This week on the HIPAA Vault show, we delve into the complex landscape of HIPAA compliance, especially when it comes to service providers like GoDaddy. Is GoDaddy HIPAA compliant? It’s a question that many in the healthcare sector find themselves asking, given the critical nature of following HIPAA regulations. We unpack this nuanced topic by examining GoDaddy’s offerings, particularly highlighting that their HIPAA compliance is conditional, depending on the specific products or services being used. Specifically, we explore how GoDaddy’s Business Associate Agreement (BAA) applies only to their Office 365 Email offerings, leaving their website hosting services outside the compliance boundary.

We also guide our viewers through the essential components required to make a website truly HIPAA compliant, touching on crucial elements such as data encryption, access controls, audit trails, backup and disaster recovery, and physical security. The episode emphasizes that achieving compliance is an ongoing journey, involving not just technical solutions but also employee training and the establishment of effective policies and procedures.

Transcript:


Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined, as always, by the CTO and founder of HIPAA Vault, Mister Gil Vidals. 


Gil
Hey, Adam. It sounded like you were introducing a champion boxer, like, "And in this corner, we have Gil Vidals, the master boxer." But I’ll take it. How are you doing? 


Adam
Yeah, absolutely great. Yeah. I think I’ve said it so many times, I try and switch it up a little bit, just for my own sanity. Maybe I need to change the intro a little bit on the next episode and we’ll see how that goes. Keep it interesting. Right? 


Gil
Yeah. 


Adam
So what we’re going to dive into today, the main topic, is: is GoDaddy HIPAA compliant? But before we do, we’ve got our weekly intro segment, which is the breach of the week. So let’s take a look at that and our breach of the week as I pull it up here on screen. Valley Oaks Health reports 50,000 records data breach. 


Gil
Ouch. Ouch. 


Adam
Yeah. March 18, Valley Oaks Health filed a notice of data breach with the attorney general of Massachusetts. 50,352 individuals notified. Here’s the documents that they filed. The notice of data breach, fairly redacted, obviously, for privacy concerns, but, yeah, the. The interesting part of this is it states that unauthorized individuals gained access to parts of the network between June 8, 2023, and June 13, 2023. It confirmed that while it didn’t go into too much specifics, it did confirm that names have been exposed along with security, Social Security numbers, and, you know, the usual complementary credit monitoring services have been offered. 


Gil
Does it mention, Adam, if this wasn’t a breach from an employee, or was it an external attack? 


Adam
It doesn’t go into too much details other than to say unauthorized individuals gained access. It is fairly early in the like. They’ve only just submitted the data breach. So it’s still developing as a story. 


Gil
Yeah, unauthorized access, that’s the key buzzword, because if someone’s authorized to access the data, but then they copy that data to a drive, a USB drive, and they walk out and they quit. They’re a disgruntled employee. That’s it. That’s a different type of case, because they are authorized. Let’s say they’ve worked there for ten years and they have access to all that PHI data. But then they got mad with their boss, the manager, and they decided, hey, I’m going to screw this company. I’m going to take the patient information and put it on a USB drive and I’m going to publish it on the Internet or I’m going to sell it or whatever. That’s an interesting case because that one, you can’t say that’s unauthorized. They are authorized, but they’re not authorized to steal the data. But they are authorized to access the data. 


Gil
So just kind of food for thought. Unfortunately, I can’t tell from that phrase. 


Adam
Yeah. 


Gil
If it was an employee or someone. 


Adam
From password stolen, device stolen. 


Gil
Can’t really tell. But it’s bad news either way, because I remember the day where I was surprised when I’d read these things and it was happening. I don’t know, I can’t remember how often, but it was happening a lot less frequently than now. And even then I was like, oh, my gosh, I can’t believe another one. But now they happen every day. Like, every day. You can read one of these. 


Adam
Yeah, agreed. I mean, good for us. Right. In terms of the research and in terms of the work that we do. Like, when I look for the most, I often look for the most interesting or largest breach to, you know, talk about. But there’s no shortage of breaches every week. 


Gil
So. Yeah, it’s concerning. Yeah, it is concerning. And we’ve already. We won’t rehash what we talk about when we mention these, about calculating the cost for handling the identity, what do they call that, identity monitoring service. The credit service and credit monitoring. Yeah. But I do think that in this case, when it talks about the data being taken and we don’t know how they got in there, what happened. But in the past, we’ve seen a pattern where many of these companies have a server that’s running Windows, and that server has some kind of remote access. It’s a remote access server so that people from outside the company can use that service to log in. Kind of like a VPN, but it’s a little different than that. 


