HIPAA Plug-ins for WordPress, Part 3: Activity Logs
By Gil Vidals, , HIPAA Blog

“Have you seen the video?” It’s a query for a connected world, bringing the world up close. From cell phones to visual doorbells – even police body cams – video helps tell a story – and maybe solve a crime.

Now imagine this crime is an attempt to steal your company data or disable your website. It might even be your employee (61% of IT leaders do believe their employees maliciously put their sensitive data at risk, according to a 2019 survey), or one of your contractors.

Chances are, there won’t be a video; however if a digital record of system events exists, then you’re in business. With these logs, crucial questions can now be answered: Who accessed the system? How was a breach attempted? What was the extent of the damage, if any? Armed with this data, audit logs help you stay proactive, able to track and possibly prevent future malicious activity.

Further, if the culprits know there is a record that could lead back to them, they might even be less likely to commit the crime in the first place. That’s also what audit logs can do for you.

For WordPress healthcare websites that handle protected health data, this is critical – and one reason why HIPAA requires you to track, monitor, and correlate all the potential security risks to your system (see the HIPAA Security Rule, section §164.312b).

Consider HIPAA Vault First

HIPAA Vault’s new, cost-efficient HIPAA Compliant WordPress solution provides these important audit controls, as an integral part of our secure WordPress solution for HIPAA: a compliant infrastructure with layers of security, the most up-to-date security plugins (such as two-factor authentication), encryption, access and audit controls, regular monitoring and security scans, ready-made themes for each medical discipline, and the expertise to stay on top of it all – 24/7/365.  

That said, an audit plugin works best for HIPAA when it not only tracks suspicious behavior, but gives you real-time feedback. Ultimately, it should monitor and log changes for you so you’ll have greater user accountability, preserve the availability and integrity of your site, and protect any sensitive data that passes through it. 

While there are a number of ways to keep logs, let’s take a more detailed look at what a typical logging plugin can do for you. 

Real-time Insights

You want a comprehensive monitoring log plugin which provides a real-time record of user activity for all of your WordPress sites, so you can actually see what changes were made to WordPress content. It should be able to track the creation/deletion of Tags and Categories, Widgets and permalinks, and essentially all Menus changes. 

In addition, any modifications to new or existing user profiles (such as password updates, roles, and email changes), or to URLs and fields, should also be monitored and logged.

Who’s Logging in?

As noted, it’s especially crucial to know who’s attempting to access your system (and from what IP address), in order to make changes. An activity log should also provide this information, as well as when the user logged in or a session was terminated. This gives you a trail of “breadcrumbs” to track for any failed login attempts as well.  

Plugins and Theme Changes

Adding a new plugin – as we’re now seeing – is meant to enable significant changes to your system. A plugin change can alter your database, as well as introduce vulnerabilities. It’s therefore vital to monitor all plugin changes, and use the latest, compatible version.  

The same is true for themes. Some free WordPress themes may be attractive to the eye, but in fact may be carriers for malware. These themes may have bad code and harmful links attached that can wreak havoc, blocking your site or filling it with pop ups and redirects. An activity log should track when these new themes are installed, activated, or updated, and when another theme is deactivated. 

Note: HIPAA Vault offers trusted, customizable healthcare templates at HIPAA.Cloud, so you don’t have to be concerned about introducing vulnerabilities into your system. 

As you can see, you’ll want a comprehensive solution from a trusted HIPAA expert who can ensure these things for you. Take a look at our fully managed, HIPAA compliant hosted solution for WordPress that will free you up to do what you do best, while we keep your WordPress sites secure and up to date. HIPAA Vault provides you with a Business Associate Agreement (BAA), a HIPAA Compliance logo for display on your website, and 24/7 live, technical support. Above all, we keep your important healthcare data safe and available. 

Questions about HIPAA Compliant WordPress? Give us a call (760-290-3460), or chat with us online at www.hipaavault.com

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, please visit our website at www.hipaavault.com.

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.