OnRamp Review – HIPAA Compliant Hosting
This is a paid review performed by an independent writer, according to our guidelines.
See the full disclosure at the bottom of this article.
OnRamp Company Bio
Founded in 1994, OnRamp saw humble beginnings as an ISP retailer in an Austin mall kiosk. Originally providing local businesses with dial-up, ISDN, and T1 connections, OnRamp quickly expanded their service offerings to colocation hosting and web development.
Within a few years, OnRamp had become a one-stop-shop for local businesses looking to bring their operations to the Web.
By 1998, OnRamp began work on its first purpose-built state of the art data center in Austin, Texas. This project marked the budding company’s transition into a hosting-focused model, which it has maintained to this day.
In 2003, OnRamp relocated its operations to a newly acquired data center in Austin. Beyond the additional square-footage, the new data center boasted an upgraded 2N power distribution design—a cutting-edge redundancy measure that safeguarded their servers from power failures.
In 2007, OnRamp launched one of the first commercial private clouds in America.
In 2013, OnRamp opened its first data center in Raleigh, North Carolina. And in the following year, they opened a second enterprise-class data center in Austin, Texas.
OnRamp’s Foray into HIPAA Compliance
More than 29.3 million patient records have been compromised in security breaches since 2009. Recognizing that these breaches were part of a growing trend, the United States government expanded the HIPAA rules covering electronic protected health information (ePHI) through the HITECH Act of 2009, with the corresponding HIPAA modifications finalized in the 2013 Omnibus Rule. The expanded rules placed greater responsibility on covered entities and their business associates to keep data secure, made business associates directly liable for their own obligations, and significantly increased penalties (up to $1.5 million per calendar year for violations of the same provision) for non-compliance.
Despite the new laws and several high-profile class-action lawsuits, HIPAA data breaches increased 138% since 2012.
The number one culprit according to experts: covered entities are failing to conduct regular risk analyses and update their policies.
Building upon their expertise in secure IT infrastructure for a variety of highly regulated industries (credit card processing, financial, international commerce, etc.), OnRamp began offering HIPAA compliant hosting services in 2012. Combining cutting-edge security measures, a highly trained team of IT professionals and compliance experts, and a proprietary Risk Management Tool, OnRamp launched one of the most powerful and comprehensive HIPAA compliant hosting services available.
OnRamp Service Overview
While HIPAA hosting is a key aspect of OnRamp’s business model, the company provides hosting for a variety of regulatory frameworks (PCI, GLBA, FISMA, FERPA, SOX, and more). Because each industry is unique and no two clients are identical, OnRamp’s service list is all-encompassing.
- Managed Hosting: dedicated servers, private clouds
- Cloud delivered services: managed storage, backups, and devices
- Colocation: compliant and enterprise colocation
- Managed security services: network firewalls, VPNs, encrypted storage, encrypted backups, malware protection, file integrity monitoring, web application firewalls, two-factor authentication, vulnerability scanning, log management, and intrusion detection
Each client’s IT architecture is a unique combination of the above services, tailor-made for their specific needs. This is true “hybrid” hosting.
Unlike PCI DSS hosting, where compliance is validated by an assessor accredited by the PCI Security Standards Council, virtually any hosting provider with decent security can claim to be HIPAA compliant. There is no recognized certification for HIPAA compliant hosting: HHS certifies neither providers nor products, and the legal obligation to ensure that ePHI is stored and transmitted securely rests on the covered entities and business associates themselves.
In other words, no matter how fancy a host’s security systems are, your organization remains responsible for its own compliance. A business associate agreement (BAA) makes the host liable for its own obligations under the rules, but it does not transfer yours, so any HIPAA compliant hosting arrangement should start with a signed BAA and a clear, written division of responsibilities.
As such, a good HIPAA hosting provider should provide more than just security. It should assist clients in building compliant IT infrastructures. It should educate clients on industry best practices. And it should provide the necessary compliance support when needed.
OnRamp does all of this, and a whole lot more.
This is OnRamp’s first major distinction in the HIPAA hosting sphere. Whereas most hosting companies support only a portion of your IT environment (typically the data center, network, device, and virtualization layers), OnRamp provides 24/7/365 support for all seven layers of your IT environment:
- Data center
- Network
- Device
- Virtualization
- Operating system
- Application framework
- Intelligence & monitoring
By subscribing to OnRamp services, you are also hiring a team of highly trained IT and HIPAA professionals to assist you in every facet of compliant network management and maintenance.
