Atlantic.Net Blog

Can Drupal Websites Be HIPAA-Compliant?

Any company using Drupal, especially one in a regulated industry such as healthcare, has to be diligent and proactive about installing patches in order to maintain security. By using HIPAA-compliant managed services through a host with a strong healthcare background, you benefit from infrastructure engineered to guard against security incidents and HIPAA violations, and you have someone watching for security updates as they are released so that your site is patched right away. Strengthening the system's password requirements and encrypting the web forms that users submit are steps you can take yourself to ensure full HIPAA compliance at the software layer.

Drupal, like any of the other major content management systems, can be HIPAA-compliant with the right security technologies installed – especially HIPAA-compliant infrastructure.

Strong security with vigilant patching

Drupal and other open source environments approach security differently than proprietary, licensed systems do. By its nature, anyone can view the source code of the software; that means its underpinnings are transparently visible to cybercriminals, as well as to those who want to protect health data and strengthen the software. The nature of open source “creates a feedback loop,” explains healthcare software as a service (SaaS) firm MedTouch, through which the code is assessed and updated rapidly.

Why healthcare organizations choose Drupal

WordPress is the content management system that everyone mentions first since its market share is so enormous. However, developers, as well as healthcare organizations, do not always want the most obvious CMS solution. In fact, WordPress can be problematic; because it is so popular, it is a common target for mass hacking efforts to exploit newly discovered security holes. An analysis by WP White Security, using the WPScan Vulnerability Database, found a total of 2407 vulnerabilities (758 with the core code, 1305 with plugins, and 344 with themes).

While there are ways to create secure WordPress environments, many healthcare organizations would rather avoid the potential issues and choose another CMS, such as Drupal. Although not as commonly employed as the CMS giant WP, Drupal is implemented on 647,479 sites, as of February 20, 2018. Some of those sites are those of healthcare organizations that must maintain the security and privacy of patient data, not just to protect their patients or as a best practice, but to meet the parameters of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Memorial Sloan Kettering (MSK) Cancer Center credits Drupal with giving it a stronger stance than other organizations within the field. The digital personnel at the well-respected entity have embraced innovation in the same manner that its researchers and clinicians have. The use of this open source content management system (CMS) has been beneficial to MSK, allowing the HIPAA-covered entity to efficiently create a more adaptive and robust system. Drupal allows a digital interaction that is user-friendly and compelling enough to create retention among the healthcare audience. The benefits of this system, allowing it to be fundamentally more flexible, include its object-centered coding, front-end integrations, and management options.

Here are a few reasons that Drupal is a strong choice for healthcare organizations:

  • You can avoid licensing fees – There is no cost for a license. Like WordPress and Joomla, Drupal is a free open source solution.
  • It is a credible, trusted CMS – Among the more than 600,000 sites that use Drupal as a basis are those of prominent organizations such as Duke Medicine, NASA, NBC, Northwestern Medicine, PBS, University of California San Francisco, University of Michigan Health System, the Weather Channel, the White House, Whole Foods, and Zappos.
  • It receives high marks from business analysts – Forrester Research has named Drupal as the best CMS, while Gartner rates it as one of the strongest systems.
  • It is vendor-neutral – There is support for Drupal from a wide variety of developers and agencies. Often the CMS is attractive to healthcare firms that previously have chosen proprietary, single-vendor solutions.
  • It is highly scalable and adaptable – This system is able to scale with you based on growth or fluctuations. It also has the flexibility to change with you as you expand. Its open application programming interfaces (APIs) allow you to integrate the CMS with outside environments, pulling in data from standard business environments such as ecommerce systems, social networking sites, marketing platforms, and customer relationship management (CRM) solutions. Patient portals, call center programs, syndicated health content, credentialing platforms, and other systems specific to healthcare can also be interconnected with Drupal.
  • It has many active developers – You have access to over 16,000 Drupal modules (equivalent to WP plugins) that can make your development process substantially faster, thanks to the sizable active community of developers. You can also create custom modules for any specific needs or parameters of your organization.

Interoperability: key to HIPAA compliance, natural to Drupal

Drupal is compelling as an enterprise healthcare system because it can be extended; in other words, a Drupal site is not just a Drupal site. You can use it as a content distribution network, intranet, or to integrate numerous systems within a single platform.

Proprietary electronic medical record (EMR) systems can have their strengths – in their highly standardized approaches, as well as their ability to organize and store massive amounts of data. The problem with these systems is that they are not built for customization or interoperability.

Costly, single-vendor solutions are not built to interact with other systems, which makes it difficult for them to function in an integrated healthcare delivery setting. There are hundreds of EMR systems currently available, and that becomes a problem when a primary physician wants to send records to a specialist. Lack of interoperability leads to HIPAA noncompliance: the files may be electronic, but since they cannot be moved seamlessly, violations frequently occur when records are instead sent by fax or unencrypted email, or without proper legal authorization.

With Drupal, you can aggregate data from various EMR platforms within a single doctor portal. REST APIs, JSON feeds, XML, and API calls can all be used to tie together multiple systems into a complex yet coherent whole.

Using a RESTful API to connect an EMR to Drupal pulls information out of data silos. Integration does away with those silos so that medicine can take a more preventive, rather than purely diagnostic, focus.

By assigning users different roles with permission controls, you can manage access to the platform securely. Each role carries its own set of privileges, so you can give each user the appropriate access to your data, which is stored within secure HIPAA hosting behind a managed firewall.
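The two ideas above, aggregating patient data from several EMR feeds into one portal and then gating what each role may see, as an added example that is not code from the original post or from Drupal itself. It is plain Python rather than a Drupal PHP module; the two feed payloads, the field names, the role names and the user names are all constructed for illustration, and the role-to-field map stands in for the roles and permissions a Drupal site would configure. Fields are granted by allowlist, so a field that no role names (the SSN in the constructed data) is never returned, and every successful read is appended to an access log.

```python
"""Aggregate records from two constructed EMR feeds (one JSON, one XML) into a
common schema, then return only the fields a caller's role is allowed to see."""
import json
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for untrusted feeds
from datetime import datetime, timezone

# Constructed sample responses standing in for two EMR systems' REST feeds.
EMR_A_JSON = json.dumps([
    {"mrn": "1001", "full_name": "Pat Example", "dob": "1980-04-02",
     "problems": ["hypertension"], "ssn": "000-00-0001"},
    {"mrn": "1002", "full_name": "Sam Sample", "dob": "1975-11-30",
     "problems": ["type 2 diabetes"], "insurance": "INS-100"},
])
EMR_B_XML = """<patients>
  <patient id="7">
    <name>Lee Placeholder</name><birth>1990-01-15</birth>
    <dx>asthma</dx><dx>allergic rhinitis</dx><insurance>INS-555</insurance>
  </patient>
</patients>"""


def normalize_a(payload: str) -> list:
    """Map EMR A's JSON field names onto the portal's common schema."""
    out = []
    for row in json.loads(payload):
        out.append({
            "patient_id": f"emr_a:{row['mrn']}",   # source-qualified so ids never collide
            "source": "emr_a",
            "name": row["full_name"],
            "dob": row["dob"],
            "diagnoses": list(row.get("problems", [])),
            "insurance_id": row.get("insurance"),
            "ssn": row.get("ssn"),
        })
    return out


def normalize_b(payload: str) -> list:
    """Map EMR B's XML elements onto the same common schema."""
    out = []
    for p in ET.fromstring(payload).findall("patient"):
        out.append({
            "patient_id": f"emr_b:{p.get('id')}",
            "source": "emr_b",
            "name": p.findtext("name"),
            "dob": p.findtext("birth"),
            "diagnoses": [d.text for d in p.findall("dx")],
            "insurance_id": p.findtext("insurance"),
            "ssn": None,
        })
    return out


def aggregate(*feeds) -> dict:
    """Merge normalized feeds into one portal index keyed by patient_id."""
    records = {}
    for feed in feeds:
        for rec in feed:
            records[rec["patient_id"]] = rec
    return records


# Hypothetical roles: each lists the ONLY fields it may read (allowlist).
# Nothing grants "ssn", so it is never returned to anyone through this path.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "source", "name", "dob"},
    "billing":    {"patient_id", "source", "name", "insurance_id"},
    "clinician":  {"patient_id", "source", "name", "dob", "diagnoses"},
}

ACCESS_LOG = []  # audit trail: who read which patient's record, and which fields


def view_record(records: dict, patient_id: str, role: str, user: str) -> dict:
    """Return the subset of a record the role may see; deny unknown roles."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"role {role!r} has no access to patient records")
    if patient_id not in records:
        raise KeyError(patient_id)
    allowed = ROLE_FIELDS[role]
    view = {k: v for k, v in records[patient_id].items() if k in allowed}
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role,
        "patient_id": patient_id, "fields": sorted(view),
    })
    return view


def build_portal() -> dict:
    """Pull both constructed feeds into a single doctor-portal index."""
    return aggregate(normalize_a(EMR_A_JSON), normalize_b(EMR_B_XML))


if __name__ == "__main__":
    portal = build_portal()
    print(view_record(portal, "emr_b:7", "clinician", "dr_demo"))
    print(ACCESS_LOG[-1])
```

The filtering happens on the server side, before any record leaves the application, which is what the roles-and-permissions layer in a CMS is for; a denylist that strips known-sensitive fields would have missed any field a new EMR feed introduces, whereas the allowlist above only ever releases what a role was explicitly granted.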

Your HIPAA-compliant Drupal system

Using Drupal for your healthcare website can work well, as described above. However, a key concern is that the hosting provider you choose has infrastructure in place that maintains the privacy and security of your protected health information. At Atlantic.Net, our HIPAA-compliant hosting is not only HIPAA & HITECH audited but also SSAE 18 SOC 1 & SOC 2 (formerly SSAE 16) certified, showing that we meet the rigorous security standards of both the healthcare and accounting fields. See our HIPAA Compliant Hosting Solutions.
