1. Security Code Review
WordPress is an open source project with a number of contributors from a large community of coders, designers, and implementing organizations and institutions. Being open source, anyone can examine the source code before integrating it into an existing information system. Since no Non-Disclosure Agreement (NDA) is needed to review the source code, the organization or institution planning to implement WordPress (core, themes and plugins) has the responsibility to conduct an independent manual or automated review of the WordPress code base, including themes and plugins, or to have a third-party service perform code review certification, especially with respect to security.
Although, as an open source project, WordPress has had its code base browsed by many contributing developers, this is not a justification to forgo the code review process, particularly for sensitive and privacy-related applications such as healthcare. In the event of a security breach, the use of open source components that were not independently reviewed or tested could be an aggravating factor. Other security measures should also be considered, such as penetration testing of the application in addition to testing the server infrastructure.
2. Data Validation, Sanitization and Escaping
Nursing and other healthcare-related applications are fundamentally data-driven: most of the application and business logic deals with handling patient or care-related data. Data validation is the process of verifying the type and format of user input before any code or script is allowed to run on it; it ensures that the program only operates on input of the expected kind. Sanitization entails manipulating or altering user input so that it conforms to the required data type or format. This step, however, modifies what the user entered, which can affect the accuracy of the information being stored.
Escaping
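The three steps applied to a constructed patient-intake form, as an added Python example that is not part of the original text and not WordPress code. The field names, the patient-id pattern, the blood-type allow-list and the note length limit are assumptions chosen for illustration. The sanitizer reports whether it changed the input, which addresses the accuracy caveat above: an altered clinical note should be logged or shown back to the user rather than silently stored.

```python
import html
import re
import unicodedata
from datetime import date
from typing import Tuple

# Constructed rules for a hypothetical patient-intake form (assumption, not a
# WordPress or regulatory standard): a closed allow-list and a strict id shape.
ALLOWED_BLOOD_TYPES = {"A+", "A-", "B+", "B-", "AB+", "AB-", "O+", "O-"}
PATIENT_ID_RE = re.compile(r"P\d{6}")


class ValidationError(ValueError):
    """Raised when input does not meet the expected type or format; nothing runs on it."""


def validate_patient_id(value: str) -> str:
    # Validation: the value is either exactly the expected shape or it is rejected.
    if not isinstance(value, str) or not PATIENT_ID_RE.fullmatch(value):
        raise ValidationError("patient id must look like P123456")
    return value


def validate_birth_date(value: str) -> date:
    # Validation: accept only a parsable ISO date that is not in the future.
    try:
        parsed = date.fromisoformat(value)
    except (TypeError, ValueError):
        raise ValidationError("birth date must be YYYY-MM-DD") from None
    if parsed > date.today():
        raise ValidationError("birth date cannot be in the future")
    return parsed


def validate_blood_type(value: str) -> str:
    # Validation against a closed allow-list; no normalization is attempted.
    if value not in ALLOWED_BLOOD_TYPES:
        raise ValidationError("blood type not recognised")
    return value


def sanitize_note(value: str, max_len: int = 500) -> Tuple[str, bool]:
    # Sanitization: normalize Unicode, drop control characters (keeping newlines),
    # strip anything that looks like an HTML tag, then trim and truncate.
    # Because this alters what the user typed, the second return value reports
    # whether the stored text differs from the input so the change can be logged
    # or shown back to the clinician rather than silently accepted.
    cleaned = unicodedata.normalize("NFC", value)
    cleaned = "".join(ch for ch in cleaned
                      if ch == "\n" or not unicodedata.category(ch).startswith("C"))
    cleaned = re.sub(r"<[^>]*>", "", cleaned)
    cleaned = cleaned.strip()[:max_len]
    return cleaned, cleaned != value


def escape_for_html(value: str) -> str:
    # Escaping: applied at output time, for the context the data is rendered in
    # (here HTML), and never to the copy that is stored.
    return html.escape(value, quote=True)


def process_intake(form: dict) -> dict:
    """Validate, then sanitize, and return the record as it would be stored."""
    record = {
        "patient_id": validate_patient_id(form.get("patient_id", "")),
        "birth_date": validate_birth_date(form.get("birth_date", "")).isoformat(),
        "blood_type": validate_blood_type(form.get("blood_type", "")),
    }
    note, altered = sanitize_note(form.get("note", ""))
    record["note"] = note
    record["note_was_altered"] = altered
    return record


if __name__ == "__main__":
    # Constructed sample submission containing a stray NUL byte and markup.
    sample = {"patient_id": "P000123", "birth_date": "1980-05-17",
              "blood_type": "O+", "note": "Allergic to <b>penicillin</b>\x00"}
    stored = process_intake(sample)
    print(stored)
    print(escape_for_html(stored["note"]))
```

In a WordPress plugin the same division of labour is expressed through the platform's own helpers, for example sanitize_text_field() on the way in and esc_html() on the way out; the point that survives any platform is that validation rejects, sanitization alters, and escaping is tied to the output context.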
3. Data Encryption
Aside from security code review, nurse developers must ensure that sensitive personal information is encrypted while in storage and in transit. This ensures that, should a breach occur, personal data is not revealed in plain text. It goes hand in hand with the practice of hashing passwords rather than storing them in plain text in the database.
Encryption is not just a feature, but a requirement for health-related applications. Personal and sensitive information must be protected while the data is in transit or in storage. Proper SSL (HTTPS) should be implemented to encrypt data in transit, and data stored in databases must likewise be protected through encryption. HIPAA, GDPR and Data Privacy Acts stipulate that proper encryption mechanisms be instituted when handling protected health information, or personal or sensitive information.
4. Hashed Authentication
Hashing functions are different from encryption algorithms. They are generally used for authentication, and no private or public key exists that can reverse a hashed digest back into its readable form.
To authenticate encrypted data, hashing functions can be employed to verify that the cipher text has not been altered. Any change in the cipher text would mean the encrypted data could have been compromised and may no longer be valid.
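Both the password hashing mentioned under Data Encryption and the authentication of cipher text described here, as one added Python example that is not from the original text and not WordPress code. Passwords are stored as a salted PBKDF2-HMAC-SHA256 digest and checked by recomputing and comparing in constant time; stored cipher text is protected with a keyed hash (HMAC-SHA256) appended as a tag, so any modification of the bytes is detected before the data is used. The iteration count, the storage string format and the cipher text bytes are assumptions; the cipher text is a constructed stand-in for the output of a vetted encryption library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a high work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
TAG_LEN = 32  # length in bytes of an HMAC-SHA256 tag


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    # A fresh random salt per password: identical passwords get different digests,
    # and the digest cannot be reversed with any key, only recomputed and compared.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constructed storage format (assumption): scheme$iterations$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant time
    # so that the comparison itself leaks nothing about the stored digest.
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def seal(ciphertext: bytes, mac_key: bytes) -> bytes:
    # Encrypt-then-MAC: a keyed hash over the cipher text is appended as a tag.
    # The cipher text itself is assumed to come from a vetted encryption library.
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(blob: bytes, mac_key: bytes) -> Optional[bytes]:
    # Verify the tag before doing anything with the cipher text. Any change to
    # the stored bytes, or a wrong key, yields None: the record is treated as invalid.
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext


if __name__ == "__main__":
    record = hash_password("example-passphrase")
    print(verify_password("example-passphrase", record), verify_password("guess", record))

    mac_key = os.urandom(32)
    # Constructed stand-in for cipher text produced by a vetted cipher.
    ciphertext = b"\x8f\x1c\x02\xa7 constructed ciphertext bytes \x44\x10"
    sealed = seal(ciphertext, mac_key)
    tampered = bytearray(sealed)
    tampered[3] ^= 0x01  # flip one bit of the stored cipher text
    print(open_sealed(sealed, mac_key) == ciphertext, open_sealed(bytes(tampered), mac_key))
```

WordPress itself supplies wp_hash_password() and wp_check_password() for the password side, and current PHP ships the sodium extension whose authenticated encryption primitives combine the cipher and the tag in a single call; the separate HMAC step above is shown so that the integrity check the text describes is visible on its own.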
OWASP WordPress Security Implementation Guideline
For developers and implementing institutions planning to integrate WordPress into their current IT infrastructure, the Open Web Application Security Project (OWASP) guidelines for implementing WordPress are a useful reference.