Ask HN: How do I set up a HIPAA-compliant server?

68 pointsth3o6a1d11y ago52 comments

52 comments

50 comments · 23 top-level

chasb11y ago· 10 in thread

(Disclosure: I'm a co-founder of Aptible.)

As noted in other comments, most of HIPAA is not technical. Most of the requirements relate to risk assessment, policies, training, incident response, etc.

With that in mind, I'm going to quickly run down all of the major moving parts and then cover some of the technical considerations for setting up a server.

HIPAA has three main rules you need to comply with:

1. The Privacy Rule - Governs the use and disclosure of PHI (protected health information). Applies to all forms of PHI (verbal, written, electronic, etc.).

2. The Security Rule - Governs safeguards for electronic PHI

3. The Breach Notification Rule - Governs your responsibilities during a security or privacy incident

The Security Rule has a general security standard, some documentation/retention rules, and three sections of safeguards. They are:

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

Some of the safeguards are mandatory. Some are "addressable," meaning if you don't implement them you must document why you chose not to and what other safeguards you applied instead.

Most likely, you're going to start with something like the following for your servers:

1. Sign a BAA with any service provider who is going to touch PHI for you.

2. Restrict physical and logical server access to authorized individuals. Document how you restrict access and why the methods chosen are reasonable and appropriate given the risk posture of your organization. (There's a LOT packed into this step.)

3. Log all access and data modification events. If you use a logging service that isn't HIPAA-compliant, make sure you're not including PHI data you send them.

4. Encrypt data at rest and in transit, including inside the network perimeter. Document your network topology and access points.

5. Implement backups according to your organization's HIPAA contingency/disaster recovery plan. Document the backup scheme.

A few caveats:

- I haven't addressed application-level security. The same requirements apply, but the implementation differs.

- Your customers will demand additional safeguards that aren't in HIPAA.

At Aptible, we help with all of this, plus all of the other requirements (risk assessment, policies, training, etc.), so you can get a complete handle on your compliance status.

niels_olson11y ago

> $3500/month.

> $0.10/Hour Additional App/Database Containers $0.40/GB/Month Additional Storage.

¡Ay, caramba!

Thanks for at least giving me a source to cite in grant applications!

markolschesky11y ago

Where I work at Catalyze, we offer a starting package beginning at $500/mo that includes one database container and one server. Or, if your application only required a secure backend, prices start as cheap as $100/month. We have a calculator here to compare prices: https://catalyze.io/platform-as-a-service/

We've been building applications with both startups and large healthcare organizations like the VA. I'd love to talk with you more to see what your needs are. Feel free to hit me with an email (mark@catalyze.io) with any questions.

Good luck!

1 more reply

WettowelReactor11y ago

This is all great advise. I would just strongly emphasize that HIPAA compliance has significantly more to do with the soft guidelines than meeting technical specifications.

Part of what makes HIPAA compliance challenging from a techies perspective is that there are very few proscriptive rules. A lot of implementation is left up to the provider to provide flexibility but the justification for all those decisions needs to be defensible.

A couple last items I would add: Not only do you need a BAA with any service provider you use you will also need one for any contractor who has access to PHI you are responsible for. As of the latest set of rules this also applies to any subcontractors that your contractors may use.

You will also need named privacy and security officers who are responsible for the overall program and will be the first ones HHS and OCR will ask for should you be audited.

dragonwriter11y ago

Depending on what function you are providing for HIPAA-covered entities, you may need to also deal with the Transactions and Code Sets rule, though the rules related to PHI are usually all people are aware of.

One should also note that the Breach Notification rule, through its definition of what constitutes unsecured PHI, actually sneaks in technical requirements that entities dealing with PHI probably should treat as near-mandatory for encryption, etc., since, even though they aren't strictly mandatory, significantly impact the likelihood of a reportable breach.

scdc11y ago

Curious-- do you define a running database system (e.g. MySQL) to contain "data at rest", "data in transit" or neither?

My reading says "neither". Conservative move is "encrypt everything" but curious if others have passed/failed a HIPAA audit with a standard MySQL or SQL Server system (assuming you have individual ID access & logging).

rficcaglia11y ago

note that state privacy laws, or the use of creidt cards (PCI) will largely require most of this so in broad terms, if you comply with PCI and NY/CA privacy requirements, you pass HIPAA muster.

the rest is really basic good practice for any professional-grade service that is entrusted with customer data

i respect that someone is trying to market a prepackaged solution but i would advise against shortcuts. you (the developer/owner/cto) should take the time to understand your stack from bere metal up, and be able to explain the risks that are real vs academic, the financial impact of attacks or internal employee mistakes/theft, and the real cost and benefits of devops done right.

you owe it to your customers, your shareholders, your employees and yourself to invest the mental energy to really understand the nuances.

otherwise, dont go into health care markets.

