Securing your website is often overlooked in planning discussions and business risk management decisions. Building a website is pretty easy these days, but keep in mind users expect to have a safe online experience too. Just like with social media sites, a lot can go wrong with a forgotten website.
In this episode: Why Does Website Security Matter? – Ep 342
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
HIPAA Say What!?!
[03:35] A new notification requirement for non-HIPAA entities has been announced under the FTC Health Breach Notification Rule. The FTC Rule does not apply to HIPAA covered entities. But if you are a business associate, you could be in a position where the HIPAA rule applies for one client and the FTC rule applies for another. The FTC also released a document outlining which businesses are required to follow the FTC rule and how they should comply with it.
Complying with FTC’s Health Breach Notification Rule | Federal Trade Commission
The Rule applies to entities outside HIPAA, but it covers what would normally be considered PHI. It applies to:
- A vendor of personal health records (PHRs)
- A PHR related entity
- A third party service provider for a vendor of PHRs or a PHR related entity.
Both documents mentioned above are worth the read if your business has anything remotely to do with personal health records. The FTC rule is very much like the HIPAA Breach Notification Rule, but there are some specific differences. And if you are a vendor, you might have to follow both.
Website Security Matters
[11:13] Securing your website is often overlooked in planning discussions and business risk management. Just like we talked about in our 5 Steps Securing Your Social Media – Ep 339 episode, a lot can go wrong with a forgotten website. Without website security, sites can be hacked and defaced, text can be changed, and even sites that collect payments can be altered so that payments go to someone else’s account. This is a big problem in small businesses. Many times businesses have an outside company create and maintain their website. Web designers are not security people. They tend to say that security is the website hosting company’s problem. The hosting company just provides the tools to create a site and a place to store it. There is a big gaping wound here, as David calls it.
Just like there is a difference between IT and cybersecurity, there is a difference between web designing and securing a website.
Most people use WordPress to create sites, but there are other platforms including Drupal, Wix, Squarespace, etc. It’s like everything else, everyone has their opinion on what’s best or what they prefer to use to create a website. But no matter what you use, they all have vulnerabilities. It’s a matter of making sure that you have something in place that can monitor and manage those vulnerabilities. If you just throw a website out there and you’re not paying attention to it, then things can go badly.
[17:18] Remember the Log4j vulnerabilities that were all over the news a short time ago? Well, many websites run on Apache software, and that is a big area where the Log4j vulnerability sits. The HHS 405(d) team has released a few guides to help identify and fix the Log4j issues. So, you want to have your technical people check the impact of this threat and document how they are protecting your site, and anything else you have running on Apache servers.
Log4J Vulnerabilities and the Health Sector
405(d) Situation, Background, Assessment, Recommendation (SBAR) on Log4j
Having a web presence can no longer be thought of as having a little corner of the internet all to yourself. It’s like having a little village with no castle walls built around us. We have to assume that someone will get in and take measures to protect ourselves from outside threats and vulnerabilities in hardware and software platforms we use. Keeping your website tools and software up to date and secure is just as important as keeping your internal network of computers and software up to date.
Don’t assume that your website is secure, and don’t assume it’s okay just because the web developer tells you it’s okay. You want to get a report showing that you are on the latest releases of everything, that it is all up to date, that somebody is paying attention, and that the site is being backed up and where those backups are kept.
[27:05] Here are a few examples of why you should worry about the security of your website.
St. Lucie County’s Drug Screening Lab Provides Notice of Data Security Incident
The web portal had a configuration error from Jun 2, 2017 to Oct 13, 2021 that allowed data to be accessible to “certain portal users”. No one was looking. No one was documenting updates or changes made on the site. Odds are they happened upon the issue and finally fixed it 4 years later.
Just because you use a big brand name portal, web hosting company or EHR, or you think that because the vendor has tons and tons of clients they must be secure, that is not always the case. Portals, websites, software apps, etc. all have options to configure. Those options get updates over time, so they constantly need to be reviewed, updated and documented. Like we always say, if nobody’s lookin’ something could be cookin’.
[32:00] Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million
They settled a lawsuit for 18.4 million over an issue with information collected through cookies. It wasn’t PHI, but people were coming to their website for health care purposes and the site was collecting information in cookies without consent and then sharing it with third parties. Here’s a link to the Mass General Cookie Class Action Settlement.
Don’t make the assumption your web developers are doing the right thing. You need to know what they are doing and how they are tracking things. In the course of developing your website they might have put things in place to gather information that you may not know about. And that information could be being shared with another vendor or something.
[34:29] Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes
Most WordPress websites run off a theme that defines the appearance of your website, how it looks online. Your developers use a theme and several plugins to make specific functionality happen. All the cool things you see it do, it takes a lot of moving parts to make that happen and sometimes those moving parts don’t like each other.
From the article:
Basically, hackers begin to use your website to host and deliver malware to those who visit it. And you don’t even know it’s happening. There’s no evidence of it, except for the fact that those links in somebody’s phishing email are pulling a file off of your web server. They don’t deface your site or anything. Just use it for their malicious purposes.
Secure your websites, folks!
According to statistics from 2020 to 2021, the number of security flaws reported in WordPress plugins has gone up 142%. So, regardless of what’s on your website, it is important to be certain that your web designers are properly managing, monitoring, securing and backing it up. The last thing you want is for people to trace back the fact that they visited your website and ended up being duped, downloading malware or having their information shared without their permission.
HIPAA is not about compliance, it’s about patient care.™