HIPAA Plugins for WordPress – Part 1: Two Factor Authentication
By Gil Vidals, , HIPAA WordPress

A well-known movie line exclaims, “What we have here is a failure to communicate.” All Hollywood drama aside, we know how poor communications can complicate relationships.

When it comes to healthcare, however, the stakes can be even higher: misdiagnosis, delayed treatments, or even worse. Malicious cyber-attacks that may damage the integrity and availability of your data only add to the threat.

This is why you want all communications that pass through your WordPress site – especially if it’s protected health data – to remain private, unaltered, and available when needed. This is the primary goal of HIPAA compliance. 

Of course, just having a healthcare theme on a website does not mean it’s been configured with the proper security and controls to protect your data. Nor does hosting your site with a HIPAA-compliant hosting provider automatically guarantee compliance.

We’ve often stressed (and will say it again) that HIPAA compliance involves both the technical and administrative aspects of how data is handled.

That said, the minimum configurations for HIPAA will include the following: 

  • Encryption of PHI data, both in transit and in storage (preferably in an encrypted database outside your site) 
  • Access controls, including strong passwords and two-factor authentication
  • Audit controls for logging all system events

In this first part of our 4-part series on WordPress plug-ins, we’ll look at Two-factor Authentication. The means we can use to achieve this added security is through the use of a plug-in. 

(Note: It is always important to monitor plugins to be sure you’re using the latest version, as plug-ins themselves may be a means to introduce vulnerabilities. Be sure you’re using the most up-to-date version of WordPress as well).  

What is Two-Factor Authentication?

Standard WordPress utilizes a single sign-on (called single-factor), requiring one username/password combination. The downside of this, of course, is if anyone were to steal these credentials, they’d have full access to breach your data, install malware, and/or completely disable your site. It’s always wise, therefore, to avoid a single-point-of-failure situation.   

The Two-Factor Authentication (2FA) plug-in helps provide an extra layer of security in the sign-on process, by requiring the addition of a one-time passcode (OTP) to be entered. This can conveniently be delivered to your smartphone (Android or iPhone) by SMS or email. This way, even if someone did acquire your password, they could not gain access to your site without the OTP – and the code disappears after about 30 seconds. Two-Factor Authentication adds security as well by helping to repel brute force attacks. 

It’s important to stress here that 2FA does not do away with the need for strong passwords. Strong passwords should always be insisted upon, as phishing schemes have even allowed attackers to intercept SMS messages. (The use of a password manager can help make the use of strong passwords more feasible).

That said, there are a number of popular third-party plugins for WordPress 2FA.  Google Authenticator, and Two-Factor Authentication, are two of the better ones, which we’ll mention briefly below: 

Google Authenticator

A powerful two-factor plug-in with high ratings, Google Authenticator integrates nicely with the WordPress login page you know and love, adding that extra layer of security should your admin login credentials ever fall into the wrong hands:

With Google Authenticator, a one-time password is conveniently sent via SMS, e-mail, or QR code, with additional options available.  

You can download free Google Authenticator from the WordPress repository here, and for your Android smartphone here. (iPhone users can get it here).  

Two Factor Authentication

Another WordPress two-factor plugin that rates highly, offers strong support, and is readily available at WordPress.org is simply called Two Factor Authentication

Two Factor Authentication also allows for users to have front-end editing of settings, meaning, you don’t need to access the WordPress dashboard. The Premium version of Two Factor Authentication adds some nice features, like allowing select devices to be considered “trusted” after a short period of time, and allowing custom designing to your layouts. 

There are other great 2FA plugins, such as the free miniOrange WordPress Two-Factor Authentication plugin that integrates well with Google Authenticator and offers multisite support (for the premium version), and some which feature XML-RPC Protection and Login Page CAPTCHA. Regardless of which you choose, the important thing is to make 2FA part of a broader plan for making your site HIPAA compliant. 

If configurations and security monitoring aren’t something you want to worry about, HIPAA Vault offers a fully managed, HIPAA compliant publishing platform for WordPress that can handle all this for you. We’ll transfer your existing WordPress web content to a new, secure site, along with up to 2 databases, and you can choose from any of our customizable healthcare templates. HIPAA Vault also provides a Business Associate Agreement (BAA), a HIPAA Compliance logo for display on your website, and 24/7 live, technical support. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, please visit our website at www.hipaavault.com.