Every time we discuss HIPAA server security issues it opens a debate about where is the best place to keep your servers.  There are three options that we are going to discuss today. Should I use a local, data center, or cloud server under HIPAA?

Help Me With HIPAA by HIPAA For MSPs Should I use a local, data center, or cloud server?

Today’s topic

Should I use a local, data center, or cloud server?

New breach announcement

Breach Announcement By Surgical Dermatology Group in Birmingham, Alabama

On June 7, 2017, Surgical Dermatology Group in Birmingham, Alabama (“SDG”) received notice from its cloud hosting and server management provider, TekLinks, Inc., of a security breach at its Birmingham facility that hosts our server. We immediately initiated an investigation and learned that external hackers had gained access to our server possibly as far back as March 23, 2017. TekLinks has assured us that all unauthorized access was terminated on May 1, 2017 and that monitoring by TekLinks from April 22, 2017 through May 1, 2017 showed no further malicious activity during that time period. SDG has worked with the assistance of third-party forensic investigators to determine the full nature and scope of the security incident and to confirm the security of its servers and the integrity of its patient information. We are taking additional steps to ensure the privacy and security of its patients’ information including contacting the Federal Bureau of Investigation.

TekLinks statement concerning the breach

According to the statement, TekLinks' infrastructure was not breached, and there is no evidence that any files were actually exfiltrated or viewed during the attack. The incident combined two common cyberattack strategies: a brute force attack on an external customer server, and ransomware. Brute force refers to a trial-and-error hacking method that attempts to decode encrypted data such as passwords or PINs. Ransomware is software designed to lock data in exchange for a ransom to release the data.

“This incident targeted a small number of our customers,” added Akerhielm in the statement. “We are proud of our technical team who identified this threat and remediated the situation quickly. While there is no guaranteed protection for internet-based systems, we are continually focused on ways to improve threat detection and response.”
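The TekLinks statement says the intrusion started with a brute force attack on a customer's externally reachable server. Whichever of the three hosting options you choose, someone has to watch the authentication logs for that pattern. The script below is an added illustration for this discussion, not code from the podcast, from TekLinks, or from SDG: it reads sshd-style "Failed password" / "Accepted password" lines (the sample lines are constructed, with documentation-range IP addresses), flags any source address that accumulates a configurable number of failures inside a short time window, and separately flags a later successful login from an address that was already flagged, which is the event that turns a noisy attempt into a likely compromise. The log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an sshd/syslog style (not real log data).
# The first host sees five failures in a few seconds, then a success;
# the second sees one failure and a success 25 minutes later (normal typo).
SAMPLE_LOG = """\
Jun  1 02:14:01 srv01 sshd[4021]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Jun  1 02:14:03 srv01 sshd[4021]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Jun  1 02:14:05 srv01 sshd[4021]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Jun  1 02:14:06 srv01 sshd[4021]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jun  1 02:14:08 srv01 sshd[4021]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Jun  1 02:14:10 srv01 sshd[4021]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
Jun  1 02:20:00 srv01 sshd[4101]: Failed password for jsmith from 198.51.100.20 port 41000 ssh2
Jun  1 02:45:00 srv01 sshd[4150]: Accepted password for jsmith from 198.51.100.20 port 41001 ssh2
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted> password for [invalid user ]<user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2017):
    """Return (timestamp, result, user, ip) for an auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits a 'brute_force' alert the first time a source IP reaches `threshold`
    failed logins within `window_seconds`, and a 'success_after_brute_force'
    alert if that same IP later authenticates successfully.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        window = recent_failures[ip]
        if result == "Failed":
            window.append(ts)
            # Drop failures that have aged out of the window.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "failures": len(window), "last_seen": ts})
        elif ip in flagged:
            # A success from an address already flagged is the event to escalate.
            alerts.append({"kind": "success_after_brute_force", "ip": ip,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports two alerts for 203.0.113.7 (five failures inside the window, then a successful login) and nothing for 198.51.100.20. In practice the same check belongs wherever the server lives: on a local server it is your log review, in a data center it is still yours, and with a cloud provider it is one of the monitoring duties you should confirm the provider actually performs before you rely on it.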

The reaction many people have is, "That is why we should keep our server at our office, where we can control it." Is that really the answer? There are pros and cons to every decision. Let's look at some of them.

First, let's be clear. We will not be digging into tech details here. Don't send us all kinds of messages about what we missed or should have included. This is a high-level discussion. If you are an uber-tech person, don't tune out. You probably need to learn how to discuss things at this level anyway.


Definitions:

  • Local server – one you keep in your offices and control everything about it.
    • I build my own house on my own property that I own
  • Data center – where you have your own devices but you store them at a facility that takes care of physical security, high-speed connections, generators, etc.
    • I build my own house in a gated community
  • Cloud server – you buy access to a server that is “built” on the equipment that a cloud service provider runs. Thousands of servers are running in their huge data center but they are mostly virtual servers running on physical servers.
    • I live in a high-rise condo that I have options to fully furnish if I want.

One thing in general that you should consider is whether your cyber insurance provider prefers one of these over the others. It is worth asking them if they see them differently. We expect that this may become more important as cyber insurance policies continue to evolve.


Local server

I build my own house on my own property that I own

Pros

  • You have complete control
  • You don't pay a monthly fee; you buy it one time
  • It is usually very fast if you are working locally

Cons

  • You are responsible for the physical security
  • You are responsible for having the available network connections at your site so that all of your interfaces and remote access can take place as needed
  • You are responsible for the management of access to the server and how the network traffic to and from it is secured
  • You are responsible for keeping all of the software including OS and apps up to date with all security updates and settings
  • You must carry the maintenance on the hardware to make sure it is repaired quickly
  • You have to be sure it is backed up properly and that your disaster recovery (DR) and business continuity (BC) plans include how it will be moved or replaced
  • You must budget for all the maintenance above and plan for upgrades to all of the software and hardware at appropriate times.

Data center

I build my own house in a gated community

Pros

  • You still have control of the hardware
  • You outsource the physical access controls
  • You outsource the remote access controls
  • You pay a monthly fee here, but it covers your internet connection plus much more, so you offset some of the other costs

Cons

  • You are responsible for the management of access to the server and how the network traffic to and from it is secured
  • You are responsible for keeping all of the software including OS and apps up to date with all security updates and settings
  • You must carry the maintenance on the hardware to make sure it is repaired quickly
  • You have to be sure it is backed up properly and your DR and BC plans include how that will be moved or replaced
  • You must budget for all the maintenance above and plan for upgrades to all of the software and hardware at appropriate times.
  • You must properly vet and continue to review the third party

Cloud server

I live in a high-rise condo that I have options to fully furnish if I want.

Pros

  • You outsource almost all of the management: the OS, apps, physical security and network access controls on your server, with the DR and BC portions taken care of as part of the deal
  • Ability to spin up another server if needed
  • Ability to add memory and storage as needed
  • Tech support for the server is built into your monthly fees

Cons

  • You always pay a monthly fee
  • You must have adequate connectivity to the server in the cloud to handle the traffic that will flow to and from it.
  • You must properly vet and continue to review the third party

The decision between local, data center or cloud servers is not an easy one. Each organization should spend appropriate time and effort in a thorough risk analysis to determine what is reasonable and appropriate in their environment. We touched on the pros and cons to consider in general terms, but you may have other concerns relating to your business model, partnerships, applications, etc. Clearly, it is worth the time to make the right decision, not just A decision.