7 Factors for Selecting a HIPAA Compliant Hosting Service


HIPAA Compliant Hosting

   1. Information Security Policy
   2. Business Associate Agreement (BAA)
   3. Encrypted Data
   4. Password Management
   5. Two-Factor Authentication
   6. Compliant Data Center
   7. Web Application Firewall

INTRODUCTION:
Cyber crime is on the rise as the internet permeates our everyday lives, and HIPAA Compliant Hosting is no exception. Cyber criminals are constantly searching for ways to access valuable information. When sensitive information such as personal credit card and medical data is stored on behalf of customers and the hosting is outsourced to a third party, there are seven factors that should be considered when selecting a HIPAA Compliant Hosting provider:

ONE:
The HIPAA Compliant Hosting company needs to have an Information Security Policy. This policy guides the company, down to the smallest detail, on proper security procedures. It will give information on the fire suppression system, how information is backed up, and who is allowed to access the information that will be on their servers. Ask for a copy. You don’t have to read the entire document, but scan it to make sure it looks reasonable.

TWO:
Does the HIPAA Compliant Hosting company have a Business Associate Agreement, or BAA? A BAA is a contract between the hosting company and the covered entity (the organization that handles the medical data), and it clarifies each party’s responsibilities. It is what legally binds the company to its customer in case of a security problem.

THREE:
Ask the HIPAA Compliant Hosting company what is being encrypted. There are three potential areas that should be encrypted:
a) The transfer of the data over the internet, via HTTPS (data in transit)
b) The physical hard drive itself (data at rest)
c) The individual database fields that hold sensitive values

FOUR:
Password Management: HIPAA requires that the HIPAA Compliant Hosting company have a secure way of storing and managing passwords. The most common method of complying is to store the passwords in a remote password management application. These programs store the company’s passwords in encrypted form. In addition, a password management application will produce compliance reports showing which passwords are out of compliance and need to be updated.

FIVE:
The HIPAA Compliant Hosting company should also use a secure login method known as Two-Factor Authentication (TFA). TFA uses the “something you have + something you know” concept. Besides the normal password, the two-factor system produces a random string of digits that must be entered like a second password.
          
SIX:
Where the HIPAA Compliant Hosting company houses its servers is something else to take into consideration. Do they keep them in their own office, or at a data center? Typically, most companies will store their servers in a data center. Before choosing a company to host with, one should find out what type of security these centers employ. Does the center have 24/7 staff, cameras, armed guards, backup generators and mantraps?

SEVEN:
The last thing a company has to consider before committing to a HIPAA Compliant Hosting company is its intrusion detection capability. A hardware firewall is one fundamental piece; however, it is not enough on its own. An additional Web Application Firewall (WAF) should be provided by the HIPAA Compliant Hosting company to ensure that malformed requests and other potential attacks on a web page located on the same network as the sensitive data are properly scrutinized. Other services to look for include intrusion detection systems, rootkit detection, log analysis, integrity checking, and Microsoft Windows registry monitoring.

Gil Vidals is the CEO of VM Racks. He spent 12 years in the web hosting industry. VM Racks is a VMware hosting service provider and offers HIPAA Compliant Hosting at affordable prices.
