Health Care

5 Steps to a Secure Website

Jules Roebbelen, August 11, 2020

Please do not send any personal health information through this form. 

Email communication is not secure. Do not share your health information via email.

No matter how it’s worded, even in giant blinking letters, whenever there is an opportunity to type text into a message area, people will, without fail, share personal information through website Contact Us forms. This likely triggers a whole process of information deletion at the receiving end, and is a constant privacy concern for security officers. It is the responsibility of health care providers to ensure that information is handled properly, even if it was improperly sent through your website. 

There are hundreds of available website Content Management Systems (CMS), but few are optimized for displaying health care services or gathering Personal Health Information (PHI) from patients and clients. Caredove takes your website security seriously, and we have a few tips to help boost your site's integrity and improve the management and security of PHI.

1. Secure your website with an SSL certificate.

This turns the "http" at the beginning of your URL into "https", which encrypts requests and responses between your website and the website viewer so they cannot be read or altered in transit. This also makes your website harder to attack, protecting your information and any client information that might be held in your website. Having a site secured with an SSL certificate is the bare minimum of security measures you should implement on your website, especially if you are promoting healthcare security and privacy standards in your workplace. It is the most standardized "stamp of approval" for a website's authenticity and trustworthiness. Depending on your website provider, you can get free or low cost SSL certificates that are simple to implement.

2. Remove your general inbox email address from your site.

Hacker bots can scan thousands of web pages every day looking for an exposed email address. These email addresses then receive higher volumes of spam and junk mail, which can be an insidious way for hackers to gain access to your private information through a scam process called phishing. If a team of receptionists or front desk staff are sharing access to a general email inbox, any one of them could fall victim to a phishing scam, where they are tricked into entering passwords or credit card information into a fake form, handing over the keys to their virtual lives to an unknown hacker.

3. Secure your contact form.

Contact forms are an excellent way to gather leads and handle incoming inquiries from your website. But there are several reasons why a contact form is NOT the best way to gather information about your clients. Contact form submissions likely land in a general email inbox for your organization, managed by multiple front desk staff. Overall, email is NOT a secure place to hold patient information.

  • Are you 100% sure that you know all the people that have access to that email inbox?
  • When was the last time the password was changed?
  • What country is your email server hosted in?
  • What if the email server fails? How do you access your messages?
  • Does your staff have access to this email from home?
  • What if their home computer gets a virus? Do they have proper anti-malware protection in place?
  • How do you know that your staff aren't forwarding PHI on to other parties?
  • What sort of workflow do you have in place to action these inquiries to make sure they aren't being lost in the shuffle?
  • If PHI is sent through these forms, what steps do you take to destroy that information?
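As an added example that is not part of the original post, the script below audits a page's HTML for the problems raised in steps 1 to 3: email addresses exposed in page text or in mailto: links (what the scanning bots look for), contact forms that post to a plain http:// address (so submissions travel unencrypted), and forms that submit by GET, which puts whatever the visitor typed into the URL and into server logs. The sample HTML, the domain example-clinic.invalid and the finding labels are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Matches ordinary email addresses that appear as plain text on a page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class SiteAuditor(HTMLParser):
    """Collects (finding_type, detail) pairs while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _add(self, kind, detail):
        if (kind, detail) not in self.findings:  # de-duplicate repeats
            self.findings.append((kind, detail))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            # mailto: links hand the address straight to address-harvesting bots
            self._add("exposed_email", a["href"][len("mailto:"):].split("?")[0])
        if tag == "form":
            action = a.get("action", "")
            if action.lower().startswith("http://"):
                # an explicit http:// action sends the submission unencrypted
                self._add("insecure_form_action", action)
            if a.get("method", "get").lower() == "get":
                # GET puts form fields in the URL, where they end up in logs and history
                self._add("form_method_get", action or "(current page)")

    def handle_data(self, data):
        for address in EMAIL_RE.findall(data):
            self._add("exposed_email", address)


def audit_html(html):
    """Return the list of findings for one HTML document."""
    auditor = SiteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (hypothetical domain) showing each problem once.
SAMPLE_HTML = """
<html><body>
<p>Questions? Email us at frontdesk@example-clinic.invalid or call.</p>
<a href="mailto:intake@example-clinic.invalid?subject=Referral">Contact intake</a>
<form action="http://example-clinic.invalid/contact" method="post">
  <textarea name="message"></textarea>
</form>
<form action="/contact">
  <input name="name">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against a saved copy of your own contact page; an empty result means no plain-text or mailto: addresses were found and every form posts over HTTPS. The script only sees the HTML it is given, so it cannot tell you where submissions are stored once they leave the browser, which is the subject of the remaining steps.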

If your contact form is NOT going to a general email inbox, that means that the data is stored directly in your CMS. The top five website Content Management Systems under attack in 2018 were:

  1. WordPress (while WordPress does offer a substantial security program, most breaches are because the WordPress website was improperly set up by the user, due to old plugins not being updated and missing SSL certificates)
  2. Joomla
  3. Drupal
  4. Magento
  5. Sharepoint

These CMS are at risk of compromising any PHI you have stored in your website. Many CMS have servers all over the world, which means your client PHI could be travelling to countries with much less strict privacy standards than Canada. Storing PHI outside of Canada might be in breach of your organization's privacy and security standards.

4. Ensure any contact form integrations are compliant with your national healthcare privacy standards.

Contact forms can be integrated with lead pipeline software like Hubspot or Salesforce, making it easy for your sales team or intake staff to action leads without living in an email inbox. Even if you have an integration with one of these products, which ensures leads and PHI do not land in an email inbox, much of this lead tracking software is not PIPEDA and HIPAA compliant, meaning it does not meet Canadian and American healthcare privacy and security standards. If you are handling PHI in one of these systems, make sure that they meet the healthcare standards necessary to properly handle your client information.

5. Choose a contact form process that aligns with your organization's values to provide the best and most secure access to care for your clients and patients.

You will likely be able to make things clearer if you manage service requests in a compliant system like Caredove.

  • Caredove has a 99.9% uptime with AWS servers hosted in Montreal. No patient health information ever leaves Canada.
  • Caredove's terms and conditions mean we take responsibility for storing this information securely.
  • Our data is encrypted end to end.
  • We are experts in health information privacy and security, so you don't have to worry.

Caredove can embed a secure contact form on your site, or build and host your entire website if you are concerned about your site's overall security. We guarantee a secure, responsive and beautiful website, with all your Caredove services and contact forms seamlessly integrated, making it easy for patients and clinicians to send service requests from their computer, tablet or phone. Learn more about our WebBuilder, and how we can improve your website security and your client experience.