This week on the HIPAA Vault Podcast we talk about WooCommerce and its HIPAA compliance.
WooCommerce official FAQ: https://woocommerce.com/document/woocommerce-security-faq/
HIPAA Security Services for WooCommerce: https://www.hipaavault.com/managed-services/

Transcript:

Adam
Hello, and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance for WordPress. My name is Adam Zeineddine, and I’m joined by Gil Vidals, the CTO of HIPAA Vault. Hey, Gil. 


Gil
Hey, Adam. Thanks for inviting me again. I’m looking forward to it. 


Adam
Yeah, I’m really excited to dive into our topic for the day. So last week we talked about optimizing WordPress for performance. This week we’re going to talk about WooCommerce. And our question for the week is: is WooCommerce HIPAA compliant? Before we dive into the topic, please like, subscribe and share this content wherever you’re viewing it. It really helps us a lot. So when it comes to the question, is WooCommerce HIPAA compliant? We’ve reached out to WooCommerce, and hopefully we’ll be able to get an episode with someone from WooCommerce to really go into it from WooCommerce’s perspective. Their website says that the data retained from WooCommerce, like the rest of your WordPress installation’s data, is stored in your WordPress database. But to unpack this a little bit, Gil, from a technical standpoint, what should our audience know about making WooCommerce HIPAA compliant?


Gil
Sure, Adam. I think there are several points, and true HIPAA compliance is very comprehensive, so we’re going to touch on some of the more important points. Ultimately, you want to be aligning yourself with a HIPAA compliant hosting provider who will take care of this for you. But some of the things you’re looking for is encryption. There are three kinds of encryption: at rest, encryption in flight (or in transport, as they like to call it), and then encryption in use. So those are three. It’s the same encryption, but you’re using it really in three different ways. So at rest would mean that when the system is powered off, the virtual machine you have, when you power it off, is it encrypted at rest? When you turn it back on, it decrypts, and that’s how it runs.


Gil
And then you want to know, when you access your site through HTTPS, you want to make sure that you cannot access it through HTTP. Please, to our audience, please don’t just check and say, okay, can I get to it through HTTPS? And you say yes, and you check the box. But don’t forget to go back and check for HTTP. You don’t want that on at all. Or if you do go to it, some hosting providers will redirect it to HTTPS right away, and that’s okay as well. So I would say look for that, and then data retention. How long does your PHI data need to be retained? For quite a number of years, depending on what state you’re in. Usually it’s around seven years. Could be a little longer. Some ten years, some maybe six years. So what about the retention of your data?


Gil
Who’s retaining that data? Is that your provider? Is that you? You have to consider that. These are good questions to consider. And logging and monitoring: you have to have somebody, or some system, monitoring your website at all times to make sure it’s up and running, and making sure you scan it for vulnerabilities as well. So I would say, without overwhelming the audience, these are some of the core things to look for that are valuable.


Adam
Okay. And we’ll include a full list of the services that go into making WordPress and WooCommerce HIPAA compliant in the description below. And then we’ll also share the video on the show as well. So what about when it comes to ongoing HIPAA compliance, with HIPAA being something that is maintained and not necessarily something that’s secured as a one and done? What goes into it from that aspect? 


Gil
I think a really good and robust foundation is to ensure your WordPress site, the WordPress core, is being updated on a regular basis. If you want to think about it in terms of time, you could just say, well, every month I want to make sure my WordPress core is updated. So you, as a medical practitioner or a business administrator, would want to check and make sure that it’s done. So really the responsibility, Adam, is a little bit more nuanced than some people think. In other words, don’t just pick a HIPAA compliant provider, even HIPAA Vault, and just forget about it. It’s really up to the medical practice business owner to ensure these things are happening. So, yes, you’re paying them to do it, but it’s trust and verify. So check yourself to say, hey, is my WordPress site up to date?


Gil
Is it at the latest version, or maybe the next one below that? And every month you’re making sure you’re updated. I would say that’s a really important thing. And then the other one is: is your provider onshore? That’s important. Keep in mind, HIPAA is a US only compliance protocol. And so you don’t want, and it’s frowned upon in the security community, to have a hosting provider that’s offshore in some other country. And it’s not that we’re opposed to other countries. It doesn’t matter which country; if it’s not the US, that’s the main point. It needs to be the US. And that means the staff accessing it should also be in the US. So let’s say you find a provider that is in the US. They confirm that, but then all their support staff are located in common places like the Philippines or India.


Gil
That’s very common. Well, that’s still not good enough, right? I mean, the servers are here in the US. That’s good. But all the members, all their staff, help desk and engineers, they’re all foreigners. 


Adam
Does that apply to the development team as well? Or is that a separate... well, the...


Gil
Development team could be offshore. And that’s actually not so uncommon, to have a development team or have some developers offshore, some onshore. That’s okay. Because normally what you would have is a staging server. The enterprises, larger companies, have a staging server, and it’s developed so that you don’t have any PHI data, so anyone you trust can log in there, onshore or offshore. But once you take the site and you’ve tested it and it’s good to go, and you copy it to the production server, well, that server itself, you only want your onshore team accessing it.


Adam
You want that locked down to the US.


