As increasingly sophisticated cyberattacks continue to target healthcare’s essential systems - including networks, IoT medical instruments, and mobile devices - the need for advanced security protections continues to grow. Healthcare leaders are beginning to embrace the truth: cybersecurity is now an indispensable part of patient care.
 
Yet even as this move toward secure connected technologies expands, a favorite target of malicious actors continues to be the healthcare organization’s website - especially if the site is powered by WordPress.
 
Why is WordPress - despite its status as a global leader and favored content management system (CMS) among healthcare organizations - such a popular target for attack? At least 4 reasons have been recognized:
  1. WordPress represents a huge audience. With over 60% market share (over 400 million sites) and literally thousands of plugins available for expanded functionality, WordPress rules as the most popular website builder on the planet. The sheer prevalence of WordPress sites therefore makes them a large and convenient target for hackers to exploit.
  2. Off-the-shelf WordPress is not HIPAA compliant, and must be configured to secure and preserve electronically protected health information (e-PHI). Those who continue to use unprotected WordPress sites must realize that they are sitting on a ticking time bomb, waiting to send some serious shrapnel into their (and their patient’s) lives. Unprotected websites remain vulnerable, exposed to a much higher risk of being hacked. 
  3. We’ve seen how lucrative healthcare data can be to hackers. Health data is extremely profitable to criminals; it may be held for ransom, or sold at a premium on the black market. Many healthcare organizations have paid hundreds of thousands of dollars to cyber criminals just to get their patient data back, and allow their vital services to continue. The truth is hackers know this, and so will continue to look for ways to exploit WordPress sites that handle ePHI - regardless of who gets hurt.
  4. Many WordPress users fail to keep their sites updated to the latest version. In fact, less than a third of all WordPress sites are using the latest version, which means they’re lagging badly in important security updates. This is akin to leaving holes in a critical security perimeter for an enemy to access. Hackers can wreak havoc once they find the opening - and they have the tools to do it.
 
There are additional factors that make WordPress a high risk site, such as its open-source platform with many public contributions to code, and the use of unprotected plugins. Open-source allows for rich insights and innovations, but the downside can be that new vulnerabilities may be introduced before sufficient security patching can take place. In addition, weak or unprotected plugins may be selected by users in an effort to increase website functionality, but may provide an open doorway for bad actors to get inside.
 
The Real Costs of a Data Breach
Of course the real cost(s) of a WordPress data breach may not be felt until users experience the staggering impact of being hacked. Office of Civil Rights (OCR) fines for HIPAA violations - which can be quite costly depending on the nature of the offense (employee negligence, failure to perform risk assessments, etc.) are just one ramification of having your patient's protected health information made public. If this happens, they may decide to take legal action against you for personal damages. Attorney fees, court costs, lawsuits, and a significant loss of business reputation may all result.
 
The Good News?
The good news is that your Wordpress site can provide the safe communications and positive patient experiences your patients expect. Configuring your WordPress site for HIPAA - as part of a larger HIPAA compliance program for your organization - will significantly decrease the chances of a costly data breach, protect your patients, and help maintain your vital business reputation. Understanding the following, however, is key:
 
Security… transcends the WordPress application. It’s as much about securing and hardening your local environment, online behaviors and internal processes, as it is physically tuning and configuring your installation. Security comprises three domains: People, Process, and Technology. - WordPress.org
 
This is why the first of our 5 Keys for Protecting Healthcare Data in WordPress has less to do with the technical configurations to your site, and more about your own organization’s individual practices. This will include all 3 domains - people, process, and technology:
 
1. Begin with a complete risk assessment of your organization
 
A thorough risk assessment is a vital part of HIPAA’s Administrative Safeguards . This entails identifying the e-PHI that your organization creates, receives, maintains or transmits; as well as how it is handled and who does the handling. (This includes any vendors or consultants that handle e-PHI, along with the “human, natural, and environmental threats to information systems that contain e-PHI”).
 
Once you do this, you’ll then want to ensure that Physical Safeguards are in place - such as locks on doors and cameras, as well as limiting access to WordPress workstations, networks, and servers. Failures to lock up laptops, hard drives, etc. have led to numerous, costly data breaches. Ensure that careful Technical Safeguards, including appropriate access controls and permissions, are also being used to limit access to e-PHI.
 
Since HIPAA compliance is an ongoing requirement - not a once and done action, it’s a good idea to institute a monthly gap-remediation process to continue to identify any potential flaws in your system. Once identified, these flaws can be analyzed on the basis of their threat impact, and the appropriate corrective actions can be applied.
 
