Some of our potential clients think that choosing the right cloud hosting provider is all you need to do to become HIPAA (short for Health Insurance Portability and Accountability Act) compliant, but it’s actually more involved.
While the right hosting provider is important, it’s just the first step to achieving HIPAA compliance.
Having compliant web hosting is a part of the complete process of securing your application and data. There are parts to this process that you’ll have to do yourself no matter which provider you choose.
The good news is that after helping many clients and healthcare providers achieve HIPAA compliance with their applications, we’ve learned how to help our clients secure an application. We know how hosting fits in with fulfilling HIPAA requirements, and in this article we’re going to share our experiences so you pick the best options to becoming secure and HIPAA compliant.
HIPAA Compliance Is About More Than Just Your Hosting Provider
In order to be truly HIPAA compliant, your application and overall environment need to fulfill several criteria. Here’s just a small list of the major HIPAA requirements you must achieve as a covered entity (the term HIPAA uses to describe any liable organization with PHI, protected health information, or ePHI, electronic protected health information):
- Encrypting and decrypting all data as well as messages
- Complete activity and audit logs to record who has accessed patient data and medical records
- Automatic log-off of all external devices
- Control of who accesses physical facilities
- Policies and restrictions on workstations (PCs) as well as mobile devices
- Inventory of all relevant hardware
- Conducting risk assessments
- Having a risk management policy
- Training employees on data security methods and techniques
- Establishing security rules and procedures
- Developing and testing a contingency plan in case of a breach
- Having proper technical safeguards and data protection measures in place
- Maintaining physical security of servers
- Restricting third-party access
- Reporting security incidents
- Having a disaster recovery plan
- Having a Business Associate Agreement (BAA) with any other provider that accesses your electronic protected health information (EPHI)
The complete list is even longer, but this is the major criteria. You may notice that many of these criteria are not directly related to data and server hosting.
Training employees to handle patient data securely is not directly related to having secure hosting. However, some of your employees will have to use your patient data.
A mistake by an employee can cause data to leak, so it’s important that they know how to interact with your host properly.
It’s difficult to switch web hosting, so it’s important that you make the right choice. You’re going to have to change your business and employees’ habits to integrate with whatever host you choose.
That is the mindset shift you need to make in order to make your business HIPAA compliant when using an external host. You need to look at HIPAA compliance as a way to reorganize your business to treat ePHI securely.
It’s not just picking a hosting service provider for your application and/or patient data. Instead, it’s a way for you to make sure that your entire business makes an effort to secure personal health data.
HIPAA Compliance Does Not Mean Complete Security. HITRUST Certification Can Make You Even More Secure
Now that you’ve learned that it can take a good deal of time to become HIPAA compliant, you might be surprised to find out that HIPAA compliance is not the highest standard of security.
While becoming HIPAA compliant will mean that you have taken many steps to secure your patient data, you can go even farther by becoming HITRUST certified.
There is no required certification for HIPAA compliance. It’s a law and set of practices that businesses with health information are expected to follow.
Here are several reasons why you might decide that you want to go above and beyond just achieving HIPAA compliance:
- There’s no governing body that verifies that you’re HIPAA compliant.
- There’s no required annual audit, so you could stop being compliant after a year and not realize it.
- The only way for HIPAA compliance to be “enforced” is for complaints to be filed against you
- There are more regulations that govern security than just HIPAA (like PCI DSS for credit card information). You could be HIPAA compliant but not compliant with other data privacy laws.
For these reasons and more, you might want your organization to become HITRUST certified.
HITRUST is an entity designed to create a certifiable process that incorporates several compliance requirements besides HIPAA.
If your organization achieves a HITRUST CSF certification, then it’s achieved some of the highest standards of security. These standards are constantly evolving as technology changes, so you know that you’re adopting the best practices to secure your business.
At Armor, we are HITRUST certified and have helped many customers become HITRUST certified as well.
Whether you choose to be HIPAA compliant or become HITRUST certified, you need to make sure that you’re doing what you can to prevent and contain any leaking of sensitive information.
We don’t need to tell you the consequences that can result if your business gets breached. Large fines and the closing of your business are both possible. Ever since the HITECH Act was passed into law in 2009, lawmakers have been more aggressive in punishing neglectful companies.
Choosing the right hosting provider is a crucial part of becoming a secure business. In order to become as secure as possible, it’s essential that you choose a partner that will help you navigate the regulations around patient data.
If you want to know whether your business should get HITRUST certification or if HIPAA compliance is enough, you can reach out to one of our experts here.
With Armor Anywhere and Armor Complete, We Can Secure Your Data No Matter Where It Is.
Armor has two main products: Armor Complete and Armor Anywhere.
Armor Complete is where you host your data and applications in our private cloud and use our cloud services and dedicated servers. Plus, you’ll have access to other managed services that come from hosting with us. Our cloud follows the most stringent frameworks and is HITRUST certified.
