A realistic approach to internet security for medical practices – Part 1: Website Security
Website hacking is on the rise
As websites become more complex, the potential security risks increase. 10 years ago, when most businesses had very simple sites with just a few pages, there was little hackers could do besides take your website offline or delete your website files. Nowadays, websites are based on Content Management Systems (CMS). CMS’ use a database to store everything from your last blog post to your last contact us form request. Databases store valuable data: both in that it can be valuable to others, but that your website depends on it to work.
How are medical websites hacked?
What would happen if your database was deleted and all your web pages and blog posts disappeared? What would happen if all your contact us requests were stolen, maybe containing credit card numbers or a patient’s sensitive medical information?
In my 10 years of experience in hosting medical websites, we have seen an alarming increase in attacks on websites. The three most common attacks include (in order of frequency):
1) Websites being inserted with Malware, redirecting users to another website. This makes your site unusable, is confusing to users and gets the site blacklisted in Google.
2) SPAM emails being sent through contact us forms. This will blacklist your domain and server as being a domain that sends SPAM, causing your emails to bounce. Email server downtime and/or performance degradation is also caused.
3) Complete deletion, export or corruption of databases. Without a backup, all of your data and site content is lost or stolen.
The hacks are usually done by what is known in the industry as “bots”. Bots are like unmanned computers that look for websites then try multiple known techniques to enter into the website. Unfortunately, these bots usually find their targets through search, so the more frequent your site appears in Google rankings, the more frequently you are attacked. Therefore, as you increase your marketing budget, you also need to increase your security budget.
Website forms, information storage and HIPAA
When it comes to HIPAA, your website forms are at the highest risk. In the past year, we at Medical Web Experts have had multiple clients contacted from HIPAA governing authorities, requiring them to change the security for their contact us forms. HIPAA’s concern is that patients will use website contact us forms to send consultation-related messages to the practice and that these emails can be intercepted or stored in an unsecured database.
Best practices for medical website security:
- Have your website audited for security flaws.
- Implement website monitoring software, such as that by McAfee’s Site Secure system which monitors the site on a daily basis, checking for site flaws. Medical Web Experts is a McAfee Site Secure solution reseller.
- Secure your contact us forms or put disclaimers instructing patients to not include sensitive medical information.
- Put a CAPTCHA in your web form to prevent SPAM.
- Keep your server and CMS software updates current.
- Implement a daily backup system and secondary weekly/monthly backup system.
HIPAA – All bark and no bite?
HIPAA is a highly complicated law (400 pages worth), even challenging for someone with both an IT and law background. Since its creation, there has been a lot of bark and no bite when it comes to enforcement – but this is all changing. In the past 2 years, we at Medical Web Experts have seen a significant increase in citations for HIPAA violations and medical practices being contacted with warnings from HIPAA governing organizations. Therefore, it’s important to have a plan to meet HIPAA guidelines in your practice, focusing on the highest risk issues to meet both HIPAA guidelines and to protect your business from real issues that can severely affect your business, such as data loss, lawsuits and website downtime.
About the Author
John Deutsch is the founder of Medical Web Experts and has spent the last 10 years working the healthcare IT industry, specializing in Electronic Medical Records, Network Administration and Software Development. To learn more about Medical Web Experts and their services, please visit www.medicalwebexperts.com
Read the other articles in this 3 post series: