Health Insurance Portability & Accountability Act (HIPAA), PCI, SOX and Web Hosting


“HIPAA” is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:

  1. Improved efficiency in health care delivery by standardizing electronic data interchange, and
  2. Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:

  1. Standardization of electronic patient health, administrative and financial data
  2. Unique health identifiers for individuals, employers, health plans and health care providers
  3. Security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.

Compliance requirements include:

  • Building initial organizational awareness of HIPAA
  • Comprehensive assessment of the organization’s privacy practices, information security systems and procedures, and use of electronic transactions
  • Developing an action plan for compliance with each rule
  • Developing a technical and management infrastructure to implement the plans
  • Implementing a comprehensive implementation action plan, including:
      • Developing new policies, processes, and procedures to ensure privacy, security and patients’ rights
      • Building business associate agreements with business partners to support HIPAA objectives
      • Developing a secure technical and physical information infrastructure
      • Updating information systems to safeguard protected health information (PHI) and enable use of standard claims and related transactions
      • Training of all workforce members
      • Developing and maintaining an internal privacy and security management and enforcement infrastructure, including providing a Privacy Officer and a Security Officer

All of these requirements apply not only to the company that owns the PHI, but also to any company or contractor it works with who has access to this information. The details of how to meet the HIPAA requirements are up to the individual company, allowing the “market to dictate” the terms and conditions.

Most companies I have worked with spend a considerable amount of time generating the paper documentation they feel will meet the above requirements. That is the most important part of any security policy or plan: knowing what is important (PHI/card data/financial/etc.) and defining how the business will properly control that information.

Data-centers, managed service providers and other contracted service providers come into this picture when a company outsources its data-center operations or partners with another company for data-center services. If you look at the HIPAA requirements, they can all be applied in some form or another to the outsourced provider, but the validation is left up to the contracting business, and there is no guidance other than “best practices”.

So what should you look for in a business partner that can meet these HIPAA requirements? Before I answer that, I would like to discuss a similar security standard. As you may know from its regular occurrence in the news, credit card data is lost and stolen on an increasingly regular basis. To help fight this, the Payment Card Industry has created the PCI Security Standards Council, whose charter is to create and maintain specific industry standards and to train qualified assessors on how to validate against those standards. Any business that stores, transmits or processes credit card data is required to abide by these standards. This means even the person with a cellular card swipe machine at the flea market has to meet the same standards as Walmart, Amazon.com, PayPal or other multi-national merchants and banks.

Below is a list of the 12 sections in the PCI Security Audit Procedures which you should look for from any service provider or partner you are considering. These sections break down in detail the steps which must be taken to comply with the PCI standard. To get more information, you can download the PCI details here https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf and here https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

  1. Firewalls & Routers
  2. Service configuration (note service includes servers/applications/databases/firewalls/etc)
  3. Storage of Card data (what is/is not allowed, encryption, secure deletion), Data retention policy
  4. Transmission of card data (SSL, VPN, 802.11, etc)
  5. Anti-virus
  6. Secure Development — ** Change Management **
  7. Need-to-know
  8. Unique ID for _everyone_ (no shared root, enable or administrator accounts) & password requirements
  9. Physical Security
  10. Logging & Time sync
  11. Security Testing (security scanning, pen testing)
  12. Policies, Contracts, Security Training, Risk Assessment, Incident Response Policies, Connected Entities (partner connection) management

Additionally, depending on which services you plan on using from a contracted provider or partner, different sections will apply. For example:

  • If they are going to provide router or firewall services, section 1
  • If they are going to provide any servers (virtual or real), then sections 2, 5, 7, 8, 9, 10, 11 & 12 (yes, most of it :)
  • If they are going to provide development support, sections 3, 4 & 6
  • If they are going to provide system management support, sections 2, 3, 4, 5, 7, 8 & 10

I mention PCI because, unlike the HIPAA requirements, the PCI standards and process are very clearly defined. While PCI is not perfect, since it was based on ISO17799 it covers a wide range of security issues. If you take the PCI standards and replace PCI with HIPAA or Financial (SOX), then you have a great guideline and audit procedure to work with for your own and your partners’ security.

So back to the question for this thread: how can you determine if a data-center/service provider meets your needs for the various compliance requirements? To answer this, you need to determine the role the service provider has in relation to your business and your specific data-set requirements.

If you are looking for somewhere to host your entire “business” and then VPN back into your company network, then you have physical, network, policy, procedure and contractual security needs.

If you are looking to have someone provide a more hands-on role, then the same requirements apply, but the provider’s mechanisms for providing support will also need to be evaluated. This brings the assessment into the way they store passwords, monitor systems, provide support, troubleshoot, and maintain change management, key management, security monitoring, image management, upgrades, etc.

