For healthcare providers, health plans, and healthcare clearinghouses—known as covered entities—adopting new technologies is no simple task. Any vendor or service provider you work with needs to comply with HIPAA, the set of federal rules intended to improve healthcare standards and combat fraud and abuse involving protected health information (PHI).
Setting up a HIPAA compliant email system is just the beginning. And setting up a website requires more than picking a good domain name and finding a HIPAA compliant web host. (As we’ve found, the most popular web hosting companies are not HIPAA compliant.) You need a way to build, manage, and update the information on your website.
That’s where a content management system (CMS) comes in.
What is a CMS?
A content management system is a tool, most commonly a web-based interface, that makes it relatively easy to design and create a website. Simple compared to building from scratch with raw code, at least.
A CMS can be thought of as a control panel or dashboard that sits between you and your web server and web host, turning the pictures you upload and the words you type into the complex code required to display a web page.
Some web hosts, like Squarespace, provide their own special CMS. But usually, content management systems are applications that are installed on web servers.
Another CMS is Drupal, which has been around longer and powers 12 percent of top websites.
What is Drupal?
First released in 2001, Drupal has evolved from a basic CMS into a full web application framework, supporting over 44,000 add-on modules and over 2,800 design templates.
Like WordPress, Drupal is free, and supported by an open-source community of over a million contributors.
While WordPress was originally created to make blogging easier, Drupal was conceived at the outset to run more robust websites. While Drupal can be used to publish a blog, it’s also used for knowledge management (like user guides or directories) or for hosting online communities like message boards.
Drupal even provides an application programming interface (API) to support more complex connections and integrations with other tools.
Is Drupal secure?
As an open-source project, every line of code in Drupal is public and can be tested and improved by anyone. This is both good and bad for security.
Good because there is a whole community of software developers committed to finding and fixing vulnerabilities. Bad because that same openness makes it easier to build malicious tools that target Drupal specifically.
Drupal does publish security advisories, and, as with most software, keeping up with updates and upgrades is important to ensure the latest vulnerabilities are patched.
Is Drupal HIPAA compliant?
Drupal is not a company or a commercial service, so it is not an entity that can affirm its understanding and acceptance of HIPAA requirements. Because it is an open-source project with an open management structure, there is nobody to sign a business associate agreement (BAA).
Because it is a software application installed on a web server, responsibility for its operation falls to the user. While some web hosting companies will help you install Drupal, it is unlikely they will accept any liability for its operation.
The most likely path to use Drupal in a HIPAA compliant configuration is to use a HIPAA compliant web hosting company, which will sign a BAA.
Beyond that, as BitDiscovery CEO Jeremiah Grossman said at the Paubox SECURE @ Home conference, you don’t have to avoid using an open-source CMS like Drupal or WordPress; you just need to keep the platform and all its plugins up to date and scan for vulnerabilities on a regular basis.