This is absolutely correct. Your managed hosting company has a portion of the responsibility for HIPAA compliance, which is why we say "Compliance Ready".
An organization has to have its own application-specific needs met: business and process controls, database table obfuscation, etc.
What's important is selecting a provider who has all the hosting needs met to achieve compliance with your auditor and who will execute a business associate agreement as required.
1. Log Management is required for PCI and HIPAA compliance. We use a product called LogLogic and review all required logs on a daily basis and remediate anything that comes up. LogLogic is the solution we put into place: http://www.loglogic.com
2. External vulnerability scans on the application and network layer.
3. Managed A/V protection. We have customers on Windows and Linux. It also detects malware, and trust me, there are enough Linux threats out there as well.
4. GB network connectivity is absolutely correct.
5. Two-factor authentication is something you know (username and password) and something you have (dongle, ID, etc.). Our two-factor is powered by PhoneFactor and is a great way to serve this need.
6. We use other methods to ensure this doesn't happen. (Encryption and Database Monitoring with strict rules).
7. Correct.
8. It's an absolute requirement for an organization going after HIPAA compliance to have a business associate agreement (google it for more info), and we're BAA-friendly, whereas most hosting providers are not.
9. It's redundant, meaning that if there's a physical firewall failure there's no loss in connectivity.
11. We block DDoS attacks every day. Not all of them are high bandwidth. Google "slowloris DoS" and learn more, as an example.
12. Couldn't be more wrong. =)
13. Read #12
14. Congrats for being responsible.
15. Our datacenter meets strict requirements for redundancy and security as would other top facilities.
16. It's a nice security feature and integrates with our two-factor authentication. If your network is open to SSH (or other management ports) there's a lot to discuss.
Regarding the price, shop other managed hosting providers and you will find none that are transparent about what they offer and display pricing. Go ahead and secret-shop them and you will see how low we've priced FireHost's solution.
Also, we have our SAS 70. However, that's going away in favor of the SSAE 16 standard, FYI.
Thanks for responding! Regardless of any debate over the merits of the specific things you guys do, it's clear that you have put a lot of work into your service, and you are at least describing some of what you do, instead of saying, "magic (now with hand waving)".
If you don't mind my asking -- if it doesn't give away any sensitive or proprietary information -- where would you say the majority of the $845/mo is going? Are there tremendous administrative costs, other business expenses (insurance?), or does that actually represent your infrastructure cost?
I work in IT at a health network; specifically doing compliance, audit and IT security. We have to keep logs for decades from every system used to "transmit, store or process ePHI." A LOT of time is spent chasing shadows when a patient thinks someone might have looked at their record.
Sure, there are people who abuse the system, but more time is spent on the false positives. Usually there is an innocent reason someone knows why the concerned patient was in the hospital; like they were shopping for baby clothes and put on a lot of weight recently.
With changes in HITECH, the requirements for reporting are going to get broader, increasing the cost. Some of this can be planned for, but much of it is just man-hours to gather, report and store information.
The longest case I have been involved with is just over 2 years of litigation against a physician. The physician was found innocent, but all of the emails, medical records, voice mails, etc. that might pertain to that specific situation have to be preserved. Access logging is the largest use of disk space in our organization; around several GB per day.
For a hosting organization there is less to save, but there is also additional work in isolating systems. We have a significant investment in datacenter operations and lease the EMR out to specialty practices in our area. Most of the effort with external organizations is talking to their auditor of choice to prove that our systems are secure and isolated, running reports to show who has access to their data or what people did and the extra process to verify each change that affects their information or part of the system. Some of the extra steps are to address Accounting for Disclosures.
The majority of our "costs" are built into our security layers. We're providing DDoS protection, Web Application Firewall protection, managed redundant firewalls, and more. The enterprise-grade technology we purchase is in the seven figures. So for starting at $200 a month (secure server with FireHost) you're protected by seven figures in security equipment. So there are economies of scale which allow us to do this; it just cannot be low-cost.
And as you said, of course the environment is fully managed; we have engineer costs to ensure the integrity of your environment is constantly maintained.
Also, SAS 70 is going away in favor of SSAE 16. Read more here: http://www.csoonline.com/article/622277/sas-70-replacement-s...