from Hacker News

Ask HN: How do I set up a HIPAA-compliant server?

by th3o6a1d on 9/21/14, 3:56 PM with 52 comments

  • by USNetizen on 9/21/14, 4:25 PM

    It's not just the server - it's the storage, accessibility (compartmentalization), and transmission of sensitive data (PHI and PII) at all levels. There is a lot more to HIPAA/HITECH than just server configuration - there are legal agreements you have to enter into as well (BAA's), insurance requirements, and potentially a lot more.

    I'd suggest you work with a company that has a lot of experience in this area before you inadvertently find yourself fined (or sued) into bankruptcy.

  • by wyc on 9/21/14, 5:35 PM

    There are a few options if you want HIPAA compliance. Note that "HIPAA compliance" is somewhat of a loaded term in that there aren't many super-technical benchmarks to meet, but a general "do-good" attitude including (but not limited to) some of the following points:

    - Physical server isolation: you cannot have other instances sniffing around in your deallocated garbage memory.

    - Encrypted data stores: physical theft of the server should not provide access to your data.

    - Server providers who can sign a Business Associate Agreement: many hospitals and firms with medical data require this in their stipulations.

    - Audit trails for database modifications, access, etc. Basically, log everything, and this has to be encrypted too if it contains protected health information (PHI).

    - All PHI over HTTPS if you have a webapp. NO PHI OVER EMAIL OR HTTP.

    - "Soft" guidelines such as password complexity measures, auto session expiration, disallowed multi-sessions.

    Again, this is not an exhaustive list. You really need to check with a lawyer who knows this stuff. The fines are enormous (read: business-ending) if you break the rules.

    How do you work to implement these? Well, find a host who is willing to sign a BAA. Here are the two major contenders I'm aware of:

    - Use Amazon AWS; they're willing to sign a BAA with you and provide you the physical server isolation you need. However, this doesn't come cheap. Expect >$2,000/mo in costs to keep this configuration. Also, you'd better be a network pro or willing to learn how to manage VPCs correctly to provide proper network-level isolation for the databases.

    - Use aptible.com (they happen to be a YC company, and I don't know of anyone else doing this). Frank & Chas (the founders) are very responsive and aim to provide a comprehensive package, including backups, audit trails, and even employee training. The Docker-based and heroku-like interface is very appealing:

    https://support.aptible.com/hc/en-us/articles/202638630-Depl...

    This option is still expensive. They host on AWS as well, so you're paying for the server costs + premium. However, this will still be a lot cheaper than hiring a competent sysadmin to make sure the execution is flawless.

  • by sebst on 9/21/14, 4:17 PM

    It's a big task on its own and it seems a bit in-transparent to me.

    However, you may want to have a look at TrueVault[0] which has been featured on HN[1].

    [0]: https://www.truevault.com/

    [1]: https://news.ycombinator.com/item?id=7033188

  • by michaelmachine on 9/21/14, 8:39 PM

    As some people have mentioned here, there are other issues to think of besides the IT aspect. There is employee training, risk assessment, policy development, and the business account agreements. Accountable is a company that focuses on these type of issues to make them easier by providing things like employee training, ready to use policies and procedures, and business association agreements. I found them while learning about HIPPA compliance, and I have not actually tried the product but it looks like it could be useful for you, so I thought I would mention it here. http://accountablehq.com/index.html

  • by th3o6a1d on 9/22/14, 6:55 PM

    Surprised no one has posted this. From the folks at TrueVault. https://github.com/truevault/hipaa-compliance-developers-gui...

  • by th3o6a1d on 9/21/14, 4:45 PM

    @USNetizen -- You're right...I should have clarified that I want to know how to get an entire stack up and running, although I don't trust myself to do this unassisted.

    I'm just surprised at how few resources there are that explain what it takes, and I hope that someday soon, healthcare startup CTO's will be referred to clearly documented open source solutions that are fairly fool-proof, rather than paid-for services (@sebst). Amazon's compliance page is unfortunately uninformative (@byoung2).

  • by voska on 9/21/14, 5:29 PM

    If you want a HIPAA-compliant server setup for you: https://www.aptible.com/ (S14)

  • by chasb on 9/21/14, 6:10 PM

    (Disclosure: I'm a co-founder of Aptible.)

    As noted in other comments, most of HIPAA is not technical. Most of the requirements relate to risk assessment, policies, training, incident response, etc.

    With that in mind, I'm going to quickly run down all of the major moving parts and then cover some of the technical considerations for setting up a server.

    HIPAA has three main rules you need to comply with:

    1. The Privacy Rule - Governs the use and disclosure of PHI (protected health information). Applies to all forms of PHI (verbal, written, electronic, etc.).

