For Piwik PRO, security and compliance are joint responsibilities shared with our customers. Piwik PRO is dedicated to offering the services customers need to achieve HIPAA compliance. In this article, we’ll show you how Piwik PRO meets HIPAA requirements and how customers can manage their Piwik PRO accounts to stay compliant with HIPAA. We will also explain the key definitions you need to understand when using a Piwik PRO account.
Key definitions
Owners: The primary contact for the Piwik PRO Analytics Suite account. They can perform all actions on the account, including adding a site or app, inviting others to join the account, and configuring the account settings. For more details, see this article.
Visitors: Users of a website or a mobile application in which the customer implemented Piwik PRO tracking. Visitors’ activity on the site or app can be recorded in the Piwik PRO account.
Customer data: Visitors’ data collected by the customer in a Piwik PRO Analytics Suite account. To learn more about what data Piwik PRO collects, see this article.
HIPAA requirements
Access control
Implement technical policies and procedures for electronic systems that maintain electronic protected health information (ePHI) to restrict access to only authorized individuals or programs.
Unique user identification
Give each user a unique name or number to help identify them and collect data on their activity.
How Piwik PRO meets the standard
Each Piwik PRO account user has a unique username (email address) within a single Piwik PRO account.
Our technical team has access to your account by default. Every account owner can lock the account from the account’s settings.
Piwik PRO support staff use a dedicated username and password, complemented by a two-factor authentication (2FA) process. Additionally, we strictly limit access to pre-approved IP addresses, so that only authorized personnel can interact with the system. Any time the support team logs into your Piwik PRO account, you’ll see that information in the audit log. Piwik PRO also records these log-ins internally for security and audit purposes.
Piwik PRO system administrators implement extra security measures to protect the infrastructure and keep tight control. The infrastructure itself remains concealed behind industry-standard solutions, including access through Piwik PRO’s VPN. The administrators generate and assign VPN certificates exclusively to individual users for a granular level of access control.
Piwik PRO does not de-identify data exported from a Piwik PRO account. Therefore, the customer needs to ensure that access to the exported data complies with the HIPAA Security Rule.
How Piwik PRO customers and users can meet the standard
- Owners can activate 2FA or a single sign-on (SSO) mechanism using the customer’s identity provider (IdP). When SSO is enabled, users are requested to log in to Piwik PRO using their IdP account username and password.
- Owners can set up the account settings to grant or deny technical support access to the customer’s Piwik PRO account.
- The customer can set up granular access permissions for account users, limiting access to visitors’ data at the module level and site/app level. These permissions also include the use of the REST API.
- Customers are solely responsible for reviewing the security of any third-party integrations that use Piwik PRO features (specifically Activations in the Customer Data Platform, Analytics REST API, or daily data exports). Piwik PRO does not sign business associate agreements (BAA) with the vendors for the solutions Piwik PRO can be integrated with.
- Users are solely responsible for the set-up and use of features that export customer data outside of the Piwik PRO account, such as report scheduling, exports, and report downloads. When exporting data to destinations that cannot ensure HIPAA compliance, users can configure Piwik PRO features to limit the scope of the exported data so that no data with HIPAA identifiers is exported.
Automatic logoff
Implement electronic procedures that end an electronic session following a set period of inactivity.
How Piwik PRO meets the standard
Piwik PRO logs out users if they’re inactive for 30 minutes by default. Session inactivity time can be adjusted in the account’s settings.
How Piwik PRO customers and users can meet the standard
Owners can set the automatic logout from 15 minutes to 8 hours.
Audit controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
How Piwik PRO meets the standard
The audit log application lets customers see who’s logged into the platform and made any changes to the settings.
Piwik PRO has a support access audit log that records when and why every Piwik PRO staff member logs into the customer’s account.
How Piwik PRO customers and users can meet the standard
Customers can use the audit log API to monitor any unusual activity like log-ins.
Piwik PRO stores audit logs for the same time as the data retention period set in the contract.
Customers who want to extend that period or retain access logs after the contract ends can download the access log to their SIEM or other storage.
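The section above says customers can pull the audit log through its API and watch for unusual log-ins, or ship it to a SIEM. The script below is an added example of that kind of review and is not Piwik PRO code: the JSON field names, the sample records, the office network and the business-hours window are constructed assumptions, not the real audit log schema. It flags vendor (support) access, bursts of failed log-ins, a success that follows such a burst, log-ins from outside the known networks, and log-ins outside working hours.

```python
"""Review of exported audit-log entries for unusual log-in activity (added example,
not Piwik PRO code; field names, sample records and thresholds are assumptions)."""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed sample export, one JSON object per line (assumed shape, not the real API).
SAMPLE_LOG = """\
{"time": "2024-05-06T09:12:03+00:00", "actor": "ann@example.com", "actor_type": "user", "action": "login", "ip": "198.51.100.10", "result": "success"}
{"time": "2024-05-06T09:15:44+00:00", "actor": "ann@example.com", "actor_type": "user", "action": "settings.update", "ip": "198.51.100.10", "result": "success"}
{"time": "2024-05-06T23:41:09+00:00", "actor": "bob@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.77", "result": "success"}
{"time": "2024-05-07T02:05:00+00:00", "actor": "support-agent", "actor_type": "piwik_support", "action": "login", "ip": "192.0.2.9", "result": "success", "reason": "ticket reference (constructed)"}
{"time": "2024-05-07T08:00:01+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "failure"}
{"time": "2024-05-07T08:00:09+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "failure"}
{"time": "2024-05-07T08:00:17+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "failure"}
{"time": "2024-05-07T08:00:25+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "failure"}
{"time": "2024-05-07T08:00:33+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "failure"}
{"time": "2024-05-07T08:01:02+00:00", "actor": "carol@example.com", "actor_type": "user", "action": "login", "ip": "203.0.113.5", "result": "success"}
"""

KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed office range
BUSINESS_HOURS = (7, 19)      # assumed review window, hours in UTC
FAILURE_THRESHOLD = 5         # failed log-ins per actor before we raise an alert


def parse_log(text):
    """One dict per non-empty line, with the timestamp parsed to a datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"])
            records.append(rec)
    return records


def review_logins(text, known_networks=KNOWN_NETWORKS, business_hours=BUSINESS_HOURS):
    """Return (rule, actor, timestamp) tuples for log-ins that deserve a human look."""
    alerts = []
    failures = Counter()
    for rec in parse_log(text):
        if rec["action"] != "login":
            continue
        actor, when = rec["actor"], rec["time"].isoformat()
        if rec["actor_type"] == "piwik_support":
            # Vendor access: confirm it matches a support request you actually opened.
            alerts.append(("support_access", actor, when))
            continue
        if rec["result"] != "success":
            failures[actor] += 1
            if failures[actor] == FAILURE_THRESHOLD:
                alerts.append(("failed_login_burst", actor, when))
            continue
        if failures[actor] >= FAILURE_THRESHOLD:
            alerts.append(("success_after_burst", actor, when))
        if not any(ipaddress.ip_address(rec["ip"]) in net for net in known_networks):
            alerts.append(("unknown_network", actor, when))
        if not business_hours[0] <= rec["time"].hour < business_hours[1]:
            alerts.append(("off_hours", actor, when))
    return alerts


def alert_counts(text):
    """Alerts per rule, the figure a dashboard or SIEM correlation rule would chart."""
    return Counter(rule for rule, _, _ in review_logins(text))
```

Each alert names the rule, the actor and the timestamp, which is the minimum a SIEM ticket needs; the support-access rule fires on every vendor log-in because the page's own control is that such access is visible and can be switched off by the owner.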
Integrity
Implement policies and procedures to protect ePHI from improper changes or deletions.
How Piwik PRO meets the standard
Piwik PRO collects data in the following ways:
- Collects requests sent to Piwik PRO Tracker by the tracking code implemented on the customer’s website or mobile application.
- Uses the Google Ads integration.
- Imports data to the Customer Data Platform (CDP) module.
Of the above, only the import mechanism lets you overwrite and change existing data. Piwik PRO limits the import permissions. For more details, see this article.
How Piwik PRO customers and users can meet the standard
Users are solely responsible for the data imported to the CDP module and the consequences of replacing previously imported data.
The data import log stores raw logs of data imported to CDP from external sources for 30 days, so the customer can verify that no data was deleted unintentionally.
Person or entity authentication
Implement procedures to confirm that a person or entity asking for access to ePHI is the one claimed.
How Piwik PRO meets the standard
Piwik PRO support staff uses a dedicated username and password, complemented by the 2FA process.
Standards for strong passwords:
- minimum 12 characters long
- maximum 128 characters
- at least one uppercase letter
- at least one lowercase letter
- at least one digit
For SSO-activated accounts, the password rules may be different and depend on the customer’s IdP requirements.
Piwik PRO Analytics Suite is protected against password guessing in two ways:
- Limit on login and password reset attempts: a specific email account from the same IP address can make at most 10 login and password reset attempts within 1 minute; alternatively, 100 attempts within one minute across all login attempts in total. After the 10th failed attempt, logging in is blocked for 10 minutes. This cannot be shortened, even by resetting the password in the meantime. The error message does not reveal whether the email or the password was wrong.
- Password reset rules:
  - After a password reset, all active sessions are invalidated and the user is logged out of every active session without notice. The user also receives an email confirming the password change.
  - If the email is correct and belongs to an existing account, Piwik PRO sends a password reset email with a link. This email is sent only once per account, no matter how many attempts are made. There is a limit of 100 password reset attempts per minute.
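The password rules and the guessing defences listed above describe a small authentication policy. The code below is an added example that models that policy end to end; it is not Piwik PRO's implementation. The thresholds (12 to 128 characters with an upper-case letter, a lower-case letter and a digit; 10 login or reset attempts per email and IP address per minute; 100 per minute overall; a 10-minute lock after the 10th failed attempt that a reset does not shorten; one reset mail per account; all sessions dropped on reset; one generic error for every failure) come from the page. The class name `LoginGuard`, the in-memory storage, the `session_id` parameter and the SHA-256 stand-in for a real password hash are assumptions made for illustration.

```python
"""Credential-guessing defences modelled on the rules listed above (added example,
not Piwik PRO code: thresholds come from the page; names and storage are assumed)."""
import hashlib
import hmac
import re
from collections import deque

WINDOW_SECONDS = 60          # sliding window shared by both rate limits
PER_EMAIL_IP_LIMIT = 10      # login + reset attempts per (email, IP) per window
GLOBAL_LIMIT = 100           # login + reset attempts across all accounts per window
LOCKOUT_SECONDS = 600        # applied after the 10th failed login
GENERIC_ERROR = "invalid email or password"   # never says which part was wrong
RESET_REPLY = "if that address is registered, a reset link has been sent"


def password_meets_policy(password):
    """12 to 128 characters with at least one upper, one lower and one digit."""
    return (12 <= len(password) <= 128
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def _hash(password):
    # Stand-in for the slow salted hash (argon2id, bcrypt) a real system would use.
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    def __init__(self, users):
        self._hashes = {email: _hash(pw) for email, pw in users.items()}
        self._window = {}             # (email, ip) -> deque of attempt timestamps
        self._global = deque()        # timestamps of every attempt
        self._failures = {}           # (email, ip) -> consecutive failed logins
        self._locked_until = {}       # (email, ip) -> time the lockout ends
        self.sessions = {}            # email -> set of active session ids
        self.reset_mail_sent = set()  # accounts with an outstanding reset link

    @staticmethod
    def _prune(dq, now):
        while dq and dq[0] <= now - WINDOW_SECONDS:
            dq.popleft()

    def _over_limit(self, key, now):
        """Record one attempt; True if either one-minute window is already full."""
        dq = self._window.setdefault(key, deque())
        self._prune(dq, now)
        self._prune(self._global, now)
        if len(dq) >= PER_EMAIL_IP_LIMIT or len(self._global) >= GLOBAL_LIMIT:
            return True
        dq.append(now)
        self._global.append(now)
        return False

    def login(self, email, password, ip, now, session_id):
        """Return (success, message); the message is identical for every failure."""
        key = (email, ip)
        if now < self._locked_until.get(key, 0.0) or self._over_limit(key, now):
            return False, GENERIC_ERROR
        # Hash even for unknown accounts so response time does not reveal existence.
        stored = self._hashes.get(email, _hash(""))
        if hmac.compare_digest(stored, _hash(password)) and email in self._hashes:
            self._failures[key] = 0
            self.sessions.setdefault(email, set()).add(session_id)
            return True, "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= PER_EMAIL_IP_LIMIT:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self._failures[key] = 0
        return False, GENERIC_ERROR

    def request_password_reset(self, email, ip, now):
        """Same reply whether or not the address exists; at most one mail per account."""
        if not self._over_limit((email, ip), now) and email in self._hashes:
            self.reset_mail_sent.add(email)   # the real system would send the link here
        return RESET_REPLY

    def complete_password_reset(self, email, new_password):
        """Store the new password and drop every active session; lockouts stay."""
        if email not in self.reset_mail_sent or not password_meets_policy(new_password):
            return False
        self._hashes[email] = _hash(new_password)
        self.sessions[email] = set()
        self.reset_mail_sent.discard(email)
        return True


def demo():
    g = LoginGuard({"alice@example.com": "CorrectHorse42x"})   # constructed account
    email, office_ip, other_ip = "alice@example.com", "198.51.100.7", "203.0.113.5"
    g.login(email, "CorrectHorse42x", office_ip, 0.0, "office-session")   # legitimate user
    # ten wrong guesses from the other address at t = 0..9 s all get the same message
    replies = {g.login(email, "Guess%02dxyz" % t, other_ip, float(t), "s")[1] for t in range(10)}
    out = {"uniform_error": replies == {GENERIC_ERROR}}
    # the right password at t = 10 s is refused: that (email, IP) is locked for 600 s
    out["locked_right_after"] = g.login(email, "CorrectHorse42x", other_ip, 10.0, "s")[0]
    # a reset at t = 70 s (window cleared) changes the password and ends every session,
    # but the lock still runs until 9 + 600 = 609 s
    g.request_password_reset(email, other_ip, 70.0)
    out["reset_done"] = g.complete_password_reset(email, "NewPassphrase99z")
    out["sessions_left"] = len(g.sessions[email])
    out["locked_after_reset"] = g.login(email, "NewPassphrase99z", other_ip, 300.0, "s2")[0]
    out["login_after_lockout"] = g.login(email, "NewPassphrase99z", other_ip, 610.0, "s3")[0]
    return out
```

The two details worth copying are the ones easiest to get wrong: the error text and the reset reply are the same constants whether or not the account exists, and the lockout is stored separately from the rate-limit window, so clearing one (or resetting the password) never clears the other.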
How Piwik PRO customers and users can meet the standard
Owners can activate the 2FA or SSO mechanism using the IdP. When SSO is enabled, users are requested to log in to Piwik PRO using their IdP account username and password.
Transmission security
Implement technical security measures to guard against unauthorized access to ePHI that you send using an electronic communication network.
Implement a mechanism to encrypt ePHI whenever necessary.
Implement a mechanism to encrypt and decrypt ePHI.
How Piwik PRO meets the standard
Piwik PRO ensures that all connections use TLS (Transport Layer Security) version 1.3, the successor of SSL (Secure Sockets Layer). This means that all data transmitted between the user’s browser and Piwik PRO servers is encrypted in transit, protecting sensitive information while it is being transferred.
We encrypt customer data with AES 256-bit encryption at rest.
We also encrypt customer data on backup media at the disk level using encryption keys, and additionally at the software level during the backup process. Encryption keys are managed by Piwik PRO: we oversee all keys and ensure security and compliance with ISO 27001 and SOC 2 Type II standards.
How Piwik PRO customers and users can meet the standard
Data exported from a Piwik PRO account is not encrypted. Therefore, it is the customer’s responsibility to encrypt it at rest in the export destination when necessary.
Data retention and disposal
How Piwik PRO meets the standard
Piwik PRO retains customer data depending on the subscription plan: 14 months for the Core plan and 25 months or a custom period for the Enterprise plan.
Data retention starts from the first tracked event. When data exceeds this period, we delete it on the first day of the following month, including the data for that entire month. When a Piwik PRO account is closed, we delete all of its data.
We retain profiles in the CDP module for 30 days if no User ID is assigned or for 13 months if the User ID is assigned.
How Piwik PRO customers and users can meet the standard
Customers interested in retaining data have two options with Piwik PRO:
- You can buy an additional retention plan to extend the default data retention period.
- You can export data to an external service or preferred storage option.
Piwik PRO gives you several options to export data:
- Report exports.
- Raw data exports through our BI integrations.
- Database dumps before data deletion (available only to Enterprise plan customers).
Note: these dumps do not include CDP data.