WordPress Security

WordPress Security for Healthcare and Medical Websites

Build HIPAA-compliant WordPress healthcare sites with patient data protection, secure forms, and medical information safeguards.

Sarah Chen
HIPAA-compliant security for WordPress healthcare sites

Introduction

Healthcare websites handle protected health information (PHI) and must comply with HIPAA regulations. Security breaches in healthcare can result in severe penalties and patient harm.

HIPAA Compliance Requirements

Healthcare sites must implement:

  • Access controls - Unique user identification and authentication
  • Audit controls - Track all PHI access and modifications
  • Transmission security - Encrypt data in transit
  • Integrity controls - Prevent unauthorized data alteration
  • Person or entity authentication - Verify identity before PHI access

Patient Data Encryption

Encrypt all protected health information:

At-Rest Encryption

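// Encrypt patient data before storage.
//
// Authenticated encryption: AES-256-CBC for confidentiality plus an HMAC-SHA256
// tag (encrypt-then-MAC) so that a modified or truncated ciphertext is rejected
// before it ever reaches the cipher. Stored format (base64): IV || ciphertext || tag.
//
// NOTE: ciphertexts written by the earlier unauthenticated variant (IV || ciphertext,
// no tag) are no longer accepted — decrypt() returns false for them — so existing
// records have to be re-encrypted once when rolling this out.
class WPFS_PHI_Encryption {
    private $cipher = 'AES-256-CBC';
    private $mac_algo = 'sha256';
    private $mac_length = 32; // bytes produced by hash_hmac('sha256', ..., true)
    private $enc_key;
    private $mac_key;

    /**
     * @param string|null $secret Secret to derive the keys from. When null, the
     *                            dedicated WPFS_PHI_KEY from wp-config.php is used,
     *                            falling back to AUTH_KEY.
     */
    public function __construct($secret = null) {
        if ($secret === null) {
            // Use dedicated encryption key from wp-config.php
            $secret = defined('WPFS_PHI_KEY') ? WPFS_PHI_KEY : AUTH_KEY;
        }

        // openssl_encrypt() silently truncates or zero-pads whatever it is given to the
        // 32 bytes AES-256 needs, so a 64-character WordPress salt would only be used in
        // part. Derive two independent 32-byte keys instead, so the configured secret may
        // be any length and the MAC key is never identical to the encryption key.
        $this->enc_key = hash_hkdf('sha256', $secret, 32, 'wpfs-phi-encrypt');
        $this->mac_key = hash_hkdf('sha256', $secret, 32, 'wpfs-phi-mac');
    }

    /**
     * Encrypt a single PHI value.
     *
     * @param string $data Plaintext (non-strings are cast to string).
     * @return string|false base64(IV || ciphertext || tag), or false if OpenSSL fails.
     */
    public function encrypt($data) {
        // random_bytes() is the CSPRNG; openssl_random_pseudo_bytes() may report a weak result.
        $iv = random_bytes(openssl_cipher_iv_length($this->cipher));
        $ciphertext = openssl_encrypt((string) $data, $this->cipher, $this->enc_key, OPENSSL_RAW_DATA, $iv);
        if ($ciphertext === false) {
            return false;
        }

        $payload = $iv . $ciphertext;
        // The tag covers the IV as well, so swapping IVs between records is detected too.
        $tag = hash_hmac($this->mac_algo, $payload, $this->mac_key, true);

        return base64_encode($payload . $tag);
    }

    /**
     * Decrypt a value produced by encrypt().
     *
     * @param string $encrypted_data base64 string from encrypt().
     * @return string|false Plaintext, or false when the input is malformed, was not
     *                      produced with this key, or has been tampered with.
     */
    public function decrypt($encrypted_data) {
        // strict=true rejects inputs that are not valid base64 instead of decoding garbage.
        $data = base64_decode((string) $encrypted_data, true);
        if ($data === false) {
            return false;
        }

        $iv_length = openssl_cipher_iv_length($this->cipher);
        // Shortest legitimate payload is IV + one cipher block + tag.
        if (strlen($data) < $iv_length + 16 + $this->mac_length) {
            return false;
        }

        $tag = substr($data, -$this->mac_length);
        $payload = substr($data, 0, -$this->mac_length);

        // Constant-time comparison; verifying before decrypting removes the padding oracle.
        $expected = hash_hmac($this->mac_algo, $payload, $this->mac_key, true);
        if (!hash_equals($expected, $tag)) {
            return false;
        }

        $iv = substr($payload, 0, $iv_length);
        $ciphertext = substr($payload, $iv_length);

        return openssl_decrypt($ciphertext, $this->cipher, $this->enc_key, OPENSSL_RAW_DATA, $iv);
    }
}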

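// Store patient record with encryption
/**
 * Encrypt the PHI fields of a patient record and return the transformed record.
 *
 * Despite the name, nothing is persisted here: the caller receives the record with
 * the PHI fields replaced by ciphertext and is responsible for writing it to storage.
 *
 * @param array      $patient_data Patient record, keyed by field name. Values of the
 *                                 PHI fields are expected to be strings (encrypt()
 *                                 casts scalars; arrays are not supported).
 * @param array|null $phi_fields   Field names to encrypt. Defaults to the standard
 *                                 PHI field set below when null.
 * @return array The record with the selected fields encrypted.
 */
function store_patient_record($patient_data, $phi_fields = null) {
    $encryption = new WPFS_PHI_Encryption();

    // Fields requiring encryption (default set; callers may pass their own list)
    if ($phi_fields === null) {
        $phi_fields = array(
            'ssn', 'date_of_birth', 'diagnosis', 'medications',
            'insurance_id', 'medical_history', 'treatment_notes'
        );
    }

    foreach ($phi_fields as $field) {
        // isset() skips absent and null fields, so an empty value is never turned into a ciphertext.
        if (isset($patient_data[$field])) {
            $patient_data[$field] = $encryption->encrypt($patient_data[$field]);
        }
    }

    return $patient_data;
}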

Access Control and Authentication

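// Role-based PHI access
/**
 * Decide whether a user may read a given category of PHI for a patient.
 *
 * Rules: a physician may access every data type for every patient; any other role
 * may access only patients listed in its `_assigned_patients` user meta, and only
 * the data types granted to that role. Unknown users and users without roles are denied.
 *
 * @param int        $user_id    WordPress user ID.
 * @param int|string $patient_id Patient identifier (compared as a string against the assignment list).
 * @param string     $data_type  PHI category being requested, e.g. 'vitals'.
 * @return bool True when access is permitted.
 */
function can_access_phi($user_id, $patient_id, $data_type) {
    $user = get_userdata($user_id);

    // get_userdata() returns false for unknown/deleted users; deny instead of dereferencing it.
    if (!$user || empty($user->roles) || !is_array($user->roles)) {
        return false;
    }

    // Define role permissions
    $permissions = array(
        'physician' => array('all'),
        'nurse' => array('vitals', 'medications', 'notes'),
        'receptionist' => array('contact', 'insurance', 'appointments'),
        'billing' => array('insurance', 'billing_info'),
    );

    // Check if user is assigned to patient
    $assigned_patients = get_user_meta($user_id, '_assigned_patients', true);
    if (!is_array($assigned_patients)) {
        $assigned_patients = array();
    }

    $is_physician = in_array('physician', $user->roles, true);

    // Compare IDs as strings: this keeps int/string IDs interchangeable without the
    // surprises of PHP's loose comparison (e.g. numeric-string coercion).
    $is_assigned = in_array((string) $patient_id, array_map('strval', $assigned_patients), true);

    // Non-physicians may only see patients explicitly assigned to them.
    if (!$is_physician && !$is_assigned) {
        return false;
    }

    foreach ($user->roles as $role) {
        if (!isset($permissions[$role])) continue;

        if (in_array('all', $permissions[$role], true)) return true;
        if (in_array((string) $data_type, $permissions[$role], true)) return true;
    }

    return false;
}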

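// Log all PHI access
/**
 * Append one row to the PHI access log.
 *
 * @param int         $user_id       Acting user.
 * @param int|null    $patient_id    Patient whose data was touched (null for non-patient events such as session timeouts).
 * @param string      $data_accessed Data category or record identifier.
 * @param string      $action        Verb describing what happened, e.g. 'view'.
 * @return bool True when the row was written; false when $wpdb->insert() failed (also reported via error_log()).
 */
function log_phi_access($user_id, $patient_id, $data_accessed, $action) {
    global $wpdb;

    $inserted = $wpdb->insert($wpdb->prefix . 'phi_access_log', array(
        'user_id' => $user_id,
        'patient_id' => $patient_id,
        'data_accessed' => $data_accessed,
        'action' => $action,
        // Absent on CLI/cron runs; REMOTE_ADDR is the peer address as seen by PHP,
        // not a proxy-forwarded header, so it cannot be spoofed by the client.
        'ip_address' => $_SERVER['REMOTE_ADDR'] ?? '',
        // Client-controlled header: may be missing, and is bounded so an oversized value cannot make the insert fail.
        'user_agent' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        'accessed_at' => current_time('mysql'),
    ));

    // An audit write that fails silently leaves a gap in the trail; surface it.
    if ($inserted === false) {
        error_log(sprintf('phi_access_log insert failed for user %s action %s', $user_id, $action));
        return false;
    }

    return true;
}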

Secure Contact and Appointment Forms

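// HIPAA-compliant form handling
/**
 * Validate and sanitize a health-information form submission.
 *
 * Terminates the request (wp_die) when the connection is not HTTPS, the CSRF nonce
 * is missing/invalid, or the submitting IP has exceeded the rate limit.
 *
 * @return string The sanitized `health_information` field, limited to a small set of
 *                inline HTML tags. Callers must encrypt it before storage.
 */
function secure_health_form_submission() {
    // Verify HTTPS
    if (!is_ssl()) {
        wp_die('Secure connection required for health information.');
    }

    // CSRF protection: the form must carry a nonce for this action. The field and
    // action names here are this listing's own choice — use whatever names the form
    // template emits via wp_nonce_field().
    $nonce = $_POST['wpfs_health_form_nonce'] ?? '';
    if (!is_string($nonce) || !wp_verify_nonce(wp_unslash($nonce), 'wpfs_health_form')) {
        wp_die('Invalid form submission.');
    }

    // Rate limiting, keyed on the peer address. Behind a reverse proxy every visitor
    // shares REMOTE_ADDR, so the limit would then apply site-wide — confirm deployment.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $key = 'health_form_' . md5($ip);
    $attempts = (int) get_transient($key);

    if ($attempts >= 3) {
        wp_die('Too many submissions. Please try again later.');
    }

    set_transient($key, $attempts + 1, HOUR_IN_SECONDS);

    // Sanitize but preserve medical terms
    $allowed_html = array(
        'p' => array(),
        'br' => array(),
        'strong' => array(),
        'em' => array(),
    );

    // WordPress adds magic slashes to $_POST; strip them before filtering. A non-string
    // value (e.g. an array submitted via health_information[]) is treated as empty.
    $raw = $_POST['health_information'] ?? '';
    if (!is_string($raw)) {
        $raw = '';
    }
    $health_info = wp_kses(wp_unslash($raw), $allowed_html);

    // Never store PHI in cookies or client-side storage
    // Process immediately and encrypt before storage

    return $health_info;
}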

// Disable autocomplete on medical forms so browsers do not cache or prefill PHI
add_filter('wpfs_form_attributes', static function ($attrs) {
    $attrs['autocomplete'] = 'off';

    return $attrs;
});

Automatic Session Management

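// Auto-logout after inactivity
/**
 * Log the current user out after 15 minutes without a request, otherwise refresh
 * the activity timestamp. Hooked to `init`, so it runs on every request.
 *
 * The timestamp lives in user meta, so it is per user rather than per session:
 * two concurrent sessions of the same account share one timer.
 *
 * @return void
 */
function enforce_session_timeout() {
    if (!is_user_logged_in()) return;

    $user_id = get_current_user_id();
    $timeout = 15 * MINUTE_IN_SECONDS; // 15 minutes for healthcare
    // Stored as a unix timestamp; user meta comes back as a string, hence the cast.
    $last_activity = (int) get_user_meta($user_id, '_last_activity', true);

    if ($last_activity > 0 && (time() - $last_activity) > $timeout) {
        // Log the timeout
        log_phi_access(
            $user_id,
            null,
            'session',
            'auto_logout_inactivity'
        );

        // Clear the stale timestamp before logging out. Without this the value survives
        // the logout, and the user's very next login is logged out again on its first
        // request because the old timestamp still exceeds the timeout.
        delete_user_meta($user_id, '_last_activity');

        wp_logout();
        // wp_safe_redirect() only allows local/allowed hosts; add_query_arg() appends correctly
        // whether or not the login URL already carries a query string.
        wp_safe_redirect(add_query_arg('session_expired', '1', wp_login_url()));
        exit;
    }

    update_user_meta($user_id, '_last_activity', time());
}
add_action('init', 'enforce_session_timeout');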

// Require re-authentication for sensitive actions
/**
 * Report whether the user has re-entered their password recently enough to perform
 * a sensitive action.
 *
 * @param string $action Name of the sensitive action. Not consulted yet: every
 *                       action shares the same 5-minute window.
 * @return bool True when re-authentication happened within the last 5 minutes;
 *              false when the caller should prompt for the password again.
 */
function require_reauthentication($action) {
    $reauth_window = 5 * MINUTE_IN_SECONDS;

    // NOTE(review): reads $_SESSION, but WordPress core does not start a PHP session
    // by itself — confirm session_start() runs before this is called, otherwise
    // last_reauthentication is never set and this always returns false.
    $last_auth = isset($_SESSION['last_reauthentication']) ? $_SESSION['last_reauthentication'] : 0;
    $elapsed = time() - $last_auth;

    // Prompt for password once the window has lapsed
    return $elapsed <= $reauth_window;
}

Audit Trail Requirements

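// Comprehensive PHI audit logging
/**
 * Write one entry to the HIPAA audit log.
 *
 * @param string $event_type Event name, e.g. 'patient_record_view'.
 * @param array  $details    Structured event data; stored as JSON.
 * @return bool True when the row was written; false when $wpdb->insert() failed (also reported via error_log()).
 */
function create_audit_trail($event_type, $details) {
    global $wpdb;

    // Do not drop the whole entry if the details cannot be encoded (e.g. invalid UTF-8);
    // record the encoding failure instead so the trail stays continuous.
    $details_json = json_encode($details);
    if ($details_json === false) {
        $details_json = json_encode(array('encode_error' => json_last_error_msg()));
    }

    $audit_entry = array(
        'event_type' => $event_type,
        'user_id' => get_current_user_id(),
        'details' => $details_json,
        // Absent on CLI/cron runs; REMOTE_ADDR is the peer address as seen by PHP.
        'ip_address' => $_SERVER['REMOTE_ADDR'] ?? '',
        // Client-controlled header: may be missing, bounded to the column width.
        'user_agent' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        'timestamp' => current_time('mysql'),
        // Empty string when no PHP session is active.
        'session_id' => session_id(),
    );

    $inserted = $wpdb->insert($wpdb->prefix . 'hipaa_audit_log', $audit_entry);

    // A silently failed audit write is itself a compliance gap; surface it.
    if ($inserted === false) {
        error_log(sprintf('hipaa_audit_log insert failed for event %s', $event_type));
        return false;
    }

    // Audit logs must be retained for 6 years per HIPAA
    return true;
}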

// Log all patient record access
add_action('wpfs_patient_viewed', static function ($patient_id) {
    $details = array('patient_id' => $patient_id);
    create_audit_trail('patient_record_view', $details);
});

// Log modifications with the names of the fields touched; field values are deliberately not logged
add_action('wpfs_patient_modified', static function ($patient_id, $changes) {
    $details = array(
        'patient_id' => $patient_id,
        'fields_changed' => array_keys($changes),
    );
    create_audit_trail('patient_record_modify', $details);
}, 10, 2);

Conclusion

Healthcare WordPress sites require encryption, strict access controls, comprehensive audit logging, and automatic session management. These measures ensure HIPAA compliance and protect sensitive patient information.
