HIPAA Compliant Hosting Checklist

HIPAA Compliance

In this guide, we outline the essential requirements for HIPAA compliant servers and how Liquid Web helps fulfill these necessities.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, was passed by Congress to protect sensitive user information related to health insurance. This act helps to reduce health care fraud and mandates a standard for handling confidential healthcare information for consumers and businesses.

HIPAA compliance protects this sensitive information and specifies proper guidelines and standards for handling health insurance data. HIPAA also establishes rules for handling, administering, and maintaining electronic servers as well as the hosting of this Protected Health Information.

Read more here: https://www.liquidweb.com/kb/what-is-hipaa-compliant-hosting/

Key Terms and Important Information:

HIPAA – Health Insurance Portability and Accountability Act of 1996

PHI – Protected Health Information

Access Control – To limit who can log in or access sensitive PHI data. Access control helps provide accountability for authorized usage and access to servers with confidential information. HIPAA requires that all users are uniquely identifiable and that the server hosting PHI data is only accessible to specifically authorized users and entities.

Audit Control – To log and record hardware, software, and procedural work done to maintain and repair HIPAA compliant servers and data centers. HIPAA requires accurate and uniquely accountable logs of the type of work performed, what was accessed, and by whom. This control is closely related to Access Control in that it limits maintenance to authorized and uniquely identifiable persons or entities, but it also refers explicitly to logging any maintenance of physical hardware or server software.

Facility Access Control – To limit physical access to the data center from unauthorized or unaccountable persons. This control makes sure that only designated workers have access to physical servers containing PHI. Liquid Web’s data centers are HIPAA compliant and properly limit access to all servers.

To be HIPAA compliant, you must have firewalls in place. Most of the time, compliant hosting will implement hardware, software, and application level firewalls to protect the server from unauthorized users. This security applies to Access Control as well as Transmission Security, which protects PHI from unauthorized access.

HIPAA regulations state that firewalls must be system-wide. The firewall implementations are part of the requirements for limiting access to personal information stored on the server. Firewalls that are properly set up will limit or prevent access by anyone who should not have it, often using explicit whitelists and blacklists. This setup prevents unauthorized employees, clients, or hackers from logging into servers with sensitive data.

To be allowed through the firewall, your users must have a uniquely identifiable username or identification that has been explicitly granted access permission. At Liquid Web, our networking team is on hand to secure your server with hardware firewalls, while our support team is ready to protect sensitive PHI data with software firewalls.
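The whitelist-based access described above can be made concrete. The following is an added example (my own, not Liquid Web’s code or configuration): a small default-deny policy evaluator in Python that models the firewall’s decision for a given source address and destination port, and renders the same policy as an nftables ruleset. The networks, ports, table name and comments are constructed for illustration; 203.0.113.0/24, 198.51.100.25 and 192.0.2.44 are RFC 5737 documentation addresses, not real clients.

```python
"""Default-deny allowlist firewall policy (added example, not Liquid Web's code).

Models the checklist point that only explicitly listed sources may reach a
server holding PHI, and shows why the default policy matters as much as the
individual allow rules.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """One explicit allowlist entry: a source network may reach one port."""
    source: str      # CIDR such as "203.0.113.0/24" (constructed example value)
    port: int        # destination port
    proto: str = "tcp"
    comment: str = ""

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=False)


class Firewall:
    """A first-match allowlist with a configurable default policy."""

    def __init__(self, rules, default_policy="drop"):
        if default_policy not in ("drop", "accept"):
            raise ValueError("default_policy must be 'drop' or 'accept'")
        self.rules = list(rules)
        self.default_policy = default_policy

    def evaluate(self, src_ip: str, dport: int, proto: str = "tcp") -> str:
        """Return 'accept' if an allow rule matches, otherwise the default policy."""
        addr = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            # `addr in network` is False when the IP versions differ, so an
            # IPv6 client never matches an IPv4 rule by accident.
            if rule.proto == proto and rule.port == dport and addr in rule.network:
                return "accept"
        return self.default_policy

    def render_nftables(self, table: str = "phi_server") -> str:
        """Render the policy as an nftables ruleset (an inet table covers v4 and v6)."""
        lines = [
            f"table inet {table} {{",
            "  chain input {",
            f"    type filter hook input priority 0; policy {self.default_policy};",
            "    iif lo accept",
            "    ct state established,related accept",
        ]
        for rule in self.rules:
            family = "ip" if rule.network.version == 4 else "ip6"
            comment = f' comment "{rule.comment}"' if rule.comment else ""
            lines.append(
                f"    {family} saddr {rule.source} {rule.proto} dport {rule.port} accept{comment}"
            )
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed allowlist: an office network may reach SSH, one monitoring host may reach HTTPS.
RULES = [
    AllowRule("203.0.113.0/24", 22, comment="office VPN egress, SSH admins"),
    AllowRule("198.51.100.25/32", 443, comment="uptime monitor"),
]

# Weak configuration: the allow rules exist, but the default still lets everything else in.
WEAK_FIREWALL = Firewall(RULES, default_policy="accept")
# Corrected configuration: anything not explicitly listed is dropped.
STRICT_FIREWALL = Firewall(RULES, default_policy="drop")

if __name__ == "__main__":
    for fw in (WEAK_FIREWALL, STRICT_FIREWALL):
        print(f"default={fw.default_policy}: unknown host to MySQL ->",
              fw.evaluate("192.0.2.44", 3306))
    print(STRICT_FIREWALL.render_nftables())
```

The two `Firewall` instances share the same allow rules; only the default differs, which is the usual mistake when a whitelist is added to a host that was previously open. Running the block prints the decision for an unlisted host under both defaults and then the strict ruleset.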

HIPAA compliance requires that remote access to the server go through an encrypted VPN tunnel. The VPN protects data entering the tunnel with an encrypted session that lasts only as long as the connection itself. Work done between the remote workstation and the server is protected from interception by this encryption. At Liquid Web, our VPN services are automatically encrypted in order to protect your data.

Password management is an essential part of HIPAA compliance. Safeguarding passwords and isolating them to identifiable users is integral to the protection of sensitive data. Using multi-factor authentication is highly recommended for this process.

Multi-Factor Authentication forces users logging into the secured server system to use both a password and another form of authentication, such as a mobile device, to verify their identity before access is granted. This second factor makes it much more difficult for hackers and unauthorized users to use stolen or brute-forced login credentials to access the server, as the user must complete a secondary verification from a device that is unique to them.

Many companies use Google Authenticator, which gives your users a phone app to use as their secondary verification method. Multi-Factor Authentication falls under Access Control.

If you want to be HIPAA compliant, your server cannot be on shared hosting. You must have a server that cannot be accessed by any other business or entity, which means it needs to be private or dedicated to your business. This isolation includes requiring a private IP address that is not used by another entity.

By running on shared hosting, you are violating HIPAA compliance by allowing non-authorized users access to the server. Hosting with Liquid Web gives you your own private, dedicated server used strictly by your business.

HIPAA requires limiting user access and having proper authentication, but the server itself must also exist within a HIPAA compliant data center. Liquid Web has a high-security, HIPAA compliant data center that all of our clients are hosted within, which falls under Facility Access Control.

An SSL certificate must protect any part of your website where sensitive information can be accessed. An SSL provides end-to-end encryption for the data accessed and the logins used, to further protect access to the server. PHI is Protected Health Information, and anywhere a user can access PHI must be protected with SSL.

For more information about SSL and how it works, click here: https://www.liquidweb.com/kb/how-does-an-ssl-work/

A BAA is necessary for HIPAA compliant hosting, as it designates the role of the hosting company and defines responsibility for different parts of HIPAA compliance. It does not absolve your business of its HIPAA related duties, but it defines the roles that your business and the hosting company each take on.

This Business Associate Agreement allows a hosting company the necessary access to servers to maintain them, while still preventing any other businesses’ unauthorized access to Protected Health Information.

See our HIPAA BAA policy here: https://www.liquidweb.com/about-us/policies/hipaa-baa/

HIPAA compliance requires that all Protected Health Information have an exact backup ready for restoration. These backups must also be located offsite, not on your server, for recovery in the event of a disaster or server malfunction. At Liquid Web, we have two solutions for this: Guardian and DPM Backups.

By having an offsite backup, you are protecting the Protected Health Information and ensuring that no data loss will occur on restoration. Full restoration is often achieved with continuous backups that record any changes to information on the server.

Read more about our different backup services here: https://www.liquidweb.com/products/add-ons/storage-backups/
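An "exact backup ready for restoration" is only known to be exact if the restore is checked against a record of what was backed up. The following is an added example (not Guardian, DPM or any Liquid Web tooling): a Python routine that builds a SHA-256 manifest of a data directory at backup time and, after a restore, reports files that are missing, changed or unexpected. The directory contents, file names and the tampering in `demo()` are constructed for the demonstration.

```python
"""Backup manifest and restore verification (added example, not Liquid Web's tooling).

A manifest of per-file SHA-256 digests is taken when the backup is made and kept
with the offsite copy; after a restore, comparing the restored tree against that
manifest proves the restore is exact rather than assuming it.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large PHI exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under `root` (as a POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest.keys() & restored.keys()
                     if manifest[p] != restored[p])
    return {
        "ok": not (missing or extra or changed),
        "missing": missing,
        "changed": changed,
        "extra": extra,
    }


def demo():
    """Constructed scenario: a clean restore, then a restore with a corrupted and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "phi"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "note": "constructed sample"}')
        (src / "records" / "patient-0002.json").write_text('{"id": 2}')
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest = build_manifest(src)                    # taken when the backup is made
        backup = Path(tmp) / "offsite"
        shutil.copytree(src, backup)                      # stands in for the offsite copy
        clean = verify_restore(manifest, backup)

        # Simulate a damaged restore: one record altered, one file never came back.
        (backup / "records" / "patient-0002.json").write_text('{"id": 2, "corrupted": true}')
        (backup / "config.ini").unlink()
        tampered = verify_restore(manifest, backup)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean restore:", clean_result)
    print("damaged restore:", tampered_result)
```

The manifest itself should travel with the offsite copy and be kept where the server cannot overwrite it; a manifest stored only on the server it describes would be lost in exactly the disaster the backup exists for.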

To be HIPAA compliant, appropriate methods are necessary for disposing of hardware. This disposal usually requires that the data be wiped entirely and destroyed in a manner that will not allow for restoration.

Data destruction is typically peer-reviewed and documented to state precisely the method of destruction. This process prevents any future use of the hardware from recovering sensitive PHI data. Often called Integrity Control, it ensures that data is properly altered or destroyed.

All logins and maintenance must be fully documented. Any repairs to the physical servers must be logged, especially those related to the security of the server, as must every login to the servers for software maintenance and reviews. This requirement falls under Audit Control.

At Liquid Web, all of our work is logged and appropriately recorded with HIPAA compliant standards.
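Audit Control asks for logs that say what was done, to what, and by whom, with each actor uniquely identifiable. Raw server logs already record logins and privileged commands, but they have to be parsed and checked before they answer those questions. The following is an added example (not Liquid Web’s tooling) in Python: it turns constructed sshd and sudo syslog lines into audit records and flags the two things that break accountability most often, a login to a shared account such as `root` and a login attempt against an account that does not exist. The host name, user names and addresses in the sample log are invented.

```python
"""Turning raw server auth logs into uniquely accountable audit records.

Added example, not Liquid Web's tooling. The log lines below are constructed in
the usual Linux sshd/sudo syslog format; the host, users and addresses are invented.
"""
import re
from dataclasses import dataclass
from typing import List

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log; the CRON line is there to show unrelated lines are skipped.
SAMPLE_LOG = """\
Jan 14 09:12:01 phi-db1 sshd[2113]: Accepted publickey for alice from 203.0.113.10 port 51022 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Jan 14 09:15:44 phi-db1 sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jan 14 09:16:02 phi-db1 sshd[2142]: Accepted password for root from 198.51.100.7 port 40220 ssh2
Jan 14 09:40:13 phi-db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan 14 09:41:00 phi-db1 CRON[2201]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str          # the uniquely identifiable person or service account
    action: str        # login_ok, login_fail, privileged_command
    source: str        # client IP for logins, "local" for sudo
    detail: str        # auth method, or the command run and as whom


def parse_auth_log(lines) -> List[AuditEvent]:
    """Parse sshd and sudo lines into AuditEvents; lines of other formats are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ok = m.group("result") == "Accepted"
            invalid = " (invalid user)" if m.group("invalid") else ""
            events.append(AuditEvent(
                m.group("ts"), m.group("host"), m.group("user"),
                "login_ok" if ok else "login_fail", m.group("ip"),
                f"{m.group('method')}{invalid}",
            ))
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append(AuditEvent(
                m.group("ts"), m.group("host"), m.group("user"),
                "privileged_command", "local",
                f"as {m.group('target')}: {m.group('cmd')}",
            ))
    return events


def audit_findings(events, shared_accounts=("root", "admin")) -> List[str]:
    """Flag events that cannot be attributed to one identifiable person."""
    findings = []
    for e in events:
        if e.action == "login_ok" and e.user in shared_accounts:
            findings.append(f"{e.timestamp} {e.host}: login as shared account '{e.user}' "
                            f"from {e.source} is not attributable to one person")
        elif e.action == "login_fail" and "invalid user" in e.detail:
            findings.append(f"{e.timestamp} {e.host}: failed login for unknown account "
                            f"'{e.user}' from {e.source}")
    return findings


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_LOG.splitlines())
    for event in parsed:
        print(f"{event.timestamp} {event.host} {event.user:6} {event.action:18} "
              f"{event.source:14} {event.detail}")
    print("\n".join(audit_findings(parsed)))
```

The `sudo` record is the shape HIPAA-style accountability wants: `alice` is the actor and `root` is merely the privilege used, so the work is still attributable. The direct `root` login is not, which is why it is reported even though it succeeded.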

HIPAA compliance is an integral part of your business. While it can be confusing, our technicians at Liquid Web can assure you that your Protected Health Information is appropriately handled and follows HIPAA compliant standards. While we have only reviewed a portion of the requirements of HIPAA compliance, feel free to reach out to our HIPAA Specialists for more information about how we handle our data centers and servers.

If you would like to speak with a HIPAA Specialist, start here: https://www.liquidweb.com/solutions/hipaa-compliant-hosting/

How to Use IPMI

IPMI (Intelligent Platform Management Interface) is a great way to manage your server remotely. Having IPMI combined with a Liquid Web VPN is similar to having a remote KVM (keyboard, video, mouse) switch attached to your server. You’ll be able to perform actions remotely that traditionally could only be accomplished when physically present at the machine. This includes viewing the startup process, changing BIOS settings, installing the OS, and even power cycling your server. This guide is intended to walk you through the IPMI web interface and explain the various pages. If you need help accessing IPMI, try this Knowledge Base article instead!

Note:
Some functionality of the IPMI portal has been locked down by Liquid Web. As a customer, you have “Operator” level permissions. Only IPMI “Administrators” can perform certain actions in the web portal. This article covers what is available to IPMI Operators!

This view is the first page displayed when you log into the IPMI web portal. There are a few important pieces of information on this page, including your IPMI IP address, the firmware revision of the IPMI BMC, and your system’s MAC addresses. The “Remote Console Preview” page gives you a small thumbnail display of what the video display would look like if directly connected to your server. Also note that you can perform some power cycling actions from this page, including “Power On,” “Power Down,” and “Reset.”

System Info within IPMI

 

While there is not much to look at on this page, it is one of the most important pages on the web portal! Clicking the “Launch Console” button will allow you to remotely connect to your server as if you had a KVM installed. When you click the button, your browser will prompt you to download a new file called “launch.jnlp.”

Note:
You will need Java installed to run this application.

Console Redirection page shows the "Launch Console" button

 

The “Event Log” page displays some fundamental logging information from the IPMI console. This page will keep a record of IPMI logins, and some other information on who accessed the system.

Note:
IPMI Operators will only be able to view these logs. Only IPMI Administrators maintain the ability to clear the logs.

Event Log shows who has accessed the server.

 

On this page, you can mount a CD-ROM ISO stored remotely on a Windows share, which can be useful if you would like to install a custom operating system remotely.

Note:
Installing a custom operating system may hamper Liquid Web’s ability to assist you! We have many officially supported operating systems available, ask your sales representative for more info.

IPMI gives you the ability to add your own OS.

 

The Virtual Media page allows you to upload a small binary image (1.44MB max size) directly to the IPMI controller in your server, allowing you to boot from legacy “floppy disk” images. While mostly unnecessary in today’s tech landscape, this option can still be helpful to some users.

IPMI gives you the ability to add a binary through a floppy disk image.

 

The Server Health page displays a small amount of information, mostly permitting you to see version information on the IPMI product.

Note:
Under normal circumstances, many of these fields will be blank, and there is limited information available on this page.

Check the version of your IPMI instance.

 

This page displays information gathered by sensors on the motherboard. You can see information on many physical aspects of your server here. For example, some data here includes fan speed, component temperatures, voltage readings on the CPU and RAM, and more.

Sensor Readings show fan speed, temps, CPU and RAM.

 

The “SOL” Console (Serial Over LAN Console) is a serial console connection to your server. It has particular use cases: it is only useful for redirecting serial input/output over LAN.

The serial console connection, useful for redirecting serial input/output over LAN.

 

This covers the functionality available to IPMI Operators. When appropriately used, IPMI can be a valuable tool in maintaining your server. It provides a similar level of access as if you were physically present in front of your server. This capability used to be possible only by purchasing additional, expensive KVM hardware. Liquid Web Dedicated Servers have this functionality as standard at no extra cost! Give us a call if you have any questions, or if you would like to discuss getting an IPMI capable server.

 

IPMI Dedicated VPN

IPMI stands for Intelligent Platform Management Interface. It is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independent of the host system’s CPU, firmware, and operating system. It defines a set of interfaces used by system administrators for out-of-band management of computer systems.

As an example, IPMI provides a way to manage a server that is powered off or unresponsive by using a network connection to the hardware rather than to the operating system or login shell. This means you can bypass the operating system and log in via console to troubleshoot and get your server back up and running if it goes unresponsive for any reason.


What is IPMI?

Customer Access with IPMI

Remote Desktop Protocol or SSH shell are great for managing your server remotely. But what if you need to do something outside the operating system, like changing network settings or adjusting the BIOS? Those tools cannot help you because they depend on the server’s operating system to function. Wouldn’t it be great to have KVM-like console access to your remote server? With IPMI, you can get browser based access independent of the operating system.


Log In to Storm VPN using ShrewVPN on Windows 8, 8.1 & 10


Using a VPN connection to manage your server can have a handful of benefits. Generally, the most important benefit of using a VPN is security. When you connect to the Storm VPN, your internet traffic to the Liquid Web network will be encrypted.

Your computer will connect to your server using a local VPN IP address. If your home IP is blocked, you can still use your VPN connection to access the server. It’s important to note that Storm VPN connections cannot be used to access servers outside Liquid Web’s network.

How to Configure Your Liquid Web VPN

Liquid Web offers a free Virtual Private Network (VPN) user with every account. A VPN uses encryption to secure your computer’s connection to the Internet and guarantees that all of the data you’re sending and receiving to the Liquid Web network is secured from any potential prying third parties.

Be security-minded.

A VPN will secure and encrypt inherently insecure communications (such as HTTP, FTP, SMTP, etc.) to the Liquid Web network, even while using an untrusted public network.

Who uses a VPN? People just like you.

The Professional: Whether working from a permanent home office or simply getting a few important projects done from home, a VPN will provide secure access to files stored on your dedicated server.

Remote Developers: Do you have a fleet of remote WordPress, Joomla, PHP, Drupal, or other developers that need secure access to your hosting infrastructure? If so, a VPN is not only perfect, but should be required.

The World Traveler: Working on your top secret startup from abroad? Or perhaps uploading photos from your most recent adventure? Prevent snooping by using a VPN.

Once you’re logged into your Liquid Web Manage account, follow the steps below to create a VPN user and get connected!

How To: Log In To a Cisco VPN on Windows

A Virtual Private Network (VPN) can be extremely useful when administering your servers, which is why Liquid Web offers Cisco VPNs with our firewalls. Logging in to the device can vary among operating systems. Here are some instructions for logging into a VPN from Windows systems: