This week on the HIPAA Vault Show, we delve into strategies for enhancing WooCommerce security. We kick off with our Breach of the Week, spotlighting a significant incident impacting over 16,000 patients. Then we escalate our WooCommerce security conversation, moving beyond the basics to explore plugin security, compliance practices, and a live vetting demonstration of a healthcare-related plugin. From essential security plugins and a closer look at selecting the right plugins, to compliance strategies and leveraging access controls, this episode is packed with practical insights to fortify your e-commerce site and help it remain HIPAA compliant. Join us for a proactive approach to securing your online healthcare services.

Transcript:


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam, and I'm joined, as always, by the CTO and founder of HIPAA Vault, Gil Vidals.


Gil
Hey, Adam, welcome to Friday and welcome to the podcast. 


Adam
Happy Friday. Thank you. Yeah, looking forward to diving into it with you. So our subject and topic that we're going to cover today is strategies for enhancing WooCommerce security and compliance. So we're going to dive in a little bit deeper. We've done a couple of shows on WooCommerce at a higher level, but yeah, looking forward to diving into WooCommerce a bit more today with you all. But before we get started with that, we have our regular segment, the Breach of the Week. And today, the Breach of the Week is: R1 RCM data breach impacts 16,000 patients. RCM stands for revenue cycle management. It's a well-known system within healthcare on basically how they bring in the patients' requests and process payments for patients. It's called revenue cycle management, and R1 RCM Inc.'s system reported a breach of PHI of 16,121 individuals.


Adam
So, Gil, we're at, you know, 16,000 individuals. What are we multiplying that by in terms of dollars?


Gil
I think we multiply that by, I think, five and then by two. We've explained that in other videos before, why $5 and why by two, just at a cursory level. Because this boils down to this organization, in this case Dignity Health, will have to pay for an identity monitoring service, like from Equifax or one of those big companies. And that's part of breach resolution. So we say, well, what are those costs?


Adam
Yeah, they’ve offered two years of complimentary credit monitoring and identification. 


Gil
When it's complimentary, obviously. Yeah. So Dignity Health buys at wholesale from, like, Equifax. They say we need 16,000 identity monitoring subscriptions and we need it for two years. So then, instead of paying, like, if you go to Equifax, you pay, you know, $24 as a single user. As a single user, you know. But if you're buying 16,000 at a time, you get the price down to four or five.


Adam
So 16,000 times $10, right. Okay, so that would be $160,000. But that's just for the credit monitoring and identity theft services. Then you've got to look at potential fines.


Gil
Yeah, well, there's pen testing that they'll have to do. The potential fines, absolutely, from the, what is it, the Office of Civil Rights. OCR.


Adam
Yeah. For those, you're talking anywhere between $100 per violation all the way up to $50,000.


Gil
So these things escalate very quickly to becoming a multimillion dollar affair. Yeah. 


Adam
And in terms of the source of the breach, unauthorized access by a third party. 


Adam
It says, not due to the hospital network being compromised. 


Gil
So they're telling us it wasn't. What they're telling us here is like, look, it wasn't some brilliant hacker that came in from the outside. But if we read between the lines, that could mean that an employee, for example a disgruntled employee, could have taken data from within the network.


Adam
Or a contractor. 


Gil
Or a contractor. Yeah. So we don't know. I mean, they didn't say that, but you have to start reading between the lines and go, well, if it wasn't from the outside, through the network, then maybe it was from the inside. Yeah. Anyway, these things are always quite alarming, of course, for the company. Now, Dignity Health is a huge health network, and they have teams of lawyers and they have probably a lot of insurance, so it's still a very intense event for them. But they do have the deep pockets. If you're a smaller company, though, you don't have those deep pockets, and that becomes a real challenge to get through.


