Security Monitoring of WordPress and WooCommerce for HIPAA Compliance

Complying with HIPAA (Health Insurance Portability and Accountability Act) is necessary for businesses in the healthcare sector, especially those offering services on an online basis through their eCommerce platforms. HIPAA compliance is basically a strict set of rules protecting the information submitted by clients and customers, when purchasing treatments or services, booking appointments, registering for newsletters, and any other related actions. This information is named “protected health information” (PHI, or ePHI for electronic submissions), and by law needs to be handled securely, retaining the privacy of the person who submitted it. Although healthcare-related eCommerce platforms are usually built with innocent intentions, aiming to serve the public, there are maleficent individuals who could use PHI for purposes other than helping those who submitted it.

This article is focusing on HIPAA security monitoring of eCommerce platforms, preventing ePHI breaches and ensuring HIPAA compliance. HIPAA contains several rules and guidelines protecting against unlawful use of ePHI, and ensuring that a business entity and all its business associates follow them. The two most important rules when it comes to ePHI security, are the HIPAA Security Rule (also known as Security Standards for the Protection of ePHI) and the HIPAA Privacy Rule (also known as Standards for Privacy of Individually Identifiable Health Information).

These two rules offer explanations and guidelines on how precious ePHI should be stored, handled, transmitted, and deleted if requested, including HIPAA technical safeguards, as well as physical and administrative guidelines, and action plans in case of breach. Each healthcare-related business with an eCommerce platform, which takes HIPAA compliance seriously, should be aware of these rules and –ideally– have a team working on ensuring that HIPAA requests are met, resulting in a HIPAA compliant WordPress website.

Websites and eCommerce platforms can be built on various hosting platforms, but WordPress (and WooCommerce) take a big chunk of competition, with just under 30% of websites being hosted using their services. No matter what, you'll want to find a HIPAA-complaint web hosting provider with a good reputation for security.

However, regardless of how easy it is to set up a successful website then proceed with eCommerce through WordPress and WooCommerce, it might not be the safest option. There are legitimate concerns that eCommerce platforms hosted by WordPress for healthcare service provision might be more easily accessible to security breaches than other hosts. This is due to WordPress and WooCommerce not being considered HIPAA compliant, as their business associates are not following the HIPAA compliance requirements. What this means, practically, is that ePHI submitted through WooCommerce might not be secure, or in other words, might be easily accessible to people with different interests in mind.

This is why healthcare practitioners, health insurance companies, healthcare clearinghouses, and anyone else on the healthcare sector who uses WordPress and WooCommerce for their eCommerce, should reinforce the security of their platform. Tools to help towards this direction are using various plugins to monitor for threats and breaches, creating secure backups externally, or bypassing ePHI handling through WooCommerce by integration with other ePHI handling options, among others.

HIPAA Security Monitoring of WooCommerce Platforms

Focusing on HIPAA security monitoring as one of the basic HIPAA compliance requirements for WooCommerce is one of two steps in order to ensure ePHI security. The first is to make sure the passwords used to access the accounts are as strong as they can be, as many hacking attempts start from attacking the password lists. Nowadays there are password generator plugins, which suggest a unique, strong password to new users upon sign-up. If you prefer to create your own passwords, there are some rules to make sure they are strong. Such rules include the use of at least one upper case character, lower case character, digit, and special character, the absence of two identical symbols in a row, and obviously the avoidance of easy to crack words or personal data. In order to increase password safety even more, consider introducing a two-factor authentication log-in procedure.

The second step is to keep updating WordPress and WooCommerce as required, based on the latest available updates. The idea behind updates of apps is that detected issues are solved, operations are strengthened, glitches are fixed, new features are added, and generally, your platform is always using the newest available technology as provided by the host. The same principle applies for the use of plugins and themes, you want to always use the latest version, as it is supposed to protect you more than the older ones. If a plugin or theme has not been updated in a while, has received bad reviews from other users, does not show relevant policies followed by the developers, or in general does not show credibility, it might lead to vulnerabilities and potential data exposure. In that case, you might want to swap it for a similar tool that offers more frequent updates, has better reviews, and overall seems more trustworthy.

