Convesio HIPAA Compliant WordPress Solution & NIST 800-53 Alignment
This document outlines how Convesio’s HIPAA-compliant WordPress solution aligns with the NIST 800-53 security framework and the HIPAA Security Rule crosswalk to the NIST Cybersecurity Framework.
I. Mapping to NIST 800-53 and HIPAA Security Rule
Convesio’s HIPAA-compliant WordPress solution incorporates various features and configurations that map to specific controls and requirements outlined in NIST 800-53 and the HIPAA Security Rule. Below are some notable examples:
- AU-01 Policy and Procedures: Convesio addresses the requirement for audit and accountability policies, including coordination among organizational entities and compliance measures. Convesio provides detailed audit logs that track who logs into the website and accesses sensitive data. Additionally, Convesio performs regular audits of admin users to ensure that only authorized personnel have access to the website’s admin area.
- AT-01 Policy and Procedures: Convesio ensures its awareness and training policy addresses compliance and is consistent with applicable laws and guidelines. Convesio trains its team members on HIPAA compliance and has processes in place for handling protected health information.
- AC-4 INFORMATION FLOW ENFORCEMENT: Convesio addresses the control around information flow enforcement and implements processes for metadata validation. Convesio works with site owners to determine the best course of action to maintain HIPAA compliance for electronic protected health information (ePHI) on their site.
- CM-01 Policy and Procedures: Convesio addresses configuration management policy requirements, including compliance and consistency with applicable regulations and standards. During the onboarding process, Convesio conducts a compliance audit to ensure everything is set up correctly and sets up form encryption, database encryption, and in-transit encryption to secure all data. Convesio also has a monthly update process that ensures websites remain HIPAA compliant.
- CP-01 Policy and Procedures: Convesio’s contingency planning policy addresses coordination among entities and compliance requirements. Convesio utilizes offsite backups stored on Amazon S3 to provide redundancy in case of data loss.
- IA-02(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS): Convesio requires multi-factor authentication for access to the admin portal and dashboard. Additionally, when auditing sites for HIPAA compliance, Convesio sets up multi-factor authentication and checks for and addresses generic users.
- IR-01 Policy and Procedures: Convesio’s incident response policy addresses key aspects such as management commitment, coordination, and compliance. Convesio monitors customer websites’ uptime 24/7 to ensure compliance with HIPAA guidelines. Convesio also offers real-time help from professional engineers via Slack or email.
- SC-01 Policy and Procedures: Convesio addresses system and communications protection policy requirements, including compliance and consistency with relevant laws and standards. Convesio utilizes Cloudflare Enterprise for all HIPAA accounts and above. Cloudflare provides DDoS protection and enhances website security. We have a BAA in place with Cloudflare.
- SR-01 Policy and Procedures: Convesio’s supply chain risk management policy addresses compliance and aligns with relevant laws and guidelines. Convesio ensures all service providers handling PHI have the necessary Business Associate Agreements (BAAs) in place. For instance, Convesio has a BAA with Cloudflare, covering the flow of IP addresses, which are considered PHI.
II. Specific Configurations for HIPAA Compliance
Convesio implements several specific configurations to ensure HIPAA compliance:
- Dedicated MariaDB: Convesio provides dedicated MariaDB instances for each HIPAA-compliant site, ensuring data isolation and protection.
- Secure Email Configuration: Convesio offers secure SMTP configurations using compliant providers like MailGun, with BAAs.
- Advanced Security and Logging: The Convesio platform includes advanced security features, audit logging, and regular security scans to monitor and protect websites.
- Encryption at Rest and in Transit: Convesio ensures data encryption at rest and in transit. All sites on Convesio have an SSL certificate. The database is encrypted, and offsite backups are also encrypted. Convesio also offers the option to encrypt form data using plugins like WS Forms.
- Plugin and Theme Management: Convesio manages plugins and themes to minimize security risks, ensuring regular updates and verification of licenses for all plugins and themes.
- Physical Data Center Security: Convesio utilizes data centers with robust physical security measures like ballistic glass, fire suppression, biometric readers, and 24/7 on-site security staff. BAAs are also in place with infrastructure providers.
III. Additional Measures Required by the Client
While Convesio provides a robust HIPAA-compliant hosting environment, some areas may require additional measures from your end. These include:
- Form Data Collection:
  - Carefully evaluate and choose HIPAA-compliant form solutions.
  - Consider disabling form data storage within WordPress and directly sending submissions to a HIPAA-compliant email service.
  - If using WordPress forms, ensure data encryption before storage.
- Tracking Pixels:
  - Avoid using retargeting pixels or other third-party marketing platforms that collect and enrich patient browsing data without a BAA.
  - Review Google Analytics settings and disable features that combine browsing data across devices based on user logins.
- Business Associate Agreements (BAAs):
  - Establish BAAs with all vendors who have access to or handle PHI, including agencies, plugin developers, and other service providers.
By collaborating with Convesio and implementing these additional measures, you can ensure the website’s compliance with HIPAA regulations and maintain the security and privacy of your client’s sensitive information.