HIPPA

Hi,

I have a project that requires HIPPA. Anyone dealt with this recently? I can make the software compliant, but what about the VPS? I use a Vultr VC2 VPS; anyone know if that will break compliance?

Thanks,
-Adam

Comments

  • AFAIK the DCs need to be HIPPA certified. You need to check with Vultr on this. All the biggies (Azure/AWS) have HIPPA certified offerings. Not sure about Vultr though.

  • AdamM Member

    Vultr sent me this... I am still trying to unravel its meaning.

    Thank you for your inquiry. SSAE-16 [any SOC] and other compliance objectives [e.g., HIPAA, ISO 9001] are the responsibility of the Organization in question and they are non-transferable. While Vultr has no specific compliance requirements as an Online Service Provider, the facilities/infrastructure we provide ought to be able to support any organization's efforts in this regard. Please note, our self-service model requires the organization to support itself/ensure everything is configured properly and secured.

    A similar philosophy holds true regarding PCI-DSS in that our facilities and infrastructure can support any organization's compliance/certification efforts. Vultr is PCI-DSS certified [SAQ D], a fact that is non-transferable to subscribers.

    Vultr MAY achieve SSAE-16 SOC 2 and/or ISO 9001 at some point down the road but again, even if we had it, the certification would not be transferable to subscribers' organizations.

  • Kris Member
    edited April 2017

    Vultr is not and will not ever be HIPAA* compliant. You need to think about storage, accessibility & virtualization.

    If your client has a breach of data and it's found it was on a multi-tenant KVM VPS where admins are able to mount your LVM file system at a whim, you're screwed, as the fines for HIPAA violations can start in the $10,000 range and up, depending on the negligence of the provider or person who chose that provider / setup. Goes far beyond this, but just one example.

    There's a TON of due diligence required by a provider of HIPAA solutions, and none of DaveA's setups would be close to compliant. Nothing proprietary there, but they're more set up for the $2.50 crowd and game-server kids.

    Real companies like Datapipe and LiquidWeb would be better for this. It's not cheap, but neither are the fees that go along with a breach.

    You need a specialized provider that boasts & can provide actual HIPAA compliance. A cheap KVM isn't close.

    Thanked by 1WSS
  • Hxxx Member

    HIPAA, you already started on the wrong foot.

  • KuJoe Member, Host Rep
    edited April 2017

    Step 1: Hire a compliance officer.
    Step 2: Work with your new compliance officer.
    Step 3: Start your project.

    Thanked by 2Kris ElliotJ
  • Kris Member

    @AdamM said:
    Vultr sent me this... I am still trying to unravel its meaning.

    Thank you for your inquiry. SSAE-16 [any SOC] and other compliance objectives [e.g., HIPAA, ISO 9001] are the responsibility of the Organization in question and they are non-transferable. While Vultr has no specific compliance requirements as an Online Service Provider, the facilities/infrastructure we provide ought to be able to support any organization's efforts in this regard. Please note, our self-service model requires the organization to support itself/ensure everything is configured properly and secured.

    A similar philosophy holds true regarding PCI-DSS in that our facilities and infrastructure can support any organization's compliance/certification efforts. Vultr is PCI-DSS certified [SAQ D], a fact that is non-transferable to subscribers.

    Vultr MAY achieve SSAE-16 SOC 2 and/or ISO 9001 at some point down the road but again, even if we had it, the certification would not be transferable to subscribers' organizations.

    That's the longest canned reply I've seen without actually saying anything.

    Vultr MAY achieve SSAE-16 SOC 2 and/or ISO 9001 at some point down the road

    No, they aren't even SSAE-16 SOC Type 2 compliant, or ISO-9001, but they sure would love to one day, and even if they did achieve it, it's not transferable to your server.

    Don't put that data near this server.

    Thanked by 1WSS
  • WSS Member

    I love how they toss PCI back at you as a response when anyone with half a clue would realize that a VPS will never fucking be compliant for PCI or HIPAA (but until your data is breached, nobody is likely to care).

  • @AdamM said:
    Hi,

    I have a project that requires HIPPA. Anyone dealt with this recently? I can make the software compliant, but what about the VPS? I use a Vultr VC2 VPS; anyone know if that will break compliance?

    Thanks,
    -Adam

    If you are doing HIPPA you should be charging enough to get professional advice and not rely on LowEndOpinion™. Go with a proper solution: Azure or AWS.

