…And How HIPAA Gauge Can Help!
by Stephen Trout
Your gauges were peaking red, but you didn’t notice until the power was gone, and smoke was billowing out your hood like a 5-alarm fire. You tried to drift off the road, but that semi barreling up behind you didn’t get the memo.
Days later, sitting in your hospital bed – leg in a cast and a collar on your neck – it occurs to you:
Maybe my car engine’s health shouldn’t have been an afterthought! At the very least, a glance at the gauges might have saved the day, and prevented this serious accident…
Your WordPress Site
No doubt, caring for your car requires vigilance; but have you considered how your WordPress healthcare site also gets “taken for a ride”?
Every day, patients:
- “drive-in” to your site for provider and insurance details
- schedule important consults and conduct appointments
- transmit their personal health data to you.
Meanwhile, hackers lurk in the background, just waiting to force you off the road (offline) and seize your sensitive, medical data.
But what if you could be alerted to these dangerous conditions – including vulnerable traffic to your organization’s website – before a crash?
Now you can!
Once the HIPAA Gauge plugin is installed, a click of a button provides a detailed picture of your WordPress install’s current security – essential for determining your adherence to HIPAA guidelines.
It Matters for Patient Security
Just as a glance at your car’s gauges can prevent serious harm, so too, a look at HIPAA Gauge can prevent significant harm to patients from attackers who want to breach your data.
But how real are these dangers to your site, you ask?
You may have heard that with over 60% market share and thousands of plugins, WordPress sites are a favored and convenient target for hackers.
Healthcare websites containing protected health information (PHI) are particularly vulnerable, as sensitive data can be held for ransom or sold on the black market.
“Security is a top concern for our WordPress healthcare customers,” notes Gil Vidals, CEO of HIPAA Vault, “but serious issues can go unaddressed. For example, most know that they need to be using the most up-to-date WordPress core, but may not check for the latest version.
The same is true of their plugins and themes, which are common areas where vulnerabilities can infiltrate their sites. Additionally, most will not check for weaknesses in their web server configuration, or even know how to go about it.”
How Does a Plugin Work?
A trusted plugin that will highlight these issues is invaluable. But before we go any further, what actually is a plugin, you may wonder?
A WordPress plugin is essentially a piece of software written in PHP (an open-source scripting language) that’s easy to install; no coding expertise is required. Approximately 55,000 plugins currently exist for WordPress, each designed to add features and functionality to the WordPress core.
Adding (and managing) security features – such as multifactor authentication for sign-ons – is especially important for healthcare sites, since “out-of-the-box” WordPress software is not designed for HIPAA compliance.
There are additional concerns, however:
1. A third of all WordPress sites are at least two versions behind.
WordPress includes some security updates with each new version release, yet many WordPress users fail to keep their sites updated in order to enjoy these protections. Risks to protected health data passing through these sites are therefore increased.
2. Weak plugins may be selected by users, opening a doorway for bad actors.
As noted, adding new plugins may enable significant changes to your system; however, it’s critical to know that certain plugins can actually alter your database, as well as introduce vulnerabilities. It’s therefore vital to monitor all plugin changes, and use the latest, compatible versions.
Choosing and maintaining trusted plugins is just one facet of HIPAA security. Here are some additional reasons that WordPress HIPAA compliance requires a managed security approach:
3. Weak passwords may be selected, without access controls.
Username/password combinations are still the most common target for attacks on websites. Ensuring password complexity will help to prevent brute-force attacks (automated attempts to crack your password).
Longer passwords with at least one lowercase letter, one uppercase letter, one number, and one special character are critical. (A password manager can be of great help here.)
Controlling who can access your WordPress site by assigning a unique user identifier to each WordPress user allows your organization to track their activity in relation to ePHI. This activity will include when the user logs on and off the system.
4. The open-source platform of WordPress (with its many public contributions to code) may introduce new vulnerabilities.
“Open source” platforms mean that the code is freely available to the public – as opposed to proprietary software that is exclusive to its creators.
While this allows for incredible communal contributions (the insights of the whole world), sufficient security does not always accompany changes to code.
Since hackers also stay abreast of such changes, they can (and do) exploit any vulnerabilities arising from insufficient patching.
HIPAA Gauge Can Help!
The HIPAA Gauge plugin from HIPAA Vault will scan your site, then show you a dashboard with four gauges that reveal actual vulnerabilities impacting key facets of your WordPress site. These include core, plugins, themes, and web server configuration.
Each gauge consists of a red, yellow, and green zone, providing an immediate visual indicator and percent score of your website’s security health. (A premium version of the plugin, available as an upgrade, provides a more detailed report of specific vulnerabilities.)
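As an added illustration (not the HIPAA Gauge plugin’s own code, which this post does not show), the following Python models the four-facet, red/yellow/green percent scoring described above on a constructed inventory. The component names, version numbers, server hardening checks and colour thresholds are all assumptions made for the example.

```python
# Added illustration of the four-gauge model described above; it is NOT the
# HIPAA Gauge plugin's code. Inventory, checks and thresholds are constructed.
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    installed: str  # version running on the site
    latest: str     # newest version published upstream

def parse_version(v: str) -> tuple:
    """'6.4.2' -> (6, 4, 2); tuples compare element-wise, so (6, 4) < (6, 4, 1)."""
    return tuple(int(p) for p in v.split("."))

def is_current(c: Component) -> bool:
    """True when the installed release is at least the latest published one."""
    return parse_version(c.installed) >= parse_version(c.latest)

def facet_score(results: list) -> int:
    """Percent of checks in a facet that passed; an empty facet scores 100."""
    if not results:
        return 100
    return round(100 * sum(results) / len(results))

def zone(score: int) -> str:
    """Map a percent score to a gauge colour (thresholds are assumed)."""
    if score >= 90:
        return "green"
    return "yellow" if score >= 60 else "red"

def gauge_dashboard(core, plugins, themes, server_checks) -> dict:
    """Return {facet: (score, colour)} for core, plugins, themes and server."""
    facets = {
        "core": [is_current(core)],
        "plugins": [is_current(p) for p in plugins],
        "themes": [is_current(t) for t in themes],
        "server": list(server_checks.values()),  # True = hardening check passed
    }
    return {f: (facet_score(r), zone(facet_score(r))) for f, r in facets.items()}

# Constructed sample inventory; version numbers are illustrative, not real releases.
SAMPLE = dict(
    core=Component("wordpress", "6.4.2", "6.6.1"),
    plugins=[Component("forms-plugin", "2.1.0", "2.1.0"),
             Component("seo-plugin", "1.8.3", "1.9.0"),
             Component("gallery-plugin", "3.0.0", "3.0.0")],
    themes=[Component("clinic-theme", "1.2", "1.2")],
    server_checks={"https_enforced": True, "directory_listing_disabled": False,
                   "version_header_hidden": True, "file_editing_disabled": False},
)
```

Calling `gauge_dashboard(**SAMPLE)` returns one (score, colour) pair per facet, so a single outdated core lands that gauge in the red zone while one stale plugin out of three only drops the plugin gauge to yellow.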
“Maintaining HIPAA compliance can be a challenge,” Vidals notes. “Now, with HIPAA Gauge, they can tell at a glance if any of these four areas need attention. And while it isn’t intended to prove HIPAA compliance of your site, it is an excellent tool for diagnosing the need for security measures that can help you achieve that.”
As a HIPAA-compliant cloud solutions provider, HIPAA Vault is committed to helping companies understand their part in the compliance process.
For this reason, we also offer a new, fully-managed HIPAA WordPress solution as part of our expanded product line, designed to simplify HIPAA’s complexities.
Our unique solution for WordPress HIPAA compliance takes the responsibility of 24/7 monitoring and scanning for malware off your plate, so you can concentrate on your business.
We ensure a secure infrastructure, take care of future updates & hardening, and guarantee the most updated security plugins.
A Final Word about Security
Good security practices should extend to all in your organization; the same is true of HIPAA compliance:
Security… transcends the WordPress application. It’s as much about securing and hardening your local environment, online behaviors and internal processes, as it is physically tuning and configuring your installation. Security comprises three domains: People, Process, and Technology. – WordPress.org
The same is true of your hosting company. When you choose HIPAA Vault, know that you’ve chosen all three: subject matter experts in cloud (people), secure WordPress administration (process), and the latest cloud expertise (technology).
HIPAA Vault is a leading provider of HIPAA-compliant solutions, including secure Linux hosting and WordPress HIPAA compliance, and is a Certified Google Technology Partner. We enable healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. For more information, please visit our website at www.hipaavault.com.