Every website needs security. What website security questions should you be asking about your business websites and who should you be asking? Website security can be an open hole in your HIPAA security plans. It can also be the source of many problems for your business if you don’t pay attention to the site content to be sure you are securing your message.
Today, we are discussing the kinds of things you should worry about concerning security for your business website, and how to look after it properly, even if you aren’t a technical person. Understand the website security questions you need to ask now, especially if you have HIPAA data involved on your website, by listening to this episode of Help Me With HIPAA.
Website Security Questions
A few reasons we are covering this topic:
1- The Panama Papers breach appears to be due to a bunch of outdated software used on several sites by the big-name law firm helping all those folks hide their money.
2- I got an email this week from our marketing firm, bbr marketing – shout out to them. Fortunately for their other clients we are also one of their clients. They develop websites for their marketing clients. One of their clients just happened to mention something about being able to “communicate with patients without worrying about HIPAA laws” on the site.
Website security should be an element of your HIPAA Risk Analysis even if you only use your site for information and not to collect or store patient information. Why?
- Your reputation can be impacted if your site is hacked.
- Your site could be set up to distribute malware or ransomware to anyone that happens to visit it.
- Your other systems could potentially be accessed through a hack on your website, using it as a gateway. (Do you have a link to your patient or client portal embedded?)
- You may be storing information on a website that is not HIPAA-secure because you didn’t ask the website designers to address it and they have no clue.
- Do you even know how your patient portal is secured, no matter who hosts it? You should have at least asked.
What should you be asking about the software?
WordPress, Joomla, Drupal, Apache, MySQL, etc.
What should you be asking about the host?
Shared hosting, a VPS, data center servers, or local servers?
What about the data that is captured?
Where is it stored, who has access, does it get backed up securely, and is it encrypted?
What users and password controls do you have in place?
“Admin” should not be a user and “password” should not be your password. Database passwords shouldn’t be simple ones either.
What intrusion prevention is in place?
Is the site constantly pounded by Russian traffic?
Examples of web security going awry:
- An oral surgeon getting the call on a Saturday night about his site having registration information publicly indexed.
- A client whose site suddenly started directing you to “pharmacy sites” when you Googled their name.
- Another client site went down and the web designers couldn’t “fix it” for months.
- Another client had their website hacked. Changes were made to their pages that used SEO to create fake traffic for others. You couldn’t even figure out who was going to their site.
- Vetting a new web designer without asking about security.
- An old designer wouldn’t give a client the admin login to their domain.
- A different client couldn’t get the login to their site to manage it themselves.