Ask HN: How do I set up a HIPAA-compliant server? - th3o6a1d
======
USNetizen
It's not just the server - it's the storage, accessibility
(compartmentalization), and transmission of sensitive data (PHI and PII) at
all levels. There is a lot more to HIPAA/HITECH than just server configuration
- there are legal agreements you have to enter into as well (BAA's), insurance
requirements, and potentially a lot more.

I'd suggest you work with a company that has a lot of experience in this area
before you inadvertently find yourself fined (or sued) into bankruptcy.

~~~
paco3346
A lot of HIPAA compliance also has to do with due diligence. My organization
recently went through a long period of training that covered everything from
building access logs to the way we do employee password resets. Unfortunately
there aren't hard, static rules that define it.

On the positive side, I've learned to love the compliance. Most of it is
common sense things (like not giving out info over the phone to any random
person) and has made our organization more efficient.

~~~
rficcaglia
+1. Do these things because they are actually good engineering practices. Be a
good custodian of any user's trust.

I think some companies try for the quick buck and in the name of cost savings
run a shoddy operation. YMMV.

PS: do not try making said quick buck in health care. Contrary to VC bets
otherwise, it doesn't exist. Plan for a very, very long haul.

------
wyc
There are a few options if you want HIPAA compliance. Note that "HIPAA
compliance" is somewhat of a loaded term in that there aren't many super-
technical benchmarks to meet, but a general "do-good" attitude including (but
not limited to) some of the following points:

- Physical server isolation: you cannot have other instances sniffing around
in your deallocated garbage memory.

- Encrypted data stores: physical theft of the server should not provide
access to your data.

- Server providers who can sign a Business Associate Agreement: many
hospitals and firms with medical data require this in their stipulations.

- Audit trails for database modifications, access, etc. Basically, log
everything, and this has to be encrypted too if it contains protected health
information (PHI).

- All PHI over HTTPS if you have a webapp. NO PHI OVER EMAIL OR HTTP.

- "Soft" guidelines such as password complexity measures, auto session
expiration, disallowed multi-sessions.

Again, this is not an exhaustive list. You really need to check with a lawyer
who knows this stuff. The fines are enormous (read: business-ending) if you
break the rules.

How do you work to implement these? Well, find a host who is willing to sign a
BAA. Here are the two major contenders I'm aware of:

- Use Amazon AWS; they're willing to sign a BAA with you and provide you the
physical server isolation you need. However, this doesn't come cheap. Expect
>$2,000/mo in costs to keep this configuration. Also, you'd better be a
network pro or willing to learn how to manage VPCs correctly to provide proper
network-level isolation for the databases.

- Use aptible.com (they happen to be a YC company, and I don't know of anyone
else doing this). Frank & Chas (the founders) are very responsive and aim to
provide a comprehensive package, including backups, audit trails, and even
employee training. The Docker-based and heroku-like interface is very
appealing:

[https://support.aptible.com/hc/en-us/articles/202638630-Depl...](https://support.aptible.com/hc/en-us/articles/202638630-Deploying-your-first-app)

This option is still expensive. They host on AWS as well, so you're paying for
the server costs + premium. However, this will still be a lot cheaper than
hiring a competent sysadmin to make sure the execution is flawless.
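The "soft" session guidelines in the list above (automatic session expiration, no concurrent sessions) are easy to state and easy to get subtly wrong. The following is an added example, not code from this thread or from any vendor mentioned in it, showing one way to enforce an idle timeout, an absolute session lifetime and a single live session per user in a server-side session store. The timeout values, the in-memory store and the `demo()` walkthrough are assumptions for illustration; HIPAA does not prescribe specific numbers.

```python
"""Session policy enforcement for a web app handling PHI: idle timeout,
absolute session lifetime, and one live session per user. Added example,
not code from the thread or from any vendor it mentions. The timeout values
and the in-memory store are assumptions; a real deployment keeps sessions
server-side (database or cache) and applies the same rules."""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # assumption: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumption: 8 hours after login, regardless of activity


def _key(token):
    # Store only a hash of the token, so a dump of the session table
    # does not hand an attacker usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for testing
        self._sessions = {}      # token hash -> {"user", "created", "last_seen"}
        self._by_user = {}       # user -> token hash (enforces a single live session)

    def login(self, user):
        """Create a session; any existing session for the user is revoked."""
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        key = _key(token)
        self._sessions[key] = {"user": user, "created": now, "last_seen": now}
        self._by_user[user] = key
        return token

    def authenticate(self, token):
        """Return the user for a live session, or None. Expired sessions are
        destroyed on sight rather than left for a later sweep."""
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["created"] > ABSOLUTE_LIFETIME
                or now - sess["last_seen"] > IDLE_TIMEOUT):
            self.logout(token)
            return None
        sess["last_seen"] = now     # sliding idle window
        return sess["user"]

    def logout(self, token):
        """Explicit logout; safe to call with an unknown or stale token."""
        key = _key(token)
        sess = self._sessions.pop(key, None)
        if sess is not None and self._by_user.get(sess["user"]) == key:
            del self._by_user[sess["user"]]

    def live_session_count(self):
        return len(self._sessions)


def demo():
    """Walk through the three rules with a scripted clock and return the
    observed outcomes, so they can be checked without reading stdout."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    t1 = store.login("dr_smith")
    first = store.authenticate(t1)              # "dr_smith"
    now[0] += IDLE_TIMEOUT + 1
    after_idle = store.authenticate(t1)         # None: idle timeout
    t2 = store.login("dr_smith")
    t3 = store.login("dr_smith")                # second login revokes t2
    second_login = store.authenticate(t2)       # None
    third_login = store.authenticate(t3)        # "dr_smith"
    # Keep t3 active every 10 minutes; the absolute lifetime still ends it.
    for _ in range(48):                          # 48 * 10 min = 8 h exactly
        now[0] += 10 * 60
        store.authenticate(t3)
    now[0] += 10 * 60
    after_absolute = store.authenticate(t3)     # None: absolute lifetime
    return (first, after_idle, second_login, third_login, after_absolute,
            store.live_session_count())


if __name__ == "__main__":
    print(demo())
```

The absolute lifetime matters because a sliding idle window alone lets a stolen cookie live indefinitely as long as the attacker keeps using it; the single-session rule makes a second login from elsewhere visible to the legitimate user as a forced logout. Both events are also worth writing to the audit trail.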

~~~
laurencerowe
Does HIPAA really require "physical server isolation"? I wasn't able to find
anything specifying that in my reading. (Encrypting data at rest is definitely
required. I suspect the S3 functionality was built to address the
requirement.)

AFAICT the whole "can't do HIPAA in the cloud" meme arose from the reluctance
of cloud services to sign BAAs, Google only got on board with that earlier
this year.

~~~
chasb
I'm a lawyer, but not _your_ lawyer. This is not legal advice. :)

The HIPAA Security Rule requires that you take "reasonable and appropriate"
measures to safeguard the confidentiality, integrity, and availability of
electronic regulated health data.

Physical server isolation is not prima facie required, meaning there is no
requirement that literally states you must isolate servers down to bare metal.
Your customers' judgments about what constitutes "reasonable and appropriate"
safeguards may vary, though. That decision should be driven by your risk
assessment.

Encryption is also not prima facie required, actually.[0] I can't imagine a
case in which it would be reasonable for a cloud SaaS provider not to implement
it, so I'd say it is de facto required. MFA may be moving to the same
category, for most web services.

[0]:
[http://www.law.cornell.edu/cfr/text/45/164.312](http://www.law.cornell.edu/cfr/text/45/164.312)

------
sebst
It's a big task on its own and it seems a bit non-transparent to me.

However, you may want to have a look at TrueVault[0] which has been featured
on HN[1].

[0]: [https://www.truevault.com/](https://www.truevault.com/)

[1]:
[https://news.ycombinator.com/item?id=7033188](https://news.ycombinator.com/item?id=7033188)

------
michaelmachine
As some people have mentioned here, there are other issues to think of besides
the IT aspect. There is employee training, risk assessment, policy
development, and the business account agreements. Accountable is a company
that focuses on these type of issues to make them easier by providing things
like employee training, ready to use policies and procedures, and business
association agreements. I found them while learning about HIPAA compliance,
and I have not actually tried the product but it looks like it could be useful
for you, so I thought I would mention it here.
[http://accountablehq.com/index.html](http://accountablehq.com/index.html)

------
th3o6a1d
Surprised no one has posted this. From the folks at TrueVault.
[https://github.com/truevault/hipaa-compliance-developers-gui...](https://github.com/truevault/hipaa-compliance-developers-guide)

------
th3o6a1d
@USNetizen -- You're right...I should have clarified that I want to know how
to get an entire stack up and running, although I don't trust myself to do
this unassisted.

I'm just surprised at how few resources there are that explain what it takes,
and I hope that someday soon, healthcare startup CTO's will be referred to
clearly documented open source solutions that are fairly fool-proof, rather
than paid-for services (@sebst). Amazon's compliance page is unfortunately
uninformative (@byoung2).

~~~
chasb
I'm the co-founder of Aptible, a HIPAA-compliant PaaS that just went through
YC. I'd be really happy to talk to you and help figure out what kinds of
resources we could publish, for free, that would help CTOs in your position
figure this out. Email is in my profile.

------
voska
If you want a HIPAA-compliant server setup for you:
[https://www.aptible.com/](https://www.aptible.com/) (S14)

------
chasb
(Disclosure: I'm a co-founder of Aptible.)

As noted in other comments, most of HIPAA is not technical. Most of the
requirements relate to risk assessment, policies, training, incident response,
etc.

With that in mind, I'm going to quickly run down all of the major moving parts
and then cover some of the technical considerations for setting up a server.

HIPAA has three main rules you need to comply with:

1. The Privacy Rule - Governs the use and disclosure of PHI (protected health
information). Applies to all forms of PHI (verbal, written, electronic, etc.).

2. The Security Rule - Governs safeguards for electronic PHI

3. The Breach Notification Rule - Governs your responsibilities during a
security or privacy incident

 __ __ __ __ __ __ __ __

The Security Rule has a general security standard, some documentation
/retention rules, and three sections of safeguards. They are:

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

Some of the safeguards are mandatory. Some are "addressable," meaning if you
don't implement them you must document why you chose not to and what other
safeguards you applied instead.

 __ __ __ __ __ __ __ __

Most likely, you're going to start with something like the following for your
servers:

1. Sign a BAA with any service provider who is going to touch PHI for you.

2. Restrict physical and logical server access to authorized individuals.
Document how you restrict access and why the methods chosen are reasonable and
appropriate given the risk posture of your organization. (There's a LOT packed
into this step.)

3. Log all access and data modification events. If you use a logging service
that isn't HIPAA-compliant, make sure you're not including PHI data you send
them.

4. Encrypt data at rest and in transit, including inside the network
perimeter. Document your network topology and access points.

5. Implement backups according to your organization's HIPAA
contingency/disaster recovery plan. Document the backup scheme.

A few caveats:

- I haven't addressed application-level security. The same requirements
apply, but the implementation differs.

- Your customers will demand additional safeguards that aren't in HIPAA.

At Aptible, we help with all of this, plus all of the other requirements (risk
assessment, policies, training, etc.), so you can get a complete handle on
your compliance status.
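Step 3 above (log every access and modification event, but keep PHI out of anything you send to a logging service that has not signed a BAA) is the one most often done half-way: the audit trail exists but can be silently edited, or the third-party log shipper receives the raw records. The following is an added example, not code from this thread or from Aptible or any other vendor named in it. It keeps a local audit log in which each record carries an HMAC over its own content and the previous record's MAC, so a record edited, removed from the middle or reordered after the fact breaks the chain at that point, and it produces a PHI-scrubbed copy of each record for export, carrying only an opaque id that ties back to the full local record. The PHI field list, the sample events and the key handling are assumptions (in production the key comes from a secrets manager or HSM, not the program text).

```python
"""Tamper-evident audit trail for PHI access events plus a PHI-scrubbed
export for a log service that has not signed a BAA. Added example, not from
the thread or any vendor named in it; the PHI field list and the key
handling are assumptions."""
import hashlib
import hmac
import json

# Assumption: the structured fields that carry PHI/PII in this application.
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "address", "diagnosis"}
GENESIS = "0" * 64   # "previous MAC" for the first record


def _canonical(event):
    # Deterministic serialisation so the MAC covers exactly one byte string.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key):
        self._key = key
        self.records = []

    def _mac(self, prev, event):
        # MAC binds this event to the previous record's MAC: the chain.
        return hmac.new(self._key, prev.encode() + b"\n" + _canonical(event),
                        hashlib.sha256).hexdigest()

    def append(self, event):
        """Append one access/modification event and return the stored record."""
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"seq": len(self.records), "prev": prev,
               "event": dict(event), "mac": self._mac(prev, event)}
        self.records.append(rec)
        return rec

    def verify(self):
        """Return the index of the first record that fails verification,
        or None if the whole chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return i
            if not hmac.compare_digest(self._mac(prev, rec["event"]), rec["mac"]):
                return i
            prev = rec["mac"]
        return None


def _scrub(value):
    # Walk nested dicts/lists and redact any PHI field wherever it appears.
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k in PHI_FIELDS else _scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value


def export_record(rec):
    """Copy of a stored record that is safe to ship to a non-BAA log service:
    PHI fields are redacted; the truncated MAC is an opaque correlation id."""
    return {"seq": rec["seq"], "id": rec["mac"][:16], "event": _scrub(rec["event"])}


def demo():
    # Constructed sample events, not real data.
    log = AuditLog(b"example-key-from-secrets-manager")
    r1 = log.append({"ts": "2014-09-01T10:00:00Z", "actor": "dr_smith",
                     "action": "read", "table": "encounters",
                     "mrn": "MRN-0001", "patient_name": "Jane Doe"})
    log.append({"ts": "2014-09-01T10:05:00Z", "actor": "nurse_lee",
                "action": "update", "table": "encounters",
                "mrn": "MRN-0001", "diff": {"diagnosis": "J45.20"}})
    intact = log.verify()                      # None
    exported = export_record(r1)
    # Tamper with the first record after the fact (e.g. an insider editing the DB).
    log.records[0]["event"]["action"] = "none"
    tampered_at = log.verify()                 # 0
    return intact, exported, tampered_at


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise. The chain detects edits, deletions and reordering inside the log but not truncation of its tail, so the latest MAC needs to be anchored somewhere the local host cannot rewrite; shipping the exported `id` to the external service does exactly that. And field-based redaction only covers structured fields: free-text fields (notes, error messages, stack traces) can carry PHI too and need either their own policy or exclusion from export altogether.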

~~~
niels_olson
> $3500/month.

> $0.10/Hour Additional App/Database Containers $0.40/GB/Month Additional
> Storage.

¡Ay, caramba!

Thanks for at least giving me a source to cite in grant applications!

~~~
markolschesky
Where I work at Catalyze, we offer a starting package beginning at $500/mo
that includes one database container and one server. Or, if your application
only required a secure backend, prices start as cheap as $100/month. We have a
calculator here to compare prices: [https://catalyze.io/platform-as-a-service/](https://catalyze.io/platform-as-a-service/)

We've been building applications with both startups and large healthcare
organizations like the VA. I'd love to talk with you more to see what your
needs are. Feel free to hit me with an email (mark@catalyze.io) with any
questions.

Good luck!

~~~
nicarus1984
Hmmm... 8GB max? That doesn't cut it for the amount of claims data I generally
deal with. Any rationale behind that limit?

~~~
markolschesky
That's the most that we have on the calculator, but we can help you with
whatever your need. Email me (mark@catalyze.io) and we can work with you to
meet your infrastructure needs.

------
th3o6a1d
Thanks for all of your comments so far. Synopsis is...it's complicated. There
are basically no straightforward guides and no reliable, tried-and-true open
source solutions that can be deployed with minimal security expertise, at
least with respect to the technical setup.

Options are to go with a service company like Aptible or TrueVault, or fumble
through vast amounts of obtuse technical and legal documentation, then hire a
security expert to audit your homemade system and hope that everything goes
OK. Both options, as they currently exist, require a fair amount of $$$.

~~~
PeterisP
Isn't "no solutions that can be deployed with minimal security expertise" just
about the whole point of this compliance?

If you have minimal security expertise, then you're supposed to be treated as
noncompliant. There are two valid options: _have_ the security expertise (and
be prepared to legally vouch for it that you have, and get insurance for cases
if it turns out that your expertise wasn't enough), or _get_ the security
expertise from someone else. Oh, and the third option is to stop handling any
sensitive data at all if you aren't equipped to handle it.

The reason why HIPAA (and similar compliance issues in other domains) exist is
to try to eliminate what you're proposing. Random companies with minimal
security expertise shouldn't be handling such data themselves, period.

~~~
rcoder
This, +1000: 'Isn't "no solutions that can be deployed with minimal security
expertise" just about the whole point of this compliance?'

If you aren't a trained, competent security analyst/engineer (or working with
one) then don't accept sensitive information. PHI, credit card numbers, even
contact lists: all of these are considered "sensitive" for a reason, and you
are being reckless in the extreme if you accept them from your customers
without the proper protections in place.

I have seen and even been responsible for (many years ago) the implementation
of some horrifyingly bad "security controls" by people who simply didn't
understand the field.

It's not just crypto, or disabling root logins via SSH, or preventing XSS on
your web forms; you need to plan for a multitude of possible attack vectors,
internal and external. Many of those aren't likely to be intuitive without
some real training and exposure to best practices.

------
jeffasinger
I'd just have someone else do it for me. There are many "enterprise" level
hosting companies that can help you with that.

I believe that Rackspace has a pretty good program around compliance.

------
HIPAATraining
Hi,

training-hipaa.net provides a Server Disaster Recovery Plan Template, which is
part of HIPAA compliance.

This Server Recovery Plan documents the strategies, personnel, procedures and
resources necessary to recover the server following any type of short or long
term disruption. You can find more information about this over here:
[http://www.training-hipaa.net/template_suite/Server_recovery...](http://www.training-hipaa.net/template_suite/Server_recovery_plan_template.htm)

------
ak217
If you are trying to set up a service for processing or storing PHI, you may
be interested in DNAnexus ([https://dnanexus.com/](https://dnanexus.com/)),
which focuses on compliant high throughput data analysis and storage for
genome information, but can be used to store other types of PHI data. (Full
disclosure, I work at DNAnexus). Email in profile if you want to go into
specifics.

~~~
markolschesky
Cool! I had not heard of dnanexus before. Looking forward to checking it out.

------
pagade
You may want to check out BladeLogic Server Automation:
[http://www.bmc.com/it-solutions/bladelogic-server-automation...](http://www.bmc.com/it-solutions/bladelogic-server-automation.html)

Datasheet:

[http://documents.bmc.com/products/documents/27/36/242736/242...](http://documents.bmc.com/products/documents/27/36/242736/242736.pdf)

------
byoung2
Here is some info about doing it on AWS

[http://aws.amazon.com/compliance/](http://aws.amazon.com/compliance/)

------
czczcz
We have been very pleased with the True Vault solution and the responsiveness
of the team when needed, worth looking into for your needs.

------
kevin_morrill
One missing point in this thread: there is no such thing as HIPAA compliant.
There is no government organization that will sanction your set up as
"compliant". The HIPAA legislation imposes fines if you leak data, but does
not prescribe how you prevent that.

That said, the thread does have some great safe guards and industry best
practices you should look at.

------
Gelob
(Disclosure: I work at FireHost, not in sales!)

We sell cloud but focused on security, compliance, and performance. Check us
out.

[http://www.firehost.com/secure-cloud/compliant/hipaa](http://www.firehost.com/secure-cloud/compliant/hipaa)

------
th3o6a1d
@voska "Starting at $3499/month with an annual contract" -- Seems like
security experience comes at a price... That said, it's worth taking every
precaution to protect patient data.

------
mp99e99
We have audited HIPAA compliant hosting, at a reasonable price:

[https://www.atlantic.net/hipaa-compliant-hosting/](https://www.atlantic.net/hipaa-compliant-hosting/)

~~~
dsl
I hope you point out to your customers that compliance is a lot more than just
a hosting account. Everything from specifications of the design of your office
network to policies for employees talking while on smoke breaks.

~~~
markolschesky
Agreed. Anyone that you choose for HIPAA-compliant hosting should be able to
outline their policies. Where I work at Catalyze, ours are here:

[https://catalyze.io/hipaa/](https://catalyze.io/hipaa/)
[https://catalyze.io/policy/](https://catalyze.io/policy/)

And we've gone through a HITRUST audit to validate these claims:

[https://catalyze.io/compliance/](https://catalyze.io/compliance/)

------
StephenGL
We used to use a hosting company, Layered Tech, that had a HIPAA-compliant
offering. If you need HIPAA compliance I suggest getting it as a managed
service.

------
snorkel
If one big customer is demanding you be HIPAA compliant then they probably
want to see a certification, and depending on size of customer they may be
willing to provide funding for that certification. It takes months but the
certifying service will provide consulting and training. Essentially it all
about tight access controls, encrypting data at rest, and documenting
everything and everyone who has access to the internals.

~~~
kutienoo
There is no such thing as a HIPAA certification.

~~~
rficcaglia
Correct, but hospitals and other buyers don't seem to know that and some _do_
insist on "certification"... You can try to convince them, but in my first-hand
experience the (uninformed, misinformed) customer is always right, so you do
have to provide something that claims to be a "certified" solution... typically
by providing an outside audit report.

------
gomathinayagam
Microsoft BizTalk Server has a strong HIPAA connector/accelerator; just have a
look over there.

------
philip1209
It's not an easy process.

Check out TrueVault - HIPAA-compliant data store that is a YC grad.