Adam
Yeah. And that brings us on to WooCommerce, really, because WooCommerce is used by smaller businesses to be able to sell products online. And when it comes to healthcare, you might have specific medical devices that you're selling online, and WooCommerce can play a very good role. But obviously, to avoid similar kinds of hacks, you want to make sure that it's as secure as possible. So let's talk a little bit about what we can do to secure WooCommerce. Gil, at a high level, what are we looking at to make sure that...


Gil
Well, yeah, again, we always use that term "at a high level" because, you know, our audience isn't necessarily all technical, and we don't want to leave them out. So for everyone involved, whether you're technical, whether you're the owner, a key point to remember, and I know people cringe sometimes when they hear this, but security is not one and done. It's not something you can... yeah, you can't buy a package from somebody like magic and say, oh, look, you know, I hit this magic button and all my security is good forever. It just doesn't work that way. The reason it doesn't work that way is because the bad actors, the attackers, are always evolving; they're always trying new ways to get in.


Gil
Therefore the tools that are used and the knowledge that people have also have to evolve along with the attacker. So that's the reason why it's not just a magic bullet, one and done. And so even companies that come to us and say, well, we have a healthcare application, we want to host it with HIPAA Vault, well, they're one and done in the sense that they're paying us so they don't have to worry about it, but we're constantly working on it on our end, and they're paying us to do that. So that's really what it comes down to. So you have to have the right mindset and not be getting disgusted that, well, last month we added this tool, why do I have to do something else this month? You have to expect that and have the right expectations, I think.


Adam
Yeah, definitely. And because WooCommerce is essentially a plugin of WordPress, if you're listening or watching and you haven't already checked out our WordPress-specific videos, I'd encourage you to do so, because we go into a lot more detail on WordPress as a whole as a content management system and what security needs to be in place for that in other videos. While you're at it, give us a like and subscribe. So let's dive a little bit deeper. Gil, I can pull up the WordPress dashboard if that's useful for a visual.


Gil
Sure. Yeah. You were telling me you found a plugin that's called KiviCare. What does KiviCare do?


Adam
KiviCare is a clinic and patient management system built on WordPress, and it's the most simple self-hosted clinic and patient management solution based on the WordPress platform, which allows you to set up your online clinic instantly. It's also got mobile functionality, so you can have the KiviCare plugin for WordPress and then do things like build a mobile app if you want. And yeah, it's quite popular. So I was just looking at it as an example of, potentially, you know, if you're a healthcare provider and you want to add functionality, let's say a portal or anything, to your existing WordPress site, then you might choose KiviCare. You know, we're not sponsored by KiviCare or anything, but I just thought it'd be a good example. So what are we looking for when we're assessing whether a plugin is secure?


Gil
Well, there's a couple of telltale signs. So one is, who is the author of this thing? Now, when I say author, you say, well, it was Joe Blow. Well, that doesn't help you determine if they're a good programmer, but some of these are made by companies. So if you say, oh, this was written by a particular company, then that gives you more confidence than if it was written by some twelve-year-old. So you would want to see that it's supported by a group, even if it's two or three developers. That may not be a company, but it's two or three developers. So that's always good. You want to have some depth there. The other thing is you want to see what version it is. Are you the guinea pig? Are you testing this for them? Are they on version 0.1?


Adam
So here, that would be at the top of the screen. Version 3.6.1.


Gil
Yeah. Yep. And then you see the author, Iqonic. If you press on that, is that a company, or what is the...


Adam
It is a company, yeah. 


Gil
Okay, so you went to Iqonic. Okay, so that kind of passed. Now remember, these are just cursory evaluations. This doesn't mean that it's super secure, but it starts to give you a sense for this tool. Right now I have a good sense for it. It's a mature product, been around for a while. It's made by a company, supported well, has a good rating. So we're off to a good start. We're off to a good start. That's important.


Adam
Active installations. 


Gil
Yeah, they've got a lot of installations. So they've got a good user base. And of course someone could read through the low stars to find out, you know, if there's some...


Adam
Yeah, just like if you saw a problem or something.


