Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-30 Thread Butch Evans
On Tue, 2008-12-23 at 11:15 -0600, John McDowell wrote:
> We are routed, but from any computer on the network, we can go to any IP on
> the network. So it's like our broadcast is routed, but we're still bridged?

If you have a router separating segments, then you are routed.  You can
still reach any IP on the network if you are routed.  

> Anyhow, I have a potential Dr.'s office that is asking about the security of
> his information across our network until it leaves the NOC. How do you guys
> do network security? Vlans? PPPoE?  What can we do to ensure that we can
> comply with HIPAA standards for potential clients like this?

First, you are not required to be HIPAA compliant.  That requirement
is on the Doctor's office.  As for security of his data, you can offer
him an encrypted tunnel (take your pick for what type) that extends from
HIS router to YOUR border router.  This does not improve his security,
but is a feel good attempt to show that you are doing all you can to
help.  As for HIPAA requirements, even if you encrypt 100% of his
traffic from your demarc all the way to your border using mil-spec
quality encryption, it will STILL be clear from the endpoint of the
tunnel toward the internet.  Once you explain this reality, then even
the most difficult clients (I have done a lot of work in the pharmacy
industry) will either choose to pay the extra $$ for the added security
or they will see the light and save their $$ for something nice for
themselves.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://www.wispa.org/ * WISPA Board Member   *
* http://blog.butchevans.com/   * Wired or Wireless Networks   *






WISPA Wants You! Join today!
http://signup.wispa.org/

 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/


[WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread John McDowell
We are routed, but from any computer on the network, we can go to any IP on
the network. So it's like our broadcast is routed, but we're still bridged?

Anyhow, I have a potential Dr.'s office that is asking about the security of
his information across our network until it leaves the NOC. How do you guys
do network security? Vlans? PPPoE?  What can we do to ensure that we can
comply with HIPAA standards for potential clients like this?

Thanks in advance.

-- 
John M. McDowell
Boonlink Communications
307 Grand Ave NW
Fort Payne, AL 35967
256.844.9932
j...@boonlink.com
www.boonlink.com






This message contains information which may be confidential and privileged.
Unless you are the addressee (or authorized to receive for the addressee),
you may not use, copy, re-transmit, or disclose to anyone the message or any
information contained in the message. If you have received the message in
error, please advise the sender by reply e-mail j...@boonlink.com, and
delete the message. E-mail communication is highly susceptible to spoofing,
spamming, and other tampering, some of which may be harmful to your
computer. If you are concerned about the authenticity of the message or the
source, please contact the sender directly.





Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread Doug Ratcliffe
If the Doctor isn't encrypting medical-related data with SSL or VPN before 
it leaves HIS network, he's violating the HIPAA guidelines.  How often does 
a doctor use a public wi-fi network to check on charts & labs from the 
hospital via a website?  The SSL is what makes it compliant, now if you're 
talking about point to point (office to office) he may want to get a VPN 
router.



Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread Dennis Burgess - LinkTechs.net
Create a tunnel back to your NOC.  done! 

--
Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
WISPA Board Member - http://www.wispa.org/
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: http://www.linktechs.net/

Link Technologies, Inc is offering LIVE Mikrotik On-Line Training:
http://www.linktechs.net/onlinetraining.asp





Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread Mike Delp
John,

If he is connecting to one of his other offices or providers inside of your
network, then you can set up some tunnels to encrypt his data.  If he is
connecting to someone outside of your network, then he has a tunnel from his
endpoint to the other endpoint, and it is encrypted across your network and
also across the Internet.  If he has no Tunnel, then he is in Violation of
HIPAA.  If he has a tunnel, then he does not need any encryption from your
network.  You can transport his tunnel just like the rest of the Internet.
The Internet is not encrypted, and if he is relying on you providing
encryption to the Internet, then he is exposed once he leaves your network.

The Internet is routed, and you can get to any working IP address across the
entire network of networks.  There is no bridging on the Internet.  That is
how your local routed network is accessible.
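
The scope argument made in this thread, as an added example that is not part of any poster's message: it computes which links still carry the payload unencrypted for each design the replies mention. The hop names, operator labels and scenario names are constructed for illustration.

```python
# Added illustration: hops, operators and scenarios are constructed, not a real network.
PATH = ["workstation", "office-router", "isp-tower", "isp-border",
        "internet-transit", "remote-router", "remote-server"]

# Who operates each link along the path (constructed labels).
LINK_OWNER = {
    ("workstation", "office-router"): "doctor's LAN",
    ("office-router", "isp-tower"): "WISP",
    ("isp-tower", "isp-border"): "WISP",
    ("isp-border", "internet-transit"): "Internet",
    ("internet-transit", "remote-router"): "Internet",
    ("remote-router", "remote-server"): "remote LAN",
}

# Each encryption layer is (start hop, end hop); the payload is protected between them.
SCENARIOS = {
    "no encryption": [],
    "WISP tunnel (office router to WISP border)": [("office-router", "isp-border")],
    "site-to-site VPN (office router to remote router)": [("office-router", "remote-router")],
    "SSL/TLS (workstation to server)": [("workstation", "remote-server")],
}

def covered_links(path, layers):
    """Return the set of links protected by at least one encryption layer."""
    covered = set()
    for start, end in layers:
        i, j = path.index(start), path.index(end)
        if i >= j:
            raise ValueError(f"layer {start}->{end} does not run forward along the path")
        covered.update(zip(path[i:j], path[i + 1:j + 1]))
    return covered

def cleartext_links(path, layers):
    """Links, in path order, where the payload travels unencrypted."""
    covered = covered_links(path, layers)
    return [link for link in zip(path, path[1:]) if link not in covered]

def exposed_to(path, layers):
    """Operators, in path order, whose links carry the payload unencrypted."""
    seen = []
    for link in cleartext_links(path, layers):
        owner = LINK_OWNER[link]
        if owner not in seen:
            seen.append(owner)
    return seen

if __name__ == "__main__":
    for name, layers in SCENARIOS.items():
        exposed = exposed_to(PATH, layers)
        print(f"{name}: cleartext on {', '.join(exposed) or 'no link'}")
```

The WISP-only tunnel removes the WISP from the list but leaves the Internet segment exposed, while the endpoint-to-endpoint options do not depend on the carrier at all.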





Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread Scott Reed
I believe that HIPAA puts the responsibility on the Dr., not on the 
carrier.  You, the carrier, do not have to do anything to carry his 
data.  This was discussed about 1 year ago on one of the lists and the 
last I heard, this was the agreement.

Doug Ratcliffe wrote:
> If the Doctor isn't encrypting medical-related data with SSL or VPN before 
> it leaves HIS network, he's violating the HIPAA guidelines.  How often does 
> a doctor use a public wi-fi network to check on charts & labs from the 
> hospital via a website?  The SSL is what makes it compliant, now if you're 
> talking about point to point (office to office) he may want to get a VPN 
> router.


-- 
Scott Reed
Sr. Systems Engineer
GAB Midwest
1-800-363-1544 x4000






Re: [WISPA] Potential Dr.'s office asking about our network and HIPAA?

2008-12-23 Thread reader
Some general rules we followed, when setting up a doctor's office with a 
remote access setup...

1.  Physical security - all machines behind locked doors.   No monitors 
visible from any public area.   No routers, switches, or ethernet plugs in 
unlocked or insecure areas.
2.  Network security - We did single IP NAT at his office.  He wanted to 
tunnel to home, so we set up a tunnel to his home, but it only works on his 
specific laptop.   He abandoned this, decided to not work at home :)
3.  Data security - this they were lacking..  He now transports his data on 
files that are zipped with a password, on a thumbdrive that's encrypted with 
a password, and his laptop requires biometric authentication to run.

Further, we explained to him that emails between offices were fine... IF 
encrypted.  So, now they zip and password the communication files they email 
to each other.  Images, etc, the same.

If you wish to share data between ANY two points, secure tunnels are not 
necessary, but the data itself should be secured no matter what else you do. 
No communication on the internet should be considered non interceptable, 
therefore security starts with encrypting data right at the source.

The HIPAA rules seem complex, but I found some medical consultant sites that 
broke it down a little more and it's not all that complex, if you start with 
the idea that the data itself should be encrypted, and the network itself 
should be physically isolated and secured.  We ran ethernet out to the 
wireless cpe outside, but it does double nat with a router inside so even 
that segment is isolated from the inside network.

Now, this was a very simplistic setup, to be sure, but the philosophy works 
when scaled up and meets every aspect of HIPAA's requirements.






insert witty tagline here
