In this latest episode of the HIPAA Vault Show, we delve into the critical steps for safeguarding customer data on WooCommerce platforms within the healthcare sector.


Transcript:


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined, as always, by the CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil.


Gil
Hey, Adam. Good to see you again. Excited to talk about WooCommerce a little bit.


Adam
Yeah, yeah, me too. So we’ve been getting a lot of questions recently from customers about WooCommerce. It seems like it’s really taking off this year in terms of adding ecommerce functionality to websites. And if you’ve been a listener for a while to the HIPAA Vault Show, you know that we specialize in healthcare and protecting healthcare websites and applications. So the questions have been from a HIPAA point of view, and so I’m excited to pose some of those questions to you, Gil, and see what kind of value we can offer in terms of answers.


Gil
Sure. Let’s do it. 


Adam
So, before we dive into our topic and WooCommerce, the data breach that we’re here to talk about at the beginning of the show, I’m pulling it up on the screen here. So the headline is, a major data breach bites into a big dental distributor’s ecommerce systems. So, Henry Schein, Inc., a worldwide distributor of medical and dental supplies, including vaccines, pharmaceuticals, financial services. Gil, I’m straight away thinking PHI here. Reported a major hack in its core systems, including for distribution and ecommerce, one of the biggest distributors of dental supplies, is sinking its corporate teeth into the after effects of a major dental breach. They reported a major hack into core systems, including for distribution and ecommerce, and is only now getting its systems back online. So this article is from the end of 2023.


Gil
Well, this is a good entree into our topic, because if you notice, this is ecommerce. They got compromised and they shut down everything to contain the hack. And so they have lost revenue, because once an ecommerce store goes down, they’re not able to receive orders and do transactions. So you can imagine this company, or these billion dollar companies, even one or two days down, they lose a lot of revenue. So this is a good segue into WooCommerce, because WooCommerce is a plugin to WordPress that’s very popular to use as a shopping cart.


Adam
Yeah, thanks. Okay, so, ecommerce, WooCommerce specifically, we’ve got a couple of questions here. So, first of all, a little bit about WooCommerce. WooCommerce is an ecommerce platform, which is very popular. It’s the second most popular ecommerce platform. Some of the reasons for its popularity are that it’s free, it has a lot of free tools, and it links in very well with WordPress, which is also free and open source. So it is very popular. It has close to 20% market share, so it’s become very popular. It’s really cool. There’s a lot of plugins, functionalities, in the same way that there are with WordPress. And the first question we have is, what data does WooCommerce store?


Gil
Typically, the data that’s stored is going to be based on transactions, because ecommerce is transaction based. So you’re going to know whatever the customer ordered, the customer’s contact information. I would consider all of that sensitive information, or maybe better put as PII, personally identifiable information.


Adam
Yeah. Names, email addresses, maybe a product type that could link to a symptom. 


Gil
Yeah. So I wouldn’t consider this PHI data, but I would consider it PII data.


Adam
Yeah. And then. Exactly. There’s that important part as well, which is the payment method, and I believe, and we’ll get into the details on this a little bit further down, but that’s a distinction there, because if you use a payment processor, then you can set it up in a way where WooCommerce itself doesn’t store any credit card information or anything.


Gil
So that’s a good point. That’s a good point. That means it’s not PCI, which means credit card info. So that’s good. It’s just personal information. And then PHI is an interesting one. I would say it’s not PHI, but I’d say there’s always exceptions. So if a rep at your company is on the phone with any of your customers, and they’re taking notes about that customer, that they have back pain and neck pain, and so you sold them this product, a brace for their neck, then that would be PHI, because you tied a particular symptom in with the name, and now it’s PHI. But that would be more of a rep doing that, adding that information to the notes field.


Gil
I don’t think that your normal transaction, and by normal, I mean the guy with the back pain or neck pain logs into the WooCommerce store, your store, and orders a neck brace. There’s not going to be any PHI data because there’s no field there that talks about that. So I think it’s going to depend on how the WooCommerce is configured, the categories and inventory and what notes can be taken and so on. So I think we need to leave a caveat there that it could be PHI, depending on how it’s set up.


Adam
Right. What specific. So let’s say in the circumstance where the listeners are thinking, yeah, I think there might be PHI here, maybe there’s a patient record that they’re using to tie into other systems. What specific measures, in that case where there could potentially be PHI, should be implemented to ensure data encryption for that WooCommerce site?


