Ask HN: HIPAA Hosting? - kgrin

My consulting company is working with a client to make some changes to their webapp (it's a health-care-related app - details aren't super-relevant).  One of the items on their wishlist is "make it HIPAA-compliant".  We're working with the client's lawyer to determine exactly what that means in practice, but it's clear that one of the items will be "host it on infrastructure other than the $10/mo. WebFaction plan".

The app itself is (relatively) simple systems-wise, so we don't really need a dedicated box and all the sysadmin and security headaches that come with it.  But from my basic read of the HIPAA Security Rule, shared hosting (which abstracts away a lot of the sysadmin issues) won't cut it.  We're primarily developers, not sysadmins, and certainly don't want to get into the server admin business on something with regulatory requirements.

Does anyone here have suggestions for either a host that can make this less painful (not even sure what that would entail), or a firm that specializes in the sysadmin side of things? (Preferably with HIPAA experience).
======
hmahncke
HIPAA is more about documenting your intended process, and your actual
actions, than it is about requiring any particular solutions provider. For
example, it's entirely possible to build a HIPAA compliant web app on AWS:

<http://aws.typepad.com/aws/2009/04/white-paper-creating-hipaacompliant-medical-data-applications-with-amazon-web-services.html>

My company is in the middle of this, and we haven't encountered any deal-
breakers so far.

~~~
Kadrith
A system built from scratch can meet HIPAA, and HITECH, without much more than
good security. The issue is often with companies that give security an
afterthought or have older software that needs to be "made secure."

The key to that link is encryption; it gets Amazon off the hook for a lot of
things.

------
keyist
Had to research this before. Firehost is one of the names that came up often:

<http://www.firehost.com/secure-hosting/hipaa>

Their plans start from $845 monthly.

No affiliation, just passing info along.

You can't just rely on the provider though. All the server hardening in the
world wouldn't help with apps that don't comply fully. Some of the audit
requirements are bound to be very specific to the nature of your app.

~~~
thaumaturgy
I was curious what $845/month got you, so just for fun I looked. From the
features part of that page:

1. Log Monitoring and Management: Not sure what they mean by this; surely
it's something more complex than logrotate. Maybe rsyslog or something?

2. Continuous Vulnerability Monitoring: So, they follow the usual script
sites & mailing lists.

3. Managed Anti-Virus Protection: I hope they aren't running on a Windows
platform, and if they aren't, I'm not aware of very many current in-the-wild
viruses for the various Linux distros.

4. 1 Gigabit Networking Infrastructure (Public and Private): Heh.

5. Two-Factor Authentication: I see this a bit, and it's usually mis-used.
Unless they require you to physically submit a fingerprint, DNA sample,
retinal image, or some other such thing, then it's not two-factor
authentication.

6. Application and Database Server Isolation: They're running the application
and the SQL instances on different servers, but if the application server gets
compromised, then so does the SQL server, since the application needs
automated credentials for the SQL server.

7. Managed SSL Service: Once a year they make sure your certificate is up-to-
date.

8. Business Associate Agreement Friendly: What?

9. Managed Redundant Firewall Protection: Not sure what they mean by this.
Either your firewall works, or it doesn't. Layering them doesn't do squat. If
they mean that they have a hot spare ready to go in case of an outage, then
that's a little better -- but still not that helpful if the app server or db
server falls over for any reason.

10. Managed Redundant Web Application Protection (Port 80/443): What?

11. Managed Redundant DoS/DDoS Mitigation: This is nice, at least, since it
requires a bit of infrastructure to do it right -- assuming that they can
stand up to a multi-terabit-per-second hit, since that's what the botnets are
packing these days.

12. Managed and Monitored Intrusion Detection: So, run-of-the-mill IDS +
Nagios + remote logging.

13. Managed Proactive Operating System Security Patches: This is a lie unless
they're personally writing and submitting patches. The most "proactive" you're
likely to get otherwise is running a nightly update.

14. Managed Weekly Full Backups + Daily Differentials (Encrypted): I want to
take just a moment here and toot our own horn: we do weekly fulls + daily
differentials for our _regular_ web hosting customers, for a heck of a lot
less than $845 a month. They aren't currently encrypted, but that wouldn't be
all that challenging to add on.

15. Highly Secure Data Center Environment: You can probably get the same
"highly secure data center environment" from Rackspace, Hurricane Electric, or
any of a number of other really big hosting providers.

16. VPN/SSL Provided for Server Management (RDP/SSH/FTP/SQL): Nice, but again,
really not that hard to set up, especially for a turn-key environment.

TL;DR: I'm really surprised both at what qualifies as "HIPAA compliant
hosting" as well as at the price charged for it. I wonder if the bulk of the
cost goes towards paperwork or some other kind of administrative overhead? I
certainly don't see the price reflected in their technical offering.

~~~
firepowered
A few responses to this post:

1. Log Management is required for PCI and HIPAA compliance. We use a product
called LogLogic and review all required logs on a daily basis and remediate
anything that comes up. LogLogic is the solution we put into place:
<http://www.loglogic.com>

2. External vulnerability scans on the application and network layer.

3. Managed A/V protection. We have customers on Windows and Linux. Also
detects malware and trust me - enough Linux threats out there as well.

4. GB network connectivity is absolutely correct.

5. Two-factor authentication is something you know (username and password)
and something you have (dongle, ID, etc). Our two-factor is powered by
PhoneFactor and is a great way to serve this need.

6. We use other methods to ensure this doesn't happen. (Encryption and
Database Monitoring with strict rules).

7. Correct.

8. It's an absolute requirement for an organization going after HIPAA
compliance to have a business associate agreement (google it for more info)
and we're BAA friendly where most hosting providers are not.

9. It's redundant meaning if there's a physical firewall fail there's no loss
in connectivity.

10. This protects your web application from the biggest threats on the net.
Learn more here: <http://www.owasp.org/index.php/Web_Application_Firewall>

11. We block DDoS attacks every day. Not all of them are high bandwidth.
Google Slowloris DoS and learn more as an example.

12. Couldn't be more wrong. =)

13. Read #12

14. Congrats for being responsible.

15. Our datacenter meets strict requirements for redundancy and security as
would other top facilities.

16. It's a nice security feature and integrates with our two-factor
authentication. If your network is open to SSH (or other management ports)
there's a lot to discuss.

Regarding the price, shop other managed hosting providers and you will find
none that is transparent about what they offer and displays pricing. Go ahead
and secret shop them and you will see how low we've priced FireHost's
solution.

Also, we have our SAS70. However, that's going away for the SSAE 16 standard
FYI.

Hope that helps and best of luck!

~~~
thaumaturgy
Thanks for responding! Regardless of any debate over the merits of the
specific things you guys do, it's clear that you have put a lot of work into
your service, and you are at least describing some of what you do, instead of
saying, "magic (now with hand waving)".

If you don't mind my asking -- if it doesn't give away any sensitive or
proprietary information -- where would you say the majority of the $845/mo is
going? Are there tremendous administrative costs, other business expenses
(insurance?), or does that actually represent your infrastructure cost?

~~~
Kadrith
I work in IT at a health network; specifically doing compliance, audit and IT
security. We have to keep logs for decades from every system used to
"transmit, store or process ePHI." A LOT of time is spent chasing shadows when
a patient thinks someone might have looked at their record.

Sure there are people who abuse the system but more time is spent on the false
positives. Usually there is an innocent reason someone knows why the concerned
patient was in the hospital; like they were shopping for baby clothes and put
on a lot of weight recently.

With changes in HITECH the requirements for reporting are going to get
broader, increasing the cost. Some of this can be planned for but much of it
is just man hours to gather, report and store information.

The longest case I have been involved with is just over 2 years of litigation
against a physician. The physician was found innocent but all of the emails,
medical records, voice mails, etc that might pertain to that specific
situation have to be preserved. Access logging is the largest use of disk
space in our organization; around several GB per day.

For a hosting organization there is less to save, but there is also additional
work in isolating systems. We have a significant investment in datacenter
operations and lease the EMR out to specialty practices in our area. Most of
the effort with external organizations is talking to their auditor of choice
to prove that our systems are secure and isolated, running reports to show who
has access to their data or what people did and the extra process to verify
each change that affects their information or part of the system. Some of the
extra steps are to address Accounting for Disclosures.

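Two passages above come down to the same control: firepowered's "database monitoring with strict rules" as the answer to an application server that holds automated database credentials, and Kadrith's account of keeping ePHI access logs, answering "who looked at this patient's record", and running reports for Accounting for Disclosures. The following is an added example written for this thread, not code from any poster or their employer. Over constructed access-log lines it builds the per-patient disclosure report and applies two strict rules: access to a patient outside the user's recorded care relationship, and a user reading more distinct patients within a short window than their role should need. The log format, user names, patient identifiers and assignment table are all invented for the example.

```python
# Added example (not from the thread): ePHI access-log audit over constructed data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in an invented key=value format (not real data).
SAMPLE_LOG = """\
2011-03-02T09:14:05Z user=nurse_a role=nurse action=view patient=P1001
2011-03-02T09:15:40Z user=nurse_a role=nurse action=update patient=P1001
2011-03-02T09:20:11Z user=dr_b role=physician action=view patient=P1002
2011-03-02T09:21:02Z user=clerk_c role=billing action=view patient=P1001
2011-03-02T09:22:30Z user=clerk_c role=billing action=view patient=P1003
2011-03-02T09:23:10Z user=clerk_c role=billing action=view patient=P1004
2011-03-02T09:23:55Z user=clerk_c role=billing action=view patient=P1005
this line is malformed and must not abort the audit
2011-03-02T10:05:00Z user=nurse_a role=nurse action=view patient=P1007
"""

# Constructed care relationships: the patients each user is assigned to.
ASSIGNMENTS = {
    "nurse_a": {"P1001"},
    "dr_b": {"P1002"},
    "clerk_c": {"P1001", "P1003", "P1004", "P1005"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def accounting_of_disclosures(events: list, patient: str) -> list:
    """Every access to one patient's record: the report a patient can request."""
    return [(e["ts"].isoformat(), e["user"], e["action"])
            for e in events if e["patient"] == patient]


def out_of_relationship(events: list, assignments: dict) -> list:
    """Rule 1: access to a patient the user has no recorded care relationship with."""
    return [(e["user"], e["patient"]) for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def bulk_access(events: list, max_patients: int, window: timedelta) -> list:
    """Rule 2: a user touching more than max_patients distinct patients inside
    any window of the given length (the pattern of a scripted or bulk read)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["patient"])
            if len(seen) > max_patients:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("disclosures for P1001:", accounting_of_disclosures(evs, "P1001"))
    print("out of relationship:", out_of_relationship(evs, ASSIGNMENTS))
    print("bulk readers:", bulk_access(evs, 3, timedelta(minutes=5)))
```

The thresholds are role-dependent in practice (a billing clerk legitimately opens more charts per hour than a nurse), and the assignment table is only as good as the scheduling system that feeds it; both rules produce the false positives Kadrith describes, so the output is a queue for a human reviewer, not an automatic verdict.
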
------
zfierstadt
I work for a managed infrastructure firm that specializes in scaling out
secure platforms for customers that require HIPAA compliance - might want to
check it out.

<http://www.lightcrest.com/security/hipaa>

Ex Myspace/Microsoft folks - lots of in house experience building high-volume
sites that get pounded with malicious traffic.

Cheers

------
kls
The first company that gets to a certified HIPAA and PCI hosting cloud is
going to have to figure out what to do with the buckets of cash they have
lying around. I think for the enterprise PCI certification will be the event
that gets the big (non-tech) guys out of running their own infrastructure. I
would imagine that it would be the same for medical. As for your immediate
question, I am sorry I can't help; I don't know who, if anyone, is doing this.
I am still looking for a PCI certified cloud, as a portion of my customers are
public companies, and not having to work on all their different
infrastructures and being able to provide them a hosted solution would be
great for me, but there is no way I could get into managing a PCI certified
hardware infrastructure just to achieve that goal.

~~~
16s
As a point of clarification... HIPAA is a federal law. PCI is an industry
standard (VISA, Mastercard, etc). That does not mean one is better than the
other, I just wanted to clarify.

~~~
kls
Yes, I am aware of the difference but thanks for the clarification. My point
was more to the fact that a specialized cloud provider could really fill a
needed void here on both counts.

------
justlearning
Depending on your fit/needs, it may be worthwhile to check out if the end
client would like to maintain this box. That way, you are on their network.
The disadvantage is of course the administration.

We did this on a pilot project with one of our clients with HIPAA
requirements. We asked for a box with the minimum requirements with
admin/firewall setup and used this server as our end point for our app. Hope
this helps.

------
16s
One other issue to consider is that just because your hosting provider's
infrastructure is HIPAA compliant doesn't mean your application is. There are
still a ton of privacy issues within the application, plain text HTTP, user
authentication, etc.

~~~
kgrin
Yep - we're aware of all that, and we can handle the various app-level
changes... we just don't want to be in the "ongoing server maintenance"
business.

------
notmyname
No shared hosting seems to imply that VPS won't cut it either--depends on what
"shared hosting" really means. So you are left with looking for a dedicated
hosting plan. I'd say check out a company like Rackspace (disclosure: I work
there).

~~~
kgrin
Happy to use Rackspace or another dedicated server provider... the trick is
that we _don't_ want to be responsible for, say, security patches to the
kernel.

So really the question is: is there a company that'll manage the damn
server(s) for us so that we get to deal with a nice, clean abstraction similar
to shared hosting?

Basically I want a HIPAA-compliant Heroku (though in this case not for Ruby).

~~~
patrickgzill
There are plenty of companies that will do this for you, probably from about
$250 per month; what I would recommend is a reasonably powerful dedicated
machine on which you install your own VPS solution.

Give one large VPS to your production app, and create other VPSes for testing
or development purposes.

The reason you want to use a VPS on top of your own dedicated hardware is to
gain the benefits of VPS control, including easy archiving of the entire
system, snapshots, easy moves to new hardware even if the hardware is
different, etc.