Website Security for Medical Practices

John Deutsch

John Deutsch

Posted on July 28, 2011

A realistic approach to internet security for medical practices – Part 1: Website Security

Website hacking is on the rise

As websites become more complex, the potential security risks increase.  10 years ago, when most businesses had very simple sites with just a few pages, there was little hackers could do besides take your website offline or delete your website files.  Nowadays, websites are based on Content Management Systems (CMS).  CMS’ use a database to store everything from your last blog post to your last contact us form request.  Databases store valuable data: both in that it can be valuable to others, but that your website depends on it to work.

How are medical websites hacked?

What would happen if your database was deleted and all your web pages and blog posts disappeared? What would happen if all your contact us requests were stolen, maybe containing credit card numbers or a patient’s sensitive medical information?
In my 10 years of experience in hosting medical websites, we have seen an alarming increase in attacks on websites.  The three most common attacks include (in order of frequency):
1) Websites being inserted with Malware, redirecting users to another website. This makes your site unusable, is confusing to users and gets the site blacklisted in Google.
2) SPAM emails being sent through contact us forms.  This will blacklist your domain and server as being a domain that sends SPAM, causing your emails to bounce.  Email server downtime and/or performance degradation is also caused.
3) Complete deletion, export or corruption of databases.  Without a backup, all of your data and site content is lost or stolen.

Hack “Bots”

The hacks are usually done by what is known in the industry as “bots”.  Bots are like unmanned computers that look for websites then try multiple known techniques to enter into the website.  Unfortunately, these bots usually find their targets through search, so the more frequent your site appears in Google rankings, the more frequently you are attacked.  Therefore, as you increase your marketing budget, you also need to increase your security budget.

Website forms, information storage and HIPAA

When it comes to HIPAA, your website forms are at the highest risk.  In the past year, we at Medical Web Experts have had multiple clients contacted from HIPAA governing authorities, requiring them to change the security for their contact us forms.  HIPAA’s concern is that patients will use website contact us forms to send consultation-related messages to the practice and that these emails can be intercepted or stored in an unsecured database.
Best practices for medical website security:

  • Have your website audited for security flaws.
  • Implement website monitoring software, such as that by McAfee’s Site Secure system which monitors the site on a daily basis, checking for site flaws.  Medical Web Experts is a McAfee Site Secure solution reseller.
  • Secure your contact us forms or put disclaimers instructing patients to not include sensitive medical information.
  • Put a CAPTCHA in your web form to prevent SPAM.
  • Keep your server and CMS software updates current.
  • Implement a daily backup system and secondary weekly/monthly backup system.

HIPAA – All bark and no bite?

HIPAA is a highly complicated law (400 pages worth), even challenging for someone with both an IT and law background.  Since its creation, there has been a lot of bark and no bite when it comes to enforcement – but this is all changing.  In the past 2 years, we at Medical Web Experts have seen a significant increase in citations for HIPAA violations and medical practices being contacted with warnings from HIPAA governing organizations.  Therefore, it’s important to have a plan to meet HIPAA guidelines in your practice, focusing on the highest risk issues to meet both HIPAA guidelines and to protect your business from real issues that can severely affect your business, such as data loss, lawsuits and website downtime.

About the Author

John Deutsch is the founder of Medical Web Experts and has spent the last 10 years working the healthcare IT industry, specializing in Electronic Medical Records, Network Administration and Software Development. To learn more about Medical Web Experts and their services, please visit
Read the other articles in this 3 post series:

John Deutsch

John Deutsch

Founder and CCO of MWE, and business owner of 19 years with extensive experience in Healthcare IT. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.

Related Posts

Graphic of a large laptop with a shield and padlock in front of it. Smaller images of people on the left and right side of the labtop interact with various mobile devices.

Posted on February 16, 2022 by Pablo Bullian

Welcome back to the Medical Web Experts Security Bulletin. Below are some recent developments that may impact your organization, as well as our recommendations for keeping your systems secure. Mitigating…Read more

Illustration of a boy sittin on top of a computer with security shields floating.

Posted on January 07, 2022 by Pablo Bullian

A Look at 2021’s Most Dangerous Vulnerabilities Found in Windows Patching is a complex task that most companies struggle with or overlook, but keeping systems, and therefore patches, updated is…Read more

Subscribe to Our Newsletter

Get promotions and current business tips. Sign up for our newsletter today.