SAN MARCOS, Calif. (PRWEB)
November 03, 2020
WordPress leads the global content management market, with over 450 million sites worldwide. As such, it has become a highly visible target for malicious attacks.
WordPress healthcare sites are especially prized, as hackers seek to gain access to server resources and protected health information (PHI) for illicit gain. Outdated versions of WordPress and insecure plugins invite infiltration; spam emails, rogue advertisements, and botnet attacks can also lead to devastating data breaches. Costly fines, lawsuits, loss of business, and damaged reputations can all result.
Configuring WordPress for HIPAA compliance is therefore indispensable for protecting healthcare organizations and their patients.
It’s Bigger than Your Site
It’s essential to understand that HIPAA security controls include administrative, physical, and technical aspects which extend to organizations as a whole. In other words, a secure website first depends upon these important security controls being ingrained in your organization’s policies and procedures.
Since HIPAA compliance is best understood as a process and not a one-time event, a regular (monthly) gap remediation process that includes identification of security flaws, as well as remediation (corrective actions) with reporting is invaluable. This is an important extension of a regular risk assessment, which seeks to identify all risks to PHI:
Securing Your WordPress Site
With this foundation, securing your WordPress website can broadly be covered under 3 headings:
1) A secure infrastructure
2) Assigning appropriate permissions/maintaining logs, and
3) Providing in-depth layers of defense.
1) A Secure Infrastructure
Keeping PHI secure depends upon a HIPAA-compliant infrastructure, one which will secure your data in-transit and at-rest with data-loss preventions built-in. Since such infrastructure is complex to build and maintain, it is best to leverage the expertise of a proven HIPAA host who will sign a Business Associates Agreement with you.
Note: A BAA is a HIPAA-mandated, legal contract that confirms a patient’s data will be kept confidential, both in transit and in storage on all servers. The BAA will not be with WordPress; however, you will need a BAA with your HIPAA hosting company or any business associate that handles PHI on your behalf. If your site is dedicated to blogging or providing general health information unrelated to specific patients, a BAA is not required.
In accordance with the HIPAA Security Standard, a HIPAA-compliant host will help set administrator controls to authenticate user-access to the environment. These will include:
Unique User Ids for WordPress users (Required)
Encryption and decryption for end-to-end protections (Addressable)
Automatic logoff controls (Addressable)
Emergency access (Required)
Unique User Ids
A system of unique user IDs and complex passwords for all users helps to authenticate and control user-access to the environment. Once the appropriate access and permissions are set for your team (see below), the admins can help set these unique user IDs. Secure procedures for login and logout should also be in play.
Encryption and Decryption
Sensitive medical data needs strong, end-to-end privacy protections. Numerous breaches have occurred because devices containing unencrypted PHI – including mobile phones and laptops – have either been lost or stolen. Encryption protects your data by replacing it with ciphertext, making it unreadable until decrypted. Note: A WordPress database that will be used to store sensitive PHI – including text, images, and videos – must also be encrypted.
Automatic Logoff Controls
Logoffs – either manual or automatic – should always be performed when a workstation is unattended. Using a screensaver that locks your desktop after a period of time will help also prevent unauthorized access to PHI.
Emergency Access
To maintain high data availability – a requirement of HIPAA – a HIPAA Compliant host should have a secondary data center to which they can sync the backups of your site (and site’s databases). It is “HIPAA best practice” to specify who will have emergency access to your data in the event of a disaster.
2) Assigning Appropriate Permissions and Maintaining logs
Assigning appropriate permissions to your WordPress site(s) should involve the principle of least privilege – an application of the HIPAA Privacy Rule. Basically, this helps to limit access, by assigning permissions based on which individuals and associated covered entities truly require access to PHI, and which do not.
Once permissions are established, ensuring strong password policies is also vital. Password complexity helps prevent brute-force attacks, as username/password combinations are still the most common target for attack. A password manager tool can be of great help here.
A HIPAA hosting provider that offers server log management for auditing of access is also critical; these records should identify who has attempted to access PHI on your server(s) and what they’ve accessed – both failed and successful log-in attempts – as well as any security event or malicious software. Security Event and Information Management (SEIM) tools are typically employed for this, and the logs must be kept for a minimum of six years.
3) Providing in-depth (or layers) of defense
Ensuring in-depth defense of your WordPress site requires multiple layers of security. For example, the HIPAA Security Rule prescribes the use of physical safeguards which would protect a web server with PHI on it from unauthorized intrusion, as well as natural and environmental hazards. Locked doors, restricted area warning signs, cameras, alarms, etc. are all used to protect equipment that handles PHI.
An ideal host for HIPAA compliant WordPress is a Managed Security Service Provider (MSSP). An MSSP will provide additional layers of advanced security protections for your site, like standard and application firewalls, Anti-DDoS Management, Custom IP Reputation, Host-based Intrusion Detection, Advanced Security Rules, Real-time OS security patches and upgrades, and Log Analysis. All of these work together to thwart potential threats and keep your WordPress application safe.
Protected Database
A general rule is the less sensitive data you have on your site the better; this decreases the opportunity for data to be compromised in an attack. An ideal solution for this is to utilize a host encrypted database with a dedicated IP Address, separate from where the content resides. Since your data is stored offsite, it remains secure even if your personal computer fails.
Plugins
Finally, WordPress security can be significantly expanded by the use of trusted plugins. A plugin is essentially a piece of PHP software that is meant to integrate with your site and add new features. Since not all plugins come from trustworthy sources (there are thousands of free plugins, and thousands more sold by various companies) review of all plugins should be part of your ongoing risk assessments, and care must be taken to ensure the latest version and compatibility.
One plugin we’d especially recommend is the Two-Factor Authentication (2FA) plugin. 2FA helps to avoid a single-point-of-failure in the sign-on process by requiring the addition of a one-time passcode (OTP) to be entered.
Conclusion
Most healthcare providers – especially those without IT departments – lack the technical expertise and time to manage all of the above while caring for patients. Since out-of-the-box WordPress is not meant to be HIPAA compliant, finding a proven HIPAA compliant host to handle the configurations and maintenance for you is highly recommended.
A fully-managed hosted SaaS solution for WordPress that allows developers to do additional customizations of themes and features may also be ideal. Whatever solution you decide on, your goal of safely handling PHI and strengthening patient engagement with your WordPress site will be furthered by a secure, HIPAA compliant foundation. For more information on HIPAA Compliant WordPress from HIPAA Vault, visit us at http://www.hipaavault.com.