Technical Safeguards for Your HIPAA-Compliant WordPress Site


HIPAA compliance is essential to any company dealing in Protected Health Information (PHI) or its digital equivalent, electronic PHI (ePHI). HIPAA violations have been coming in all shapes and sizes since the Health Insurance Portability and Accountability Act of 1996 was passed.

There are quite literally hundreds of different ways that companies can violate HIPAA rules, which makes the storing and processing of ePHI a precarious business given how much disruptive behaviour takes place in the digital realm.

WordPress is the most popular CMS in the world, with about one-third of all websites using it as their infrastructure. For companies that fall under HIPAA’s jurisdiction, this can be a major headache, as WordPress out of the box is not equipped to be HIPAA-compliant. This is not to say it cannot become so, but there is no ready-made solution from WordPress’s developers.

Even the CMS’s commercial-grade paid offering does not match up to the stringent conditions set out by HIPAA when it comes to patient rights and data responsibility. If your company needs HIPAA-compliant WordPress hosting, there are several safeguards that must be in place. These components aren’t just important because they keep your business from being fined or suspended for a lack of compliance; they are essential building blocks that keep your website and its private information safe from leaks and criminal attacks. Here’s a look at five of the essentials:


Encrypted Virtual Private Network (VPN):

If your network is not safe, nothing that travels on it will be either. A VPN goes several steps beyond a proxy server by incorporating strong encryption and other security features to ensure that whatever information traverses your network cannot be read or tampered with in transit.

A VPN works by creating an encrypted ‘tunnel’ between your computer(s) and a remote server, often located in a different city, state, or country. When your computer makes requests to a website or uploads or downloads information, the VPN first encrypts the information before transmitting it to the remote server.

There, the traffic is given a new IP address based on the remote server’s location before being sent on to the Internet. The same process happens in reverse when information enters the network. This greatly reduces the chances of an outside party gaining entrance to your website via its network.


Encrypted Backup System:

The best security system is only as good as its backup. When something crashes, a natural disaster occurs, or you get hacked, you depend on that backup, so backup systems have to be religiously maintained: systematically updated on a fixed schedule, guarded by their own security controls, and regularly audited to ensure that the backup is not suffering from any corruption or infiltration of its own.


Fully-Managed Firewall:

For every mastermind criminal ring exploiting weaknesses to expose millions of data records from a corporate giant, there are hundreds, perhaps even thousands, of low-end bots, viruses, worms, and hackers pinging websites every day looking for security holes to exploit. Firewalls are nothing new – even the simplest new computer has one these days. But that is no longer enough to keep threats out of your system. Fully-managed firewalls combine technology with the human element. Pick a service that has round-the-clock managers on duty to ensure that your firewall is always running smoothly.

Intrusion Detection System:

So many security systems are based on mitigating damage after a hack. Intrusion Detection Systems (IDS) are the next-generation solution that doesn’t just inform you when something is amiss in your system; it uses algorithmic decision making to deploy the appropriate response to neutralize intruders before they can make trouble. A good IDS will also file every intruder it detects into a living database of threats so it can be on the lookout for them in the future and negate them as quickly as they appear.

Dedicated Log Management System:

Just as important as catching intruders in your system is understanding how they were able to gain entrance. And it’s not just those on the outside looking in that we have to worry about when it comes to security risks that can affect a company’s HIPAA compliance. Accidents happen all the time, and misinformed decisions with no malice behind them can have dire consequences if left unnoticed.

Having a dedicated log management system not only lets you analyze any security breakdowns after the fact, but it also lets you see where something was attempted or when suspicious behaviour took place. In this way the log management system becomes a living part of how your website’s security evolves over time, keeping pace with evolving threats and keeping your HIPAA compliance up to date.
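To show the kind of "something was attempted" signal a log management system should surface for a WordPress site, here is an added example (not code from the original post) that scans constructed Apache-style access-log lines for bursts of failed logins against wp-login.php. It relies on standard WordPress behaviour: a failed POST to wp-login.php re-serves the form with status 200, while a successful login redirects with 302; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    # Returns a dict of the fields we care about, or None for unparseable lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_login_bursts(log_text, threshold=4, window=timedelta(minutes=5)):
    """Map each source IP that made >= threshold failed wp-login POSTs inside
    `window` to {"failed": n, "success_after": bool}. success_after is True
    when a 302 (successful login) from the same IP follows the burst: the case
    that should be escalated, since a guessing attack appears to have worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == 200:      # form re-served: the attempt failed
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 302:    # redirect to wp-admin: the attempt succeeded
            successes[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over failures
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                flagged[ip] = {"failed": len(burst),
                               "success_after": any(s > burst[-1] for s in successes.get(ip, []))}
                break
    return flagged
```

Running `find_login_bursts(SAMPLE_LOG)` flags only 203.0.113.7, with four failures followed by a success; the lone successful login from 198.51.100.4 is not reported.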



Being HIPAA compliant is of huge importance for any healthcare-related business, but ensuring the aforementioned five safeguards are in place shouldn’t be about making nice with a government agency. Patient information should be treated like rare gems and precious metals, and every possible effort should be made to keep it from getting exposed or stolen.

Regardless of what niche your business falls under in the medical environment, patients are trusting your business with their most personal information. Failure to protect it not only damages patients’ privacy, but the blowback on your company’s name can be crippling to staying in business.

Sanjeev loves everything about WordPress. Always in constant search for new tools and plugins keeps him hungry all the time. He spends his day brainstorming new ideas about new plugins and themes on WPeka and CyberChimps. You can follow him on his personal blog appsreviewhub or Facebook.