What is two-factor authentication (2FA)? Some know it as an identity and access management security method that requires two forms of identification to access resources or data. Today’s question – “How do I know which 2FA WordPress plugin to use?”

Want to learn more? Check out our blog post on 2FA for WordPress!

Transcript:
Adam
Hello, and welcome to the HIPAA Vault podcast, where we discuss HIPAA compliance for WordPress. My name is Adam Zenidine, and I’m joined by the CTO of HIPAA Vault, Gil Vidals. Hey, Gil, how’s it going? 

Gil
Hey, Adam. Doing great today. How are you doing? 

Adam
Yeah, doing well, thanks. So, Gil, last week we talked to the audience about the importance of the Business Associate Agreement when choosing a HIPAA WordPress host. Today we’re going to talk a little bit about security, and in particular, security for WordPress and two-factor authentication. A little bit about 2FA, as it’s called: two-factor authentication. It’s identity and access management security. And it’s a method for access management that requires two forms of identification to access resources and data. And an easy way that I remember it is something you know and something you own. So, Gil, something you know I think is fairly obvious. It’s usually a password. So there’s a username and a password that’s entered, but could you talk a little bit about something you own? And what types of things might that be, that you own?

Gil
Sure. That’s great. Yeah. This two-factor authentication is a subset of a broader one called multifactor authentication, so you can involve lots of different things to make something more secure. So one example that companies use in high tech is they have a USB key, for example, a YubiKey. So a YubiKey would be something you would plug into your computer, and then the website all of a sudden lets you in. Like, you might type in a password, and then it says to put your YubiKey into your computer. So that’s one example of something that you own, right? You have it in your hands. Another one might be to look at your smartphone and type in the code that shows up on your smartphone. So those are a couple of examples of something that you have in your possession. So in other words, even if the bad guy has your password, your username and your password, he still wouldn’t be able to steal information because he doesn’t have what you own. It’s in your pocket or it’s in your office.

Adam
Okay, I think that’s a helpful way to describe it. And I also understand that there are other types of authentication where you can get a code to your email address and sometimes SMS as well. I see that with some non-HIPAA applications where two-factor is required without going.

Gil
Among all the reasons why SMS is considered not as secure as email, SMS would be at the bottom. So in other words, if the code is going to be sent somewhere you typically don’t want to use SMS, email would be a better choice, but even better than that would be these tokens that are generated every 60 seconds. So there’s an application that resides on your phone, and every 60 seconds it generates a string of digits, usually about six digits. And that is better. Whenever you set up these multiple-factor authentications, usually you have a choice. And those choices are not equal. They’re not equivalent, just to be clear with our audience. 

Adam
Okay. And obviously, we do the heavy lifting when it comes to our hosting customers, where we host WordPress for them and keep things secure. But Gil, for those listeners that maybe are currently with a host and they’re not HIPAA compliant, but they want to get a little bit more secure, how could they enable 2FA on their WordPress site?

Gil
That’s an excellent question because that’s really what we’re wanting to focus on: the security around WordPress. So many customers of ours, and in general lots of people, a lot of medical practitioners, counselors, and therapists, are using WordPress. So how do you go about enabling 2FA? So, thankfully for WordPress, the way that platform works is you can install a plugin, and these plugins allow you to use two-factor authentication. So you install the plugin, and then depending on the plugin, you may have to choose. How do you want this code to be sent to the user? Do you want it to go via texting, email, or using an authenticator, like Google Authenticator? So you have to make that choice. So I would say the plugin is the best way to handle that. You’re getting a phone call, by the way, while you’re handling that.

That’s kind of funny that the phone rang just at the right time, Adam, because another way to get the code is by phone. You can have your phone ring. I know you didn’t do that on purpose, but the timing is just right. The phone can ring, and then a robotic voice reads you your code, telling you what the code is. So I forgot about that method, too. That’s a pretty good one. Okay.

Adam
Yeah. And that actually kind of leads me to our question for today, which is, how do I know which 2FA plugin to use?

Gil
Right? Well, WordPress has a library, a directory, a plugin library. You could just put “WordPress plugin” into Google, and you come to a directory that has hundreds of thousands of plugins.

Adam
WordPress.org? 

Gil
Yeah. And so when you go in there, you type in two-factor. You could type in the number two, F as in Frank, A as in Apple: 2FA. Or you can put in multifactor authentication. In any case, you’re going to get several, well, I don’t think you’ll get 100, but you’ll get several choices. And that’s not a bad thing, right? Having a choice is a good thing. And why is that a good thing? Well, because some vendors, Adam, they may make the plugin freely available, and other vendors may say, well, it’s free, but if you want it to work fully, you have to pay us a fee. So there are lots of things to look at there in terms of whether I am getting it fully free or partially free and then paying. So one decision is based on your budget. Do you need a free one?

And let’s say you choose one that’s free and you’re like, okay, this is great, I don’t pay anything for it. But keep in mind that for the free version, the two-factor code might come only via texting, which we already talked about earlier. That’s not as secure as email or the six-digit Google Authenticator code. So even though it’s free, there is a compromise you’re making there. So pay attention to that when you’re deciding.

Adam
Right? Yeah. Of the free plugins, do you have any recommendations as to a good plugin to get started with? 

Gil
Well, let me say that a rule of thumb you always want to follow is never to choose, never to use, a plugin that is immature. By that I mean it’s on version 0.0.0.1.

Adam
Yeah, I think we should probably do a whole episode on plugins as well. 

Gil
Yeah. What, to choose one? Yeah. So basically choose one that, in this case, I’m going to say that you want to choose a plugin that is USA based. USA based? Why? Well, HIPAA regulations are North American. I mean US. Not just in North America, but United States regulations. Now, you might find an excellent plugin that was made by some guy in Eastern Europe or China. There could be issues with that. We have some backdoor hacks that have been produced and put in a plugin. So you want to use a bona fide USA-based plugin, that’s number one. Number two, you want to find one that’s mature. In other words, don’t pick one that was just released two weeks ago. Look at the date and say, oh, this one has lots of releases. You can see the releases when you look at the plugin; it’ll say, this release came out last week. But then you look and you say, oh, they had releases every two weeks for years. That’s a mature plugin. So that’s what I would look for.

Adam
Okay. No, fantastic. I think that leads us on nicely for potential future episodes to talk about plugins in more detail. 

Gil
That’s it. I think this is valuable information for our audience because so many people at so many websites that have medical data don’t bother to enable two-factor, and it’s not that hard. I know we’re talking a lot about it, but in the end, it’s not hard. Now, there is one last thing I’d like to mention. We have used one called WP, space, 2FA. WP 2FA. We’re not here to sponsor or to necessarily promote a particular one, but that’s one we’ve used in the past, and that one seems okay. So you could look at that one. But there are many others, so we’re not saying that’s the only one, by any means.

Adam
All right, great. 

Gil
Yeah. 

Adam
So that’s it for this episode. Be sure to like, subscribe, and share, and check out HIPAAVault.com for the latest news and updates. And until next time, thanks for stopping by.