While most plugins are thoroughly tested, not all plugins are safe. This week Adam & Gil talk about the top 3 WordPress plugins for HIPAA compliance. For more info on HIPAA Gauge.
Transcript:
Adam
Hello everyone, and welcome to the HIPAA Vault podcast where we discuss HIPAA compliance for WordPress. My name is Adam Zeineddine and I’m joined by CTO of HIPAA Vault, Gil Vidals. Hey, Gil.
Gil
Hey, Adam. Looking forward to this talk today.
Adam
Yeah, so last week we talked about 2FActor authentication and this week we’re going to talk a little bit about WordPress plugins. Hopefully we can give some tips and tricks to avoid getting hacked. How does that sound?
Gil
That’s always a good thing, especially in this day and age when there’s bad news all around us. When it comes to technology, it’s good to protect yourself and be proactive. So, yeah, I’m looking forward to that.
Adam
Absolutely. So let’s dive into it a little bit about WordPress plugins. So a WordPress plugin, for those listeners that aren’t aware, is a piece of PHP software and it’s designed to add new features and functions to a WordPress site. And while most plugins are thoroughly tested, not all plugins are safe. So the first question, Gil, today is what are the most important security aspects when using plugins for WordPress?
Gil
Could you talk a little bit about sure. I think for a medical practitioner or someone who’s not a technologist per se, but they’re an expert in some field of medicine and they are going to be using WordPress, which is a good choice. The way WordPress works is you have these plugins that extend the functionality of WordPress and they’re very useful. I mean, these plugins are in the tens of thousands, probably hundreds of thousands of plugins. So pretty much anything you want in terms of functionality that WordPress core is lacking. You could just flip on this plugin and some of them are free, some you pay for premium features and so on. But the world’s your oyster. So what do you want to look for? Right, let’s say you need a certain function.
Gil
You go to the WordPress plugin directory, you type in what you’re looking for. Here comes six, seven, eight, maybe a dozen different plugins. That all. Do what you’re looking for. Well, obviously, first, start off by finding the exact functionality you want, make sure it fits what you’re looking for. Secondly, you have your budget. Some of these premium plugins may cost quite a bit, so you may want to evaluate it based on cost. Once you get past that, the next thing you want to really look at is what version is the plugin on? You don’t want to find a plugin that’s on version 0.1, where it was just launched 2 hours ago. You want to find a mature plugin, just like wine ages over time and gets better these plugins are the same thing, right?
Gil
Over time they smash the bugs, they get stronger, they get better. So find a plugin that’s mature. The other thing is, you want to find a plugin that was written in North America and you say, well, why would that make any difference? Well, keep in mind HIPAA regulations really call for a US based regulation. So if you find a plugin that was written by some Eastern European or, you know, there’s all sorts of things in the news you can read about on your own, about how these devices IoT Internet of Things plugins, they have these backdoor methods of getting into data. So you really want to find a US based plugin? That’s my recommendation. So find a version that’s mature. Find one that’s US based, that has support.
Gil
Open up an email, send support at the plugin, whatever email they give you, and just send them a quick email saying, hey, my name is Dr. Joe or Dr. Sally and I’m going to use this plugin and I just want to ask a question. And if you get a response, that’s a good sign. If it’silent you get no response, then probably not going to be very well supported product. You want something that has support on the back end. So those are my recommendations. I say Adam to start with.
Adam
Fantastic. And could you give maybe your top three most useful plugins that you’ve found in your research?
Gil
Sure. There’s a WP 2FA. The WP 2FA is a plugin that we use for our customers that enables multiple factor authentication. So that means that when you go to log into WordPress, whatever functionality your WordPress has, it likely will have a login. And that login would normally be a username, which is usually an email address plus a password. Well, with this plugin it extends the functionality and security of WordPress by requiring a second factor. That second factor is typically an SMS message that goes to your phone at six digits, or it could be an email that you receive that then has the code that you need to type in. Most everyone’s used to this now, right? It’s a standard security practice, so we recommend that. So that’s one, the other one, and.
Adam
Also for listeners and viewers that might not have checked it out yet, we also did a bit more of a deep dive on WP 2FA in episode three, so be sure to check that one out.
Gil
Sure. The other one I wanted to mention would be the IPE security Adam, because that one obfuscates the login. So WordPress out of the box has a WP login or WP admin URL that most technologists good and bad actors know about. So they may try to brute force into your application. Brute force means they know the URL, they know the door to get in, and they start knocking by typing in random usernames passwords. So this item security plugin will help hide that URL so that it’s not so easy to get to. It also has brute force login protection. That means that if it detects someone’s trying to log in too many times and they fail and they try and they fail, that’s what brute force means.
