WordPress for HIPAA and ePHI? Is that a good idea?

February 12th, 2013
For a deep dive, see our white paper: Securing WordPress

WordPress is an extremely popular content management system for both blogging and creating web sites.  It’s popular because it is quick to set up, easy to administer, has a very large supported base of add-ons, and looks good.  As a result, many LuxSci customers use WordPress in one fashion or another for their web sites hosted at LuxSci.

As we cater to a large segment of customers who have specific compliance needs, e.g. HIPAA compliance, we are frequently asked about using WordPress with ePHI … e.g. using WordPress to provide access to protected health information for members of the WordPress site.

Can this be compliant?  Is it a good idea?

What do you need for a HIPAA Compliant WordPress site?

First, you need to host your WordPress site with a hosting provider that provides HIPAA compliance and who will sign your HIPAA Business Associate Agreement.  This means that HIPAA WordPress hosting at places like wordpress.com and GoDaddy is immediately ruled out.

Next, you need to ensure that your WordPress site meets HIPAA requirements and any requirements of your hosting provider.  This includes:

  • An SSL certificate and dedicated IP address for your web site so that traffic to/from it can be encrypted in transit.
  • Ensuring that your WordPress site cannot be accessed without SSL (e.g. by using LuxSci’s feature where you can have SSL-protected content separate from insecure content).
  • Ensuring that ePHI is never publicly available; users must log in to access that content.
  • Ensuring that users with access to ePHI are properly granted and revoked access by your HIPAA administrators.  E.g. it should not be possible for someone to sign up and get access without explicit review.
  • Ensuring that users have access to only the ePHI they need and should have access to.
  • Ensuring that all WordPress logins are monitored and are logged.
  • Keeping your WordPress and all “add-on” software up-to-date.
  • Using plugins like “Duo Security” to add 2-factor authentication to your site.
  • Ensuring that there are good backups of your site and its content.
  • Ensuring that WordPress automatically logs users off after a period of inactivity.
  • Logging access to ePHI, if possible.
  • Reviewing your procedures and users periodically.
  • Ensuring that WordPress does not cache copies of ePHI pages insecurely on disk, especially if you are in a shared environment.  WordPress content is normally stored in a database, but if it is cached insecurely on disk that will weaken security and, in a shared environment, could provide access to unauthorized persons.

There are many more procedural things that you must do and that your provider must do that are described here.

So, can these things all be done with WordPress?

Many of these things are doable, however:

  1. Not caching ePHI-laden pages.  Some WordPress caching add-ins cache pages to the database.  Others save pages to disk.  Furthermore, you can sometimes control which pages are cached and which are not.  Being forced to do that on a post-by-post basis is, however, a recipe for accidental breach.  By default, WordPress is probably not caching your site … unless that has been pre-configured or set up for you.  This should be reviewed by your WordPress admin.
  2. User auditing and access control.  You can make your ePHI-laden pages accessible only to logged-in users by using plugins like “User Specific Content”.  You do have to specify on a per-post basis exactly who should have access.  You can also use the User Tracker plugin to see what people are viewing and doing when logged in.  These two plugins give you fine-grained control over access and auditing.
  3. Backups.  Even if your hosting provider makes automatic backups of your site, you should make your own backups “just in case”.  You can back up your MySQL database directly and/or use WordPress’ backup and restore features.
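As an added illustration (not LuxSci's code and not part of WordPress or any plugin named here) of how several items from the requirements list and points 1 and 2 above can be enforced in one small must-use plugin; the post meta key `_contains_ephi`, the capability `read_ephi` and the 15-minute limit are assumptions chosen for the example:

```php
<?php
/*
 * Plugin Name: ePHI Guard (illustrative example, not LuxSci's or WordPress's code)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Assumptions: ePHI posts carry the post meta "_contains_ephi" = "1", and
 * authorised users hold the custom capability "read_ephi".
 */

// 1. Refuse plain HTTP: send every request to its HTTPS equivalent.
add_action( 'template_redirect', function () {
    if ( ! is_ssl() ) {
        wp_safe_redirect( home_url( $_SERVER['REQUEST_URI'], 'https' ), 301 );
        exit;
    }
}, 1 );

// 2. Gate ePHI pages: require login and capability, block caching, log the access.
add_action( 'template_redirect', function () {
    $post_id = get_queried_object_id();
    if ( ! is_singular() || get_post_meta( $post_id, '_contains_ephi', true ) !== '1' ) {
        return; // ordinary public content, nothing to do
    }
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // sends the visitor to wp-login.php and exits
    }
    $ip = $_SERVER['REMOTE_ADDR'];
    if ( ! current_user_can( 'read_ephi' ) ) {
        error_log( sprintf( 'ePHI DENIED user=%d post=%d ip=%s', get_current_user_id(), $post_id, $ip ) );
        wp_die( 'You are not authorised to view this content.', 'Forbidden', array( 'response' => 403 ) );
    }
    nocache_headers();                     // Cache-Control/Pragma/Expires for browsers and proxies
    if ( ! defined( 'DONOTCACHEPAGE' ) ) { // honoured by WP Super Cache, W3 Total Cache and others
        define( 'DONOTCACHEPAGE', true );
    }
    error_log( sprintf( 'ePHI VIEW user=%d post=%d ip=%s', get_current_user_id(), $post_id, $ip ) );
}, 2 );

// 3. Record successful and failed logins so sign-ins can be reviewed later.
add_action( 'wp_login', function ( $user_login ) {
    error_log( sprintf( 'LOGIN ok user=%s ip=%s', $user_login, $_SERVER['REMOTE_ADDR'] ) );
} );
add_action( 'wp_login_failed', function ( $user_login ) {
    error_log( sprintf( 'LOGIN failed user=%s ip=%s', $user_login, $_SERVER['REMOTE_ADDR'] ) );
} );

// 4. Cap the login cookie at 15 minutes regardless of "Remember Me". This is an
//    absolute lifetime, not a true idle timeout; use a session plugin for the latter.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return 15 * MINUTE_IN_SECONDS;
}, 10, 3 );
```

This guards only single post and page views; excerpts of ePHI posts in archives, search results and RSS feeds still have to be excluded from those queries, which is part of what the access-control plugins mentioned above do for you.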

So, yes, these things can be done and with other plugins, you can further enhance WordPress security.  E.g.

However, is this a good idea?

Ok, so you can get a HIPAA-compliant web host (like LuxSci.com) and you can set up WordPress with SSL, lock it down and set up plugins to do the needful auditing and access control.  Great.  Is this a good idea?

While it does allow you to get up and running quickly, we would advise you to be very careful:

  • WordPress has had security issues in the past and is constantly being updated … fixing problems, and adding new problems.  A bug in WordPress or any of the plugins that you are using could leave you in non-compliance, or worse, in breach.
  • WordPress and its plugins are not responsible for any bugs or problems … only you are.  If you do not fully understand the security implications of using this or that software, plugin, or setting, then you could be setting yourself up for problems. WordPress’ ease-of-setup can make you think that you are all set when you are not.
  • If you are using WordPress for a HIPAA-compliant site, we would highly recommend that you have a WordPress expert developer who is familiar with HIPAA review all of your plugins and settings and your policies for assigning users and access.  You might be surprised.
  • WordPress and its plugins are updated constantly, so you must keep the latest versions installed.  If you put your site up and leave it there to rot (e.g. never update anything) you will have problems at some point.
  • Review who is writing the plugins that you are using.  You have no contract with them and have done no reviews of their code. How do you know that it does what it says … and only what it says?
  • If you are restricting access to a specific set of users, consider additional non-WordPress security measures such as:
    • Locking down access to the site by IP address
    • Using a dedicated server instead of a shared web host
    • Encrypting the MySQL database used by your WordPress instance

So, it comes down to “use at your own risk” … like any choice of web site content management software that you are using from a third party.   Remember, it may be advantageous to have a custom simple site developed for you rather than rely on WordPress. In this case you would have full control over what is happening and you can choose a developer who knows security and you can have a strong contract with that developer.  The price of that is much less than the price of a HIPAA violation.
