How to Securely Host ePHI on a Public-Facing Website
The rules and regulations of HIPAA Compliance must be adhered to when securely hosting ePHI on a public-facing website. Of course, hosting ePHI on the Internet is perfectly acceptable. Still, it’s essential that the hosting platform and the web application adhere to the strict rules surrounding the physical, technical, and administrative safeguards of HIPAA.
Atlantic.Net has been providing HIPAA compliant hosting services for decades, and several of their clients offer web services for patients to access results, request medication, and review their treatment plans. Their HIPAA hosting service removes most of the complex compliance challenges that leave clients with the time needed to develop their applications to meet and exceed HIPAA legislative requirements.
This article will discuss the hardware and software requirements of hosting ePHI in the cloud on a public-facing website. In addition, you will have a high-level overview of some of the requirements of application design. We will also offer insight into how Atlantic.Net engineers secure their HIPAA compliant hosting service.
How to Secure a Web Server Application to HIPAA Compliant Standards
Healthcare organizations use web servers for all sorts of reasons, usually for forms, booking appointments, or perhaps just information about the practice. The covered entity can choose whatever web application they want. Many opt for WordPress or Drupal web servers, while others decide on Apache, Nginx, or IIS.
Here are some essential considerations when designing your HIPAA compliant application:
- Access Controls: Preventing unauthorized access to your application is a fundamental design requirement. The application needs access controls to prevent unauthorized visibility to ePHI, including administrators, staff, and the general public.
- Audit Controls: Detailed logging is a technical requirement of HIPAA. This includes auditing user access and changes made to ePHI data. Logging on the application stack starts at the firewall and WAF, going to the application and backend databases. This will create mountains of logs, so having a SIEM application to process the records into usable data is wise.
- Data Integrity: Application controls are required that prevent PHI from being altered by unauthorized users and ensures the backup, restoration, and deletion of PHI are possible.
- Secure Data Transmission: The application should have security controls to protect ePHI uploads and downloads, such as TLS certificates, encryption, and auditing.
- Encrypt The Webserver Data: All data must be encrypted to industry standards.
How to Secure the Infrastructure That Hosts a Public-Facing Website
Securing the application is only half of the task to complete. First, it’s essential that the hosting infrastructure is HIPAA Compliant. Outsourcing to a HIPAA compliant hosting provider like Atlantic.Net immediately creates a compliant environment for your app.
Here’s a breakdown of how that’s done:
1. Everything Starts With a BAA
It’s vital to get the paperwork resolved ASAP, and a business associate agreement (BAA) is a necessary step for compliance. First, the BAA defines how the Business Associate interacts with protected health information, including how the data is used and if any disclosure occurs. Next, it sets clear limits on what the third party must not do with the data. Finally, it clarifies the security technologies and protocols used to guard against any unauthorized disclosure of ePHI.
2. Protect the Network Perimeter
The first line of defense is the network perimeter and edge protection services. DDoS protection and CDN are needed to ensure the availability of ePHI. A managed Web Application Firewall provides network security. This managed service automatically blocks the latest vulnerabilities and exploits.
3. Managed Networking
Managed networking must provide around-the-clock protection and expertly defined redundancy, load balancing, and security for all internal network traffic. This includes stateful filtering that automatically blocks fake URL requests. VPN traffic must route through the managed network using IPsec or OpenVPN for the ultimate flexibility and privacy standards. Every piece of the network should be monitored and reported on.
4. SSL/TLS Certificates
Secure certificates are mandatory for public-facing applications. TLS is used to protect sensitive information in transit. The certificate is used to validate the authenticity of the connection to your website. Not only does this help to protect you from a data breach, but is also essential for building customer trust, broadcasting to clients that your business takes security seriously and you are taking steps to protect them from identity theft.
5. Intrusion Prevention System
An IPS monitors network traffic for any activity that strays from ‘normal’ conduct or traffic that violates security policy. All violations are reported to an administrator via reports or collected centrally using a SIEM platform. If the IPS identifies an intrusion, it signals an alarm to a 24/7 technical team.
6. Managed Security
Cybersecurity is a serious concern in today’s digital world, and a security-defined infrastructure is the baseline of a secure service. Managed security software such as antivirus, antimalware, and endpoint protection will harden all external devices on the network to increase your business’s security posture and identify any concerns.
Multi-Factor Authentication is essential when hosting ePHI on an Internet-facing website. It’s a highly effective way to ensure only authorized access to IT systems and defend well against a data breach. In addition, MFA is one of the best ways to protect against remote attacks such as phishing, social engineering, weak or stolen credentials, and other attempts to take over or hijack your accounts.
8. HIPAA Compliant Certification
Gaining HIPAA Compliance is a lengthy process, which is why outsourcing is so popular. First, choose a hosting provider that offers compliance as standard, audited, and certified to the required standards of the HIPAA Security Rule by an independent third party. Next, choose a service architected for enhanced privacy and ultra-secure access controls; the result is all the benefits of the cloud in a consumable, compliant service.
Choosing a HIPAA Compliant Managed Provider
We have just scratched the surface of some of the complex requirements of HIPAA compliance when securely hosting ePHI on a public-facing website. Of course, it is possible to go it alone and create an environment, but why embark on that difficult journey when you can opt for the award-winning Atlantic.Net HIPAA compliant hosting service?
With Atlantic.Net, you get 25 years of service excellence and experience in providing HIPAA Compliant hosting to the leading healthcare providers in the United States.
Richard Bailey is the Lead IT Consultant at Atlantic.Net, a growing and profitable cloud hosting company specializing in HIPAA compliance.