Armor Anywhere is a software solution that can secure your data no matter where it is (on-premise, Amazon Web Services, Microsoft Azure, Google Cloud Platform) and on any operating system (Microsoft or Linux). This will help you secure whatever host is holding your data.
It’s not a simple transition, that’s why we’re more than just a software solution. We offer all of our customers advice and counseling to help them become HIPAA compliant and/or HITRUST certified.
Our advisors have real-world experience helping businesses like yours become compliant and secure.
By choosing Armor, you’re not only getting software that will automatically do a lot of the work for you, but you’re also getting a partner with years of experience securing servers holding patient data.
If you choose Armor Complete, then you’ll have to do less work to become compliant. Plus, we have built-in security controls on our cloud environment to help you with uptime, managing dedicated servers, or other issues that come from hosting an application on the cloud.
If you choose Armor Anywhere, you’ll have the flexibility to host your data on a public cloud like AWS but there’s more work that you need to do to be compliant.
Here’s a simple matrix showing how our two products secure different aspects of your hosting:
|Feature||Armor Complete||Armor Anywhere|
|File Integrity Monitoring||X||X|
|Log Collection & Management||X||X|
|Storage, Database, & Networking||X|
|Regions, Availability Zones, & Edge Locations||X|
|Identity & Access Management|
For the areas that we can’t secure for you, we’re always happy to advise you on how to become compliant.
Reach out here if you want to talk with us about the steps you need to take to have a secure and compliant hosting solution.
Why Armor Is the Most Effective Choice for HIPAA Compliant Hosting
We figure that you have several choices if you want to have compliant HIPAA hosting.
First, you can pick any public hosting company and then do all the HIPAA compliance set up yourself. While this is possible, it’s a lot to learn for someone who hasn’t done it before.
Look at this diagram from AWS on how to get started with HIPAA compliance:
This is just a simplification.
Your second option is to hire a consultant to create a custom tech stack for you. While this should work as long as you hire the right consultant, it will be quite expensive for any firm to walk you through all of these steps.
Your third option is to choose one of our competitors who also provide security and/or compliance software.
We’ve looked at all of our competitors, but none of them provide the combination of software, service, experience, flexibility, and commitment to service that Armor does.
Your final option is to use Armor. There are several reasons why we believe that we’re the best solution:
- We’re available 24/7 to respond to any breaches and will help you remediate any issues.
- Our software is constantly monitoring your application and is designed to only send you a notification when there’s a high likelihood of an incident. Without our selective throttling, you’d likely be bombarded with false incident messages.
- And, with our staff who has years of experience hosting applications like yours, you’ll always have someone to help you make sure you’re up-to-date with the latest changes in HIPAA compliance and/or HITRUST standards.
While other services will notify you if you’ve been breached, only Armor will actually remediate issues for you and then investigate your service to prevent it from happening again in the future.
We’ve looked, and we haven’t found another solution out there that combines all of these benefits.
If you do decide to pick Armor as your host, you’ll have to decide whether to choose Armor Complete or Armor Anywhere.
If you want HIPAA compliant hosting for the least amount of effort, we suggest choosing Armor Complete.
If you want the flexibility of hosting your data on a public or private cloud, then we suggest choosing Armor Anywhere.
We’ve worked with applications that are hosted on any combination of hosts (public, private, hybrid), and can help you secure your application.
Here’s a helpful chart of how our services stack up to the competition when it comes to securing your application:
|Public Cloud (AWS, Azure, GCP)||Consultant||Threat Stack||Alert Logic||Armor Anywhere||Armor Complete|
|Access to HIPAA Compliance Tools||X||X||X||X||X||X|
|Near Instant Installation of Security Software||X||X||X||X|
|Immediate Secure Infrastructure Setup||X|
|Data and Identity Management|
Armor is the only solution that will actually help you in case a security breach happens. Instead of just a notice saying something went wrong, you’ll have a trained security team that can fix issues as soon as they arrive.
Data and identity management is something you’ll have to figure out (as it’s unique to your particular situation). However, we have experience securing applications like yours and are always ready to give you advice.
When choosing a HIPAA compliant host, you’re not just finding a place to store your data. You’re looking for a partner to help you completely secure the servers hosting the patient data that has been entrusted to your business.
You need someone who can tell you all of the intricacies involved with complying with HIPAA compliance law. You shouldn’t settle for a provider who gives you a set of tools and vague instructions.
If you want to go above-and-beyond and become HITRUST certified, then you need a partner who can help you with that.
You need a host who understands all the requirements of making your business HIPAA compliant. Someone who not only understands data and servers, but also the myriad business changes that you need to make.
In short, you need a business partner who’s constantly watching your environment, staying up-to-date with changes in compliance regulations, and ready to advise you when you need it.
Once you have that partner, you’ll be sure that your data and business are not just HIPAA compliant but truly secure.