WordPress is a popular content management system (CMS) used for managing websites and blogs. It offers great flexibility through plugins, but does not come with security built-in by default. Today, we will explore whether or not WordPress can be trusted in healthcare settings given its popularity ; learn about some common attacks against these types of applications. Today’s question (and we get asked this quite a lot) is:
WordPress doesn’t sign a BAA, or Business Associates Agreement, so how can it be HIPAA compliant?
Transcript:
Adam
Hello, and welcome to the HIPAA Vault podcast, where we discuss HIPAA compliance for WordPress. My name is Adam Zenadine, and I’m joined by our CTO for HIPAA Vault, Gil Vidals Hey, Gil.
Gil
Hey, Adam. Looking forward to this podcast today.
Adam
Yeah, me too. Me too. Last week, we touched on some general considerations for hosting HIPAA data. We looked at encryption at rest, encryption in transit, and in use, which we introduced, as well as asking the host whether or not they have a compliance manager designated to review. So it’s important, we know, to ask the hosting provider about a compliance manager. But today we’re going to talk a little bit about WordPress specifically and the security around it and what things that listeners should take into consideration when it comes to WordPress and security. What I should probably do is first start by introducing WordPress in case any of our listeners are not familiar with it. So WordPress is a content management system also shortened to CMS, and it’s actually the most popular content management system globally. It has a 50% to 60% market share, something like that, and it’s used to essentially develop websites.
It’s very powerful because it has plugins that are like mini apps that sit within it that allow users to create any kind of functionality, pretty much that they want on the website. It’s also got themes that allow you to get started not having to build everything from scratch. It gives you a nice template to start from on your website. And WordPress is also very Google-friendly, so marketers like it for search optimization purposes. That’s just a little bit about WordPress. But I had a question I wanted to review with you today, Gil, from one of our listeners, and you can email us questions at podcast@hipaavault.com. And the question today is with regards to security on WordPress. And the question is, WordPress doesn’t sign a business associate agreement, so how can it be HIPAA compliant? What do you think about that?
Gil
Yeah, that’s a good question, and I want to draw an analogy to answer that question, because to me, analogies, they’re like little stories. They stay in my mind. So I want to draw an analogy between WordPress, let’s say you have some money, some cash in this hand, and WordPress you want to keep secure because you don’t want people hacking into your WordPress site, and stealing your patient records. And then your cash, for obvious reasons, you want to keep that secure. But let’s say your cash, you’re thinking, okay, where do I keep my cash? Some people in the old days keep it under their mattresses. Some people may keep some cash on their bodies, and other people say, “Oh, I don’t want to do any of that”. I want to keep it in a big bank vault downtown. Some of these are more secure than others.
WordPress is similar. You can take WordPress software, which is a community open-source project, and you could take that and say, I’m going to host it at a hosting provider down the street from me. I’m going to host it on my computer in my garage. You could do that. People do that even today. Or you can pick a specialty company that does those kinds of things. A HIPAA-compliant hosting web hosting provider. Now, if you’re hosting it anywhere but in your backyard, you need to sign a business associate agreement. In other words, if you’re going to be partnering with the company that’s going to be hosting your website, they need to sign a business associate agreement. That’s very important. And that document essentially is a marriage between you and that provider. And that it’s a legal marriage where you say, look, we’re both responsible for the data.
If there’s a breach, we’re both responsible. And it avoids the finger-pointing saying, well, I thought he did that and I thought they did that. No, you’re in it together and that’s why it’s such an important document. You want to find a good partner. Just like in marriage, you want to find a good partner that is doing their part in the partnership.
Adam
Right. And I suppose it’s also important to look at the fine print on the Baa because there are different levels of service and agreements that you’re going to have with your quote, unquote hosting provider. Right. So they might be responsible for making sure the server is secure, but are they responsible for things in WordPress itself that could come into it? Are they providing you with WordPress just saying, hey, here’s a username and login, do what you need to do and we’ll cover everything else? Or are they saying, oh, here’s a server, you log into the server and you can install whatever you want on the server. Like what level is that? A business associate, I guess, going to be assisting with the HIPAA compliance for the website.
Gil
Yeah, I think that document is more of a business legal document. It’s not going to get into the valid points you brought up. They are very valid points, but they wouldn’t be in that kind of document. This document is at a much higher level. It’s just basically saying that this Acme company that has a healthcare app and this other company that’s the hosting provider, they’re going to share responsibility, but it doesn’t delineate it like what you’re saying, okay, you do this piece that’s not talked about. It’s just saying that both are responsible. If there were to be a breach, we’re married and we’re both going to be in trouble. Language. So the other part you’re talking about Adam, is more of a technical question or more of the plan that the provider would lay out, say, hey, in our plan you get these features and benefits.
Adam
Okay, great. Yeah. So then that wouldn’t be listed in the business associate agreement necessarily. It would just be important to look out for. Okay, for example, there are a lot of plugins in WordPress who’s going to be responsible for updating the plugins? Because if you don’t update the plugins, then there’s going to be a big security risk, right?
Gil
Yeah. Last week we talked about what questions you ask a hosting provider that’s claiming to be HIPAA compliant provider. And we talked about if you only could ask him one question, I would say, well, do you have a compliance manager that I can speak with? Like what’s his name? I want to talk to the guy. And of course, the reason for that is if they say, we don’t have one or we have one, but he’s never available for you to talk to, then that’s not a good situation for you. But this kind of thing is important too. What you just mentioned, is the plugins, who’s updating the plugins? Is that the responsibility of the healthcare application owner, the one who’s installing the app, or the one who owns the app? Or will a provider participate in that and will they be doing some of the updates? That’s a pretty important point, I would say.
Adam
Yeah.
Gil
And that’s, I think, why last week you and I decided together that the compliance manager was an important component. If you could only ask one question, what would it be? Well, the compliance manager should know all these things and they should know about the plugins and the core and they should make sure all that’s maintained. So that’s why it gives you peace of mind. If there is a compliance manager, it’s their responsibility. So that’s why that would be the single question. But if you’re going to get into the details, which you should do your due diligence, you also want to ask the provider about the plugins and who does them and how often are they updated, and how you find out if there’s a vulnerability in one and how often do you scan the website. So those are all good questions to ask, but again, those are separate from the Vaa and they would be covered more at the technical end of the hosting plan.
Adam
All right, fantastic. Well, I think that’s all for this episode. Be sure to like, subscribe and check out HIPAAVault.com for news and updates. So until next time, thank you for stopping by.