Gil
Yeah. So a couple of things come to mind. One is what you just said, the encryption. So the SSL certificate, for our customers that aren’t, for our audience, that’s not necessarily tech savvy. The SSL certificate is what we call the, I guess that certificate is what we call the measure that we use to install the encryption. That’s what you need to do. Encryption is an SSL certificate. So usually you purchase those from a vendor. 

Adam
So that would need to be installed and to make sure that the data is encrypted on the server that the WooCommerce is hosted on.


Gil
Yeah, on the server that the WooCommerce is being serviced by. And also, we have to be specific, that is encryption in transit. So when the customer hits the submit button, the user, and it transfers their order or their information to place an order, then of course, that’s what we mean by in transport, the tunnel between the end user and the WooCommerce store. Now, that doesn’t necessarily mean anything about the server being encrypted at rest. At rest is when you power off the system, like you literally shut it down. WooCommerce is down, the software is not running. Everything’s down. Is it still encrypted at rest? And for most public cloud vendors, Adam, the answer is yes. By default, it’s encrypted at rest.


Gil
Now, if you’re not in a big cloud provider like Google, AWS and Azure, then you need to probably ask that question of your vendor and say, hey, if I power off my system, is it encrypted at rest?


Adam
How can a customer configure access controls and authentication mechanisms in WooCommerce to comply with HIPAA and specifically the minimum necessary access rule?


Gil
Okay, so access controls. What we’re talking about is what activities different users can do depending on their access and their permissions. So some users may have a higher level of access than a different user. So you can have access controls within WooCommerce for posting pages, for content sections, and for widgets. So that’s where you have to get granular and review. And to put this in practical terms, let’s say you have a team of three people that are going to be working on your ecommerce store. Maybe one’s a developer, one is an inventory person, the other one’s a sales guy. You’re not going to give the sales guy the same access you do to the developer. The sales guy shouldn’t be trying to update content and add programming features. That’s not his job.


Gil
So you need to use the access controls to give the appropriate level of access to each person. Yeah. What does this have to do with HIPAA, though? Well, in HIPAA you have best practices. You never want to give too high of access. The other way to say it is called minimal privileges. That means you’re giving the minimum privileges needed for a user to get their work done. You don’t want to give them more privileges than that. 


Adam
Yeah. And WooCommerce, because it is largely popular, it has fantastic documentation. So we’ll link some of that documentation in the description below for you to check out in terms of how to set up the right access controls for the users. All right, moving on to the next question. What are some best practices for conducting regular security audits and vulnerability assessments for the WooCommerce platform?


Gil
Yeah, I think a good practice would be the use of a scanning tool. So the scanning tool would check the plugins, would check the WordPress core, a tool like HIPAA Gauge, and then full disclosure, HIPAA Vault is the creator of HIPAA Gauge, so obviously we’re going to recommend that one. But there are other tools too. It’s free, by the way, HIPAA Gauge is free. So even though it’s full disclosure, it’s free. We make that available to anyone to use for free. There’s no charge. And what HIPAA Gauge does is it just looks at the WordPress core. What version are you on? Is it the latest version? It looks at the plugins. It can check every plugin that you have and tell if it is vulnerable, if it’s known to be vulnerable. And so that’s good.


Gil
And you also want to check the web server settings, some of the basic settings. Sohipication is a good one. You can also install other, there’s other great tools. Wordfence is a good one that you can install that will help protect the site and tell you if there’s vulnerabilities found. By the way, I’m always big on this. You always hear me say this or something similar to this during the podcast. I’m a really big believer that the administrator, even the business person that doesn’t have to be technical, should be able to look at these reports. So if you’re a business owner listening out there, don’t rely exclusively on your techs to tell you if you’re HIPAA compliant. You should have a login yourself into the back end and you should be able to pull up the report yourself. You’re a manager, you’re the owner.


Gil
You should be able to look at that report yourself and say, yes, I see everything’s green or no, I see a lot of red checks here. We got problems. And then you’re the one that talks to your tech team. Now, you do go talk to your tech team and say, hey, guys, we got to fix these issues here. But the responsibility lies primarily with the manager and the stakeholders, not with the tech team to do that. 


Adam
Right. And a little bit of a sub question here. I’m assuming that this depends on the size of the company, the size of the application, but what would be a good go-to when it comes to the frequency of these checks, the scans and the checking of the scans and all that stuff?


