Web Hosting - Restricted Data, PCI, HIPAA
The Web Hosting Service has designated Linux and Windows hosting platforms that are specifically designed to secure restricted data, as defined by the Office of Cybersecurity.
These platforms are more secure for several reasons:
- They reside on designated restricted data sub-nets and have more restrictive firewall rules. For example, Web-based access to the Administrative Control Panel, Secure FTP publishing, and MySQL databases are exclusive to the static IP addresses of the developers requiring access.
- Individual administrative accounts (Secure FTP, Admin Control Panel, etc.) are supplied to each developer who will require access.
- Additional security software tools are used to monitor the restricted data platforms.
- All sites are required to use TLS/SSL certificates and encrypt server-client data transactions.
- Web applications are segregated. For example - Each website on the restricted Windows/IIS and Linux/Apache platforms runs under dedicated application pools.
Hosting Restricted Data
Hosting restricted data requires special precautions. If your site needs to handle restricted data, you must sign up for a Platinum Service Level account.
In addition, before your web hosting account is in production a review with Office of CyberSecurity staff and DoIT's Web Hosting team will take place.
It is incumbent upon the restricted data account contacts to apprise the Web Hosting Service as to when a staff member with access, no longer requires access--we will remove the account(s) and firewall access and update our records.
-- The restricted data platforms are NOT fully PCI compliant to process, store or transmit credit card data directly but offer limited PCI compliance for storefronts that send the processing of the credit card payment to the E-Commerce provider. UW-Madison departments with E-Commerce needs are directed to utilize the CashNet service provided by Business Services.
- The restricted data platform is NOT fully compliant with HIPAA security standards. However, if patient data is de-identified per the policy https://policy.wisc.edu/library/UW-114 and doesn't fall under full HIPAA it can be accommodated.
- De-identification using HIPAA’s Safe Harbor method must be verified by the HIPAA privacy officer (or individuals designated by the HIPAA privacy officer), a HIPAA privacy coordinator, or the School of Medicine and Public Health’s honest broker (or individuals designated by the SMPH honest broker) when the data will be disclosed outside of UW–Madison or the UW HCC.
- We recommend reviewing these FAQ's and if any clarification is required for HIPAA it should be addressed with the Office of Compliance: https://compliance.wisc.edu/hipaa/
- See Approved Tools for Exchanging and Storing PHI