HIPAA Hosting in 2026: Key Findings
In 2025, large-scale healthcare breaches affected more than 35 million people, according to TechTarget.
The 10 largest incidents alone exposed over 20 million records, with organizations such as Yale New Haven Health, Episource and DaVita among those targeted.
As more healthcare moves online, cyberattacks have become routine threats with serious operational fallout. Boardrooms are left managing crisis response while IT teams race to protect patient data.
According to Pete Cannata, COO of Atlantic.Net, a cloud provider specializing in HIPAA-compliant infrastructure, the healthcare sector is at risk as it holds some of the most classified data in the world.
And unfortunately, attackers know this.
“The numbers tell a story that healthcare teams know too well, where breach frequency has climbed, hacking has surged, and record exposure has exploded,” Cannata says.
Editor's Note: This is a sponsored article created in partnership with Atlantic.Net.
“And while incident counts may fluctuate year-to-year, the trend over the last decade shows a sector under sustained digital siege.
“This means that infrastructure must be evaluated with far more scrutiny than a compliance checkbox,” Cannata says.
Who is Pete Cannata?
Cannata is the Chief Operating Officer at Atlantic.Net, a leading cloud and hosting provider based in Orlando. He oversees global operations across the company’s data centers, driving scalability, efficiency, and customer success. With deep expertise in IT services, infrastructure, and compliance, Cannata helps deliver secure, high-performance cloud solutions for healthcare, finance, and tech clients.
The Numbers Behind Healthcare’s Breach Pandemic
According to the HIPAA Journal, large-scale breaches involving 500+ healthcare records have become a persistent reality.
Between 2009 and 2024, nearly 6,800 of these breaches were reported to the Office for Civil Rights.
These breaches impacted nearly 847 million individuals, which equates to more than 2.6 times the U.S. population.
In 2018, these breaches were reported at roughly one per day; by 2023, that rate had climbed to 1.99 per day.
That’s an average of nearly 365,000 records per day.
In 2024, despite incident counts remaining similar, the impact surged.
So much so that nearly 277,000,000 individuals had their health information exposed, which averages to nearly 760,000 affected records per day.
The evidence is clear that healthcare breaches are no longer isolated IT incidents but have become mass data-exposure events that are happening at scale.
“The trend shows that while incident volumes are leveling off or dropping, the criticality of these events continues to climb. In other words, fewer attacks, but they hit much harder,” explains Cannata.
“And this places increased pressure on hosting providers to demonstrate safeguards that can withstand real-world scrutiny and not just contract signatures.”
ePHI Protection Starts With Specifics
As Electronic Protected Health Information (ePHI) continues to be targeted, IT leaders can’t afford vague compliance claims from hosting providers.
Hosts can no longer simply state that they’re HIPAA compliant, with IT leaders needing proof to substantiate this.
This includes tested safeguards, documented processes, and infrastructure designed to survive both cyber risk and audit scrutiny.
“These must be anchored in specifics such as network isolation, encryption that extends to backups, monitoring that never sleeps, recovery plans tested under fire, and offboarding processes built to leave nothing behind,” Cannata explains.
Cannata’s 30 years of experience in compliance-driven cloud and infrastructure hosting have led him to believe that healthcare organisations need to change how they evaluate hosting providers.
“One of the biggest misconceptions is that some healthcare organizations assume that HIPAA-compliant hosting means that compliance is solved,” Cannata says.
“However, in reality, it's a shared responsibility, and it’s constantly evolving.”
10 Questions Every Healthcare IT Leader Should Ask
Interviews with compliance officers who represent infrastructure providers continuously reveal the same failure points.
These include encryption that doesn’t extend to backups, segmentation that can’t be demonstrated, logs that exist but can’t be produced, and offboarding practices that leave forensic or logical residue behind.
To avoid these outcomes, Cannata advises IT leaders to vet hosts using questions that demand precision.
1. How do you guarantee PHI isolation at the physical, network, and administrative layers?
Look for answers that clearly explain layered controls.
At a minimum, this should include dual-factor data centre access, segmented network environments, default-deny firewall policies, strict role separation for administrators, and auditable privileged actions.
“If isolation is described without architectural or procedural specifics, the answer is incomplete,” says Cannata. “Make sure to clearly review and verify, as you are responsible for the approval of the final design, not the provider.”
2. What encryption standards are enforced for data at rest and in transit, including backups, snapshots, and replicas?
Strong responses should explicitly reference AES-256 encryption for storage at rest, and TLS 1.2 or higher for data in transit, with modern cipher support and blocking of legacy or insecure protocols.
Cannata adds that encryption must apply to backups, snapshots, and disaster recovery (DR) replicas, not only primary storage.
“The response should also include access controls, tight firewall policies, and logging for key operations.”
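The policy this question describes (TLS 1.2 or higher, modern ciphers, legacy protocols blocked) can be both enforced and checked in code. The following Python example is added here and is not Atlantic.Net's code; it builds a server-side TLS context under an assumed policy (TLS 1.2+, forward-secret AEAD suites only), audits the suites that context actually enables, and evaluates a few constructed connection records of the kind a TLS-terminating proxy might log. The cipher string, the weak-token list and the sample records are assumptions, not values from the article.

```python
import ssl

# Protocol names as reported by ssl.SSLSocket.version() or written into connection logs.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Tokens that mark a cipher suite as legacy or insecure. A bare "SHA" token means an
# HMAC-SHA1 CBC suite (e.g. ECDHE-RSA-AES128-SHA); SHA256/SHA384 tokens are fine.
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "SEED", "IDEA", "ANON", "SHA"}


def cipher_tokens(name: str) -> set[str]:
    """Split an OpenSSL (ECDHE-RSA-AES256-GCM-SHA384) or IANA (TLS_AES_256_GCM_SHA384) name into tokens."""
    return set(name.replace("_", "-").split("-"))


def is_weak_cipher(name: str) -> bool:
    return bool(cipher_tokens(name) & WEAK_TOKENS)


def build_hardened_context() -> ssl.SSLContext:
    """Server context implementing the assumed policy: TLS 1.2+ only, forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    # Only ECDHE/DHE key exchange (forward secrecy) with AES-GCM or ChaCha20-Poly1305 (assumed policy).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list[str]:
    """Names of enabled suites that violate the policy; an empty list is the expected result."""
    return sorted(c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"]))


def check_connection(record: dict) -> list[str]:
    """Evaluate one negotiated connection record against the policy and return its violations."""
    findings = []
    if record["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {record['protocol']}")
    if is_weak_cipher(record["cipher"]):
        findings.append(f"weak cipher {record['cipher']}")
    return findings


def audit_connections(records: list[dict]) -> dict[str, list[str]]:
    """Map each client with at least one violation to its findings."""
    return {r["client"]: check_connection(r) for r in records if check_connection(r)}


# Constructed connection records (not real log data), as a TLS-terminating proxy might log them.
SAMPLE_CONNECTIONS = [
    {"client": "10.20.4.12", "protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
    {"client": "10.20.4.13", "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"client": "203.0.113.9", "protocol": "TLSv1", "cipher": "ECDHE-RSA-AES128-SHA"},
    {"client": "203.0.113.10", "protocol": "TLSv1.2", "cipher": "DES-CBC3-SHA"},
]


if __name__ == "__main__":
    ctx = build_hardened_context()
    print("minimum version:", ctx.minimum_version.name, "| weak suites enabled:", weak_ciphers_enabled(ctx))
    for client, findings in audit_connections(SAMPLE_CONNECTIONS).items():
        print(client, "->", "; ".join(findings))
```

The context audit is the evidence a host can hand over for this question; the record check is what you run over the proxy's connection logs afterwards to confirm that the policy is not only configured but actually observed, and the two constructed violations show the output format for a legacy-protocol client and a legacy-cipher client.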
3. What monitoring systems are used to detect anomalies, unauthorised access, or integrity changes 24/7?
Expect clear mention of centralised log ingestion, defined alert sources, continuous monitoring, escalation ownership, and structured incident response playbooks.
Any reference to monitoring that cannot be explained in terms of tooling, coverage, or accountability is a red flag.
4. Do you offer dedicated or bare metal environments, and will core HIPAA controls remain consistent during a scale-out?
Responses should clearly explain whether the host offers dedicated or bare metal hosting for high-sensitivity workloads.
Furthermore, they must confirm that safeguards like encryption, identity access, logging, backup and DR, audit support, and incident response remain consistent across all architectures.
“While isolation differences can exist, compliance control cannot disappear during growth transitions,” explains Cannata.
5. How is compliance risk minimised during migration into dedicated or bare metal environments, and how is downtime avoided?
Look for answers describing parallel environment builds, encrypted asynchronous data movement, and integrity verification.
This must also include a live cutover strategy aligned to RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
Migration without encryption guarantees or formal cutover planning is unacceptable for ePHI workloads.
6. How do you protect healthcare workloads that extend into AI/ML, portals, telehealth, or imaging systems handling ePHI?
“A green-flag answer should demonstrate real healthcare fluency,” says Cannata.
“These include credential-abuse risks, privilege boundaries, exfiltration paths, secure jump hosts, web application firewalls (WAF), micro-segmentation, de-identification options for analytics, and a clear understanding that safeguards must evolve as workloads do.”
7. What redundancy is built into the environment, and how often are restores and DR failovers tested?
Expect responses that clearly cover power redundancy (UPS + generator), network failover, environmental controls like HVAC, redundancy for firewalls and storage systems, encrypted backups, optional cross-site replication, documented DR plans, and scheduled DR and restore testing.
Having backups is not enough, and restores must be tested on a cadence that can be proven.
8. How is anomaly detection audited, how is ownership assigned, and how are logs retained for forensics?
Cannata adds that good answers should clearly explain audit-log availability, the detail level of log events, centralisation into a SIEM, alert triage, containment authority, and long-term forensic log retention.
Furthermore, monitoring needs to go deeper, with full visibility into the systems it covers.
This means using logs, metrics, and traces together to detect, investigate, and respond to threats proactively, understanding why an event happened and not just what happened, which in turn improves threat detection, incident response, and overall security posture.
It moves beyond simple alerts to provide context for anomalies, revealing system behaviour and potential attack surfaces and enabling faster, more data-driven security decisions.
“Scattered logs or unassigned alerts are major failure points in compliance investigations,” Cannata says.
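Questions 3 and 8 both ask for monitoring that can be explained in terms of tooling, coverage and accountability: which alert sources exist, what they fire on, and who owns the escalation. The example below is added here and is not code from Atlantic.Net or the article; it runs three such detections over a handful of constructed audit log lines in a simple key=value format and attaches an owner to every alert from a routing table. The log format, the thresholds, the action names (login, phi_read, role_change) and the team names in the routing table are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system). One event per line, key=value fields.
SAMPLE_LOG = """\
2026-01-14T02:17:03Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=FAIL
2026-01-14T02:17:09Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=FAIL
2026-01-14T02:17:15Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=FAIL
2026-01-14T02:17:21Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=FAIL
2026-01-14T02:17:27Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=FAIL
2026-01-14T02:17:40Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=login result=OK
2026-01-14T02:18:02Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1001 result=OK
2026-01-14T02:18:10Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1002 result=OK
2026-01-14T02:18:18Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1003 result=OK
2026-01-14T02:18:26Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1004 result=OK
2026-01-14T02:18:34Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1005 result=OK
2026-01-14T02:18:42Z host=ehr-app-01 user=jdoe src=203.0.113.45 action=phi_read resource=patient/1006 result=OK
2026-01-14T02:19:30Z host=ehr-app-01 user=admin01 src=10.20.0.8 action=role_change target=jdoe new_role=admin result=OK
2026-01-14T09:05:11Z host=ehr-app-01 user=nurse7 src=10.20.4.12 action=login result=OK
2026-01-14T09:06:00Z host=ehr-app-01 user=nurse7 src=10.20.4.12 action=phi_read resource=patient/2002 result=OK
"""

# Escalation ownership: the team paged for each detection (assumed names; this is the
# "who owns the alert" answer the question asks for).
ROUTING = {
    "auth_bruteforce": "soc-tier1",
    "login_after_failures": "soc-tier1",
    "bulk_phi_access": "privacy-officer",
    "priv_change": "it-security-lead",
}


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def make_alert(kind: str, ev: dict, **extra) -> dict:
    return {"kind": kind, "owner": ROUTING[kind], "ts": ev["ts"].isoformat(),
            "user": ev.get("user"), "src": ev.get("src"), **extra}


def detect(lines, fail_threshold=5, fail_window=timedelta(minutes=5),
           bulk_threshold=5, bulk_window=timedelta(minutes=10)) -> list[dict]:
    """Sliding-window detections over an ordered event stream; each condition alerts once."""
    alerts = []
    fails = defaultdict(deque)      # src -> timestamps of failed logins inside fail_window
    flagged_srcs = set()
    reads = defaultdict(deque)      # user -> (ts, resource) of ePHI reads inside bulk_window
    flagged_users = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        action, result = ev.get("action"), ev.get("result")
        if action == "login":
            window = fails[ev["src"]]
            if result == "FAIL":
                window.append(ev["ts"])
                while window and ev["ts"] - window[0] > fail_window:
                    window.popleft()
                if len(window) >= fail_threshold and ev["src"] not in flagged_srcs:
                    flagged_srcs.add(ev["src"])
                    alerts.append(make_alert("auth_bruteforce", ev, count=len(window)))
            elif result == "OK" and ev["src"] in flagged_srcs:
                # A success from a source that was just brute-forcing is a credential-compromise indicator.
                alerts.append(make_alert("login_after_failures", ev))
        elif action == "phi_read":
            window = reads[ev["user"]]
            window.append((ev["ts"], ev["resource"]))
            while window and ev["ts"] - window[0][0] > bulk_window:
                window.popleft()
            distinct = {resource for _, resource in window}
            if len(distinct) >= bulk_threshold and ev["user"] not in flagged_users:
                flagged_users.add(ev["user"])
                alerts.append(make_alert("bulk_phi_access", ev, count=len(distinct)))
        elif action == "role_change":
            # Privileged actions are always surfaced, whatever the volume.
            alerts.append(make_alert("priv_change", ev, target=ev["target"], new_role=ev["new_role"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert['owner']}] {alert['kind']} ts={alert['ts']} user={alert['user']} src={alert['src']}")
```

Run against the constructed lines, this produces four alerts (the failed-login burst, the success that follows it, the bulk record access, and the role change) and nothing for the ordinary nurse7 activity; the point for a vendor review is that each alert carries a named owner and a window of evidence, which is exactly what a scattered-logs or unassigned-alerts setup cannot produce.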
9. What audit support do you provide during HIPAA investigations or formal reviews?
Green-flag answers will reference technical evidence sharing, HIPAA control mappings, architecture narratives, access to subject matter experts (SMEs) for auditor or regulator calls, and a clear explanation of accountability boundaries.
Audit support that excludes narrative or evidence-level collaboration is incomplete.
10. What happens when we leave, and how is data exported, validated, and destroyed, including logical assets like backups and snapshots?
The safest answers should include encrypted data export via VPN or SFTP, integrity validation via hashes or checksums, NIST-aligned media sanitisation or destruction, scheduled purging of logical data (snapshots, backups, object storage), and destruction logs or certificates when required.
Offboarding must cover all logical and physical data assets, not only primary storage.
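The "integrity validation via hashes or checksums" step of an offboarding export can be made concrete. The Python example below is added here and is not Atlantic.Net's code: it builds a SHA-256 manifest for an export tree in the same text format `sha256sum -c` reads, parses that manifest back as the receiving side would, and verifies the tree, reporting files that are missing, modified or unexpected. The `demo()` function creates a constructed export directory with placeholder content, validates it, then corrupts it and validates again; the file names and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash large exports in 1 MiB chunks instead of reading them whole


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def format_manifest(manifest: dict[str, str]) -> str:
    """sha256sum-compatible text ("<hex>  <path>" per line) so the receiver can also run `sha256sum -c`."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> dict[str, str]:
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def verify_manifest(root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk with the manifest; all three lists empty means the export is intact."""
    actual = build_manifest(root)
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo() -> tuple[dict, dict]:
    """Build a constructed export tree, validate it, then corrupt it and validate again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients.csv").write_bytes(b"id,dob\n1001,1970-01-01\n")      # constructed data
        (root / "backups").mkdir()
        (root / "backups" / "snap-2026-01-14.tar").write_bytes(b"\x00" * 4096)  # constructed data
        # Round-trip through the text format, as the receiving side would read it.
        manifest = parse_manifest(format_manifest(build_manifest(root)))
        clean = verify_manifest(root, manifest)
        # Simulate a bad transfer: one file altered, one missing, one extra.
        (root / "patients.csv").write_bytes(b"id,dob\n1001,1970-01-02\n")
        (root / "backups" / "snap-2026-01-14.tar").unlink()
        (root / "stray.tmp").write_bytes(b"x")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean export:", clean)
    print("after corruption:", tampered)
```

Hashes alone detect accidental corruption in transit; for the manifest to also serve as evidence that nothing was altered on the way, it has to travel separately from the data (for example over the VPN or SFTP channel the article mentions, or signed), and the same manifest is what the provider's destruction log should later reference so that every exported asset can be matched to a purge record.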
The Strategic Role of Due Diligence
“If a provider answers vaguely, dodges documentation, or leans on non-existent certifications, the conversation should stop.
“However, if they encourage you to validate their claims through logs, encryption tests, network segmentation walkthroughs, restore cadences, and offboarding certificates, then and only then have you found the right provider,” says Cannata.
In the end, HIPAA hosting isn’t about simply choosing a vendor, but choosing the right partner with the ability to substantiate and prove every answer, every control, every time.