Gil
You’re just trying a bunch of times and so it will thwart that it’ll block them from trying over and over again. That’s the good news. The bad news is, even as a legitimate user, if you forget your password and you keep trying over and over, you could lock yourself out. Now, there’s ways to get back in, of course, but it could block. You have to be careful when you use it, that you ensure that you have your password saved somewhere properly. Hopefully not a Post it note on your desk, but hopefully some password encrypted management system. So anyway, that’s another one we recommend. And the third one, Adam, is our own HIPAA vault, has our own HIPAA gauge, which is a free plugin. And HIPAA Gauge helps the medical practitioner determine if their WordPress site is HIPAA compliant.
Gil
Is it adhering to the compliance standards for HIPAA? And we call it HIPAA Gauge because it has three gauges and each gauge tells you a little bit about compliance. And it’s either red, orange or green. If they’re all in green, then probably you’re HIPAA compliant. If they’re in the red zone, then likely you’ve got problems.
Gil
So those are the three, I think, the item security, WP, 2FA and then our HIPAA Gauge. Those are the three that I think are a good starting point for securing WordPress to make sure that you don’t leave any low hanging fruit for the bad actors out there.
Adam
Well, that’s fantastic, I think. Very useful. Top three plugins by function, WP, 2FA, item security, and HIPAA gauge. Moving on now to our question for the week. Question came in through email from a potential customer of ours, actually. So the question is, I currently have a WordPress site hosted with a non HIPA host, but I am using a paid HIPAA compliant form plugin with a baa. When I switch to manage WordPress with HIPAA Vault. Do I still need to use the paid form plugin to stay HIPAA compliant?
Gil
I think that’s a good question. Let’s just set the stage for the audience so they understand what’s going on here. So if you have a WordPress site that is hosted at some popular web hosting company, not necessarily HIPAA compliant hosting, but it’s there somewhere. And so you have a form that you want, an intake form that you want to use that’s going to have some kind of patient health information, protected health information. So you go out and you find some form that claims to be HIPAA compliant. And so typically what happens is these forms are not hosted where your website is hosted, that single page is hosted somewhere else, right?
Gil
So when someone navigates to your website and they click on the form, they’re actually sent over to some other host and then they fill up the form, it’s protected there, and then after they hit submit, it comes back to the original website, hosted wherever you’re at. So that’s kind of a hybrid solution, because you have only that one form protected with HIPAA compliance and the rest of your site is not. The question is then, well, what happens if you move over to a fully managed HIPAA compliant provider like HIPAA Vault and they’re managing the whole thing? So the short answer is you don’t need to pay extra dollars, you don’t need to pay a premium for a HIPAA compliant form because your entire website is in an environment that is secure and monitored for HIPAA compliance, so you no longer need that form.
Gil
Now, there’s nothing wrong with using the form, I mean, having extra security. And if you already have that form and you like the form and it works well, you just pay a few bucks. Who knows how much those forms are? Probably a few bucks a month. So you just keep paying for that. There’s no requirement that says you need to stop using it or anything like that. It’s just a matter of whether you choose to abandon that form, make a new one that maybe doesn’t have any cost associated with it.
Adam
Great. There you have it. There’s the answer to that question. Very comprehensive. And I think just to add to that, if you have to choose between one or the other think I would go with making the whole website HIPAA compliant rather than just the form because there could be potential for the website getting hacked and then a bad actor tricking people into going to a different page to fill out a form which isn’t HIPAA compliant.
Gil
Yeah, that’s a good example, Adam. If somebody does hack the site, that’s in a standard vanilla hosting provider that doesn’t have the security and the bad actor manipulates the menu so when they click the form that you purchase the one that is compliant, but instead it gets routed to some other form that wouldn’t be good. So I like that example, Adam. Also, I think that in this day and age, with hackers being so aggressive and so prevalent, you really want to put your best foot forward and protect your site, comprehensively the whole site and put your mind at ease. That would be my suggestion, definitely.
Adam
Thank you for that question. If you’d like to send us any other questions that have been on your mind, please send it to podcast@hipaavault.com or you can also tweet us at @hipaahosting. That’s all for this episode. Be sure to like share and subscribe, please. It really helps our channel. And until next time, thanks for stopping by.