Gil
Yeah. Well, generally speaking, a month is a good time frame. The longer the time frame, the more the risk. So it’s a spectrum. There’s no magic number. If you wait and only do this once a year, your risk is very high that something is wrong that you haven’t caught, a whole year’s gone by, so a year is too long. I can tell you that with certainty. Once you get down to a month, you’re in pretty good shape. Somebody might, if you have the time, people do a weekly check maybe, or every two weeks. Yeah.


Adam
And then maybe a month. And then also straight after any major changes to the site as well. 


Gil
Well, that’s a good point. Yeah. Let’s say you install a new plugin to enhance and extend the capabilities of your WooCommerce platform. Then you’re probably going to want to run a scan and see if that plugin has created a new vulnerability. So that’s a good point, Adam. I think that’s right. Okay.


Adam
And what steps should the site owner of a WooCommerce site take to create a disaster recovery and data backup plan for the site in compliance?


Gil
Well, everybody knows about backup, so you want to have a backup plan. That’s usually going to be your cloud service provider’s responsibility, backing up your entire web servers if you have more than one. So that should be part of your plan, to make sure that there’s a policy in place where you have daily backups. If you like, and you want to go above and beyond, you could install a plugin like Duplicator that can create a backup. Create a backup for you specific. Yeah, WooCommerce specific. But you have to be a little careful with that, Adam, because it depends where this duplication plugin stores the data. If you’re storing it somewhere on the same server, you’ve just doubled your backup space. Right, because your hosting provider is backing up. Plus you have a plugin that’s backing up.


Gil
And if you have a large store, you’re going to be sucking up a lot of disk space, going to cost you more money. You may have to tell your hosting provider, hey, we’re running out of disk space, give me some more space. You got to pay more money for that. There’s nothing wrong with having a backup, especially if your store is very important to your business and it’s generating revenue. But I will end with this comment that you want to have a backup that’s stored off site. What does off site mean? Off site means that if the data center you’re in burns to the ground, you still can retrieve your backup.


Adam
Okay, so that’s the disaster recovery portion of the question, right? Yeah. 


Gil
And normally, again, with the large cloud providers, Azure, Google, AWS, those have capabilities to take a backup and store it somewhere off site. In other words, you’re storing, say you’re in the Seattle data center, it’ll store it in the Kansas City data center. So you know it’s there. But you have to configure that. Someone has to go in and do that. The tools are there. You have to make sure someone who knows what they’re doing has configured that properly.


Adam
Okay, great. How about how to effectively log and monitor user access and activities on the WooCommerce site to ensure HIPAA compliance?


Gil
Sure. Well, you can get, there’s always a lot of plugins, Adam. And generally speaking, with WordPress, there’s more than one plugin for every imagination, every idea you have. Right. So in this case we’re saying, okay, I need to know who logged in, at what time did my developer log in, did my manager log in, did the sales guy log in, who’s logging in, when, and what did they do? So you could use Wordfence. That’s a great plugin that we’ve already mentioned once. The WooCommerce administration area has some buttons you can press to audit, and there’s also WordPress Security Audit Log. That’s a plugin that you could use, or WooCommerce Logger. So there’s multiple solutions. Essentially they do the same thing. They’re tracking who’s logging in at what time.


Gil
Some of them will track what was done, but that starts to get a little bit difficult to track everything that the person did, but at least you should know who logged in at what time. 


Adam
Yeah, one point on that as well, because we’ve mentioned a couple of plugins there, and so there’s going to be quite a few plugins on the site that are specifically dealing with the security aspects of it. And what can come in there as a follow-on issue is plugin bloat. Right. What I recommend is if you have a WooCommerce site and it’s not currently set up for HIPAA compliance and you want to convert it to that, keep in mind that you might be running a fair few more plugins than you normally would. So account for that when you speak to your hosting provider. When you speak to us, account for that. Go over a little bit on the spec.


Adam
So if you have, let’s say, 20 GB of disk storage, maybe go for a little bit more on the site when it’s being migrated, and likewise with CPU and RAM and those kinds of things.


Gil
Yeah, that’s good, Adam. And I have to admit, that’s one of my pet peeves when I get calls from would-be customers and they’re like, but Gil, why do we need to pay you guys at HIPAA Vault these fees when we can go to GoDaddy and pay $20 a month? Well, as I always say, you get what you pay for, right? If you need to have HIPAA compliance, you have to add security tools and security measures and compliance managers and knowledgeable engineers. All that costs money, and you can’t get that for $20 a month. It’s not going to happen. So you have to be careful, choose wisely. Make sure you’re spending an adequate amount to secure your site. And that’s important. It’s like buying insurance, right? When you buy insurance, you do it. You hope you never need it, but you always buy it.