Gil
Anyway, some of these services have these security vulnerabilities, and then the hacker, the bad guy, gets into this server that’s set up for accessing all the assets of the company, and they’re able to abuse that. So we’ve seen many cases of that. But it’ll be interesting if we found out a little bit more detail about this one someday. 


Adam
Yeah, definitely. And although I agree we don’t want to rehash how much the costs are here, I almost think, like, maybe what we should lead with instead of, and maybe people that report on this the way they should lead in terms of the headline, instead of saying, x number of records were breached. They should say x. Millions of dollars worth of data was breached because that really hits home a lot more than just individual numbers, Mike. 


Gil
Yeah. Well, I wonder how these credit bureaus and identity management monitoring companies are doing. I should maybe buy some stock in Equifax or TransUnion. I don’t know the names of these companies actually. They’re doing the monitoring. I bet they’re doing okay. 


Adam
Yeah. If you got 50,000 records and we multiply it like we do by ten as an estimate, that’s half a million. Just, just for the credit monitoring services. And that’s for probably a year. 


Gil
Yeah. 


Adam
Longer. 


Gil
Yeah. Maybe I will look at some stocks. Focus on it. I mean, it sounds like it’s like we’re making. If I did that and let’s say the stock went up, it’s kind of sad. I mean, yeah, I picked a good stock because we’re the know, we have, we’re on the inside track. But these companies would be making really good money because it’s all digital. It doesn’t really cost them any hard dollars once they have this platform built. Yeah. They’re not having to, you know, put a lot of money into it. So it’s kind of a money maker, in other words. 


Adam
Right. 


Gil
They’re just cranking it out. And these companies that are paying for this, they tap into their insurance company and they say, hey, yeah, we need two, three, four million, and they get the check. And so they are expected to spend it. So in other words, it’s not a sale, like a typical sale where you argue or you compare. No, no. It’s like, here’s the money. We need this. We buy law by demand. We have to do it. And they just write the check. Right. 


Adam
So listeners, viewers, you heard it here first, not financial advice, but if you’re looking for stock to pick credit monitoring services and cyber insurance companies. 


Gil
Yeah. 


Adam
All right. So diving in on the GoDaddy front, the question we’re answering this week is: is GoDaddy HIPAA compliant? As an introduction, if you haven’t heard of GoDaddy, first of all, where have you been? But GoDaddy is one of the largest hosting companies on earth. It handles website hosting. It also does email hosting and a bunch of other services. And the question, is it HIPAA compliant? We have to break that down a little bit. GoDaddy, the brand itself. No brand is HIPAA compliant in itself. The question really relates to the products that they’re offering and the solutions and services they’re offering. So, for example, those two top solutions that we just talked about, email and website hosting, we can break down a little further. 


Adam
Before we get into that, Gil, give us an idea on the website front what it takes to offer HIPAA compliance services for websites. 


Gil
Yeah, that’s good. And I’m glad that you brought this up about GoDaddy and whether they, I do want to say, in line with your comments, that even a company as big as Google that has extremely good security, they even publish a list of what services they have that are compliant. And not every single service they have is HIPAA compliant. They have some they leave out. So that’s why, like, when somebody says, Google, HIPAA compliant, I say, well, a ton of their services are, yes, but not every single one. 


Adam
So, so the BAA, you touched on that. 


Gil
Yeah, so, yeah, the BAA. So Google does sign a BAA with HIPAA Vault and other companies that are in that space. But you were actually looking into the BAA. 


Adam
And I looked into it and it covers their email products, but I didn’t see any mention of it on the website side. 


Gil
Okay, well, one reason that GoDaddy doesn’t play, and again, I’m putting words in their mouth because I’m just, as a businessman and a company owner, I know that running a HIPAA compliant service is far more costly. And GoDaddy is big. They want to make money based on volume. And things would slow down to a crawl if they started having to really work with compliance. So on the web, to keep it at a high level, on the web services side, you have to have certain things in place that you can automate so that you don’t have to have somebody running around doing it manually. So there’s certain security measures you can take that automate, but then you have stuff that’s more manual. Like, for example, a compliance team that has vigilance over reports, that there are scanners. 


Gil
You have some automated scanning that scans the website, and then you have to analyze that scan and say, hey, what’s vulnerable here and how do we fix it? So that usually at this level requires some engineers. It’s not like AI can just do all this magic. You’ve got to actually have real engineers that are looking at this stuff. So there is a human capital that I think is still at this day and age, maybe two years from now, we’ll look back and laugh and say, just like Amazon got rid of all their warehouse employees and they just have a bunch of robots, maybe in two or three or four years, we’ll look back and say, oh yeah, HIPAA compliance is easy. Now we just flip a switch and it’s working. But right now we’re not there yet, I can tell you that. 


