Is Drupal HIPAA compliant?


For healthcare providers, health plans, and healthcare clearinghouses (known as covered entities), adopting new technologies is no simple task. Any vendor or service provider that handles protected health information (PHI) on your behalf is a business associate and must comply with HIPAA, the federal law that, among other things, sets standards for safeguarding PHI and for combating healthcare fraud and abuse.

Setting up a HIPAA compliant email system is just the beginning. And setting up a website requires more than picking a good domain name and finding a HIPAA compliant web host. (As we’ve found, the most popular web hosting companies are not HIPAA compliant.) You need a way to build, manage, and update the information on your website.

That’s where a content management system (CMS) comes in.

What is a CMS?

A content management system is a tool, most commonly a web-based interface, that makes it relatively easy to design, build, and maintain a website, at least compared with hand-coding it from scratch.

A CMS can be seen as a control panel or dashboard that sits between you and your web server, turning the pictures you upload and the words you type into the HTML and other code a browser needs to display a page.

Some web hosts, like Squarespace, bundle their own proprietary CMS with their hosting. More commonly, though, a CMS is an application that you (or your host) install on a web server.

One of the most popular content management systems is WordPress, which runs more than 60 million websites, including 39 percent of the top websites in the world.

Another CMS is Drupal, which has been around longer and powers 12 percent of top websites.

What is Drupal?

First released in 2001, Drupal has evolved from a basic CMS into a full web application framework, supporting over 44,000 add-on modules and over 2,800 design templates.

Like WordPress, Drupal is free, and supported by an open-source community of over a million contributors.

While WordPress was originally created to make blogging easier, Drupal was conceived at the outset to run more robust websites. While Drupal can be used to publish a blog, it’s also used for knowledge management (like user guides or directories) or for hosting online communities like message boards.

Drupal also exposes web service APIs (application programming interfaces), so other applications can read and write its content, which supports more complex connections and integrations with other tools.

Is Drupal secure?

As an open-source project, every line of Drupal's code is public and can be reviewed, tested, and improved by anyone. This cuts both ways for security.

Good, because a whole community of software developers is committed to finding and fixing vulnerabilities. Bad, because attackers can study the same code and build tools that target Drupal specifically; once a flaw is disclosed, exploits aimed at sites that have not yet patched tend to follow quickly.

A Drupal vulnerability made last year's list of the ten most exploited security vulnerabilities. But WordPress, which is much more popular, is one of the most common targets of hackers.

Drupal's security team does publish security advisories, and as with most software, applying updates promptly, for core and for every contributed module, is essential to making sure known vulnerabilities are patched.

Is Drupal HIPAA compliant?

Drupal is not a company or a commercial service, so there is no entity that can affirm its understanding and acceptance of HIPAA requirements. As an open-source project with an open governance structure, there is nobody to sign a business associate agreement (BAA).

Because Drupal is a software application installed on a web server, responsibility for its secure operation falls to whoever runs it. Some web hosting companies will help you install Drupal, but they are unlikely to accept liability for how it is configured and maintained.

The most realistic path to using Drupal in a HIPAA compliant configuration is to run it with a HIPAA compliant web hosting company that will sign a BAA. Bear in mind that the host's BAA covers the host's own obligations; configuring, patching, and maintaining the Drupal installation itself remains your responsibility.

Beyond that, as BitDiscovery CEO Jeremiah Grossman said at the Paubox SECURE @ Home conference, you don’t have to avoid using an open-source CMS like Drupal or WordPress; you just need to keep the platform and all its plugins up to date and scan for vulnerabilities on a regular basis.
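As an added example (not code from the original article, from Paubox, or from the Drupal project), the following Python script shows one offline way to act on that advice. A Composer-managed Drupal site records the exact installed versions of core and every contributed module in composer.lock; the script reads that file and flags any package that sits below a minimum patched version. The lock-file excerpt, the module names other than drupal/core, and the version floors are constructed placeholders. In practice the floors come from the Drupal security advisories you follow, or you let `composer audit` or `drush pm:security` look them up against the live advisory data instead.

```python
"""Flag Drupal packages in composer.lock that are below a minimum patched
version.

Added example for this article; it is not Paubox's code or part of Drupal.
The lock-file excerpt, the package names other than drupal/core, and the
version floors are constructed placeholders. In practice the floors come
from the Drupal security advisories you track, or you let `composer audit`
or `drush pm:security` consult the live advisory database instead."""
import json
import re

# Constructed composer.lock excerpt (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.9.1"},
        {"name": "drupal/example_module", "version": "2.0.0-beta1"},
        {"name": "drupal/other_module", "version": "8.x-3.1"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

# Hypothetical minimum patched versions, written down the way an operator
# might after reading the relevant advisories.
MIN_PATCHED = {
    "drupal/core": "9.9.2",
    "drupal/example_module": "2.0.0",
    "drupal/other_module": "3.1.0",
}

# Pre-release labels in ascending order; a final release sorts above all.
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL = 4

_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)(?:-(dev|alpha|beta|rc)(\d*))?", re.IGNORECASE)


def parse_version(version):
    """Turn a Drupal/Composer version string into a sortable tuple.

    Handles plain semver ("9.9.1"), pre-releases ("2.0.0-beta1"), an optional
    leading "v", and legacy contrib strings such as "8.x-3.1", where the
    "8.x-" prefix names the core branch and carries no ordering information.
    Branch aliases like "2.x-dev" are rejected rather than silently ranked.
    """
    v = re.sub(r"^v", "", version)
    v = re.sub(r"^\d+\.x-", "", v)
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))      # "3.1" compares as 3.1.0
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (_FINAL, 0)
    return numbers + pre


def outdated_packages(lock_json, floors):
    """Return [(name, installed, minimum)] for packages below their floor.

    Packages absent from the lock file are skipped, and packages in the lock
    file that have no floor are ignored.
    """
    lock = json.loads(lock_json)
    installed = {
        pkg["name"]: pkg["version"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
    }
    findings = []
    for name, floor in floors.items():
        if name in installed and parse_version(installed[name]) < parse_version(floor):
            findings.append((name, installed[name], floor))
    return findings


if __name__ == "__main__":
    for name, have, need in outdated_packages(SAMPLE_LOCK, MIN_PATCHED):
        print(f"{name}: installed {have}, minimum patched {need}")
```

To run it against a real site, replace SAMPLE_LOCK with the contents of the site's composer.lock. Two details matter for the comparison: the legacy "8.x-" prefix on older contributed modules is stripped before comparing, and a pre-release such as 2.0.0-beta1 sorts below the final 2.0.0, so a beta tag is not mistaken for the patched release. Scheduling this (or `composer audit` / `drush pm:security`) to run regularly, rather than once, is the point of the advice above.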


About the author

Ryan Ozawa
