Sensitive Information

NewCloud Networks is aware that some of our customers require HIPAA and PCI compliant environments to support their business efforts. The compliant hosting environments are designed so that NewCloud Networks takes a “hands off” approach when it comes to what you do with your servers. To help you maintain your own state of compliance, this document details which actions NewCloud Networks takes and on which systems, so that you can design complementary management and monitoring practices that leave no compliance gaps.

Introduction to Information Types and Compliance

While there are numerous types of regulations and standards, this document refers largely to HIPAA and PCI compliance as it applies to medical and financial information. HIPAA is concerned with Protected Health Information (PHI), which is defined as “any information, whether oral or recorded in any form or medium, that–

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

The Payment Card Industry (PCI) defines PCI data as any data that includes a primary account number (such as a credit card number) as well as any supporting data stored with the primary data.

Both PCI and HIPAA requirements are met within the hosting environment insofar as our services run. Because of the “hands off” approach we take, respecting your privacy with regard to what you do with servers hosted on our virtual infrastructure, we are not able to manage all of the PCI and HIPAA requirements. We expect you to familiarize yourself with the expectations of your customers, auditors, and business practices, and to use this guide to supplement your own compliance efforts.

Security Actions Performed on Your Behalf

The environment in which your server is hosted includes a virtual infrastructure that communicates with the Internet through internal and external firewalls. This environment is managed by our NOC employees who work on a dedicated internal network that is also isolated via internal and external firewalls.

The Virtual Infrastructure is:

  • Hardened according to the VMware vShield hardening guidelines
  • Patched on a monthly basis
  • Scanned for vulnerabilities on a monthly basis
  • Logged centrally and monitored via the Security Event and Incident Management (SEIM) system
  • Backed up offsite and encrypted on a daily basis (virtual machines)

The Network Infrastructure and NOC environments are:

  • Hardened according to the CIS guidelines
  • Patched on a monthly basis
  • Scanned for vulnerabilities on a monthly basis
  • Protected by intrusion detection and prevention systems
  • Logged centrally and monitored via the Security Event and Incident Management (SEIM) system

The NOC employees are:

  • Re-verified on a monthly basis
  • Trained on data sensitivity issues upon hire and re-trained annually
  • Trained quarterly with incident response exercises
  • Trained annually with disaster recovery exercises

Verification efforts include:

  • Real-time log review with daily alarm investigation; critical alarms are investigated in real time
  • External verification by an Approved Scanning Vendor (ASV). NOTE: Customer servers are not scanned unless this service is requested of NewCloud Networks
  • Annual internal and external penetration testing. NOTE: Customer servers are not tested unless this service is requested of NewCloud Networks
  • Annual risk assessment
  • Annual physical review

Security Actions Available

NewCloud Networks recognizes that HIPAA and PCI compliance can be difficult for some customers to achieve, even under the secured and streamlined environment that we offer. If requested, NewCloud Networks can provide the following services for your server(s). If you wish any of these services added to your account, please contact us at +1 (855) 255-5001 or

Managed ASV scanning

  • PCI-compliant servers must be scanned quarterly by an Approved Scanning Vendor (ASV). If desired, your servers may be added to the ASV process that we use to protect our own environment.

Managed penetration testing

  • PCI-compliant servers must have an annual penetration test run against them. For HIPAA-compliant environments, this activity is suggested but not required. If desired, your servers may be added to our annual penetration testing efforts.

Managed patching

  • PCI-compliant environments must be patched on a monthly basis. HIPAA-compliant environments must be patched, though a schedule is not rigidly defined. If desired, our engineers can patch your servers for you.

Managed log review

  • Both PCI and HIPAA rules require regular log review. If desired, NewCloud Networks could add your system logs to our log monitoring practice, in a dedicated and restricted environment. This would allow all alarms to be managed by our help desk and vetted as true concerns before you were alerted.

Managed hardening

  • By default, all servers are provided as a standardized build of Windows or Linux, as this meets most of our customers’ requirements for low to moderate security. If desired, a customized, hardened server may be provided instead. We can harden servers to CIS, DISA STIG, FDCC, USGCB, and Microsoft standards.

Managed anti-malware

  • PCI-compliant environments must run an anti-virus system that is checked regularly. If desired, your servers could be protected with our anti-virus software and monitored by our NOC.

Managed data detection

  • Though not required under PCI or HIPAA, many organizations have found that the use of data indexing and monitoring technology can be helpful to ensure that data is not accidentally leaving the hosted environment. If desired, NewCloud Networks may further protect your secured environment with a service that watches data as it leaves and alerts if indexed data (data you identify as sensitive) or known data types (such as credit card data or social security numbers) are detected.


Customers should take great care to protect the transmittal and dissemination of PHI and PCI data. NewCloud Networks is not liable for loss of or improper dissemination of customer’s data. NewCloud Networks provides the infrastructure and security to protect customer’s data within the NewCloud infrastructure. Any transit of data outside of that infrastructure must be safeguarded and protected by the customer.

Logging and data retention are required for all aspects of maintaining and safeguarding sensitive data. NewCloud Networks also takes significant measures to implement and maintain system and firewall logs for our infrastructure environment. As required by the customer’s own contractual and data retention requirements with their customers, vendors, and partners, it is also highly suggested that the customer implement their own secured data retention and logging policy. NewCloud Networks is neither responsible nor liable for the customer’s Protected Health data retention and system logs.