Adam
Yeah, yeah. I think if we boil it down to the nuts and bolts or the server, my understanding, and correct me if I’m wrong, is that access control plays a key point when it comes to hosting. And with GoDaddy, if they have one server that’s hosting multiple websites for different customers, they may be able to secure that. But the fact that it’s on the same server could lead to potential problems on the HIPAA side if, because of the negligence of one customer, the rest of the customers’ data was breached. So that might play into also why they don’t provide a BAA. 


Gil
Well, that’s a valid point, Adam, because if you have what you’re describing as a multi-tenant environment, yes, then you could have some challenges there because one bad site that did get compromised could affect the other sites on there. It could, for example, an attack is happening and now it slows down that server. So all those sites on that server are affected, and if they compromise the server, then they didn’t compromise just one account, they could compromise all the accounts on that server. So multi-tenancy is something that, for example, HIPAA Vault, we shy away from multi-tenancy because we don’t want to have that scenario. We’d rather separate our customers so that if something bad happens, it affects one customer, not 20 or 30. 


Adam
I think we could probably at this point conclusively say that, when we’re answering the question, is GoDaddy HIPAA compliant, on the email side, if you’re using the email products that are covered under the BAA, then yes, it is HIPAA compliant. And if you’re hosting a website with them, then the BAA does not cover that. And so the website would not be HIPAA compliant. Now that’s not to say that if you’re a startup and you have a simple website that is not capturing any data and it’s really just there for brochure work that you couldn’t use GoDaddy, because in that case you wouldn’t need HIPAA compliance. 


Gil
Yeah, yeah, that’s a good word. It’s brochureware: if it’s just a bunch of pretty pictures and your company address and stuff, then it’s all public information, right? All that stuff’s public information, so there’s nothing for the bad guys to steal. So save your money, go to GoDaddy and you’re fine. But if you do edge up towards sensitive data, by edge up, I mean, even if you’re not hosting patient records, but let’s say you are scheduling appointments with your, if you’re a therapist and you’re scheduling appointments with your clients, then in that scenario that becomes more sensitive and technically not HIPAA compliant. But you’re starting to edge up on the, wait a minute, they can steal my patient’s name or email address, and you don’t even want that. That’s just not good business. 


Gil
So you may want to, at that juncture, start to think about moving to a more compliant space. Yeah. So that’s how I would think about it. As the risk goes up for your business, that’s when you need to decide, hey, I need to spend a little bit more money on security, I should do that. And it’s always risk and reward. I mean, that’s something we actually don’t talk about. Probably enough, Adam, is it’s all risk reward. Like, if you, let’s say you own or you’re, let’s say you’re a dad or a mom, you’re in our audience and you have a teenager and your teenager says, hey, mom, dad, I’m 16, I got my driver’s license. And you’re like, oh, my gosh, you know, my kid wants to drive. 


Gil
And you look in your garage and you’ve got your brand new Mercedes, a brand new Tesla, and then out back, you have this old Toyota from 1972 that’s rusted. That’s the car you’re going to give your kid. Number one, it’s a truck, so it’s safe, it’s strong, but number two, the insurance will be much cheaper, much cheaper on an old rusted Toyota 4Runner. And you can let your kid run that. But see, you evaluated the risk and reward. You want your kid to be safe. You don’t want them to get in an accident, get hurt, but at the same time, you don’t want to pay a premium for him driving your new Tesla or Mercedes. So you’re always evaluating risk and reward, and it’s the same thing with your business and the digital business. You’ll say, okay, I have a website. 


Gil
How much should I pay to secure that site? What’s it worth to me right now? And if it’s just brochureware, certain places like GoDaddy, no problem. But as you get more sensitive data in your website, you need to notch it up a bit and start paying more for the security. 


Adam
I hope that gives a good overview of GoDaddy and whether it’s HIPAA compliant. Do drop us a like if you enjoyed this video and share it as well. 


Gil
Was there, besides the email, which we did find is HIPAA compliant if it’s under their BAA, was there any other service that it claims is HIPAA compliant? 


Adam
As far as I can see, it’s just the email, through their Office 365 email. 


Gil
Yeah, got it. All right. 


Adam
Fantastic. If you have any questions, drop us a comment or reach out to us at podcast@hipaavault.com. And until next time, thanks for stopping by. 


Gil
All right, see you later.