Gil
Yeah, just like if you're on Amazon, you click on a couple of the lower stars and see if it was just a customer raging about something of no consequence or if it's really, truly something important. The other thing you want to see, yeah, is the changelog. Go to that; you want to see how often this is being updated. So this was updated last in March. That was just a week ago. Yeah. And then before that it was updated in February, and then before that, the year. So it's getting, you know, fairly regular updates. That's another good sign; it means they're actively working on it. If you saw, on the other hand, that the last time they touched this was, you know, two years ago, then you would start thinking, oh, it sounds like this project's been abandoned.


Adam
Oh, and then also, what does it say about the, you know, the WordPress version and the PHP version?


Gil
I think that's a valid point. You want to see if it's compatible with some of the versions that you may have installed. You may be on a slightly older version of WordPress, but the main thing there is just to make sure that it's compatible with whatever WordPress version you're...


Adam
...using. And you should be using a more current one, right?


Gil
Right. So if you have an application and you look and say, wait a minute, I'm using version 5.2 and this one says it's compatible with 6.4, that means you can't use it. But also, as a hint to yourself, you say, wait a minute, why am I on version 5.x? I should be on something much more current. You need to go talk to your tech team and say, hey guys, what is going on here? Why are we on this ancient version of WordPress? That's not good.


Adam
That was KiviCare. Was there anything else when it comes to the plugin specifically?


Gil
Yeah, there is something else that we need to talk about for a minute, and that is the paid version. WordPress is available for free. Anyone can just use WordPress. Don't get sucked into the mindset of, hey, I want it all for free, because you're running a business. There's a lot of liability here. Pay for the plugin, for sure. In fact, if a plugin only has a free version, that would be one of my concerns. I would tend not to go with a plugin that doesn't have a commercially supported version.


Adam
Why is that? 


Gil
Well, because you're running a business, and if you have a problem with that plugin, whether it's security related or functionality related, you want to be able to reach out and say, hey, I'm Doctor Smith, I'm a paid customer of yours, I need some help, and you want someone to respond on the other end. If it's free, there's a very high chance that when you email them you'll never hear back. There's no monetary incentive for them to do anything. So it's very important that you have a paid, licensed plugin.


Adam
Anything to say about the access controls with these plugins? Like, who should have access to installing them and removing them?


Gil
Well, a typical scenario is that you have an administrator who has the access to reach out into everything, and then from there you have a different level; maybe you have access just for your search engine optimization person that just has to do SEO, and then you have another level of access for, say, the person that's going to be your editor, that's going to be adding and removing pages. So the technique there, that's best practice, is to only give the amount of access that's required for that person to do their job. You don't want to give them too much. You don't want to give the editor of your content access to add and remove users, for example. They don't have any business doing that, so you shouldn't give them that access.


Gil
And usually there are levels of access, and you can just choose the right level for whoever you're adding to the back end of WordPress.


Adam
That's least privilege, right?


Gil
Least privilege. That's what that philosophy, or that protocol, is called: least privilege.


Adam
Anything else that I missed out? 


Gil
This may fall outside the scope of this conversation, but it's worth mentioning briefly that you want to have a scan of your site on a regular basis to find any vulnerabilities. So HIPAA Gauge, and then, full disclosure, HIPAA Vault created a plugin called HIPAA Gauge, and you can install that. That's a tool that will just simply tell you whether or not your site has some vulnerabilities. It's a tool that is really an indication; it's an indicator. So you can use that, or you can pay... yeah, there you go, HIPAA Gauge. You can also pay a scanning or pen testing company that can do that. That can be expensive, but I mean, I'm just giving you the different options. So you can scan it for free.


Gil
You can pay someone to scan it, but you should have somebody scanning your site on a regular basis, at least, you know, best practice, every month. But if you can't afford that, you know, maybe every three months.


Adam
All right, great. Well, that's it for this episode. Thank you, Gil, and thank you, viewers and listeners, for checking out the episode. Please do like, subscribe, and share the content with anyone that you think might be interested. Until next time, thanks for stopping by.