This week on the HIPAA Vault Show we showcase the HIPAA Gauge plugin and how to use it. HIPAA Gauge is a free WordPress plugin specifically developed by HIPAA Vault to determine if your website adheres to security best practices in alignment with HIPAA compliance regulations. Plugin Info & Download here: https://wordpress.org/plugins/hipaa-gauge/

Transcript:


Adam
Hello and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil. 


Gil
Hey, Adam. Good to see you again. 


Adam
Yeah, great to see you. So I’m excited today to be talking about HIPAA Gauge. HIPAA Gauge is a plugin that HIPAA Vault developed. Actually, we’ve talked a lot in past videos, past episodes, about the importance of choosing the right security plugins for WordPress, making sure everything’s up to date, and checking to see if there are any vulnerabilities. And Gil, maybe you could tell us a little bit about the origins and the thoughts behind developing HIPAA Gauge and how that process took place.


Gil
Yeah. Hi, Adam. Yeah, this is a good topic because the question comes up, am I HIPAA compliant? And we have companies that ask us that, am I HIPAA compliant? By that they mean, is their company HIPAA compliant? Or, more specifically, is their technology, is their website, HIPAA compliant? So HIPAA compliance is all-encompassing. Just because your website or your web app is HIPAA compliant doesn’t mean you, as a company, are HIPAA compliant. I just want to distinguish those two things. But we’re not going to worry about the comprehensive view right now for this conversation. We just want to talk about the website. If you have a website and maybe you’re running a medical practice or you’re a healthcare app developer and you’re wondering, is my WordPress site HIPAA compliant? Then it’s not easy to find out. There are really no magic buttons to press to find out.


Gil
Normally you have to hire a vulnerability testing company, or they call them penetration testing, pen testing companies. And that costs a lot. That’s big bucks, real big bucks. So we developed the plugin HIPAA Gauge to make it freely available so that anyone can grab it, download it. And I know in a bit you’re going to share that page where they can see where to download it, and then install it as a plugin to WordPress, and then let it run and see what it says about whether your site’s HIPAA compliant.


Adam
Yeah. And for the listeners on the podcast, I’m sharing my screen now, but we’ll do our best to also describe things as we go along. So here we have Gil, the hipaavault.com website page for HIPAA Gauge. 


Gil
Yes. And this is the page you can go to. And again, the motivation to create this plugin was to help the community to have an indicator of whether their WordPress site is HIPAA compliant. So this was the motivation, and we’d like to see as many people use this as they can. This is a simpler way, a faster way, and obviously it’s much cheaper than having to hire somebody to do that. Now, if you’re already going to hire a pen tester, I’m not saying don’t do that. Pen testing goes above and beyond what this tool does because pen testing involves a human engineer that will go through and do things that automation can’t do. But this is a fantastic way to get started and have a really good idea as to whether your WordPress site is HIPAA compliant.


Adam
Right. And I think the key’s in the name there, HIPAA Gauge. So it gives you a way to gauge the level of your compliance. It doesn’t solve your compliance for you. Right?


Gil
Yeah, that’s a great point, Adam. This tool isn’t to solve the issue. So let’s say, we’ll see the gauge here in a minute, but when you look at it, you might say, oh, no, I’m not HIPAA compliant. It’ll be obvious why not. It’ll give you an indicator: well, here’s why you’re not HIPAA compliant. But this tool doesn’t have a button that you press that will fix that issue. This is a gauge that just indicates compliance likelihood, from low, medium, to high likelihood of compliance.


Adam
Okay. So from this page, viewers, you can go to download the free plugin, and that will redirect you to the WordPress.org page for HIPAA Gauge, where you can actually download the plugin. And you can see some key features here. Gil, is there anything of note here?


Gil
I think we should just dive into the plugin. Again, while he’s loading this page, I do want to reiterate that it is free. There is a button. There is a premium feature of the plugin, which lets you scan; the plugin will scan your site more frequently if you do the premium plugin. Again, it’s still free, though. When I say premium, it doesn’t mean it’s paying dollars. The way we did this is, if you elect for the premium, then we’re asking for a backlink. In other words, let us put a link to HIPAA Vault on the bottom of the website if you click premium, that’s all. But again, there’s no money transaction here.


Adam
That’s awesome. And so here we’ve switched now into the WordPress admin dashboard, and we’re on the HIPAA Gauge plugin that we have installed. What we can see here is what you mentioned, Gil, whereas right now we’re in the standard mode and we haven’t clicked the premium version. I think we can probably talk a little bit about what the gauges indicate. 


Gil
Let’s go. First, an overview, Adam, and then we can dive into each one. 


Gil
So the overview is that in order to determine whether a WordPress site is HIPAA compliant, we want to look at four aspects of the site. The first one is the WordPress core, and that’s the main engine behind WordPress. So we want to see if that core engine is compliant. Then we want to go to the plugins afterward, because the plugins are where, frankly, many of the weaknesses come in. So we take a close look at the plugins, all the plugins that are installed, and then the theme of WordPress is the color, the look and feel, the background images. So we take a look at those, and then finally the server. What server is all this on? Where is it running? What server? There could be some vulnerabilities at the server level. Even if WordPress is all up to snuff, the web server, Apache or NGINX, may be having issues.


