Is your HIPAA hosting provider compliant?

Picture of Tim Davis

Tim Davis

Senior Cloud and Security Engineer

Share Post:

Hipaa-Health

Is your hosting provider compliant?

HHS Enforces New Regulations for HIPAA

Hospitals and their software developers are now at risk for losing millions. If you signed a Business Associate Agreement (BAA) with a provider, you should ensure your provider is up to speed on all the latest regulations. Read on to learn a subtle way to test your hosting provider’s HIPAA expertise.

 

What Hackers Target

In late 2016, the HHS allowed doctors to exchange private health information (e-PHI) through instant messaging apps like pMD, Output Messenger, and Netsfere. But they must use apps whose data flows through a HIPAA compliant server. And for most hosting providers, encrypting IMs is a low priority task. Their main focus is usually securing storage of e-PHI, not communication of it. Here’s why:

 

E-PHI storage is the hacker’s goldmine. Access to this provides abundant identifying information useful for committing fraud. By contrast, the occasional text message contains limited information.  That’s why a text message breach is much less harmful to an entity than a storage breach. But HIPAA doesn’t discriminate.

 

$3.5 Million Fine

 

In February 2018, the HHS revealed that Fresenius Medical Care North America owed $3.5 million for failing to abide HIPAA policy. According to the HHS, “FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its e-PHI” (HHS 2018).

 

$3.5 million for lack of thorough risk analysis. Your client would owe that amount because you hired an incompetent hosting provider. And where is your hosting provider least likely to be thorough? Their encryption methods for communication software.

 

 

A Simple Solution for Software Developers

 

You want to ensure your provider has a reputation for following the nitty-gritty details of HIPAA compliance. After all, their reputation becomes your reputation. So what are some ways you can test if your hosting provider abides the HITECH Act’s fine lines?

 

  1. Ask how they encrypt for instant messaging apps.

Leave it open-ended. You want to hear that they use TLS. Any other security method is sub-par.

 

  1. Ask what type of software they host for.

If they only mention one kind, they have narrow HIPAA expertise.

 

  1. Look at their list of clients.

Here you can confirm that they’ve worked with a variety of developers, which ensures they know all aspects of HIPAA law.

 

But after all those measures, you might still be unsure. After all, HIPAA audits for nuances that go beyond instant message encryption. And doing all these tests can be a time consuming headache. What’s an easier way?

 

Revion and HIPAA compliance

 

Revion knows to use TLS encryption on all cloud services. We cross-train our systems engineers to stay on top of every aspect of HIPAA law.

 

We make sure to stay 100% HIPAA compliant, no matter what service you provide. Securing our clients’ data is our priority.

 

Contact us for a free quote.

 

 

References

https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html

https://www.hipaajournal.com/new-hipaa-guidance-2017-texting-social-media-case-walkthrough-8702/

https://www.hipaajournal.com/new-hipaa-regulations/

http://www.healthcareitnews.com/slideshow/biggest-healthcare-breaches-2017-so-far?page=1

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html

https://www.healthcare-informatics.com/news-item/cybersecurity/2017-breach-report-477-breaches-56m-patient-records-affected

 

Stay Connected

More Updates

Log4j2 Vulnerability

Revion is not using Log4j2 tool for apache-tomcat, we are using default lightweight API – Java logging API — java.util.logging. Additionally, we are not exposing

Bind/DNS services upgraded

To address security vulnerability discovered in Bind 9.8.1. we have upgraded all bind dns servers to 9.8.1.-P1