(i like to think we take our work as seriously as the best MDs, so would you want your surgeoun taking shortcuts or trying to build a MVP?)

jMyles11y ago

I came to this thread with the intention to say, "Call Chas and Frank at Aptible! They're nice folk with a product that does only exactly what you are asking for."

How are y'all? What's the latest?

chasb11y ago

Life is good, just hanging out on a Sunday afternoon, geeking out about HIPAA. What could be better? Pretty much normal for us :)

judk11y ago

Considering what we know about deployed systems in general, is it likely that current systems actually comply, or are merely privacy disasters waiting to explode?

rficcaglia11y ago

boom

wyc11y ago· 4 in thread

There are a few options if you want HIPAA compliance. Note that "HIPAA compliance" is somewhat of a loaded term in that there aren't many super-technical benchmarks to meet, but a general "do-good" attitude including (but not limited to) some of the following points:

- Physical server isolation: you cannot have other instances sniffing around in your deallocated garbage memory.

- Encrypted data stores: physical theft of the server should not provide access to your data.

- Server providers who can sign a Business Associate Agreement: many hospitals and firms with medical data require this in their stipulations.

- Audit trails for database modifications, access, etc. Basically, log everything, and this has to be encrypted too if it contains protected health information (PHI).

- All PHI over HTTPS if you have a webapp. NO PHI OVER EMAIL OR HTTP.

- "Soft" guidelines such as password complexity measures, auto session expiration, disallowed multi-sessions.

Again, this is not an exhaustive list. You really need to check with a lawyer who knows this stuff. The fines are enormous (read: business-ending) if you break the rules.

How do you work to implement these? Well, find a host who is willing to sign a BAA. Here are the two major contenders I'm aware of:

- Use Amazon AWS; they're willing to sign a BAA with you and provide you the physical server isolation you need. However, this doesn't come cheap. Expect >$2,000/mo in costs to keep this configuration. Also, you'd better be a network pro or willing to learn how to manage VPCs correctly to provide proper network-level isolation for the databases.

- Use aptible.com (they happen to be a YC company, and I don't know of anyone else doing this). Frank & Chas (the founders) are very responsive and aim to provide a comprehensive package, including backups, audit trails, and even employee training. The Docker-based and heroku-like interface is very appealing:

https://support.aptible.com/hc/en-us/articles/202638630-Depl...

This option is still expensive. They host on AWS as well, so you're paying for the server costs + premium. However, this will still be a lot cheaper than hiring a competent sysadmin to make sure the execution is flawless.

laurencerowe11y ago

Does HIPAA really require "physical server isolation"? I wasn't able to find anything specifying that in my reading. (Encrypting data at rest is definitely required. I suspect the S3 functionality was built to address the requirement.)

AFAICT the whole "can't do HIPAA in the cloud" meme arose from the reluctance of cloud services to sign BAAs, Google only got on board with that earlier this year.

chasb11y ago

I'm a lawyer, but not your lawyer. This is not legal advice. :)

The HIPAA Security Rule requires that you take "reasonable and appropriate" measures to safeguard the confidentiality, integrity, and availability of electronic regulated health data.

Physical server isolation is not prima facie required, meaning there is no requirement that literally states you must isolate servers down to bare metal. Your customers' judgments about what constitutes "reasonable and appropriate" safeguards may vary, though. That decision should be driven by your risk assessment.

Encryption is also not prima facie required, actually.[0] I can't imagine a case in which it would be reasonable for a cloud SaaS provider not implement it, so I'd say it is de facto required. MFA may be moving to the same category, for most web services.

[0]: http://www.law.cornell.edu/cfr/text/45/164.312

wyc11y ago

I think this might just be a stipulation to sign a BAA with Amazon, combined with my tendency to err on the side of safety. I can't find anything to cite either. On a slightly related note, lack of memory safety happens to be how Home Depot lost all those credit card numbers.

I am not a lawyer.

rficcaglia11y ago

no it is not (i have passed VA/DoD audits without)

USNetizen11y ago· 3 in thread

It's not just the server - it's the storage, accessibility (compartmentalization), and transmission of sensitive data (PHI and PII) at all levels. There is a lot more to HIPAA/HITECH than just server configuration - there are legal agreements you have to enter into as well (BAA's), insurance requirements, and potentially a lot more.

I'd suggest you work with a company that has a lot of experience in this area before you inadvertently find yourself fined (or sued) into bankruptcy.

paco334611y ago

A lot of HIPAA complience also has to do with due dilegence. My organization recently when through a long period of training that covered everything from building access logs to the way we do employee password resets. Unfortunately there aren't hard, static rules that define it.