Gil
You would never go out and drive your car around your city without having insurance. 


Adam
Yeah, I know we’ve flat out chosen not to move forward with certain projects because we’ve said this is the minimum that you’re going to need when it comes to your hardware specifications. And the project owner has said, we don’t need that. We’re currently running on half that amount. It’s like, well, yeah, okay, but then let’s try and get it running and then let’s see what the horsepower looks like. I think sometimes it’s better to choose to not engage from the start rather than to find out that we were right halfway through the project later.


Gil
That’s, that’s a good point, Adam. And that’s what business is. It’s evaluating risks and returns. Right. What’s my risk? What’s my return? You always have to evaluate that. 


Adam
Getting back on track. We’ve got two more questions, so we’ll keep it brief. What are the specific HIPAA requirements for securing ePHI? That stands for electronic protected health information. So what are the specific HIPAA requirements for ePHI that one needs to consider when configuring WooCommerce? This question specifically, I had one of our techs look into it and they pointed out something really interesting, which was, I thought, a really good point. And that is, limit the information that is configured to be sent out in notifications. So if an order comes through in the WooCommerce system and the order is for a certain product and there’s a customer name and there’s all this information, limit the amount of information going to whoever’s processing that order by email, because you could be doing all these great things on the server side to make sure things are HIPAA compliant.


Adam
But if all that information is just going to get sent to an unsecured inbox, then that creates an extra problem that should really be avoided, unless you want to also add HIPAA compliant email functionality, if you need to send all that information by email. But usually an order number, the amount, something along those lines makes sense. Gil, anything that you want to add on that?


Gil
No, I thought what you were going to say was the safeguards. The safeguards for HIPAA, which are the three safeguards, the administrative safeguard, the technical one. 


Adam
Oh, yeah, definitely. So the administrative, technical and physical safeguards are a very good, high level way to judge what’s needed for HIPAA. And what you’ll find typically is that the administrative safeguards, most of them are within your organization as the site owner, whereas the physical and the technical can typically be delegated out to vendors. So, for example, the physical data center, you don’t own the data center, so you want to make sure that you’re going with a hosting provider that has a data center that complies with HIPAA, whereas administrative could be, this staff member within your organization is trained to not share certain information externally and so on and so forth. Yes. So the last one is, how can I integrate a secure payment gateway with WooCommerce?


Adam
And this wraps up because at the beginning, we did talk about that payment portion of the data. So what are your thoughts on that, Gil? 


Gil
Well, the ecommerce gateways, that’s the financial transaction where they’re purchasing with US dollars or credit card.


Adam
Yeah, Authorize.Net, Stripe, all those payment processors. That usually...


Gil
...falls outside of what we talk about for HIPAA because that’s PCI. But essentially that’s still good for the audience to know, that when they’re using a credit card processing company like the ones you mentioned, I think one of the more popular ones is, like you said, Stripe, Authorize.Net, but those companies have an option where it’s tokenized. So in other words, you’re not storing the credit card on your server, you’re just storing a token, a number, and that number is sent to the provider, the gateway provider, and they reference that number and then they look up the credit card. So they store the credit card. You stored the token. Again, this is not related to PHI, but it’s still a good security measure.


Gil
And by the way, if you do this, you don’t have to worry about being PCI compliant because you can claim, rightly so, that you’re not storing credit card information. 


Adam
Yeah, and even if the application wants to allow for the customer to be able to save their information in an account, that can also be configured to be stored with the payment processor and not sit on the WooCommerce site, and then through, like you mentioned, the tokenization, it’ll be able to recall the customer information once they log back in to purchase another product.


Gil
Great. Yeah, we covered a lot more than usual, WooCommerce. Like you said at the top of the call, it’s already popular. And then when you mix it in with the considerations of PHI, it can be a good solution as long as you’re following the basics. Well, the best practices for protecting the PHI data.


Adam
Yeah, thanks a lot, Gil, for helping us get into the nitty gritty a little bit. And thank you all for joining and listening. If there was anything specific in those questions that you’d like further clarification on, feel free to reach out to us through our website, HIPAAVault.com. You can email us directly at podcasts@hipaavault.com, or leave a comment if you’re watching on YouTube. And we’d be happy to get back to you and answer your questions. So that’s it for this episode. Thanks again, and until next time, thanks for stopping by.