Given all of these considerations, as a business you need to determine how you wish to handle the requirements. If you are a large merchant or service provider, you typically get ISO or SAS70 audits. Any data-center should be able to provide that assessment while you are determining who you wish to work with. Keep in mind that with these assessments, the company has hired the auditor to validate a “specific” item, so the audit report will be focused only on that and may not take into consideration other processes or areas within the facility.

If the company has been through a PCI or other audit, they should be able to provide some documentation regarding the audit and the controls they had in place to go through it.

If they are a service provider (providing services to PCI organizations) and have been through a Level 1 audit, then they will be listed here: http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Not many ISPs or data-centers have been through a Level 1 PCI audit, as they are usually very costly and, if you read through the Security Audit Procedures (SAP), you will find them time consuming in the details that need to be met.

So what can you hope to find in a service partner you are looking to host with?

  • A physical location that has good security controls:
      • 24×7 guard & locked doors
      • Sign-in required and only authorized visitors
      • At least 3 months (90 days) of camera data on all entrances & exits to the data-center facility
      • Security for the physical servers (do not use shared cages)
  • Policies
  • Standard configuration documentation for all services you are getting from them (servers, firewalls, load balancers, certificates, etc.)
  • Network & server security – IDS / IPS / host IDS / log monitoring / internal & external scanning / ASV scanning
  • Change management that includes:
      • Documentation of impact
      • Management sign-off – the colo should notify customers of changes (good communication; as was mentioned in a previous post, most providers that provide HIPAA or other services tend to have more communication with their customers)
      • Back-out plan / procedure
      • Functional testing

If you are looking for more advanced services to ensure not only that the machine is physically secure, but also that you have deployed your application architecture properly, then you may also want to be sure the service provider can provide:

  • Firewalls
  • Private Networks
  • VPN
  • Load balancers
  • 2 factor authentication
  • IDS
  • Log Monitoring
  • Centralized logging
  • Monitoring (Security & Availability)
  • Development services
  • Code review
  • Time services (NTP)
  • Senior Security & Architectural staff as well as Sr systems staff

Many of the people I have worked with have needed just about all of the above services when they are either building, expanding or migrating their applications into data-center facilities.

I know I did not stick specifically with the HIPAA question, but hopefully this information will help those who are looking for new hosting facilities.

Now, for those who are wondering, “well, do you provide those services?” The short answer is yes. However, not all are immediately activated, “web dashboard”-ready services; some require a direct relationship with our senior architects and systems folks.

Our San Francisco data-center is through a partnership with ColoServe, who provides the physical security and raw bandwidth to our secure cabinets. While the physical center has not been through any Level 1 PCI audits, ZZ Servers has been through 2 bi-annual security audits by American Express for one of our customers, and the facility has a SAS70 certificate and the added security of also hosting the 911 systems for the city of San Francisco, so our structural, power and data systems are a step above par.

I myself consult with a QSA out of San Mateo (http://www.drgsf.com) and perform Level 1 audits and security assessments for payment applications as specified by the Payment Applications Best Practices, following the PA-DSS (https://www.pcisecuritystandards.org/tech/pa-dss.htm).

After spending 20 years building and working with small to large companies and founding 3 previous ISP services, I wanted to bring a level of business service to the hosting community. So in founding ZZ Servers with my brother, Peter (a 20-year Navy vet currently spending his last year in the service stationed in Baghdad), we specifically created the infrastructure to be able to provide many if not all of the requirements mentioned above.

We are focused on providing services that are priced to compete with the largest players (Rackspace, 1&1, etc.) but that also have the value-added services I discussed in the requirements listings above.

We currently have customers utilizing the following services:

  • Co-located servers
  • Leased Servers
  • Virtual Private Servers
  • Private Networks
  • Multiple firewalls (internal & external)
  • Load Balancers
  • Managed monitoring & support
  • Centralized Logging & monitoring
  • IDS
  • VPN
  • 2 Factor Authentication with CryptoCard
  • Time services (NTP)
  • Senior Security & Architectural staff as well as senior systems staff

And we are in the midst of deploying a full change-management system that will be available to any customer using any service and will be fully integrated into all hosted services (scheduling changes for firewalls or clusters of servers, and tracking the status of each individual change).

We have also just signed an agreement with DRG to provide integrated ASV scanning, which will be built into our order wizard, allowing customers to sign up for and manage their PCI compliance scans and automatically send the results to their merchant bank. This service will also include an online form for creating and submitting the Self Assessment Questionnaire.

We are a small family-run business focused on slow growth and providing tools for both the smaller & larger customers to grow into whatever their business has potential for.

For more details about HIPAA, please visit http://www.hipaadvisory.com/regs/HIPAAprimer.htm

Regards,

David