On the positive side- I've learned to love the compliance. Most of it is common sense things (like not giving out info over the phone to any random person) and has made our organization more efficient.

rficcaglia11y ago

+1 do these things because they are actually good engineering practices. be a good custodian of any user's trust.

i think some companies try for the quick buck and in the name of cost savings run a shoddy operation. ymmv.

ps - do not try making said quick buck in health care. contrary to VC bets otherwise, it doesnt exist. plan for a very very long haul.

drez11y ago

This exactly. It's not like there are just a few commands to run in Linux that gets you a HIPAA-compliant server. It is a pretty long and arduous process that involves several business-level requirements, in addition to the technical ones.

mp99e9911y ago· 3 in thread

We have audited HIPAA compliant hosting, at a reasonable price:

https://www.atlantic.net/hipaa-compliant-hosting/

mkopinsky11y ago

As a potential customer, I want to let you know that you really should fix all the typos and the like on your website. It really gives a poor first impression when I see things like:

    * 5 X VPN's (no apostrophe needed; what does this even mean?)
    * 1 Dedicated IP Addresse
    * Header/footer links open in a new tab.
    * Some numbers are listed as 800, some as 1-800.
    * Data center addresses have a comma at the end of the first line. That's not how US addresses are written.
    * Headquarters address is all on one line.

All of these indicate, in my mind, a lack of attention to detail. This is absolutely the last thing I'd want in my compliance provider. (More charitably, it probably indicates a lack of familiarity with either English or certain US conventions, which is I'd forgive in some vendors, but not when it comes to HIPAA compliance.)

Please don't go and fix the specific things I listed and think you're done. You need to significantly rethink the impression you're giving.

dsl11y ago

I hope you point out to your customers that compliance is a lot more than just a hosting account. Everything from specifications of the design of your office network to policies for employees talking while on smoke breaks.

markolschesky11y ago

Agreed. Anyone that you choose for HIPAA-compliant hosting should be able to outline their policies. Where I work at Catalyze, ours are here:

https://catalyze.io/hipaa/ https://catalyze.io/policy/

And we've gone through a HITRUST audit to validate these claims:

https://catalyze.io/compliance/

th3o6a1dOP11y ago· 2 in thread

@USNetizen -- You're right...I should have clarified that I want to know how to get an entire stack up and running, although I don't trust myself to do this unassisted.

I'm just surprised at how few resources there are that explain what it takes, and I hope that someday soon, healthcare startup CTO's will be referred to clearly documented open source solutions that are fairly fool-proof, rather than paid-for services (@sebst). Amazon's compliance page is unfortunately uninformative (@byoung2).

chasb11y ago

I'm the co-founder of Aptible, a HIPAA-compliant PaaS that just went through YC. I'd be really happy to talk to you and help figure out what kinds of resources we could publish, for free, that would help CTOs in your position figure this out. Email is in my profile.

USNetizen11y ago

You're absolutely right in that regard. I actually started my company to help out others in a similar situation, but there should be an easier way to go about getting set up initially. Even many small/mid-size medical offices don't know what it takes from a technology perspective to be fully compliant, let alone other startups.

The only reason I have been able to navigate HIPAA/HITECH is because I've worked many years previously as a software engineer and then a senior technology manager for a very large hospital network and dealt with these requirements daily.

th3o6a1dOP11y ago· 2 in thread

Thanks for all of your comments so far. Synopsis is...it's complicated. There are basically no straightforward guides and no reliable, tried-and-true open source solutions that can be deployed with minimal security expertise, at least with respect to the technical setup.

Options are to go with a service company like Aptible or TrueVault, or fumble through vast amounts of obtuse technical and legal documentation, then hire a security expert to audit your homemade system and hope that everything goes OK. Both options, as they currently exist, require a fair amount of $$$.

PeterisP11y ago

Isn't "no solutions that can be deployed with minimal security expertise" just about the whole point of this compliance?

If you have minimal security expertise, then you're supposed to be treated as noncompliant. There are two valid options: have the security expertise (and be prepared to legally vouch for it that you have, and get insurance for cases if it turns out that your expertise wan't enough), or get the security expertise from someone else. Oh, and the third option is to stop handling any sensitive data at all if you aren't equipped to handle it.

The reason why HIPAA (and similar compliance issues in other domains) exist is to try to eliminate what you're proposing. Random companies with minimal security expertise shouldn't be handling such data themselves, period.

rcoder11y ago

This, +1000: 'Isn't "no solutions that can be deployed with minimal security expertise" just about the whole point of this compliance?'

