HIPAA-Compliant Web Sites: Requirements and Best Practices
It is not easy to create a HIPAA-compliant web site and webmasters often ask us for clarification on best practices when it comes to HIPAA compliance.
We have previously discussed what makes a web page secure and also what makes a web site HIPAA-compliant, but it seems that an explainer on what you should and should not do with web sites in shared and dedicated environments would be useful to many.
HIPAA-Compliant web sites on a shared server – really?
Using a dedicated server for any web site that deals with ePHI is highly recommended for the clear security advantages. However, we do allow HIPAA-compliant web sites on LuxSci’s shared web servers provided they are designed properly.
What is the danger on a shared web server?
A shared web server is inherently less secure than a dedicated server because many independent site administrators have access to the same server. If there is ePHI on the server, it must be protected against:
1. Unauthorized access by another customer administrator.
2. A hacking attempt into an unrelated web site on the shared server.
3. Unauthorized access by someone hacking the web server itself.
4. Security issues with your web site, users, and administrators.
With a dedicated server, there is no issue with #1 or #2 – you just have to secure your own web site and access properly and let LuxSci handle #3. On a shared server, you can’t control other people’s stupidity or negligence.
On a shared web server, ePHI could be stored in files and/or in a database.
Database-stored ePHI is relatively safe from unauthorized access. Make sure that the username and password for that database are not stored anywhere on the shared server where someone with unauthorized access to your files could read them, in case the server itself is compromised.
File-stored ePHI is more vulnerable. If those files are unencrypted, have improperly set permissions, or they are stored in a poor location, then there is the potential for unauthorized access. Even if you are careful to use permissions and file ownership to isolate access to your files from other customers, it only takes one mistake or bug to break that system. Any system-level compromise of the server would leave all of these files exposed.
What are the HIPAA requirements on a shared web server?
For these reasons, LuxSci only permits ePHI on shared web hosting servers if (as documented in our HIPAA Account Restrictions Agreement for HIPAA customers):
- The data is stored in encrypted files and the password and keys needed to decrypt those files are not also “right there,” or
- The data is stored in a database and the credentials to access that database are protected so that others on the same server cannot gain access to them.
It is not enough to just:
- Use careful file permissions
- Put the data in a web site password-protected directory
- Use obfuscation in file and/or directory names
Furthermore, great care must be taken to ensure that, should someone gain access to the raw files or scripts in your web site, they could not obtain the password to your ePHI-containing database or the means to decrypt the encrypted files.
What about in a dedicated server environment?
Even though using a dedicated server does eliminate a lot of risk, there is no reason to be lax. In a dedicated environment, we permit storage of ePHI in unencrypted files (only the customer and LuxSci staff have access). However, ePHI should be secured to the maximum extent possible in every case.
HIPAA-Compliant Web Site Recommendations
We highly recommend dedicated solutions. The price tag is not high anymore, starting just over $200/mo. The significantly increased security afforded by a dedicated solution is very important for HIPAA-compliant web sites.
If you must use a web site on a shared server for ePHI, you have some work to do. We recommend doing some or all of the following:
- Ensure that your web site is secured with an SSL certificate so all traffic to and from your site is encrypted.
- Use PGP or S/MIME to encrypt and decrypt any files containing ePHI that will be stored on disk. Do not store the password to the PGP or S/MIME key in your web site anywhere. Force your web site visitor to enter the password and use cookies to preserve that password from page to page. This separation of the password from your encrypted data and keys ensures security in the event that your data is compromised.
- Ensure that any ePHI-containing files are owned and accessible only by your user and are stored outside of your web site’s document root.
  - This ensures they are not accessible via a web link.
  - Proper ownership and restricted permissions further restrict access to the files to just your own account.
- If you store ePHI in a MySQL database, ensure that the password to that database is not stored in your site. Require the web site visitor to enter it so that the password is separated from the data. Better yet, encrypt the data using PGP or S/MIME before saving it in the database.
- What about CMS web sites, like WordPress, that require you to put the database credentials in a plain text file in the web site? This is risky and we recommend that customers with these kinds of sites use dedicated servers or the “Trick” discussed below.
- Use a MySQL database to log all user access to any ePHI. Keeping an audit trail of access is important for HIPAA.
- Ensure that ePHI is only accessed by individuals who are “logged in” to your site. That way you know who is accessing information and have verified their identities with passwords.
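The file-placement rule above (outside the document root, owner-only permissions) is easy to state and easy to get wrong at deploy time. The following Go program is an added example, not code from LuxSci or from this page: it checks a file against both rules and is meant to be run before (or as part of) a deployment. It assumes a POSIX permission model; the function names are hypothetical, and checking that the owner is the correct account is left to the deploy process.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CheckEPHIFile enforces the two placement rules for a file holding ePHI:
// it must sit outside the web document root, so no URL can reach it, and its
// permission bits must grant nothing to group or other (owner-only access).
// Ownership by the right account is assumed to be verified by the deploy
// process; this function looks only at location and mode.
func CheckEPHIFile(path, docRoot string) error {
	absPath, err := filepath.Abs(path)
	if err != nil {
		return err
	}
	absRoot, err := filepath.Abs(docRoot)
	if err != nil {
		return err
	}
	// Resolve symlinks so a link from inside the document root cannot hide
	// a file that is technically outside it (or the reverse).
	if real, err := filepath.EvalSymlinks(absPath); err == nil {
		absPath = real
	}
	if real, err := filepath.EvalSymlinks(absRoot); err == nil {
		absRoot = real
	}
	if insideDir(absRoot, absPath) {
		return fmt.Errorf("%s is inside the document root %s", absPath, absRoot)
	}
	info, err := os.Stat(absPath)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", absPath)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; group/other bits must be clear", absPath, perm)
	}
	return nil
}

// insideDir reports whether path is dir itself or a descendant of it.
func insideDir(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	if len(os.Args) < 3 {
		fmt.Println("usage: check DOCROOT FILE...")
		return
	}
	for _, p := range os.Args[2:] {
		if err := CheckEPHIFile(p, os.Args[1]); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("ok:", p)
		}
	}
}
```

A file that passes this check can still be read by anyone who compromises the server itself, which is exactly why the shared-server rules above require encryption on top of placement and permissions.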
Complex Passwords
If you are using a CMS like we mentioned above, consider using this trick to protect your data. It allows you to maintain separate user passwords, all of which grant access to the same encrypted files, without leaving the password to decrypt those files in your site.
This method adds a little complexity to your site design, but increases security and adds a lot of usability.
- Define a single complex password [CP] that will be used for encrypting all content (or which will be used for accessing a database).
- For each user of your site, encrypt the CP and save it in a small file. Use that user’s own web site access password as the password to decrypt their own version of the encrypted CP.
- When a user logs in to your site successfully, you can use the user’s submitted password to decrypt the CP. You will then have the password that can be used to unlock any of the ePHI files, or connect to the database, that the user needs.
- This trick can be expanded to give selected users access to specific files, and can be extended via cookies, hashes, and other techniques to provide session-length persistence of the decryption information needed.
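The steps above, and the earlier recommendation to keep the decryption password out of the site entirely, amount to a key-wrapping scheme: one site-wide secret, wrapped once per user under that user’s own login password. The Go program below is an added example that is not LuxSci’s code or anything from this page. It stands in AES-256-GCM for the PGP or S/MIME encryption the page recommends, writes out PBKDF2-HMAC-SHA256 so that only the standard library is needed, and uses constructed passwords, salts and record contents; the function names, the `WrappedCP` layout and the iteration count are all assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIterations = 30000 // constructed work factor; use far more in production

// kdf is PBKDF2-HMAC-SHA256 (RFC 8018) limited to one 32-byte output block,
// exactly an AES-256 key; written out here to stay standard-library only.
func kdf(secret, salt []byte) []byte {
	prf := hmac.New(sha256.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < kdfIterations; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range t {
			t[i] ^= u[i]
		}
	}
	return t
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; unseal
// reverses it and fails if the key is wrong or the blob was altered.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WrappedCP is the small per-user file: the site-wide CP sealed under a key
// derived from that user's own login password, plus the salt for that key.
type WrappedCP struct{ Salt, Blob []byte }

// EnrollUser creates a user's wrapped copy of cp; the result is safe on disk.
func EnrollUser(userPassword string, cp []byte) (WrappedCP, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return WrappedCP{}, err
	}
	blob, err := seal(kdf([]byte(userPassword), salt), cp)
	return WrappedCP{salt, blob}, err
}

// UnlockCP runs at login: the submitted password unwraps the CP, which is
// then held only in memory and never written into the site.
func UnlockCP(userPassword string, w WrappedCP) ([]byte, error) {
	cp, err := unseal(kdf([]byte(userPassword), w.Salt), w.Blob)
	if err != nil {
		return nil, fmt.Errorf("login failed: wrong password or damaged wrapper")
	}
	return cp, nil
}

// RecordKey turns the unlocked CP into the key that seals the ePHI records;
// siteSalt is a fixed, non-secret value stored with the site.
func RecordKey(cp, siteSalt []byte) []byte { return kdf(cp, siteSalt) }

func main() {
	cp, siteSalt := []byte("constructed-site-wide-complex-password"), []byte("constructed-site-salt")
	record, _ := seal(RecordKey(cp, siteSalt), []byte("constructed ePHI record"))
	alice, _ := EnrollUser("alice-login-pw", cp)
	unlocked, err := UnlockCP("alice-login-pw", alice) // login with the user's own password
	plain, _ := unseal(RecordKey(unlocked, siteSalt), record)
	fmt.Printf("decrypted: %q (login err=%v)\n", plain, err)
}
```

Nothing written to disk (the wrappers, the site salt, the sealed records) is enough on its own to recover the ePHI; a user’s login password unlocks only that user’s wrapper, and GCM authentication means a wrong password or a tampered file is reported as a failure rather than decrypting to garbage. Revoking a user is deleting that user’s wrapper; rotating the CP means re-wrapping it for every remaining user and re-sealing the records.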
If this all sounds like gibberish to you, that is because it is very technical. Running any HIPAA-compliant web site will require significant technical skill to implement all of the security, privacy, and auditing features needed to avoid a breach.
You should seek a developer well-versed in security and HIPAA compliance to implement your web site. We recommend against using someone who is learning security as they go along or who has not developed similar sites before – that is a recipe for future trouble. Do not be lazy and set up WordPress with some plugins with SSL and assume your site is secure and compliant. If you “assume,” then you are not performing your HIPAA risk analysis properly.
Will my web site be “HIPAA Certified”?
Neither LuxSci nor any other web hosting provider offering HIPAA compliant services will certify that your web site itself is HIPAA compliant. At least, not unless:
- They developed the site themselves and are in full control of all of its content and scripting going forward, or
- They spend hours reviewing your site scripts, design, and implementation. This would be an expensive, paid audit and would be invalidated as soon as you changed anything.
LuxSci does offer HIPAA compliance certification seals for email services and secure web form services, but not for web sites. And there are good reasons for this:
- LuxSci is not in control of the content of your site or the workings of the scripts that run it.
- LuxSci is not auditing every change you make to your web site.
  - For example, a web designer could update the front page of the site and paste in ePHI. No one can stop that except for the web designer and your company procedures.
It is up to the customer to implement their web site in a compliant manner, as outlined and agreed to in our HIPAA Account Restrictions Agreement. LuxSci is responsible for providing a HIPAA-compliant environment for you to operate in. LuxSci will:
- Provide a Business Associate Agreement.
- Monitor the server environment 24/7/365 for security threats.
- Ensure that HIPAA-compliant backups are made and are available to restore.
- Ensure that the right tools are available to implement security: E.g. SSL, PHP, Databases, Password protection, etc.
We bring the environment; you make the site and ensure it is compliant. If you are unsure how to create a HIPAA-compliant web site yourself, please find someone who does – or find some other way to achieve your goals. There is no magic switch that can be flipped to make a web site always compliant – other than turning off the web site!