Search Google for “HIPAA compliant hosting” and you’ll see dozens of sites that say they have the best HIPAA compliance or the most advanced cyber security.
Putting your company’s healthcare data “in the cloud” is a scary thought, and you’re right to be nervous. You’re trusting someone else to keep you safe from hackers, disasters, and even their own employees.
If you’re careful in your selection process, though, the benefits far outweigh the risks. HIPAA compliant hosting companies can actually improve your security in ways you’d never be able to afford on your own:
- Close to 100% uptime during a natural disaster
- Fantastic physical security, much better than you can build locally
- High-quality audit results that you can use to save money on your own security audits
Here are 5 steps to follow to pick the best HIPAA compliant hosting provider for your company.
Step 1: HIPAA Business Associate Agreement
The hosting provider must be willing to sign a HIPAA business associate agreement. Full stop. If they don’t, move on to another company.
When we’re building a list of companies, we use the power of Google to speed our research along. For example, searching for:
Gets a pretty clear answer:
Step 2: ISO 27001 Certification
This is one that really separates the wheat from the chaff. It sounds overly technical, but ISO 27001 is the closest thing that we have to a global cyber security standard. You can dive into the details if you’d like. You can be confident that a company with ISO 27001 certification has a strong cyber security program and they’ve paid an independent auditor for a thorough review.
Again, we can use some Google-fu to cut some companies from our list. If you just search for “hipaa compliant hosting” on Google:
You get tons of results:
But these aren’t the most secure companies. These are just the companies who are best at Search Engine Optimization!
But we can use Google against them. If I take one of these companies and search for any reference to ISO 27001 on their website:
We get a pretty clear answer on just how seriously they take their cyber security:
Step 3: SSAE-16 SOC 2 Audit
OK, here’s another one that’s going to really narrow down your list.
Only work with companies who can give you a recent SSAE-16 SOC 2 report. SOC 2 reports (unlike SOC 1 or SOC 3) are specifically geared towards “… today’s cloud computing, Software as a Service (SaaS), and technology related service organizations” (according to SSAE16.org).
Contact each company and request an actual copy of the SSAE-16 SOC 2 report. This is where vendors may try to confuse you with terminology. They may offer to give you a copy of their SOC 1 or SOC 3 report, and tell you they’re just as good, but they’re not.
You don’t necessarily need to read the SOC 2 report (it will be dozens of pages of cyber security content). If they send it to you, you know that they’re serious about security (and not just good at marketing).
The big boys make it super easy to get this report, giving you a link right on their website. You’ll probably have to sign a non-disclosure agreement to get it.
Wait, can’t I just look for “HIPAA certified” on their website?
Here’s the thing: there is no such thing as “HIPAA certified.” HIPAA is a loose set of guidelines subject to interpretation. Also, there is no governing body that goes around granting people “HIPAA certified” status. If anyone claims that they’re HIPAA certified, run away. Fast.
Me, I’ll take ISO 27001 certification and an SSAE-16 SOC 2 report any day over any claims of “HIPAA compliance” or “HIPAA certification.”
Step 4: Disaster Neutral Locations
Next, let’s look at your business, and make sure you’ll never get hit with a double whammy.
Take a look at the maps on this page, and consider how they relate to your company. There are two ways to approach this:
a) Try to pick a location with no major natural disasters.
The first map gives us a few locations to try.
Consider Michigan, northern Ohio, northern Indiana, northeastern Montana, and southwestern Texas. It’s ideal if your list of HIPAA compliant hosting providers has a data center in one of those locations.
b) Pick a location with disaster diversity.
If you can’t find a location with low risk, find a location with different risks from those that you face in your primary location. For example, we’re based in New England, where there is risk of hurricanes and blizzards. We’d opt for locations in the Midwest or on the West Coast that won’t be down at the same time we have severe weather.
People in LA have a high risk of earthquakes. Consider locations in the Midwest or on the East Coast that would still be live in the case of “the big one.”
Even the Rock worries about his hosting provider when the San Andreas fault acts up.
Step 5: Pick from your shortlist
By now, you should have a nice, short list of possible providers to contact. Now is the time to swing into traditional vendor selection mode, and consider:
- Monthly Price
- Startup Price (if any)
- Encryption of your data at rest (disk encryption)
- Encryption of your data in motion (secure VPN connections, IP address whitelisting)
- Data backups, ideally to remote data centers
- Dedicated Servers if possible, to prevent lateral attacks from tenants on the same machine
There are lots of other factors that you can consider, if you want. Lots of companies make a big deal about their physical security (Keycard access! 24×7 cameras!). These are all important, but we don’t see them as clear differentiators. Pretty much every company that advertises HIPAA compliant hosting has strong physical security.
Also, definitely talk to customer references. Be skeptical, though. It’s rare for a company to give you customer references who will say negative things.
Conclusion: Picking the Right HIPAA Compliant Hosting
At the time we wrote this article, more than 50 vendors were advertising on Google for “hipaa compliant hosting.”
By following the steps in this article, you can make short work of finding hosting providers that are truly secure.