliance status when processing, managing, or storing protected health information (PHI).

The BAA is essential when outsourcing to a HIPAA compliant provider. You are essentially offloading many of the compliance and security challenges of HIPAA to a third party, so you need to know that they can do the job. The BAA gives assurances about the service level agreements of the service and will explain how the business associate (BA) handles PHI, and whether the BA outsources any of these tasks to someone else.

Security defined hosting

Maintaining the data integrity of PHI is the overall objective of HIPAA compliance. The healthcare organization and all BAs have a responsibility to protect and secure patient data and to guarantee that no unauthorized changes are made to PHI.

Choose a hosting provider with a security-first mindset. The hosting provider must know exactly what is going on inside their network. This state is achieved by 24x7 monitoring and detailed, verbose logging of all network appliances, filesystems, and in-house applications. A technical solution, such as SIEM software, can interpret this abundance of data into usable information and data analytics, and even create a trend baseline of expected activity against which anomalies can be spotted.

Each data center location provided must be a completely secure facility: not just structurally secure, but with security-conscious practices guaranteed onsite. Physical controls including CCTV, restricted access control lists, key card entry systems, cabinet locks, 24/7 perimeter monitoring, and intrusion detection systems (IDS) should be standard features.

Zero Trust

Consider a hosting provider that architects a HIPAA compliant environment using the Zero Trust model. This model treats every transaction, data movement, or data operation as suspicious until it is verified. Appliances such as an Intrusion Prevention System (IPS) can track data flow and network behavior, and automatically alert on suspicious network activity.

Each network layer must separate and isolate traffic, and that traffic must be encrypted. Secure VPN access must be available to connect to the hosting platform, and it is highly recommended to encrypt all HIPAA hosting file storage, not just the disks that hold PHI.

Complex firmware upgrades to the Hyper-Converged Infrastructure, hypervisor upgrades, or any storage and network stack are the hosting provider’s responsibility. This is not an easy task, especially when the provider must maintain a guaranteed uptime service level agreement.

Look for Compliance Standards

Reputable cloud hosting providers will subject their HIPAA compliant infrastructure to physical audits by external parties. They must be HIPAA audited to guarantee that management and business processes are fully compliant with HIPAA standards.

Look for the HITECH certification. This guarantees the standards for privacy and security of confidential Electronic Health Record (EHR) data. This ensures your provider is the best choice for healthcare hosting and data confidentiality requirements.

Additionally, look for compliance certifications from AICPA SOC. This standard ensures that the provider's information management and network technology assurance adheres to AICPA's best practice and ethical standards.

Know what PHI you have

Safeguarding how users, patients, and healthcare professionals access PHI is an essential part of HIPAA compliance. It specifically relates to several key administrative and technical safeguards of HIPAA legislation.

Every covered entity must first know what PHI they have and how they process it. There is no getting around this - it’s mandatory.

Choose a hosting provider that will work with you, and assist with the initial risk assessment so that all invested parties know what PHI is in scope. Going forward, a risk assessment should be conducted at least once a year to ensure progress is being made.

Control Access to PHI

After the initial risk analysis, access controls can be implemented that give only authorized users access to PHI. Each user is assigned a centrally controlled unique username and password, as well as a PIN code for multi-factor authentication when logging on.

Multi-factor authentication is normally tied to a person’s mobile phone, and your hosting provider should help with encrypting endpoint devices such as laptops, mobile phones, and tablets. Enterprise-grade solutions can scan for vulnerabilities on these devices, and track when the device was last attached to the network.

Do they offer a Managed Service?

Medical professionals are extremely busy people. One effective way to relieve some of the pressure is to leverage additional managed services from the hosting provider. The types of services available vary between vendors, but the service controls are key to enhancing organization-wide cybersecurity.

Managing a secured network, network firewalls, web application firewalls, and everything in between creates an intrinsically secure network infrastructure that isolates and protects your service. Creating a secured network architecture is not easy to do. It can take years to complete and requires highly skilled teams to manage. These complexities are why outsourcing this responsibility is so popular.

Managed Backup and Disaster Recovery?

How do you look after your backups? Does your cloud hosting provider include a managed backup service? Having encrypted backups of PHI is mandatory, and offloading this to a hosting partner is usually an easy win.

Another service to look for is a disaster recovery capability. This is a technical solution that will protect critical business servers from unexpected downtime. There are numerous ways this can be achieved, such as high availability clustering, automated node failover, and even a fully managed disaster recovery solution delivered as a service.

Ensuring business continuity and disaster recovery capabilities is an essential requirement of HIPAA compliance.

Richard Bailey is the Lead IT Consultant at Atlantic.Net, a growing and profitable cloud hosting company that specializes in HIPAA compliance.