ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


EE 2.1 HIPAA compliance?

August 14, 2010 9:21pm

  • #1 / Aug 14, 2010 9:21pm

    james Brown

    492 posts

    Do you know if Expression Engine 2.1 is in compliance with HIPAA security requirements? We would like to use Expression Engine for a project that would be dealing with patient health information, and so anything we use must be HIPAA compliant. I know of course we would have to put everything behind https, but is the system itself HIPAA compliant?

  • #2 / Aug 15, 2010 12:47am

    Nevin Lyne

    370 posts

    I am not part of the ExpressionEngine development team, nor am I a HIPAA expert, but I have worked in large HIPAA-regulated environments before, and a great source of information on the idea of HIPAA-compliant software is this URL: http://www.techsoup.org/learningcenter/software/page11924.cfm

    A great clip from that page is below:

    Seeking “HIPAA-Compliant” Software

    How, then, do you find a HIPAA-compliant software package? You can’t, because no such thing exists.

    It’s you, as an organization, that’s HIPAA compliant, and no software application is going to magically make you that way. HIPAA defines a large set of policies and procedures, many of which have nothing to do with technology. Instead of searching for a “HIPAA-approved” label, you should be looking for software that provides the (few) features suggested by HIPAA guidelines, and that additionally helps to support the policies and best practices that your organization has set up to protect your data.

    EllisLab will need to follow up with you a bit more on this possibly, but I have made a few notes below to assist I think, based on the sections outlined in the URL above:

    Tracking Who Did What

    ExpressionEngine does not have fine-grained tracking of what each user did or changed within the software. While there are revision controls in place, out of the box it is not going to track each and every little change to stored data, but that is not to say an add-on could not be written to do this. I have no idea how much work this would involve, and it may depend on your actual implementation and how much data is required to be tracked.

    User Roles and Patient-Based Security

    ExpressionEngine can of course do this using users and group permissions at the template level, or even at the tag level if you use conditionals within a given template in EE to control what data is displayed depending on who is logged in. If your billing department only needs to see 5 pieces of data out of 50, but your doctors/patients need to see a larger subset, you would control that yourself, as you would need to be the one defining the policies on the minimum amount of data each type of person needs to see. That is more related to your own full HIPAA policies than to a specific software package.

    Physical Security and Encryption

    Physical security of course is going to depend more on your server/hosting environment than on the software itself, and encryption as well. Any piece of software that can encrypt data and later retrieve it for display can by its very nature be used to provide all of that data unencrypted if you have a breakdown at any of a number of levels of physical or software-based security. ExpressionEngine itself by default encrypts the passwords used for user accounts in the system using SHA1, which is one-way encryption and cannot be undone. But the actual encryption of the data you would be storing in the database for patient information would not be. Again, possibly a 3rd-party add-on could be written for this, or you could simply have the MySQL databases themselves stored on encrypted storage volumes, protecting against server-level access to the data in certain regards. Also don’t forget that any and all exports for backups or migrations between servers would, based on HIPAA, have to be encrypted as well, and that too would be outside of ExpressionEngine’s (or even MySQL’s) control.

    You would likely want to consult with a web development and server administration group that has dealt with the specific needs of developing and housing web sites that need to hold to your HIPAA policies.

    Email and Messaging

    Technically, again depending on how you implement functionality in EE, it could fill the role outlined in this section of the URL I provided. EE’s private message system, or comment notification system, sends out limited data simply saying you have a message, or that something new was added at this URL, depending on how you define the templates. So EE would, with likely minimal work, provide a way for you to manage this quite well.

    The rest of the sections of the URL are again a lot more about policies and procedures, and really, as they outline well, it is like PCI compliance in the credit card industry. That is, it’s a lot more about policies, procedures and tracking of who/what and when things are accessed than simply a compliant piece of software or compliant service. It has been shown in many instances that humans are actually the weakest security link in almost all security situations; hackers generally call that Social Engineering - http://www.esecurityplanet.com/trends/article.php/1040881/Social-Engineering-The-Human-Side-Of-Hacking.htm  Social Engineering is a lot of what HIPAA is about…

    Figured this was something interesting to answer while I actually was sitting here monitoring security updates on our own network 😉

    Hope it helps a bit.
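    The "tracking who did what" section above says EE has no field-level change tracking out of the box but that an add-on could provide it. The block below is an added example of the minimum such a record needs (who, which table and record, which field, old and new value, when); it is not ExpressionEngine code or an existing add-on, the table and field names are constructed, and the in-memory AUDIT_LOG list stands in for an append-only audit table.

```python
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Optional

# Constructed stand-in for an append-only audit table in the database.
AUDIT_LOG: list[dict[str, Any]] = []


def diff_record(before: dict[str, Any], after: dict[str, Any]) -> dict[str, tuple]:
    """Return {field: (old, new)} for every field whose value changed."""
    changed = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            changed[field] = (old, new)
    return changed


def record_change(actor: str, table: str, record_id: int,
                  before: dict[str, Any], after: dict[str, Any],
                  when: Optional[datetime] = None) -> list[dict[str, Any]]:
    """Append one audit entry per changed field (who, what, when, old, new)."""
    when = when or datetime.now(timezone.utc)
    entries = []
    for field, (old, new) in diff_record(before, after).items():
        entry = {"when": when.isoformat(), "actor": actor, "table": table,
                 "record_id": record_id, "field": field, "old": old, "new": new}
        AUDIT_LOG.append(entry)
        entries.append(entry)
    return entries


def history(table: str, record_id: int) -> list[dict[str, Any]]:
    """Every audit entry for one record, oldest first."""
    return [e for e in AUDIT_LOG if e["table"] == table and e["record_id"] == record_id]


def changes_by(actor: str) -> list[dict[str, Any]]:
    """Everything one account changed, for the 'who did what' question."""
    return [e for e in AUDIT_LOG if e["actor"] == actor]


if __name__ == "__main__":
    # Constructed sample: a billing user corrects a phone number on one record.
    before = {"patient_ref": "P-0017", "phone": "555-0100", "status": "active"}
    after = {"patient_ref": "P-0017", "phone": "555-0199", "status": "active"}
    for entry in record_change("billing_user", "patient_records", 42, before, after):
        print(entry)
```

Two points a reviewer would raise on such an add-on: the audit entries hold the old and new values themselves, so the audit table contains the same patient data as the source tables and needs the same access control and encryption; and the application's database account should be able to INSERT into that table but not UPDATE or DELETE from it, otherwise the trail can be edited by whoever it is supposed to watch.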

  • #3 / Aug 15, 2010 10:44pm

    james Brown

    492 posts

    Thanks for the info. Yes, I do definitely understand that a piece of software by itself can’t make you HIPAA compliant.

    There are hosts out there that specialize in HIPAA compliant environments, so I’m not as worried about that part.

    How feasible is it to encrypt the entire EE database, or at least the weblog/member data tables? I don’t know a lot about encryption. Would everything still function properly? Or would things need to be rewritten in order to read/write from the database?

    Also, are there any existing add-ons for EE that help to enable stronger passwords?
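    The question above asks about enforcing stronger passwords, and the earlier reply notes that EE stores account passwords as SHA1 digests. An unsalted SHA1 digest is fast to compute, so a leaked member table is cheap to attack by guessing; a salted, iterated hash such as PBKDF2 (in Python's standard library) raises that cost. The block below is an added example, not ExpressionEngine code or an existing EE add-on: the policy rules and iteration count are constructed for illustration, not taken from HIPAA or from the thread.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional

ITERATIONS = 100_000  # constructed value; raise it as far as your login latency allows


def password_policy_failures(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation character")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def legacy_sha1(password: str) -> str:
    """Unsalted SHA1, the scheme the thread describes, shown only for comparison."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3xample"  # constructed sample password
    print(password_policy_failures(candidate) or "policy: accepted")
    stored = hash_password(candidate)
    print(stored)
    print(verify_password(candidate, stored), verify_password("wrong", stored))
    # Two accounts with the same password: identical under SHA1, distinct with a salt.
    print(legacy_sha1("shared") == legacy_sha1("shared"), hash_password("shared") == hash_password("shared"))
```

The stored string carries its own algorithm name, iteration count and salt, so the iteration count can be raised later and old records re-hashed at next login; verify_password reads those parameters from the record rather than from a global, which is what makes that migration possible.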

  • #4 / Aug 16, 2010 11:22pm

    Susan

    81 posts

    I, too, am interested in encrypting weblog/member data tables as well.

    Edited to add: I did see this about encryption in a search for Encryption + Code Igniter, but heck if I know how exactly to make it so.

  • #5 / Aug 17, 2010 9:54am

    Derek Jones

    7561 posts

    I, too, am interested in encrypting weblog/member data tables as well.

    Edited to add: I did see this about encryption in a search for Encryption + Code Igniter, but heck if I know how exactly to make it so.

    This would not be a simple modification at the application level, as you would not be able to search the encrypted data for specific values (quite necessary for both of those tables in regular operation) without modifying every related query to use MySQL’s encryption functions for both read and write.  In addition to being troublesome, the performance drain is likely to be very noticeable.

    There is probably a product that exists for the MySQL server that acts as a proxy to handle the encryption/decryption go-between, but with a PHP/MySQL based application, encryption of all data handled at the application layer is probably not a great model in general.
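    The reply above explains the real cost of encrypting the member or weblog tables: once a column is encrypted, `WHERE email = ?` no longer matches anything, so every query that searches the column has to decrypt (scanning every row) or be rewritten around the database's encryption functions. The block below is an added example, not ExpressionEngine or MySQL code, and it goes one step beyond the thread: it shows the row-by-row scan Derek describes next to the usual mitigation, a separate blind-index column holding a keyed HMAC of the normalised plaintext that can be indexed and compared for equality without the database ever seeing the value. sqlite3 stands in for MySQL; because the standard library has no block cipher, `encrypt`/`decrypt` use an HMAC-SHA256 keystream plus authentication tag as a stand-in for AES-GCM or MySQL's AES_ENCRYPT, and the keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed demo keys; in practice load them from a key store, never from the database.
ENC_KEY = b"constructed-demo-encryption-key!"
INDEX_KEY = b"constructed-demo-blind-index-key"
# Separate subkeys for the keystream and the tag, derived from ENC_KEY.
_STREAM_KEY = hmac.new(ENC_KEY, b"stream", hashlib.sha256).digest()
_TAG_KEY = hmac.new(ENC_KEY, b"tag", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF keystream HMAC-SHA256(nonce || counter); a stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(_STREAM_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str) -> bytes:
    """Return nonce(16) || ciphertext || tag(32); a fresh nonce every call."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(_TAG_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes) -> str:
    """Check the tag before decrypting so modified ciphertext is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_TAG_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode("utf-8")


def blind_index(value: str) -> str:
    """Keyed HMAC of the normalised value: equal emails give equal index values."""
    return hmac.new(INDEX_KEY, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with encrypted columns and an indexed blind index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, email_enc BLOB NOT NULL, "
                 "email_idx TEXT NOT NULL, notes_enc BLOB NOT NULL)")
    conn.execute("CREATE INDEX patients_email_idx ON patients (email_idx)")
    return conn


def insert_patient(conn: sqlite3.Connection, email: str, notes: str) -> int:
    cur = conn.execute("INSERT INTO patients (email_enc, email_idx, notes_enc) VALUES (?, ?, ?)",
                       (encrypt(email), blind_index(email), encrypt(notes)))
    return cur.lastrowid


def find_by_email_scan(conn: sqlite3.Connection, email: str) -> list:
    """What Derek describes: no usable WHERE clause, so decrypt every row to compare."""
    target = email.strip().lower()
    return [row_id for row_id, enc in conn.execute("SELECT id, email_enc FROM patients")
            if decrypt(enc).strip().lower() == target]


def find_by_email_indexed(conn: sqlite3.Connection, email: str) -> list:
    """Equality lookup through the blind index; the database never sees the plaintext."""
    rows = conn.execute("SELECT id FROM patients WHERE email_idx = ?", (blind_index(email),))
    return [row_id for (row_id,) in rows]


def read_patient(conn: sqlite3.Connection, row_id: int) -> dict:
    """Decrypt one record for display, as the application would after a lookup."""
    email_enc, notes_enc = conn.execute(
        "SELECT email_enc, notes_enc FROM patients WHERE id = ?", (row_id,)).fetchone()
    return {"email": decrypt(email_enc), "notes": decrypt(notes_enc)}


if __name__ == "__main__":
    db = open_demo_db()
    insert_patient(db, "Alice@Example.org", "constructed note A")
    insert_patient(db, "bob@example.org", "constructed note B")
    print(find_by_email_indexed(db, "alice@example.org"))  # same rows as the scan below
    print(find_by_email_scan(db, "alice@example.org"))
```

The blind index only supports exact matches after normalisation; prefix, LIKE and range queries on the encrypted column still need the full decrypting scan, which is the performance drain the reply warns about. It also reveals which rows share a value, so it is keyed separately from the data and the index key is treated as a secret too.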

  • #6 / Aug 17, 2010 11:02pm

    james Brown

    492 posts

    yea, that’s kinda what I thought. Do you have any links to any products like you mentioned for database encryption?

  • #7 / Aug 17, 2010 11:04pm

    Derek Jones

    7561 posts

    I’m sorry I do not know of any offhand.

  • #8 / Aug 20, 2010 1:01pm

    Ingmar

    29245 posts

    I hope that answers your questions for now, James? Please don’t hesitate to start a new thread in case there’s anything else.
