WordPress Security

There are generally three (3) elements the nurse developer needs to look into when building healthcare-related applications that deal with protected health information, or personal or sensitive information.

1. Security Code Review

WordPress is an open source project with a number of contributors from a large community of coders, designers, and implementing organizations and institutions.  Being open source, anyone can examine the source code before integrating in an existing information system. Since there is no need for a Non-Disclosure Agreement (NDA) to review the source code, the organization or institution planning on implementing WordPress (i.e. core, themes and plugins), has the responsibility to conduct independent manual or automated code review of the WordPress code base – including themes and plugins – or have a third party service perform code review certification, especially when it comes to security.

Although being an open source project, a number of contributing developers have already browsed through the code base, this is not a justification to forgo the code review process, particularly when it comes to sensitive and privacy-related applications, like healthcare. In case of a security breach, the use of open source components that have not been independently reviewed or tested could be an aggravating factor. Other security measures should also be considered, such as penetration testing of the application, aside from testing server infrastructure.

2. Data Encryption

Aside from security code review, nurse developers must ensure that sensitive personal information are encrypted while in storage or in transit. This is to make sure that if ever a breach occurs, personal data are not revealed in plain text. This is in conjunction with the practice of hashing passwords and not storing them in plain text in the database.

Encryption is not just a feature, but a requirement for health-related applications. Personal and sensitive information must be protected while the data is in transit or in storage. Proper SSL (HTTPS) should be implemented to encrypt data in transit, and data stored in databases must likewise be protected through encryption. HIPAA, GDPR and Data Privacy Acts stipulate that proper encryption mechanisms be instituted when handling protected health information, or personal or sensitive information.

3. Hashed Authentication

Hashing functions are different than encryption algorithms. Hashing functions are generally used for authentication, and there is no single private or public key capable of reversing the hashed digest to the readable form.

To authenticate encrypted data, hashing functions can be employed making sure there is no alteration in the cipher or encrypted text. Any changes in the cipher text would mean the encrypted data could have been compromised and may no longer be valid.


OWASP WordPress Security Implementation Guideline

For developers and implementing institutions who are planning on integrating WordPress in their current IT infrastructure, the Open Web Application Security Project (OWASP) guidelines for implementing WordPress can be a useful guide.