Risk Management Tool
Unique to OnRamp, the Risk Management Tool is an excellent addition to all of their HIPAA hosting packages. Accessible through an in-browser portal, this proprietary process can be broken down into three steps:
- Information Collection
The most straightforward step—here OnRamp collects information about IT infrastructure requirements by guiding users through a simple questionnaire.
- Risk Assessment
After the necessary information has been collected, OnRamp identifies potential risks and vulnerabilities in your IT infrastructure in relation to HIPAA and HITECH stipulations.
- Risk Management
The final step provides users with actionable documentation for addressing all discovered vulnerabilities, outlining the necessary steps for ensuring compliance in their IT infrastructure.
Upon completion of the process, OnRamp’s Risk Management Tool generates several important documents for its users.
- A summary report outlining all of the information collected throughout the process
- A system diagram that visualizes your unique IT environment
- A new BAA based on any service/environment changes
This tool takes much of the guesswork out of compliance, giving you a bird’s eye view of your entire IT environment and its vulnerabilities. One caveat: the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires the covered entity or business associate itself to conduct and document a risk analysis, so the tool’s output supports that obligation rather than discharging it, and the generated documents should be reviewed and kept as part of your own compliance records.
To get a sense for OnRamp’s level of customer service, I went through their entire consultation process pretending to be a prospective client.
Less than 10 minutes after I had filled in a short form on their website, a friendly OnRamp receptionist called me. After inquiring about a few specifics (what kind of company am I representing, how quickly do I need the services set up, etc.), she put me in touch with the specialist she deemed best suited to address my hosting needs.
Following a short hold, another friendly voice greeted me by my fake name. We exchanged pleasantries and quickly dove into the deep end.
Despite having written down a dozen questions to ask the sales team, I found myself doing most of the answering.
The OnRamp representative wanted to know more about my company.
What kind of work were we doing? What sort of applications would we be running? How many users will need access? Do we have our own disaster recovery plan?
I answered as best I could, but grew exceedingly vague in my responses (I hadn’t thought that far ahead). When I couldn’t answer, he elaborated and made excellent suggestions.
“Do you have any questions or concerns?” he asked me after collecting a sufficient amount of data.
In the process of building my profile, the OnRamp representative had inadvertently answered every single question I had written down (and many more that I hadn’t). Disarmed, I fired off whatever softball questions came to mind. He answered them all with ease.
When I could think of nothing else, we thanked each other and said our goodbyes.
Within a few minutes, I received an email from OnRamp detailing my suggested hosting plan. Everything from detailed hardware specs, software choices, and security solutions was outlined in the document.
I also received a 14-page PowerPoint-styled overview of OnRamp’s services and a 12-page whitepaper explaining HIPAA compliance in some detail.
The entire experience was pleasant, professional, and enormously educational.
While dozens of hosting companies have jumped on the HIPAA bandwagon in the last decade, few can demonstrate the level of expertise found at OnRamp.
Before you even begin your free consultation, OnRamp provides you with a wealth of HIPAA resources—blogs, news articles, infographics, and videos—to educate you on all matters compliance.
OnRamp regularly posts case studies and free whitepapers about attaining HIPAA compliance.
They offer helpful articles about becoming compliant; such as checklists for choosing the right HIPAA cloud hosting, tips on incorporating personal devices in the workplace, and compliance tips for developers.
They also sponsor health-industry conferences to educate attendees about HIPAA compliance.
In short: OnRamp is an excellent compliance resource and one of the most knowledgeable providers in the compliant hosting space.
OnRamp Technical Overview
OnRamp owns and operates three separate enterprise-class datacenters: two in Austin, Texas and one in Raleigh, North Carolina.
OnRamp’s data centers use a 2N power architecture to maximize uptime. Two complete and independent power paths, each able to carry the full load on its own, feed the facility, so the failure of any single UPS, switchgear, or distribution component does not interrupt service. If utility power is lost entirely, redundant generators with enough fuel on site for up to 48 hours take over, with the option to keep refueling indefinitely.
Network outages are equally unlikely in OnRamp’s facilities, given their utilization of mesh networking, dedicated links between facilities, and redundant fiber delivery from multiple Tier 1 backbone providers.
This combination of power and network redundancy underpins the 100% uptime, 24/7/365, that OnRamp cites for its facilities.
