WordPress is a widely used website creation application powering about 38% of all websites on the Internet today. WordPress achieved mainstream popularity because of its ease of use, allowing almost anyone to create detailed and professional-looking websites with a few clicks.
WordPress is particularly popular with small-to-medium-sized businesses, web developers, graphic designers, and personal bloggers. However, it is also used by large organizations such as BBC America, Sony Music, and Microsoft News.
WordPress sites that include Protected Health Information (PHI), as with any website handling PHI, must adhere to the administrative, physical, and technical safeguards of HIPAA to ensure the confidentiality of data uploaded or made available through the website.
HIPAA-Compliant Design Rules for WordPress
The following three-step HIPAA-compliant framework facilitates the development of a WordPress site that can handle PHI:
HIPAA compliance built into the website design process
Server hardening to meet the technical requirements of HIPAA
HIPAA-compliant WordPress hosting
HIPAA compliance must drive the website design plan; the design must meet HIPAA’s minimum security and privacy standards to ensure the confidentiality, integrity, and availability of PHI. At a minimum, the design should include:
Access controls to prevent unauthorized access to PHI
Access controls to the WordPress administration control panel
Audit controls to log all access to the site
Audit controls to log any activity on the site that involves ePHI
Integrity controls to prevent PHI from being altered by unauthorized users
Transmission security controls to protect PHI uploads (encrypted in transit)
Encrypt PHI stored on the web server (encrypted at rest)
Server Hardening to Meet the Technical Requirements of HIPAA
Here are some practical ways to protect your WordPress server from common vulnerabilities and threats:
Update WordPress and PHP regularly
Update the operating system monthly
Only use very strong passwords and never reuse passwords
Only use SFTP (encrypted file transfer) to move files to and from the web server
Tighten file permissions so that application files cannot be modified by the web server account or other unprivileged users
Ensure no system services or applications run as the root user
Restrict database user privileges and restrict which hosts may connect to the database
Secure WP-Admin with multi-factor authentication (MFA)
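As an added example (not part of the original article), the following shell script audits a WordPress document root against the file-permission and WP-Admin items in the list above. It assumes GNU find with `-perm /octal` and relies on the standard WordPress constants DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN; the sample docroot it builds is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: an offline audit of a WordPress
# document root against the permission and WP-Admin hardening items in the list
# above. Assumes GNU find (-perm /octal) and that the caller passes the docroot.

# Files writable by group/others (mode bits 022) and directories writable by
# others (002); the target is files 0644 and directories 0755 or stricter.
wp_perm_findings() {
    local root="$1" n
    n=$({ find "$root" -type f -perm /022; find "$root" -type d -perm /002; } | wc -l)
    echo $((n))
}

# wp-config.php holds DB credentials: it must not be world-readable and should
# set DISALLOW_FILE_EDIT (no in-dashboard theme/plugin editor) and
# FORCE_SSL_ADMIN (WP-Admin only over TLS). Both are standard WordPress constants.
wp_config_findings() {
    local cfg="$1/wp-config.php" n=0 c
    [ -f "$cfg" ] || { echo 1; return; }                 # missing config is itself a finding
    [ -n "$(find "$cfg" -perm /004)" ] && n=$((n + 1))   # world-readable
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        grep -Eq "define\([[:space:]]*['\"]$c['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
            || n=$((n + 1))
    done
    echo "$n"
}

# Total findings for a docroot; 0 means every checked item passes.
wp_audit() {
    echo $(( $(wp_perm_findings "$1") + $(wp_config_findings "$1") ))
}

# Constructed sample docroot (not a real site) with four deliberate findings.
demo_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"; chmod 0755 "$d" "$d/wp-content"
    printf '<?php\n' > "$d/index.php"; chmod 0644 "$d/index.php"
    printf "<?php\ndefine( 'FORCE_SSL_ADMIN', true );\n" > "$d/wp-config.php"
    chmod 0644 "$d/wp-config.php"                 # world-readable + no DISALLOW_FILE_EDIT: 2
    chmod 0777 "$d/wp-content/uploads"            # world-writable directory: 1
    printf 'x\n' > "$d/wp-content/debug.log"; chmod 0664 "$d/wp-content/debug.log"  # group-writable: 1
    echo "$d"
}

# Run the audit against the constructed tree, then clean up.
site=$(demo_tree)
echo "findings in $site: $(wp_audit "$site")"   # prints 4
rm -rf "$site"
```

Point the functions at a real docroot (for example `wp_audit /var/www/html`) to list how many of these checklist items still need attention; each function can also be called on its own to narrow down which one.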
HIPAA-Compliant WordPress Hosting
A HIPAA-compliant hosting company provides an infrastructure built around the fundamental safeguards needed for compliance. Make sure you choose a hosting provider that can:
Implement physical security controls to prevent unauthorized physical access to the webserver
Offer a fully managed firewall or Web Application Firewall (WAF)
Provide an encrypted VPN
Provide encrypted data backups to protect PHI
Provide a disaster recovery solution to ensure that PHI remains continuously available
Provide forensic-level logging of all activity on the host server (in addition to WordPress-layer logging)
Provide log monitoring and alerting
Monitor file changes using an intrusion prevention service
Ready to get started with setting up a HIPAA-Compliant WordPress Site? Choose Atlantic.Net for a one-click WordPress installation that will set you well on your way to a HIPAA-Compliant WordPress Website – get started today!
Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!