    2. The Security Rule - Governs safeguards for electronic PHI

    3. The Breach Notification Rule - Governs your responsibilities during a security or privacy incident

    The Security Rule has a general security standard, some documentation/retention rules, and three sections of safeguards. They are:

    1. Administrative Safeguards

    2. Physical Safeguards

    3. Technical Safeguards

    Some of the safeguards are mandatory. Some are "addressable," meaning if you don't implement them you must document why you chose not to and what other safeguards you applied instead.

    Most likely, you're going to start with something like the following for your servers:

    1. Sign a BAA with any service provider who is going to touch PHI for you.

    2. Restrict physical and logical server access to authorized individuals. Document how you restrict access and why the methods chosen are reasonable and appropriate given the risk posture of your organization. (There's a LOT packed into this step.)

    3. Log all access and data modification events. If you use a logging service that isn't HIPAA-compliant, make sure you're not including PHI data you send them.

    4. Encrypt data at rest and in transit, including inside the network perimeter. Document your network topology and access points.

    5. Implement backups according to your organization's HIPAA contingency/disaster recovery plan. Document the backup scheme.

    A few caveats:

    - I haven't addressed application-level security. The same requirements apply, but the implementation differs.

    - Your customers will demand additional safeguards that aren't in HIPAA.

    At Aptible, we help with all of this, plus all of the other requirements (risk assessment, policies, training, etc.), so you can get a complete handle on your compliance status.

  • by th3o6a1d on 9/21/14, 5:51 PM

    Thanks for all of your comments so far. Synopsis is...it's complicated. There are basically no straightforward guides and no reliable, tried-and-true open source solutions that can be deployed with minimal security expertise, at least with respect to the technical setup.

    Options are to go with a service company like Aptible or TrueVault, or fumble through vast amounts of obtuse technical and legal documentation, then hire a security expert to audit your homemade system and hope that everything goes OK. Both options, as they currently exist, require a fair amount of $$$.

  • by jeffasinger on 9/21/14, 4:54 PM

    I'd just have someone else do it for me. There are many "enterprise" level hosting companies that can help you with that.

    I believe that rackspace has a pretty program around compliance.

  • by HIPAATraining on 9/22/14, 7:08 AM

    Hi,

    training-hipaa.net provides Server Disaster Recovery Plan Template which is the part of HIPAA Compliance.

    This Server Recovery Plan documents the strategies, personnel, procedures and resources necessary to recover the server following any type of short or long term disruption. You can find more information about this over here http://www.training-hipaa.net/template_suite/Server_recovery...

  • by ak217 on 9/21/14, 8:43 PM

    If you are trying to set up a service for processing or storing PHI, you may be interested in DNAnexus (https://dnanexus.com/), which focuses on compliant high throughput data analysis and storage for genome information, but can be used to store other types of PHI data. (Full disclosure, I work at DNAnexus). Email in profile if you want to go into specifics.

  • by pagade on 9/21/14, 5:29 PM

  • by byoung2 on 9/21/14, 4:06 PM

    Here is some info about doing it on AWS

    http://aws.amazon.com/compliance/

  • by czczcz on 9/21/14, 4:38 PM

    We have been very pleased with the True Vault solution and the responsiveness of the team when needed, worth looking into for your needs.

  • by kevin_morrill on 9/21/14, 7:48 PM

    One missing point in this thread: there is no such thing as HIPAA compliant. There is no government organization that will sanction your set up as "compliant". The HIPAA legislation imposes fines if you leak data, but does not prescribe how you prevent that.

    That said, the thread does have some great safe guards and industry best practices you should look at.

  • by Gelob on 9/21/14, 7:44 PM

    (Disclosure: I work at FireHost, not in sales!)

    We sell cloud but focused on security, compliance, and performance. Check us out.

    http://www.firehost.com/secure-cloud/compliant/hipaa

  • by th3o6a1d on 9/21/14, 5:38 PM

    @voska "Starting at $3499/month with an annual contract" -- Seems like security experience comes at a price... That said, it's worth taking every precaution to protect patient data.

  • by mp99e99 on 9/21/14, 6:03 PM

    We have audited HIPAA compliant hosting, at a reasonable price:

    https://www.atlantic.net/hipaa-compliant-hosting/

  • by StephenGL on 9/21/14, 4:52 PM

    We used to use a hosting company Layered Tech that had a HIPPA compliant offering. If you need HIPPA compoanxe I suggest getting it as a managed service.

  • by snorkel on 9/21/14, 5:28 PM

    If one big customer is demanding you be HIPAA compliant then they probably want to see a certification, and depending on size of customer they may be willing to provide funding for that certification. It takes months but the certifying service will provide consulting and training. Essentially it all about tight access controls, encrypting data at rest, and documenting everything and everyone who has access to the internals.

  • by gomathinayagam on 9/24/14, 1:53 PM

    Microsoft biztalk server has strong HIPAA connector/accelerator, just have a look overthere.

  • by philip1209 on 9/21/14, 5:22 PM

    It's not an easy process .

    Check out TrueVault - HIPAA-compliant data store that is a YC grad.