2. Host your WordPress site with a proven, HIPAA hosting company
Achieving a HIPAA compliant infrastructure for WordPress is a must; this means that all servers, software, networks, facilities, etc. used to deliver IT services are secured. HIPAA compliant hosting helps you meet HIPAA’s Security and Privacy Rules by providing the strong data privacy protections necessary to protect e-PHI.
 
Some of these measures include:
● encryption in transit and storage
● identity and access controls
● backups
● database provisioning
● monitoring for vulnerabilities (intrusion detection and prevention tools)
● data center controls, and more.
 
We understand that these necessary safeguards can be a complex and costly undertaking; it pays to have an experienced HIPAA host who can provide this for you. Their hosting should be verified by independent, third-party auditors and cloud experts who perform extensive examinations of controls in data centers, infrastructure, and operations.
 
Finally, be sure to secure a business associates agreement (BAA) with your compliant hosting provider. This is a HIPAA-mandated, legal contract that confirms a patient’s data will be kept confidential by the provider, both in transit and in storage on all servers.
 
3. Ensure the latest WordPress version of your site is installed, along with the most up-to-date, secure plugins
Since 86% of WordPress sites get hacked because of an outdated install, plugin, or theme, there’s really no excuse for not having the latest version for security and performance. As of this date, the latest version of WordPress is 5.5, released on August 11, 2020. Again, outdated versions are like holes in you armor; you remain vulnerable to a myriad of dangerous attacks (vulnerabilities) that would normally be repelled by the protection that the update provides.
 
In addition, not all plugins - essentially pieces of PHP software designed to integrate with your site, and add new features like blogs, online commerce, and more - come from trustworthy sources. There are at least 48,000 free plugins, and thousands more sold by various companies, so great care must be taken to use the most trusted versions. This can also help ensure compatibility, and avoid a negative impact on performance or security.
 
Note: Since it’s always wise to avoid a single-point-of-failure situation for accessing sensitive data, one plugin to have is known as two-factor authentication (2FA). 2FA provides an additional layer of security in the sign-on process by requiring the addition of a one-time passcode (OTP) - typically sent to your phone - should your login credentials ever fall into the wrong hands.
 
4. Ensure that e-PHI is stored outside of WordPress site, in an encrypted database
If a WordPress database will be used to store sensitive PHI – including text, images, and videos – that database must be encrypted. For example, a HIPAA Compliant environment will have a host database at a dedicated IP Address separate from where the web content resides. With a separate IP address [preferably behind a network switch], it becomes far more difficult for that data to be compromised.
 
Secure Sockets Layer (SSL) is also a must for HIPAA Compliance, as SSL establishes an encrypted session between the server and client to protect PHI data during transport.
 
5. Ensure that audit/activity logs are being used to track site activity
The HIPAA Technical Safeguards mentioned above require that detailed audit logs be kept. These records should identify who has accessed e-PHI on your server(s) and what they’ve accessed – both failed and successful log-in attempts. System and network access information, including any security event or malicious software, attempted breach, or even attempts to delete or modify the logs themselves, must be kept for a minimum of six years.
 
Auditing works best for HIPAA WordPress when it not only tracks suspicious behavior, but gives you real-time feedback. An activity log should provide this information, as well as when the user logged in or a session was terminated. This gives you a trail of “breadcrumbs” to track for any failed login attempts as well. Keeping track of system logs is typically accomplished by Security Event and Information Management (SEIM) tools. The log manager should minimally allow the logs to be searched for significant events that may indicate a breach attempt. In addition the log manager should handle correlation. Correlation is the ability to find data that is relevant across the various hosts (servers).
 
Achieving Patient Safety
We've mentioned the importance of security, compliant hosting, access controls, and logging for WordPress, yet we’d be remiss without stressing the need for regular security training for your entire team. The reason for this is that any HIPAA compliant solution - including WordPress - is best supported by a well-trained, security-conscious staff.
 
Cybersecurity training is especially critical, as there are many attack vectors that malicious actors can use. These include professional-looking phishing emails (many purporting to come from familiar vendors) that will reach your staff, regardless of their position. These emails have clickable links, designed to install malware in your system. Remember, any weak link in your organization can easily lead to privacy protections being broken.
 
Finally, we understand that it may be difficult - if not impossible - for busy healthcare providers to stay on top of and apply many of these important keys. Having an expert managed security team who can handle the infrastructure piece on your behalf and who will configure and stay on top of WordPress updates can go far to remove this burden of concern. Most importantly, it can help you achieve he important patient safety goals you desire, and they’ve come to expect.