Thank you for joining us today with VM Racks. My name is Gil Vidals and I welcome you for the second installation of video series entitled HIPAA hosting. The last time we covered the fundamentals of HIPAA, what it means and how you go about learning more about it and getting started. Today our focus is going to be on the data itself, the Protected Health Information that you’re so concerned about and you want to protect.
I’m going to be drawing some images on the whiteboard so that you can get a better idea as to what we’re talking about. I noticed on the web there’s a lot of information about Protected Health Information and Electronic Health Records but it seems to be little stale. I don’t see a lot of imagery and graphs. I’m going to go ahead and draw a few things for you so you can get a mental picture of what we’re discussing.
First of all let me back up for just a moment and define what we’re talking about. The data we’re specifically addressing here are patient health records known as PHI, Patient Health Information. Some call it ePHI for Electronic Patient Health Information and others refer to it as EHR, Electronic Health Records. The bottom line is that we’re talking electronic digital data. In our world of hosting medical software, we don’t print the records. We don’t worry about that. There are some hospitals of course that are printing records from patients and they have to worry about those things but in this series and in this talk, we’re not worried about the paper trail.
I’m going to first draw a picture of a personal computer that is then at an office for say a doctor, a medical professional. They’re typing in some kind of health information, health record. We’re going to watch it traverse through the internet and finally reach the data center and this is just to draw a path so that you can see all that’s involved and what the different measures that are taken for the data.
Let’s start off. I just drew here a PC and next we’re going to draw the internet. So the health professional’s here. They’re typing in a medical record. The first thing we have to be concerned about is as they’re typing it in, can anyone see what they’re typing in? Can a passerby come by here and view what’s on the screen. We have to make sure that these medical professionals are situated in such a way that the general public can’t walk by a window here or walk around just casually. Other staff members that’s okay, so we have to think about that. The other thing is the screensaver. Once that medical information is on that screen and they decide to go to lunch, they can’t just leave the record there wide open. They should have a screensaver. Typical timeout value is 15 minutes. If no one is touching the keyboard, it goes to screen lock mode. Right away we’re concerned about the security here.
Before it hits the internet, there’s going to be some kind of a firewall that’s placed between this PC and the internet. That firewall is meant to protect anyone from accessing this personal computer from the outside. This can get quite extensive. I’m not going to go into that detail just yet. We’ll cover that a little bit later on. The PHI data, the Protected Health Information, traverses the firewall, hits the internet and it’s going to go across the internet to another point on the internet where it’s going to enter a data center. DC stands for data center. The Protected Health Information is now at this level. Once it hits the data center, there is a firewall and from this firewall it can traverse down into the server.
So this is a simplistic diagram that just shows the traversal of information from the internet to the data center, firewall, server. This is something that you see a lot of hosting providers give you and it’s kind of the default. It’s not enough for Protected Health Information. I’m going to erase part of this and I’m going to draw the pieces that are missing so you can see the difference.
We’re back to the drawing where the PHI data left the PC through the internet and now we’re going to see that it hits the router. The router is where the data center entry point is. Once it hits the router, we see that there is an appliance called the Anti-DOS appliance. Anti-DOS is very important these days as the level of denial of service attacks increases, it’s important for your hosting provider, hosting your medical appliance and application, to have a perimeter device that protects against denial of service attacks otherwise when your clients try to access your application and if that hosting provider is under attack, your clients won’t be able to reach your application. This is an important device.
The other layer is identity protection.There are appliances that can protect based on IP reputation. We call it identity or IP reputation. You can Google that and find out those who sell it but these appliances help filter out the bad, known IP addresses. Those are IP addresses that are used by hackers. They have a bad reputation and this layer will block that.
Finally we get to the firewall. You can see we’ve added a couple of different layers. Once you get to the firewall, here you have the standard rules of who can access what. The firewall is protected by these two outside layers and that’s important because firewalls aren’t good at blocking denial of service attacks and they will go down during an attack so the Anti-DOS appliance is important. Also we don’t want to overwhelm the firewall with doing a lot of IP checking, IP reputation checking. Let’s let the firewall do what it’s good at and that’s opening ports and blocking ports.
In here I drew a square that says server. Finally it hits the server, but this server itself will also have a firewall. We have another firewall on this server where the application is. This firewall, I call it the web application firewall (WAF). It’s different than the other firewall. Its job is to examine the web pages as the request come through. It examines it and it sees if there’s something anomalous. Is the URL too long? Does it have funny characters in it? Are they asking for something that they shouldn’t be asking for on that website, etc? The web application firewall is very good at trapping those kinds of errors and then finally you get to your server where the application lives. The server itself must be hardened. That’s a security term meaning that when the server was built, certain services and ports were opened and others were closed. Those aren’t being used for anything should be closed. So you have server hardening.
This is more of what it looks like for a hosting provider who’s involved in supplying services to keep the site running, to keep it running securely and most importantly to keep it HIPAA compliant. Thank you for joining us today. I look forward to seeing you again.