  • WSS said: but until your data is breached, nobody is likely to care

    What about HIPPA audits?

  • WSS Member

    @saibal said:

    WSS said: but until your data is breached, nobody is likely to care

    What about HIPPA audits?

    Well, they get fined, and you fired!

  • @elwebmaster said:

    @AdamM said:
    Hi,

    I have a project that requires HIPPA. Anyone dealt with this recently? I can make the software compliant, but what about the VPS? I use a Vultr VC2 VPS; anyone know if that will break compliance?

    Thanks,
    -Adam

    If you are doing HIPPA you should be charging enough to get professional advice and not rely on LowEndOpinion™. Go with a proper solution: Azure or AWS.

    As far as I know they aren't even close either. The HIPPA compliance means only certain people have access to the information therein, meaning NO NO NO virtualization software will ever work for this. Too easy to breach the containers from the center's end. Most that need this kind of thing run their own infrastructure to achieve it, and then they can limit the number of people who have access to it.

    Thanked by 1flatland_spider
  • WSS said: Well, they get fined, and you fired!

    LOL. Yeah. I believe there is an audit before the whole project starts and ideally the OP's infrastructure provider (Vultr in this case) might be rejected based on what others have already said. Setting up infrastructure to be HIPPA compliant is expensive and maintaining it is even more. Any client looking for compliance would be better off getting infrastructure from the well known biggies.

  • WSS Member

    @saibal said:
    Any client looking for compliance would be better off getting infrastructure from the well known biggies.

    Yep, that's why so many places use Microsoft's HealthVault and similar products - the necessities for compliance are often beyond the scope of the provider's abilities and expenditures.

    I had a client last year that had a very lazy network topology, and was hit by one of those lovely encrypting malware tools. I caught it before it hit their NAS, but they were damn lucky they didn't get more than a couple of days of downtime to restructure and rebuild - they deserved to be shut down for their apathy and mishandling of client records.

    Thanked by 2AuroraZ Kris
  • Oplink.net has HIPAA compliance as an image in their footer. Might be worth contacting them.

    https://www.oplink.net/dedicated.html

    @Oplink

  • HIPAA compliance is kind of tricky, but very doable. There are a few public datacenters that do it, and it isn't cheap. AWS will also do HIPAA compliant stuff, but the fee to switch that on was around $8,000. Our private datacenter (at a University) recently went through an audit, so you will need to be well prepared.

  • raindog308 Administrator, Veteran

    AuroraZ said: As far as I know they aren't even close either. The HIPPA compliance means only certain people have access to the information therein, meaning NO NO NO virtualization software will ever work for this

    That is completely untrue. You can certainly use virtualization with HIPAA data.

    elwebmaster said: If you are doing HIPPA you should be charging enough to get professional advice and not rely on LowEndOpinion™.

    This.

    Thanked by 1TheLinuxBug
  • @raindog308 said:

    AuroraZ said: As far as I know they aren't even close either. The HIPPA compliance means only certain people have access to the information therein, meaning NO NO NO virtualization software will ever work for this

    That is completely untrue. You can certainly use virtualization with HIPAA data.

    elwebmaster said: If you are doing HIPPA you should be charging enough to get professional advice and not rely on LowEndOpinion™.

    This.

    Show me one virtualization product (out of the box, with no mods) that passes the encryption guidelines. Just one and I will retract that statement.

  • raindog308 Administrator, Veteran

    AuroraZ said: Show me one virtualization product (out of the box, with no mods) that passes the encryption guidelines. Just one and I will retract that statement.

    Show me where HIPAA mentions encryption. Here's the act:

    https://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/html/CRPT-104hrpt736.htm

    You can search forward for the string 'ncryp' but I'll save you the time: it isn't there. Nothing about virtualization either. Heck, even "electronic" only appears 29 times in all those thousands of words. There's discussion about required security but it's 30,000 feet above actually dictating technical choices.

    You can design a HIPPA-compliant system with virtualization. HIPPA like most regulations is primarily about controls, auditing, and testing those controls. HIPPA says things like "secure storage". What does that mean? Depends. That's where industry guidelines come from but they're still at the "must provide these characteristics" not at the "RHEL 7.1 is certified but 7.0 isn't" level.

