HIPAA Data Centers, Cloud and Colocation – HIPAA or the Health Insurance Portability and Accountability Act, provides a set of extremely strict standards for securing medical information. To be certified, a data center must comply with several steps including training, government audits, reporting, and guarantees for data security. Any breach of these standards could result in hefty fines and penalties. HIPAA Law provides the basic level of privacy and security in a unified manner throughout the country.
These days we hear a lot about “The Cloud”. Everyone is moving to the Cloud, or so they say. But what about enterprise organizations where restrictions on data integrity and confidentiality are governed by strict standards? Standards such as 
HIPAA make moving to the Cloud very difficult. An organization would need to guarantee security of their data at every point of data movement. Any “insecure” connection between data origin and data destination opens the organization to the potential of a data breach, and is therefore a recipe for disaster.
HIPAA Data Centers Location
There is hope. HIPAA Data centers and colocation facilities provide private, caged environments where hospitals and medical organizations store their data for off-site backup such as hot and cold backup sites. HIPAA compliant data centers provide these organization with a guaranteed level of data security and ease of mind.
Data centers provide physical security in terms of access restrictions with biometrics, man traps, monitoring, and fraud detection. Data centers provide network security through use of firewalls and switch ACLs (access control lists) to protect health data as it is transmitted. If there is a data breach, HIPAA compliant data centers are required by law to report any detected data breaches. Hospitals, insurance companies, medical billing organizations, and vision/dental/medical care providers all are required by HIPAA to make sure the confidentiality and integrity of their data.
One of the biggest concerns of medical organizations is availability of data. It would not be a good thing if a patient undergoing treatment is told they cannot be operated on because “the systems are down”. Data centers use backup power systems such as generators and very large UPS systems to insure power remains steady during a primary power system blackout.
In the event of a fire, data centers use a variety of fire suppression systems to isolate the source of the fire and immediately suppress the fire through use of chemical and air restriction systems such as FM-200. A HIPAA compliant data center undergoes an audit for both power and fire suppression systems.
Another concern of HIPAA for medical information security is a requirement of constant vulnerability and risk assessment. Data centers with managed services provide regular vulnerability assessments to give medical organizations up-to-date reports on the status of the vulnerability of their systems to specific threats, if found. These reports are then used to determine a risk assessment strategy which allows the medical organization to work with the Managed Services team of a data center to overcome or accept the risk.
HIPAA data centers have technical, physical, and organizational guidelines, restrictions, and safeguards. But they will also have administrative safeguards such as:
- Security Incident Procedures
- Information Access Management
- Security Awareness and Training
- Assigned Security Responsibility
- Workforce Security
- Business Associate Agreements (for data center Vendors and Consultants)
- Contingency and Business Continuity Plans
With these in mind, there are a few options for keeping costs down. Some hospitals keep a hot site backup, meaning all medical data moves nearly instantly to another site or disaster recover site. Facilities also use cold site backup where medical data is moved at less frequent intervals such as daily or weekly, depending on how the organization determines risk.
HIPAA Data Centers compliance for hot or even cold backup sites is difficult to achieve, but not impossible. A direct, private network between the organization’s primary data facility and their disaster recovery colocation site at a data center ensures medical data is kept private.
How does a medical organization keep data private using the Cloud? The solutions provided so far are very difficult to become HIPAA compliant. If a company is offering HIPAA compliant cloud services for medical organizations such as hospitals, medical insurance companies, dental/vision/medical care providers, or extended health facilities, be sure to ask for a HIPAA compliance report. Chances are, your organization will stick with or choose to use a colocation site instead. You can learn more about this on the detailed posts about insurgence security on OneSureInsurance.co.uk, be well informed and well protected.
Additional Information
HIPPA on Wikipedia
PDF to determine if you are a “Covered Entity”.
Health Information Privacy
www.DataCenterAndColocation.com is a free service provided to clients for selecting the right data center or colocation facility for their requirements. DataCenterAndColocation is one of the largest colocation site consulting firms in the United States. They represent approximately 3000 data centers and colocation centers. At no cost to clients, they identify specific space, location, power and security requirements, solicit proposals, professionally analyze the responses, compare the strengths and weaknesses, negotiate pricing and deliver highly competitive bids for colocation. They also perform comparative analysis for in-house vs. design build services, wholesale data center space and data connectivity.