OnRamp’s facilities also carry strong physical and procedural security controls:
- SSAE 16 SOC 2 audited (a SOC 2 report is an independent auditor’s attestation over a defined set of controls, not a certification; ask for the current report and check its scope and reporting period)
- Bulletproof mantrap entrances
- Biometric scanners
- 24/7/365 surveillance
- Two-factor authentication at vital entry points
- Individually locking and audit-traceable racks
- Around-the-clock onsite NOC personnel
- A variety of other physical and logical security systems
This level of physical security goes beyond what HIPAA requires of compliant organizations, and few environments will offer your data a safer home.
It is also important to reiterate, unlike many smaller HIPAA compliant hosts, OnRamp runs their own data centers. They are not renting out racks from another company. There is no middleman. This gives you several key advantages:
- All the support staff (from your data center layer to your monitoring layer) are on the same page
- Support escalation and issue resolution are as quick as can be
- Everyone with access to your servers is trained in HIPAA compliance
- Government auditors can be granted full access to the facilities
As expected, OnRamp facilities boast some of the best technologies in the IT space. They offer HP and Dell enterprise-class servers, SolidFire SSD storage, and Cisco networking gear. While the specs are entirely dependent on your firm’s requirements, the potential configurations are virtually limitless.
As is standard among enterprise-class virtualization providers, OnRamp servers run VMware vSphere.
OnRamp supports a wide variety of Linux, Unix, and Windows server OSes.
OnRamp HIPAA Compliant Hosting Services
The standard approach to hosting has become one of standardization: tiered pricing structures, packaged services, and all-encompassing solutions. Sure, every hosting provider offers some level of customization, but in most cases it must be explicitly requested (and usually comes with caveats).
OnRamp strays from the pack in this regard—they recognize that one size does not fit all.
From the moment of your first consultation, OnRamp begins engineering a unique hosting solution for you. Nothing is assumed. From hosting type (dedicated, private cloud, colocation), hardware (CPU, RAM, storage, bandwidth etc.), software (operating systems, applications, etc.), and security (firewalls, disaster recovery, monitoring etc.), every facet of the solution is custom-designed with your specific requirements in mind.
What kind of applications will you be running on the servers? How many people will be accessing the data at once? Does your organization keep its own backups?
No stone is left unturned.
For serious health organizations that have done the proper due diligence (security assessments, internal audits, etc.), this level of granularity is a must. Not every HIPAA stipulation applies to all organizations equally. The Security Rule’s required implementation specifications must always be met, but its addressable specifications may be implemented as written, satisfied by a documented equivalent alternative, or, if your organization can show through its risk analysis and documentation that a specification is not reasonable and appropriate, documented as not applied. In other cases, your organization may be required to take additional steps to secure its ePHI.
With OnRamp, you don’t have to be an IT expert to find the best solution for your organization. Their excellent support will guide you through every step of the process, providing recommendations and elaborating on points of confusion.
By the end of the sales process, not only will you have a tailor-made hosting solution, you will also have a much better understanding of compliant IT infrastructures.
This is where OnRamp’s true value comes to light.
While it is hard to generalize on price due to the uniqueness of every solution, OnRamp services don’t come cheap.
You won’t find $99/month HIPAA hosting here.
In my consultation with OnRamp, I was quoted a monthly price of $1,464 for the following setup:
- Managed Dedicated Servers with Private Cloud
- Quad core CPU
- 16 GB RAM
- VMware vSphere virtualization
- High availability Cisco ASA context firewall
- 500 GB SSD with built-in at-rest encryption
- 10 Mbps bandwidth (burstable to 1000 Mbps)
- Managed security services (with audits, log monitoring, etc.)
- Full7Layer Support
- HIPAA Risk Management Tool
- All other best-practices compliance measures
This falls comfortably in the mid-range for the quoted specifications.
OnRamp is nowhere near the cheapest option, but the value is nevertheless phenomenal. The granularity of OnRamp’s services ensures that you won’t be paying for things you don’t need, which can easily shave a few hundred dollars off your bill.
While startups and smaller health organizations might overlook OnRamp on price point alone—this would be a grave mistake.
The cost of managing and maintaining a truly compliant IT environment can quickly overshadow OnRamp’s reasonable managed hosting rates. The costs of non-compliance are worse yet.
If you are a covered entity or business associate in need of compliant hosting, OnRamp’s fees are a small price to pay for peace of mind (and all the support you could possibly need). OnRamp offers one of the most complete HIPAA compliant hosting services available, and it does so at a very reasonable price.
Blog posts by OnRamp:
“Warning: HIPAA Audits Set to Increase in 2017”, blog post by Chad Kissinger, founder of OnRamp
Full disclosure: This is a paid review performed by an independent writer, according to our guidelines. Minor edits were made to this review to clarify certain findings and to correct terminology used before it was published.