A LEMP stack is a collection of applications that work seamlessly together to create a powerful open-source web server. Unlike a LAMP Stack, which uses Apache, a LEMP Stack is powered by Nginx (pronounced Engine-Ex, hence the E in LEMP).
Nginx is about 2.5x faster than Apache for high traffic websites with static content, so if you have a popular website that serves multiple concurrent connections, then Nginx is what you need. The stack is completely free, and Nginx has many additional modules built-in, including the popular reverse proxy.
Best Practice to Secure a HIPAA-Compliant LEMP Stack
Any LEMP stack that will host or process Protected Health Information (PHI) must adhere to the administrative, physical, and technical safeguards of HIPAA to ensure the confidentiality of data uploaded or made available through a website or application.
Linux – Hardening the Operating System
If you are a relative newcomer to Linux, Atlantic.Net recommends you let our one-click LEMP application handle the deployment for you. However, if you want to take the plunge and try it yourself, here is what you need to do:
- Update the operating system monthly
- Utilize the built-in hard drive encryption tools
- Only use very strong passwords, and never reuse passwords within the LEMP stack
- Only use SFTP (encrypted) to transfer files to and from the web server
- Tighten file permissions so that no user other than the intended owner can modify files
- Ensure no system services or applications run as the root user
Nginx Best-Practice Tips
- Ensure Nginx is updated regularly
- Obfuscate Nginx server information from the public
- Enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect over TLS-encrypted HTTPS
- Disable deprecated SSL standards and weak cipher suites
- Disable unwanted modules to reduce the attack surface
- Enforce cross-site scripting (XSS) protection
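The following server block is an added example that ties the tips above together; it is not part of the original article and not the configuration shipped by Atlantic.Net's one-click LEMP image. The hostname `example.com`, the certificate and key paths, the web root and the PHP-FPM socket path are placeholders you would replace with your own. Disabling unwanted modules is a build-time decision (a packaged Nginx shows its compiled-in modules with `nginx -V`), so it does not appear in the configuration itself.

```nginx
# Added example: hardened HTTPS server block for a HIPAA-oriented LEMP host.
# Hostname, certificate paths, web root and FPM socket are placeholders.

# Hide the Nginx version from the Server header and from error pages
server_tokens off;

# Redirect every plain-HTTP request to HTTPS; nothing is served over port 80
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder

    # Offer only modern TLS: SSLv3, TLS 1.0 and TLS 1.1 are never negotiated
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only; no RC4, 3DES, CBC or export ciphers
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS: a browser that has seen this header refuses plain HTTP for a year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Browser-side XSS and clickjacking protections
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    root  /var/www/html;   # placeholder web root
    index index.php;

    # Hand .php requests to PHP-FPM over a local Unix socket
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }

    # Never serve dotfiles such as .env or .git metadata
    location ~ /\. {
        deny all;
    }
}
```

After editing the file, `nginx -t` validates the syntax before a reload. `server_tokens` belongs in the `http` context, so if this block lives in a per-site include the directive can be moved to the main `nginx.conf`. The `always` parameter makes Nginx send the headers on error responses as well, which matters for HSTS.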
MySQL Best Practice
The database is where many users will save protected health information. There are strict regulatory compliance rules regarding the masking and de-identification of data, as well as encryption.
- Invoke MySQL Enterprise Data Masking and De-identification routines
- Data must be encrypted at rest
- Enable SELinux for mandatory access controls to protect the MySQL daemon
- Implement MySQL plugins to authenticate users and restrict access by user, password, and approved IP address
- Enable the MySQL Enterprise Audit plugin for standard, policy-based monitoring and logging of connection and query activity executed on the MySQL servers
PHP Best Practice
PHP is a popular programming language used by websites to generate dynamic content. PHP can run either as an Apache module or as a standalone (Fast)CGI process; Nginx uses the latter. No HIPAA rule addresses PHP directly; instead, the PHP application must enforce access control and transmission security, and browser connections must be encrypted.
- Ensure PHP is kept up-to-date
- Use PHP to hash and verify all passwords entered by users; bcrypt is included with PHP 7 onwards
- Use PHP to enforce a user registration system and deny access to unauthorized users
- Use PHP to protect against cross-site scripting (XSS) and cross-site request forgery (CSRF)
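The script below is an added example, written for this page rather than taken from the article or from any Atlantic.Net image, showing the three PHP items above in working code: bcrypt hashing and verification, a CSRF token tied to the user's session, and output escaping against XSS. The `$tokenStore` array stands in for `$_SESSION` so the script can be run from the command line; in a real application the token would be stored in the session.

```php
<?php
// Added example (not from the original page): password storage, CSRF tokens
// and output escaping for a PHP application on a LEMP stack.
declare(strict_types=1);

// --- Password storage -------------------------------------------------------
// password_hash() uses bcrypt by default and embeds a random salt in the hash,
// so two users with the same password still get different stored values.
const BCRYPT_COST = 12;

function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $plain, string $storedHash): bool
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    // If the cost has been raised since the hash was stored, rehash on login
    // and persist the new value (persistence is left to the caller).
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = hashPassword($plain);
        // store $newHash for this user here
    }
    return true;
}

// --- CSRF tokens -------------------------------------------------------------
// $tokenStore stands in for $_SESSION; the token is 256 bits from a CSPRNG.
function issueCsrfToken(array &$tokenStore): string
{
    $token = bin2hex(random_bytes(32));
    $tokenStore['csrf'] = $token;
    return $token;
}

function validateCsrfToken(array $tokenStore, ?string $submitted): bool
{
    if (!isset($tokenStore['csrf']) || $submitted === null) {
        return false;
    }
    // hash_equals() compares in constant time, so a forged token leaks
    // nothing about the real one through response timing.
    return hash_equals($tokenStore['csrf'], $submitted);
}

// --- Output escaping against XSS --------------------------------------------
// Every untrusted value rendered into HTML goes through this helper.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demonstration ------------------------------------------------------------
$store = [];

$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));   // correct password
var_dump(verifyPassword('wrong password', $hash));                 // wrong password

$token = issueCsrfToken($store);
// In a form template the token is embedded as a hidden field:
//   <input type="hidden" name="csrf" value="<?= e($token) ?>">
var_dump(validateCsrfToken($store, $token));     // token from the real form
var_dump(validateCsrfToken($store, 'forged'));   // token an attacker guessed

// A constructed hostile input rendered through the escaping helper
echo e('<script>alert(1)</script>'), PHP_EOL;
```

Run it with `php example.php`. The bcrypt cost of 12 is a deliberate choice: raising it makes offline guessing of a leaked hash slower, and `password_needs_rehash()` lets you raise it later without forcing password resets.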
Ready to get started with setting up a HIPAA-Compliant LEMP Stack? Choose Atlantic.Net for a one-click LEMP installation that will set you well on your way to a HIPAA-Compliant LEMP Server – get started today!