    Your statement also seems technically narrow. "Virtualization" includes things as diverse as VMware, OVM, IBM z/OS, HP NonStop, etc. Random VM on public node on GreenValueHost? Probably hard to pass. But a VMware server in your own DC with rigorous access controls and that security tier has its own farm...

    Thanked by 1aaraya1516
  • AuroraZ Barred
    edited April 2017

    raindog308 said: But a VMware server in your own DC with rigorous access controls and that security tier has its own farm...

    That is what I said: most have their own infrastructure for this kind of thing because of the mandates. The rules themselves say nothing, but the audits are another thing entirely. Those auditors are a PITA, and I should know, I have been through them. They want everything just right and encrypted on both sides.

    In a standard datacenter there are way too many people with access to the boxes. You can use virt of course, but not the way it is, or out in a regular datacenter. There has to be some kind of control and you will not get this from joeblowsdatacenter.com

    When dealing with HIPPA you are dealing with over-regulation, not just the regulations. Sorry, I suppose I should have explained it better, but the OP was asking about providers here and I did not think I really had to.

  • @raindog308 said:
    You can design a HIPPA-compliant system with virtualization. HIPPA like most regulations is primarily about controls, auditing, and testing those controls. HIPPA says things like "secure storage". What does that mean? Depends. That's where industry guidelines come from but they're still at the "must provide these characteristics" not at the "RHEL 7.1 is certified but 7.0 isn't" level.

    Your statement also seems technically narrow. "Virtualization" includes things as diverse as VMware, OVM, IBM z/OS, HP NonStop, etc. Random VM on public node on GreenValueHost? Probably hard to pass. But a VMware server in your own DC with rigorous access controls and that security tier has its own farm...

    This is true, we use VMware and Citrix products within a secured DC. The center and building need to comply with access controls. You can't have a VPS on any non-certified machine/DC and call it HIPAA compliant. You should ensure whether you need to meet HIPAA vs other security standards depending on the data you wish to hold there.

    Thanked by 1AuroraZ
  • AdamM Member

    AuroraZ said: elwebmaster said: If you are doing HIPPA you should be charging enough to get professional advice and not rely on LowEndOpinion™.

    Regarding charging enough, I don't "charge", I am salaried full time. I get paid the same for easy jobs and complicated projects.

    My org has in house HIPPA people, but I am tasked with the software development... wanted to get a sense of hosting options.... may need to just host on our internal servers (always a pain because many IT layers to go through).

    Thanked by 1AuroraZ
  • Hxxx Member

    HIPAA , get it right god damn it LET.

    Thanked by 1Kris
  • mehargags Member
    edited April 2017

    Atlantic offers HIPAA compliant dedicated server hosting... you cannot have a VPS because HIPAA compliance mandates a full box dedicated to a single company. No sharing of resources or cross-linking of data is allowed.

    The hosting would be upwards of $600/mo and you will need a compliance consultation for your software system as well. You will also need compliance on the way you upload data to your server(s).

    Also the compliance policies differ in assessment from state to state and by the counselor... it literally is a pain to comply. I've been working with the US healthcare industry for the last 7-8 years, and I've seen millions being spent on HIPAA systems while every day the doctors, NPs, PAs and other accounting staff ridiculously and unknowingly break the rules.

  • @mehargags said:
    Atlantic offers HIPAA compliant dedicated server hosting... you cannot have a VPS because HIPAA compliance mandates a full box dedicated to a single company. No sharing of resources or cross-linking of data is allowed.

    The hosting would be upwards of $600/mo and you will need a compliance consultation for your software system as well. You will also need compliance on the way you upload data to your server(s).

    Also the compliance policies differ in assessment from state to state and by the counselor... it literally is a pain to comply. I've been working with the US healthcare industry for the last 7-8 years, and I've seen millions being spent on HIPAA systems while every day the doctors, NPs, PAs and other accounting staff ridiculously and unknowingly break the rules.

    This has been my experience as well. I don't think LET can give you a $1/mo deal on this, it's just not financially possible. The cheapest I've seen for a compliant dedi is around $350/mo, and it's not the latest and greatest hardware.

  • raindog308 Administrator, Veteran

    AuroraZ said: That is what I said most have their own infrastructure for this kind of thing because of the mandates.

    Yeah, ditto for anything with auditors...I think HIPAA, SOX, etc should be renamed "the Auditor Full Employment Acts".

    Thanked by 1Amitz