Our shared hosting packages and SmarterMail hosting packages are not HIPAA, FIPS, or FISMA compliant. However, our VPS and dedicated server offerings can meet these requirements if you have the knowledge required to manage a server and secure it to the level these security standards demand.

Organizations handling protected health information, federal systems, or requiring validated cryptography cannot risk non-compliance. Shared environments lack the isolation and configurability these standards demand, while self-managed VPS or dedicated servers place full responsibility on the administrator to implement and document controls.

#Overview of HIPAA, FIPS, and FISMA Requirements

HIPAA mandates safeguards for protected health information including encryption of data at rest and in transit, access controls, audit logging, and breach notification procedures. FIPS 140-2 and 140-3 define security requirements for cryptographic modules used to protect sensitive information. FISMA requires implementation of NIST controls covering the full spectrum of information security: identification and authentication, auditing, continuous monitoring, incident response, and configuration management.

Meeting any of these standards typically requires sole control over the operating system, the ability to install and configure specific security agents, and the capacity to produce evidence of consistent policy enforcement. These cannot be guaranteed across a shared hosting platform used by hundreds of unrelated customers.

#Limitations of Shared Hosting and SmarterMail

Shared infrastructure runs multiple customer sites on the same Windows servers with common IIS application pools, shared SQL instances where applicable, and standardized security baselines. This model optimizes cost and ease of use but prevents per-customer customization of kernel-level settings, firewall rules, or cryptographic providers. ASPnix maintains uniform patching and configuration across all shared accounts to ensure stability for the entire platform.

  • No administrative access to the underlying Windows OS or IIS configuration
  • Shared network addresses and storage preventing dedicated encryption scopes
  • Restricted ability to deploy host-based intrusion detection or custom audit tools
  • Standardized account isolation that cannot be modified to match auditor checklists

#Using VPS and Dedicated Servers for Compliance

VPS and dedicated servers provide full administrator or root-equivalent access, allowing you to harden the Windows Server installation, configure role-based access, enable FIPS-validated cryptography, and implement the logging and monitoring required by these standards. Success depends entirely on your team's ability to maintain the server, apply patches promptly, and document every control.

#Key Areas to Address

  • OS hardening: disable unnecessary services, enforce strong password policies, and implement least-privilege administration
  • Encryption: deploy BitLocker for volumes, enforce TLS 1.2/1.3 only, and use FIPS-validated cipher suites
  • Auditing and monitoring: forward Windows event logs to a SIEM, enable object access auditing, and retain logs for the required period
  • Patching and vulnerability management: establish a documented schedule for Windows updates and application security patches
For example, enabling FIPS mode system-wide (the "System cryptography: Use FIPS compliant algorithms" policy) comes down to a single registry value:

```powershell
# Enable the FIPS algorithm policy. Windows Server 2008 and later read it from the
# FipsAlgorithmPolicy subkey under Lsa (value name "Enabled"), not from a value
# named FIPSAlgorithmPolicy directly under Lsa as older Windows versions did.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" /v Enabled /t REG_DWORD /d 1 /f

# After enabling, reboot and verify with (expected: Enabled : 1):
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name "Enabled"
```

Enabling FIPS mode affects the entire system and can break applications relying on non-compliant algorithms. Test thoroughly in a staging environment before production use. Similar registry and Group Policy settings exist for other required controls.
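As an added example that is not part of the original article, the following PowerShell script reads the settings behind three of the controls listed above (FIPS mode, a TLS 1.2-only Schannel configuration, and object access auditing) and writes a dated pass/fail report that can serve as one of the evidence artifacts auditors request. It assumes the Windows Server 2019/2022 registry layout, the English-language audit subcategory name, and an elevated session.

```powershell
# Added example (not the article's or ASPnix's own code). Assumes Windows Server
# 2019/2022 registry paths and an elevated PowerShell session.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent so "not configured" shows in the report.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ServerProtocol {
    param([string]$Protocol, [bool]$ShouldBeEnabled)
    $key      = Join-Path $Schannel "$Protocol\Server"
    $enabled  = Get-RegDword $key 'Enabled'
    $disabled = Get-RegDword $key 'DisabledByDefault'
    # A legacy protocol counts as disabled only when it is disabled explicitly;
    # relying on OS defaults leaves nothing for an auditor to inspect.
    $pass = if ($ShouldBeEnabled) { ($enabled -ne 0) -and ($disabled -ne 1) }
            else                  { ($enabled -eq 0) -and ($disabled -eq 1) }
    [pscustomobject]@{
        Control  = "$Protocol (server side)"
        Expected = $(if ($ShouldBeEnabled) { 'enabled' } else { 'explicitly disabled' })
        Pass     = $pass
        Detail   = "Enabled=$enabled DisabledByDefault=$disabled"
    }
}

function Test-FipsPolicy {
    $value = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    [pscustomobject]@{ Control = 'FIPS algorithm policy'; Expected = 'Enabled=1'
                       Pass = ($value -eq 1); Detail = "Enabled=$value" }
}

function Test-ObjectAccessAuditing {
    # auditpol /r emits CSV; 'Inclusion Setting' reads "No Auditing" when the
    # subcategory is off. The subcategory name is the English one (localized elsewhere).
    $row = (auditpol /get /subcategory:"File System" /r) | Where-Object { $_ } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{ Control = 'File System object access auditing'; Expected = 'Success and Failure'
                       Pass = ($setting -eq 'Success and Failure'); Detail = "$setting" }
}

$report = @(
    Test-FipsPolicy
    Test-ServerProtocol 'TLS 1.0' $false
    Test-ServerProtocol 'TLS 1.1' $false
    Test-ServerProtocol 'TLS 1.2' $true
    Test-ObjectAccessAuditing
)
$report | Format-Table -AutoSize
# File the dated CSV with the change record; repeated runs show consistent enforcement over time.
$report | Export-Csv -Path "compliance-check-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

Extend the `$report` array with the other settings your control set requires (cipher suite order, password policy, event forwarding) so one script produces the full evidence bundle on every audit cycle.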

#Common Pitfalls and Practical Considerations

  • Treating the VPS as a set-and-forget instance instead of maintaining continuous configuration management
  • Missing required documentation and evidence artifacts that auditors will request during assessment
  • Overlooking network-level controls such as NSGs, private VLANs, or encrypted backup processes

Compliance is not a one-time setup. Plan for regular internal audits, vulnerability scanning, and third-party validation. Official guidance is available from NIST publications (SP 800-53, SP 800-171) and HHS resources for HIPAA. Our support team can assist with infrastructure provisioning and basic Windows Server guidance, but the responsibility for implementing and validating compliant configurations rests with you.

Takeaway: Choose shared hosting only for workloads that do not require these certifications. For regulated data, deploy on VPS or dedicated servers and budget for the expertise or consultants needed to secure and document the environment to meet auditor expectations.