Developing and hosting health-care and medical websites requires us to be up to date on laws and regulations surrounding secure hosting with https and patient information. This article covers some of the best practices to be aware of when researching health-care-compliant web servers and hosting environments.

Specifically, you need to be familiar with HIPAA’s Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and HIPAA’s Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) and how data is required to be encrypted.

HIPAA was expanded by the HITECH (Health Information Technology for Economic and Clinical Health) Act in 2009. This established a set of federal standards to ensure the privacy of protected health information (PHI).

Why Are the HIPAA and HITECH Acts Important?

These acts provide national minimum standards for protecting a person’s protected health information (PHI). Originally, HIPAA was meant to improve health-care processing and to lower costs by standardizing common health-care transactions while keeping the individual’s information safe. HITECH expanded on these security requirements, while the U.S. Department of Health and Human Services (HHS) manages and enforces these standards.

Data Encryption in the Cloud

Hosting solutions often provide resizable computing capacity in the cloud and offer virtually unlimited cloud-based data object storage. This flexibility allows businesses to choose programming models, languages, and operating systems they’re currently using or that are simply better suited for their project.

There are specific security rules within HIPAA that address implementation specifications regarding the encryption of protected health information in transmission (in flight) and in storage (at rest).

The same data encryption mechanisms used in a transitional computing environment, such as local server or a managed hosting server, also can be used in a virtual computing environment. Customers should have the option to have full root access and administrative control over virtual servers.

To protect data during electronic transmission, files containing protected health information should be encrypted using technologies such as 256-bit AES algorithms. Additionally, to reduce the risk to PHI even more and to reduce bandwidth usage, any data, including PHI, not required by applications running in the cloud should be removed prior to transmission.

If requested, a complete firewall solution can be created in the cloud by utilizing the default deny-all mode, which automatically denies all inbound traffic unless the customer opens an EC2 port. Furthermore, administrators are able to set up multiple security groups for enforcing different ingress policies as needed. Each security group can be controlled with a PEM-encoded X.509 certificate and can restrict traffic to each EC2 instance by protocol, service port, or source IP address. There is a great whitepaper from Amazon Web Services that discusses this in detail.

Large-scale server environments such as Amazon or Rackspace often host health-care websites. These companies recommend that either short- or long-term storage data be encrypted before transmission. It’s also suggested not to put any PHI or other sensitive data, including keys, in the metadata. Information can be accessed via Secure Socket Layer (SSL)-encrypted endpoints over the Internet or with assistance from a representative of the hosting company. Complying with these practices help keeps protected health information and other sensitive data safe and secure.

High-Level Protection

Data passing to and from the cloud should be safeguarded with encryption; however, information that comes in contact with administrators or third-party partners might require different control mechanisms.

It’s important to keep a close watch on security policies and processes regarding data and how customers can implement authentication, access consent processes, and audit controls to reduce the risk of compromise. All of these practices are necessary in order to comply with HIPAA’s Security Rule.

This attention to detail allows customers to understand data restriction options to their systems and to carefully monitor their systems for fast alerts and lockdowns in case of threat or attack.

Auditing and Backups

Be sure your servers can run activity log files and audits down to the packet layer on the customers’ virtual servers, just as they would do on standard hardware. Additionally, make sure they can track any IP traffic that reaches the virtual server instance. Additionally, most hosting companies are able to back up log files on your behalf onto the cloud for long-term, reliable storage.

Disaster Recovery Requirements

Under HIPAA, covered entities must have a backup plan to protect information in case of an emergency. Retrievable and exact copies of electronic protected health information (PHI) must be available.

HIPAA’s disaster recovery process of protecting an organization’s data and IT infrastructure are typically one of the more expensive requirements to comply with. Depending on the specific level of security the organization needs, we suggest having a conversation with your hosting company’s representative to ensure you are fully compliant with HIPAA’s web-server requirements.


This article is not intended to constitute legal advice. Professional legal counsel regarding compliance with HIPAA and HITECH should be taken to ensure you and your organization are fully protected. Neither Gravitate nor our partners make any representations or warranties that our services will guarantee compliance with applicable laws, including, but not limited to, HIPAA and HITECH.