Gil
So those are the four aspects we’re looking at. And we decided to go for the gauge model here, where you can see if your needle is at the green area, or yellow, which is a warning, we just found some issues, or red. Red means that, hey, we found some pretty strong signals that you have a problem with the site. So in this particular case, if you notice, the needle across the board for the core, plugins, themes and server are in the green area. So this site here, with the gauges anyway, is looking pretty good right off the bat.


Adam
Fantastic. 


Gil
Yeah. 


Adam
The first thing I see is everything’s 100, except on the WordPress plugin side, I see 94%, which is in the green. It looks like anything below 90%, above 90% rather, is in the green, and below it goes to yellow. How would one kind of investigate this one plugin vulnerability a little bit more? 


Gil
Right. So in this case, as Adam said, you look through it quickly, and again, this tool was written to be easy to use. So you don’t have to be a technician, you don’t have to be an engineer; an owner, a business owner who doesn’t know about technology, can come and just look at this and then say, hey, I’ve got problems here, let me talk to my web developer and have them take a look. But anyway, so if you’re that kind of a business owner, you’re looking at this going on our channel’s technology. But I see here the plugins have a vulnerability. And then you could look at the more detailed report. So there’s a link.


Adam
So we’re going to upgrade to Premium in order to do that. Let’s go ahead and do that now. There we go, instantaneous. 


Gil
Okay. 


Adam
And we’ll click on the detailed report. There it is. 


Gil
Okay, so the detailed report is going to show you some messages. It includes some messages there so you could take a look to see where you are. Now, if you notice at the bottom, it’ll say a score. Again, the core is 100%. That means the WordPress core is fine. The plugin score was 94; there’s where you want to take a look. Themes and server had a good score. So the 94, you can click the little arrow and take a closer look and find out what’s going on. And you’ll notice here, as you scroll through these plugins, that sites usually have many plugins, right? It’s rare to see a site that has fewer than three or four plugins. They usually have dozens, sometimes too many, actually.


Adam
Right. 


Gil
But Adam’s scrolling through slowly, just kind of going through. So far, nothing pops out. But then you get to this one. You see some red banner there. So we can pause at that one that says Simple History. And if you notice, it’s on a version, 4.3.0 is the version that’s installed, and the latest version is also 4.3. So it’s on the latest version, but there’s a vulnerability that says there’s a CSV injection vulnerability. Okay. A CSV injection vulnerability. So that’s not a good thing. There’s some vulnerability that exists for that particular plugin, and it gives you a suggestion what to do. It says, well, contact the plugin author, the publisher of that plugin. Tell them, hey, there’s a vulnerability. When are you going to have a new version released that patches this vulnerability and mitigates it? And then if you scroll down, you’ll see the other plugins, but they don’t have any red banner.


Gil
They seem to be okay. 


Adam
So fairly easy to find where the issue is lying, and it gives you a detailed reason as to what the vulnerability is that can then be investigated further. I really like that. 


Gil
Yeah, that’s right. So the owner, the manager of the site, could easily take a screenshot of this or copy-paste and send it to their programmer or their web developer and say, hey, we need to take care of this.


Adam
That’s awesome. HIPAA Gauge, free plugin, and it’s available through WordPress.org for you to install. Now, Gil, did you have any other comments about HIPAA Gauge, maybe anything else that it should be used in combination with?


Gil
Well, I do want to mention that HIPAA Gauge is one really strong tool you could use for WordPress in particular, because, again, it’s freely available. It’s easy to use. You just install it and then you go to the reporting. But I do want to say it’s not a certification tool. Sometimes we’ll have companies or developers that want a certificate. They say, hey, how do I show a certificate that I’m fully HIPAA compliant? And so HIPAA Gauge is not a certification system. We’re not certifying anything. We’re using it as a tool to show if you’re likely to be compliant. And that’s all. So there is no certification for websites like that. Now, HIPAA Vault, as a company, we do have a way to share our shield that shows, hey, if you’re hosted with HIPAA Vault, then we could share that. But this gauge doesn’t provide that.


Gil
There are other things that you can do besides this. We’re not suggesting that’s the only thing you should do. There are other steps and other measures that you should take for HIPAA compliance. One plugin that we like is Wordfence. Wordfence is a great security plugin that you can install, and it will help provide, like the name implies, a line of defense to protect your WordPress site. So Wordfence would be a good thing to install to boost the security. And the other thing is to do another type of scan, a security scan, that many hosting providers that are into the HIPAA space, for security, I should say, can provide. So for our customers at HIPAA Vault, we do scan their sites once a month and then report back to see if we have any findings, and we have a compliance manager that will review that as well.


Adam
Fantastic. Those are great recommendations there. And thank you, Gil, for walking us through the plugin. So if you have any questions about the plugin or HIPAA-compliant WordPress hosting in general, feel free to reach out to us at podcast@hipaavault.com or “X” us at HIPAA hosting. Make sure to also subscribe and leave a review if you enjoyed the episode. And until next time, thanks for stopping by.