Compliance Hosting: HIPAA Hosting, SSAE 16 & SAS 70 Data Centers
Our compliance hosting partners specialize in hosting solutions that meet the strict requirements of various high-end fields – financial, medical and the government sector, for example. When it comes to compliance hosting, also known as compliant hosting, we provide you with access, information and pricing on industry-leading providers who offer hosting services specializing in your highly regulated field.
By having access to industry-leading compliant hosting providers, your company will always be compliant with the law in terms of physical hardware, data encryption and long-term data storage. Every company we work with meets the compliant hosting standards set out by HIPAA hosting, PCI DSS, SOX and FISMA.
Compliant Hosting Solutions
Under compliant hosting, certifications are awarded to providers to rank their level of compliance with the law. The two levels of ranking are SAS 70 and SSAE 16.
SAS 70 Data Center Audits
SAS 70, or Statement on Auditing Standards No. 70, is a set of guidelines applied to audits conducted on web hosting facilities to determine their compliance with industry regulatory laws. Audits are conducted in two ways: a Type I audit covers the overall operational controls of a facility, and a Type II audit examines the effectiveness of those controls over a given period of time. Typically that period of time is six months to a year.
SSAE 16 Data Center Audits
SSAE 16 hosting is the updated version of SAS 70. SSAE 16 is a newer set of guidelines which verify whether a web hosting facility is up to par with the legal regulations of a certain industry, determining its level of compliance. The audits are still conducted in two phases, covering the overall operational controls of the facility and the way in which those controls hold up over a given period of time.
With SSAE 16, the hosting company has to supply a written statement to the SSAE 16 auditor describing the overall infrastructure system. The description has to cover all the services provided by the vendor and all the infrastructure-related activities that may have a direct impact on a client’s service.
According to SSAE 16, the service provider must formally attest that the provided document accurately describes all control objectives over the given period of time.
As mentioned above, the types of hosting which are regulated by SAS 70 and SSAE 16 are HIPAA, PCI DSS, SOX and FISMA.
HIPAA hosting is the set of guidelines and regulations which hosting companies must follow if they want to be compliant with the Health Insurance Portability and Accountability Act of 1996. The act, updated in the 2000s, lays out the regulations for medical and healthcare providers, explaining how patient records can be kept, accessed, encrypted and secured, and how patient records move from one location to the next. In addition, HIPAA-compliant web hosting companies are responsible for maintaining patient records for an extended period of time, in case those records need to be opened for legal matters.
Most HIPAA-compliant hosting providers recommend that their clients use either single-server or multiple-server configurations with:
- Stringent Cisco Firewalls
- Physically locked data center cabinets/racks
- Fully managed servers with 24/7/365 support
- Geographically diverse data backup plans
- Web based servers with standalone database server configurations
- Hot swappable disk chassis
- RAID configurations applied to all utilized hardware
PCI DSS Hosting
PCI DSS hosting, or Payment Card Industry Data Security Standard hosting, is a set of rules and regulations which define how a colocation company must control and protect customer financial data. The regulations apply to the major banking card brands – Visa, MasterCard, American Express, Discover and JCB.
The regulations do not apply to brands without a major logo. Compliance is determined annually by a QSA (Qualified Security Assessor) or a SAQ (Self-Assessment Questionnaire). A QSA assessment applies to companies and institutions dealing with large volumes of card transactions, while a SAQ applies to companies handling a smaller volume of card transactions.
There are twelve specific control objectives a web hosting organization must meet for compliance:
- All networks must be protected by strict firewall regulations
- All passwords and defined security parameters must be custom, and not a product of vendor-supplied default settings
Protect Cardholder Data
- All cardholder data must be protected at all times
- All cardholder data must remain encrypted at all times when traveling within public networks
Threat Assessment Program
- All anti-virus and malware protection must be kept current and in-use at all times
- All systems, applications and created infrastructures must be kept secure at all times
Strong Access Systems
- Cardholder data should only be accessible on a business need-to-know basis
- All persons with access to cardholder data must be assigned a unique ID, for the express purpose of tracking that person’s interactions with cardholder data
- All cardholder data must be physically restricted
- All access to cardholder data must be tracked and monitored 24/7/365
- All security systems designed to protect cardholder data must be tested on a regular basis
- Information security policies must be in place
Most PCI DSS-compliant hosting companies offer a wide range of server infrastructure solutions that meet the PCI DSS regulations. Much like HIPAA-compliant hosting, PCI DSS hosting typically means fully managed colocation servers, or a network of private cloud servers with encrypted transmission and stringent firewall access controls.
SOX Compliant Hosting
SOX compliant hosting is based on the Sarbanes-Oxley Act of 2002. The act established several regulations applied to financial practices, in order to protect against fraud. The SOX act stipulates how long records must be retained (typically five years), the type of business records which must be stored, and the conditions under which those records need to be stored.
The SOX act mostly applies to financial companies that are in charge of keeping their clients’ financial data for an extended period of time. The three rules of SOX which impact web hosting companies are the preservation and accuracy of all electronic records, the length of time for which all client financial data must be kept, and the type of business records, including communications, which must be stored.
To ensure SOX regulations are met, all financial data must be kept with a web hosting company that uses data centers audited under SSAE 16 (SOC 1) and SOC 2.
In terms of specific web hosting criteria, we recommend utilizing a provider who:
- Supplies 24/7/365 support
- Supplies data center diversification for data backups
- Supplies managed dedicated server solutions and long term colocation options
- Supplies encrypted private cloud networks so that financial data is transmitted within a secure environment
- Supplies a high-availability SLA
FISMA Compliant Hosting
FISMA, or the Federal Information Security Management Act of 2002, is the framework of laws which determines how government information, operations and assets are protected. FISMA oversees the following:
- Standards for categorizing information and information systems by mission impact
- Standards for minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining security control effectiveness
- Guidance for the security authorization of information systems
- Guidance for monitoring the security controls and the security authorization of information systems
In terms of FISMA-compliant web hosting, most companies offer a dual compliance strategy consisting of private cloud servers and dedicated hosting solutions. Both options provide increased stability within a network, foster higher levels of data protection infrastructure, and maintain data encryption both on the hardware and during virtual data transmission.