When it comes to building your website, a CMS (Content Management System) is usually a solid choice, as they are an easy-to-use and convenient way to build and manage your website and to update content quickly and efficiently. CMS is a powerful way to build and maintain a website by using a platform that requires very little technical prowess and minimal knowledge (if any) of website coding. Being responsible for protecting patient privacy, extra steps need to be taken to ensure that the CMS-of-choice is indeed HIPAA Compliant.
All CMS products use a database to store content – text, images, videos, etc. When using a database in a HIPAA Compliant environment, the database must be encrypted. This host database needs to have a dedicated IP Address, separate from where the content resides. With these items on separate IP addresses [preferably behind a network switch], it becomes far more difficult for that data to be compromised.
While there are hundreds of CMS choices out there, the three most popular ones are WordPress, Joomla and Drupal. Over 25% of the publicly-available websites on the Internet are comprised of these three CMS packages. Out-of-the-box installation does not achieve automatic HIPAA Compliance; there are plugins (or add-ons) used to enable things such as two-factor authentication. Based on the fact that sensitive data resides within the CMS database, this is a critical factor in protecting the HIPAA compliant information.
WordPress is a popular CMS choice for many users because of its ease-of-use and ability for customizations. There are also a large number of widgets and add-ons that can be easily integrated into the WordPress application. As the most popular CMS package, it is often the most targeted. For the sake of HIPAA Compliance, WordPress provides a plugin to enable two-factor authentication. For a more comprehensive solution, HIPAA Vault offers a HIPAA Compliant Managed WordPress Hosting plan.
Another choice amongst CMS is Joomla, which requires slightly more web development experience but it is more robust than WordPress. Similar to WordPress, Joomla has a two-factor authentication plug-in available used to protect HIPAA Compliant data and keep it secure.
Drupal, on the other end of the spectrum, is an extremely powerful CMS. Out of the three CMS systems discussed, it requires the highest degree of technical know-how to configure and implement but it is considered more secure than WordPress and Joomla. With this product, add-ons are still required for HIPAA compliance.
Aside from two-factor authentication, there are other things to consider when installing a CMS system in a HIPAA Compliant Hosting environment. For example, Secure Sockets Layer (SSL) is a must for HIPAA Compliance. SSL establishes an encrypted session between the server and client, and helps to protect the data being transmitted during transport. Audit logs used to keep track of user/system access are also required to be retained for future use and record-keeping. These logs must be kept for a minimum of 6 years, so having a robust storage solution is also highly recommended.
In summary, CMS is a powerful and convenient tool to help build and maintain a corporate website. When building a CMS-based website in a HIPAA Compliant environment, additional steps must be taken to ensure compliance standards are met and that PHI data is protected. Once HIPAA data has been protected in both the cloud hosting solution and CMS solution, your new site can be launched!