• LinkedIn

Healthcare Website Security: 7 Best Practices to Follow

Healthcare providers are held to a higher standard than other organizations when it comes to protecting web data and delivering secure experiences. Is your site helping or hurting your brand?

It’s no secret that security is critically important for healthcare organizations. Patients need to know their data is safe. Having a site with technical problems not only puts you at risk of a data breach, but it also hurts your brand. Here are seven areas you should focus on to ensure your site is helping you deliver on your promises.

According to IBM, data breaches in healthcare were the most expensive of any industry at $9.23 million on average. And HIPAA Journal reports 2020 saw more healthcare data breaches than in any other year since reporting started. Breaches are happening more often and cost millions — not to mention that the average time to identify and contain a breach is 287 days. Non-compliance is simply not an option. So, how do you ensure your website is prepared?

Seven best practices to follow

Decreasing risks while protecting your patients’ data and your hospital brand must be a top priority. Evaluate your site on these seven areas to ensure your security and hosting environments are meeting required standards.

  1. Protect user data.
  2. Healthcare organizations must follow HIPAA guidelines, meaning you must comply with requirements to protect the privacy and security of health information. Your website should use secure sockets layer (SSL) technology to securely encrypt necessary page, form, transactional data, and protected health information (PHI) from the web browser to the server. PHI should be encrypted in transit and at rest. That means when it’s being transmitted between systems, such as data sent when a user submits a form, as well as when that data is stored for future use, often in a database. Online forms that accept user data should be managed using specific protocols to comply with HIPAA. Protecting the submitted data in forms is critical. Compliant content management systems (CMS) like VitalSite through form builders like Formulate capture and store specific information when your users view a form submission and creates an audit trail. It logs the user ID, date and time stamp, IP address, and location and state of the data at the time it was accessed.

    If you accept online bill payment or online donations, you must also be payment card industry (PCI) compliant and ensure debit and credit card information remains secure throughout the transaction process. Once submitted, payment data should be transmitted immediately to the payment processor and never stored.

  3. Protect administrative accounts.
  4. As part of staying in compliance with HIPAA, and to prevent unauthorized changes on your website, administrative accounts in the CMS must be monitored and protected. With VitalSite, passwords are encrypted and stored using SQL Server encryption. All of this ensures that it’s difficult for an attacker to access and use someone’s password. In addition, other safeguards, such as requiring strong passwords and periodic passwords changes, as well as locking inactive accounts, are also considered industry best practices for account protection.

  5. Stay up to date.
  6. One of the primary ways hospital websites fall out of compliance is by falling behind with CMS upgrades, updates, and security patches to the software administrators don’t see, including web servers, databases, programming languages and framework. Falling behind on updates and upgrades are common ways organizations that run on a platform like WordPress find themselves vulnerable with multiple plug-ins requiring their own updates and patches. Ensure you’re on the latest version of your CMS and look to partner with an agency that provides upgrades as part of the licensing, as Geonetric does with VitalSite.

  7. Review your network architecture.
  8. Whether you manage web hosting yourself or use an agency or third party, ensuring there are tools and processes in place to minimize the risk of a breach is essential. Especially today, where cyber-attacks are all too common. Areas to look for include redundant web application firewalls, intrusion detection systems, and systems to protect from common web attacks like distributed denial of service (D/DoS) and SQL injection.

  9. Ensure 24/7 uptime monitoring and support.
  10. Your web partner should know before you do that your site is down and respond around the clock with a team who can fix the problem regardless of whether it’s a server, network, software, or content issue.

  11. Protect from downtime with scalability.
  12. Reliable networks are more important than ever, which means having scalability in your network is essential – especially when you consider you never know when a surge in traffic will arise. Case in point: healthcare websites saw huge traffic surges as critical COVID-19 communications, testing, and vaccine announcements were released. These traffic spikes need to be considered before they happen. Without auto-scaling in place, availability can be disrupted from unexpected traffic surges or a failure in one part of the system, bringing down the entire site. With proper auto-scaling cloud infrastructure, your site will remain available without missing a beat.

  13. Require backups.
  14. If the worst happens, how much would you lose and how quickly can you be up and running again? These are the questions you should ask. At Geonetric, we perform a full backup of your entire site and database each day. Every 15 minutes we perform transaction log backups and save these for two days. In addition, daily backups are saved for a week; weekly backups are saved for four weeks; and monthly backups are saved for a year. We also perform database consistency checks nightly. It’s also important to ensure there is proper redundancy for quick recovery purposes.

Take security seriously

For many healthcare organizations, especially community hospitals and medical clinics, it’s hard for marketing and I.T. departments to get the privacy and security resources they need to comply with healthcare’s stringent regulations, making it harder for you to prevent and detect security incidents. And cyber-criminals know this – a 2018 report by The American Journal of Managed Care®, found that 37%of small and 36 percent of medium-sized hospitals had suffered at least one data breach from 2009 to 2016. While many executives at smaller organizations feel they are less likely to be targeted because of their size the opposite may very well be true – security gaps amongst this group make them more likely to be a target.

Some smaller healthcare organizations try to solve potential PHI vulnerabilities by removing functionality, but in the end, this hurts user experience and your ability to connect with patients at key moments. With the right partner you can have all the functionality you want plus the security you need.

Don’t take chances with your patients’ data or your brand – partner with an agency like Geonetric that takes security seriously. We’ll take that extra monitoring off your I.T. team’s plate and help ensure compliance with regulations. Contact us today to learn more about our security protocols and to see a demo of our VitalSite CMS or Formulate form builder.

Bonus: Security Questions

Now that you understand more about security best practices, here is a helpful list of questions you can download or reference to help you have more valuable conversations with potential partners.

Click to enlarge

Bryan Fentress

Digital Solutions Director

Healthcare Website Security: 7 Best Practices to Follow