If you aren't a trained, competent security analyst/engineer (or working with one) then don't accept sensitive information. PHI, credit card numbers, even contact lists: all of these are considered "sensitive" for a reason, and you are being reckless in the extreme if you accept them from your customers without the proper protections in place.

I have seen and even been responsible for (many years ago) the implementation of some horrifyingly bad "security controls" by people who simply didn't understand the field.

It's not just crypto, or disabling root logins via SSH, or preventing XSS on your web forms; you need to plan for a multitude of possible attack vectors, internal and external. Many of those aren't likely to be intuitive without some real training and exposure to best practices.

snorkel11y ago· 2 in thread

If one big customer is demanding you be HIPAA compliant then they probably want to see a certification, and depending on size of customer they may be willing to provide funding for that certification. It takes months but the certifying service will provide consulting and training. Essentially it all about tight access controls, encrypting data at rest, and documenting everything and everyone who has access to the internals.

kutienoo11y ago

There is no such thing as a HIPAA certification.

rficcaglia11y ago

correct but hospitals and other buyers dont seem to know that and some do insist on "certification"....you can try to convince them but in my first hand experience the (uninformed, misinformed) customer is always right so you do have to provide something that claims to be a "certified" solition...typically by providing an outside audit report

ak21711y ago· 1 in thread

If you are trying to set up a service for processing or storing PHI, you may be interested in DNAnexus (https://dnanexus.com/), which focuses on compliant high throughput data analysis and storage for genome information, but can be used to store other types of PHI data. (Full disclosure, I work at DNAnexus). Email in profile if you want to go into specifics.

markolschesky11y ago

Cool! I had not heard of dnanexus before. Looking forward to checking it out.

sebst11y ago

It's a big task on its own and it seems a bit in-transparent to me.

However, you may want to have a look at TrueVault[0] which has been featured on HN[1].

[0]: https://www.truevault.com/

[1]: https://news.ycombinator.com/item?id=7033188

michaelmachine11y ago

As some people have mentioned here, there are other issues to think of besides the IT aspect. There is employee training, risk assessment, policy development, and the business account agreements. Accountable is a company that focuses on these type of issues to make them easier by providing things like employee training, ready to use policies and procedures, and business association agreements. I found them while learning about HIPPA compliance, and I have not actually tried the product but it looks like it could be useful for you, so I thought I would mention it here. http://accountablehq.com/index.html

th3o6a1dOP11y ago

Surprised no one has posted this. From the folks at TrueVault. https://github.com/truevault/hipaa-compliance-developers-gui...

voska11y ago

If you want a HIPAA-compliant server setup for you: https://www.aptible.com/ (S14)

jeffasinger11y ago

I'd just have someone else do it for me. There are many "enterprise" level hosting companies that can help you with that.

I believe that rackspace has a pretty program around compliance.

HIPAATraining11y ago

Hi,

training-hipaa.net provides Server Disaster Recovery Plan Template which is the part of HIPAA Compliance.

This Server Recovery Plan documents the strategies, personnel, procedures and resources necessary to recover the server following any type of short or long term disruption. You can find more information about this over here http://www.training-hipaa.net/template_suite/Server_recovery...

pagade11y ago

You may want to check out BladeLogic Server Automation: http://www.bmc.com/it-solutions/bladelogic-server-automation...

Datasheet:

http://documents.bmc.com/products/documents/27/36/242736/242...

byoung211y ago

Here is some info about doing it on AWS

http://aws.amazon.com/compliance/

czczcz11y ago

We have been very pleased with the True Vault solution and the responsiveness of the team when needed, worth looking into for your needs.

kevin_morrill11y ago

One missing point in this thread: there is no such thing as HIPAA compliant. There is no government organization that will sanction your set up as "compliant". The HIPAA legislation imposes fines if you leak data, but does not prescribe how you prevent that.

That said, the thread does have some great safe guards and industry best practices you should look at.

Gelob11y ago

(Disclosure: I work at FireHost, not in sales!)

We sell cloud but focused on security, compliance, and performance. Check us out.

http://www.firehost.com/secure-cloud/compliant/hipaa

th3o6a1dOP11y ago

@voska "Starting at $3499/month with an annual contract" -- Seems like security experience comes at a price... That said, it's worth taking every precaution to protect patient data.

StephenGL11y ago

We used to use a hosting company Layered Tech that had a HIPPA compliant offering. If you need HIPPA compoanxe I suggest getting it as a managed service.

gomathinayagam11y ago

Microsoft biztalk server has strong HIPAA connector/accelerator, just have a look overthere.

philip120911y ago

It's not an easy process .

Check out TrueVault - HIPAA-compliant data store that is a YC grad.

j / k navigate · click thread line to collapse