Security Monitoring Recommendations

Other than using strong passwords and keeping your eCommerce platform updated, there is some more specific advice to be followed, in order to advance your HIPAA security monitoring practices.

• Limit accessibility to the administrative side of your platform. Each newly developed website comes with a default “admin” account, which if not taken care of with regards to its security, it can lead to vulnerabilities, as such accounts are on the top of the “hit list” of hackers. The best strategy is to create a new account for administrative purposes and delete the default one. Besides the default “admin” account and its privileges, WordPress platforms allow for a few other types of accounts, such as “editors”, “contributors”, or “subscribers”. You should keep the activity allowance of these accounts to a minimum, following the principle of “least privilege”.
• Use security plugins. Given the generally low security of WordPress as a host, it is advisable to use security plugins, in order to assist with proactive security monitoring. There are several plugin options in the market, which can perform general security checks, detect intrusions, test the ease of penetration, audit logging activity (from all accounts, for all reasons), or monitor file integrity. Again, you should make sure to keep all plugins up to date, and keep an eye out for better versions.
• Use a firewall to harden website security even more. On top of all other applied HIPAA technical safeguards for security monitoring, employing the use of a firewall can detect and block hacking attempts before becoming noticeable from plugins, or reaching the platform or the server. This is an added step of security, as it usually operates on the cloud, whereas plugins operate on the server.

How Much does Insecure HIPAA Data Cost?

Sure, HIPAA compliance is not cheap, proven by the high cost figures. However, how much would HIPAA non-compliance cost? Before answering this question, we will elaborate on the “non-compliance” term. Non-compliance can refer to anything from a simple breach, to important data being exposed, or even to not having implemented HIPAA at all. Of course, the monetary answer to each occasion will be different and an exact estimation of a breach cost in each occasion is difficult, but there are some figures available in this literature to give an idea.

There are four tiers of HIPAA violation fines, depending on the importance of the breach, starting from $100 (breach unawareness and absence of control), and moving up to $50,000 (willingly neglect HIPAA rules) per violation, with a maximum cost of up to $1.5. million and several years in prison. Data of 2019 reveal that the average cost of HIPAA data breach was almost $6.5 million, with the average number of patient records breached being just over 25,000. Rumor has it that medical records have triple the worth of financial records in the black market, making healthcare businesses “great” hacking candidates. HIPAA data exposure can be caused by physical causes (stolen storage hardware, office break-in), administrative causes (accidental exposure of ePHI to the wrong patient, unprofessional discussion of ePHI, non-compliance of a business associate), or electronic causes (malware incidents, hacking, breach of electronic heath records).

Malicious data breach attacks are the most common of HIPAA non-compliance cases, accounting for more than half of all incidents. In the case of eCommerce managed by WooCommerce, which has a low security level, electronic data breaches can be highly likable, leading to HIPAA breach fines. Unless actions such as a HIPAA compliant WooCommerce integration, data encryption or tokenization, or others are taken to reinforce the security, you may be at risk.

Despite the hefty fine imposed after HIPAA data exposure, associated costs do not stop there, as there can be a clientele loss suffered due to the incident (which has to be publicized), loss of reputation, and potentially, loss of the business itself. According to a study conducted by IBM, 67% of the total cost due to data breach was realized during the first year after breach, 22% was “felt” during the second year and 11% during the third, with data breaches related to healthcare sector trailing costs for longer.

Clarity Ventures HIPAA Compliance Experts

The first step is to realize where the problem is. The problem of HIPAA eCommerce platforms hosted on WordPress is that your sensitive medical records may not be secure enough, resulting in non-compliance with HIPAA. The aim of HIPAA Privacy and Security rules is to protect patient and provider data from exposure or misuse, and it is a responsibility of the business to comply with them and protect these records and the identity of its clients.