By Gil Vidals, , HIPAA Blog, Resources

Of all the things that make up a website, the most basic and low-level is the webserver. This is the application that serves the hypertext markup language (otherwise known as HTML) content to the user and makes a document that lives on a server somewhere viewable by a user with a web browser.

Hypertext Transfer Protocol (HTTP) and HTML are the two protocols that make up a webpage. The term ‘web server’ can refer to two things: the actual physical server where the HTML documents reside, or the program that serves these documents to the public. In most cases, web servers (the program) also have many other functions in addition to just serving the content. The benefits and drawbacks of each type of web server are often in these nuances.

When it comes to HIPAA compliant hosting, the nature of the implementation can affect the decision of which webserver to choose. By far, the most common two types are Internet Information Services (IIS) and Apache. While IIS is developed by Microsoft and is closed-source, a paid license is required to use the product and Microsoft technical support is provided.

Apache, on the other hand, is an open-source software project. This means that the code for the webserver is freely available to be developed and improved upon by the community, and because of this, Apache is often more versatile and potentially supports more features.

However, because of the Open Source nature of the project, there is no guarantee or support if something were to go wrong. It is also worth noting that Open Source software does not have licensing fees and is free to use and distribute whereas IIS requires purchasing a license from Microsoft. As of 2014, Apache has a 38.6% share of all publicly-facing websites but IIS only has 31.1%. Clearly, the two pieces of software are matched particularly closely in terms of popularity.

When choosing between Web Servers, it is imperative to look at the task to be performed and gauge the requirements of the software based on the scenarios to be encountered.

Choosing between IIS and Apache could dictate the hosting environment. IIS will only run on Windows servers; though Apache can run on both Windows and Linux, traditionally it is used with the Linux/Apache/MySQL/Python configuration (also called the LAMP stack).

Linux servers are often faster and consume fewer resources than Windows systems. If the web application used for development will call on any of the components of a LAMP stack, it’s often best to use Apache as the designated web server. Apache can be further pared down by using only those modules that the web application actually requires. Apache is also known to be very modular and can work well in both small/simple and large/complex implementations.

Many believe that Apache is more secure than IIS because Microsoft has a known reputation as a popular malware target, plus community interaction enables quicker fixing of vulnerabilities in Open Source projects.

If Windows-based software (such as .NET, ASPX, or Windows SQL) is used instead of Linux, then IIS would certainly be a better choice. Many people consider a closed-source application with support to be a more enterprise-ready tool. Theoretically, the quality control on a corporate application is more stringent, which many believe leads to a more stable solution. IIS is used in many large-scale applications, primarily by Microsoft, such as Bing and Live.com.

When it comes to HIPAA hosting in particular, security is obviously of the utmost concern. Protected health information (PHI) should never be available in an insecure manner when being served by a public-facing website, as this could result in hefty fines.

But a web server can still be used to serve PHI data through a health portal, such as an e-care database or doctor-communication tool. In this situation, the choice between IIS and Apache is not an easy one.

There are different viewpoints for what design principles make a piece of software more secure. Secure Socket Layer (SSL), the most widely-used encryption software in the world, was considered bulletproof and the de facto standard for many years, but recently was compromised via the Heartbleed bug. OpenSSL is the most common implementation of the protocol and is an Open Source project.

On the other hand, Windows is a piece of closed-source, corporate-developed software, but because of its ubiquity (and perhaps its design) is known to be less secure than other operating systems. Ultimately, the best idea is to look at the situation in which an application will require a web server, and weigh the options between these two contenders based on the factors that are deemed most important.