Gil
Yeah. Now, I understand many medical professionals and healthcare developers that have developed an app, I know they’re on budgets like everybody, and they say, well, Gil, I don’t have two servers. I just have the one production. I don’t have a staging environment. Well, that’s not ideal. I mean, in the technology world, you want a staging platform you can test in and a production one. But if your budget is thin and you need to keep it to one, then that’s going to be tougher for you, because now you’re saying, hey, when I have an issue, I have to reach out to my developer in some foreign land and have him access it. But he shouldn’t really be on there, because your data is there.


Gil
Now, if you’ve split off the database from the web server, maybe you can get away with it, but it’s basically going to be frowned upon if you have a single server and you have foreign nationals logging into that. Now, I want to be careful with what I’m saying, because some people that are very astute might say, but Gil, where does it say in the HIPAA regulations that you shouldn’t have foreign nationals? I’ll talk to my compliance manager and see if I can find that. But even if he says, Gil, it doesn’t stipulate that precisely, it’s still very well known best practice in the security world, in the robust security world, that foreign nationals should not be accessing servers that are either PCI compliant or HIPAA compliant. I mean, you name the compliance.


Gil
If it’s a US compliance standard, then that’s the normal and robust path to follow. Even if you say, Gil, it doesn’t say explicitly (for HIPAA Vault or not HIPAA Vault, but HIPAA) that you can’t have foreign nationals, that doesn’t mean that it’s a good thing to do. Right. Just keep in mind, HIPAA is kind of a wide guideline. It’s just to try to keep you from falling off the cliff. And so you have to be mindful of these different regulations.


Adam
Right. And how about moving on a little bit, still on WooCommerce, but extensions? I’ve heard that they could potentially be a source of vulnerability, is...


Gil
That... you know, WooCommerce is an extension, a plugin that you can enable for WordPress. So just like WordPress has literally hundreds of thousands of plugins to extend the functionality of WordPress, WooCommerce also has extensions by third party providers, third party publishers or authors. And you as the owner of your website will have some access, and you may find some nifty widget that you say, hey, this is really cool, I’m going to enable this extension. Well, guess what? The bad actors try to get in through the weakest point. So if you enable an extension that was written last week by some high school kid and it’s got some vulnerability and the hackers are all getting through, that’s no good. That’s really no good. So make sure that any extension that you enable, make sure that it’s actually a robust extension.


Gil
You say, well, how do I do that? I’m not a technologist, I’m a medical practitioner, I’m an administrator. Well, it’s just common sense. You look at the list of options for extensions and you want to find one that has a version that’s not 0.1 or 1.0. You can find one that’s been around for over a year and has had multiple fixes and updates. That’s one thing. So that’ll get you a long way right there. And the second one is that developer, that publisher: are they available? Do they have a paid license for that extension? And it doesn’t have to be a lot of money. We all know we’re in a recession. You want to pay a ton of money, but sometimes it’s a very small fee. But with that fee you get access to support, and that’s important.


Gil
You say, well, why does that matter? Well, it matters because when we go to update the extension, a lot of times they won’t allow you to update to the next extension version unless you have paid support. They’ll just lock you into that lower level one. Oh, you want to go higher? Okay, well then pay us the subscription fee. So it’s important to have that. And these fees sometimes are very small, so I don’t think that’s going to stop you. But it’s mainly awareness. A lot of people just aren’t aware. They just install it and they forget about it. Oh, everything’s going to be fine. Well, what about the next month, when the author found a vulnerability and he’s upgraded?


Gil
He’s updated and patched that. You need to make sure that you have the license so that our team, or whoever’s doing the hosting, can then upgrade that extension.


Adam
Okay. Yeah, and I think on the prices, there’s a lot of options within WooCommerce where it’s more built into per sale. So you are making the sale in order for them to take some sort of processing fee from you. So that’s not as bad as it could be. Okay, so any other considerations when it comes to WooCommerce or HIPAA compliance in general?


Gil
Yeah, I know I’ve mentioned this, Adam, in maybe one other podcast we did, but I like to pass this knowledge on. It’s kind of a basic wisdom, let’s just call it that. If you’re out there hunting for an economic solution for HIPAA compliance, one of the questions, if you only had time for one question that was going to make a big difference, it’s this: you talk to a provider and say, hey, do you have a compliance manager? If they say no, they flunk it right away. Go on to the next one. If they say yes, say, I’d like to meet with that compliance manager. If they say no to that, then it’s a gray area. Like, why not? Is he too busy? Does he not have time for me? But normally they should say yes, we can set up a meeting.


Gil
If both of those are yes, then this is a really good sign. That, likely (not guaranteed, but likely), you’ve selected a good provider, because they have a compliance manager whose job is to watch your environment to make sure it remains compliant, and he’s accessible to you. If you have a question or, God forbid, a hack and you need to talk to somebody, well, he’s there. You already got his name. You know who he is, he’s accessible to you. So I would think that’s the one: if you only had one question to ask a provider, that’s probably the most key question you can ask, and that’ll get you a long way.


Adam
Fantastic. Yeah. And on the point of questions, if you do have any questions for us, feel free to reach out at podcast@hipaavault.com, or you can tweet us at HIPAA hosting, and we’ll be happy to answer those questions and then maybe also include them in our next show. That’s all for this episode. Please subscribe, like and share. Until next time, thanks for stopping by.