Re: [WISPA] Wireless Security biting you in the ass?

2006-11-28 Thread Mark Koskenmaki
One of my clients is a maker of prosthetic limbs... and he has two offices.

He is covered by HIPAA considerations, so we spent considerable time trying
to figure this out, using the information supplied to him, concerning HIPAA,
from the feds and by trade organizations.

We eventually came to the conclusion that he must encrypt any data leaving
his network, or going over wireless, and that he must password his
computers.  At first, they were going to build a VPN between his two
facilities, now they're re-thinking it and probably going to use an
application service provider to meet their data sharing needs (mostly
scheduling, and some patient data) since they didn't want to pay someone to,
or build their own in-house client-server system for cooperative scheduling.
They have 3 machines in the local office, which are 2 wired and 1 wireless,
and his wireless is encrypted, the machines are behind locked doors, and
require passwords to start up.

Again, as the provider of data transport, that data MUST be encrypted before
it reaches you, in order to be compliant, period.   Unless you're getting
involved in helping them with their internal network, or IT system, HIPAA
considerations have no impact on your network, how it's run, or how secure
or insecure you are, because it must be encrypted before it reaches ANY
point accessible by non-approved personnel.   This means their internal
network must be secure, machine physical security to prevent unauthorized
access, etc.   We came to this conclusion while doing a read through his
info, and he understood it perfectly.   Emailed patient data must be
encrypted using something like a passworded zip file, or using an industry
standard encrypt / decrypt method using keys.   Client-server applications
must use an SSL tunnel or session to be compliant ( like https when using
web based ) even on an intranet, much less internet based.  Any data leaving
any physically secure location (like access from a nurses station to patient
records database, where the database server is in a locked room and the
nurses station is not) must be encrypted, and must require login
user/password, and users must log out when not in physical control of the
workstation, for instance.   If the ethernet network can be plugged into in
ANY physically insecure location, then all data on that network must be
encrypted either by encrypting the data stream, or by the applications that
move the data.

There are no specific technological requirements for HIPAA compliance...
Instead, there's a set of specific standards that start with keeping the
machines physically safe from non-approved personnel, and it goes from
there.   It's not bank or pentagon type security, but it does require
thinking through the whole system end-to-end to be compliant.  Again, none
of this has any impact on you, as a transport provider, since everything MUST
be encrypted long before it reaches your network or it's out of compliance
anyway.



+++
neofast.net - fast internet for North East Oregon and South East Washington
email me at mark at neofast dot net
541-969-8200
Direct commercial inquiries to purchasing at neofast dot net

- Original Message - 
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Monday, November 27, 2006 2:16 PM
Subject: [WISPA] Wireless Security biting you in the ass?


 Wireless broadband security issues have now officially led to my
 business being put into a bad light due to perceived lack of security. I
 am a member of a regional broadband planning group that is working with
 health care and other industry sectors to help deliver broadband options
 to all areas that need it. Rural Health centers and hospitals are all
 over the region and most need access to broadband which is highly
 secure. I need to know what others have done to bring HIPAA compliance
 assurance to network administrators and hospital personnel so that your
 solutions are chosen and used for health care connectivity. Currently my
 services are not being considered due to the perception of a lack of
 HIPAA security compliance. I need to get on top of this right now and
 welcome your thoughts and ideas. I would prefer to hear from those of
 you who have some actual knowledge of delivering HIPAA compliant
 connections or those who provide equipment which has been documented to
 meet HIPAA compliance.
 Thank you,
 John Scrivner

 -- 
 WISPA Wireless List: wireless@wispa.org

 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless

 Archives: http://lists.wispa.org/pipermail/wireless/



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-28 Thread Carl A Jeptha

John,
Ask them to supply you with the HIPAA compliance list point-by-point.
Then you show how you can comply when it is your responsibility and also 
point out where they are responsible for security.
Then summarise this and they will see that they are more responsible for 
this HIPAA thing than you or any other carrier is. Because as has been 
pointed out before, if the data is encrypted when it leaves the 
terminal, the rest doesn't really matter. Point out also that this way 
they are free to change their providers anytime they want to, because 
they are in control of their security not an outsider.


You have a Good Day now,


Carl A Jeptha
http://www.airnet.ca
Office Phone: 905 349-2084
Office Hours: 9:00am - 5:00pm
skype cajeptha



John Scrivner wrote:
It does not matter if the responsibility is the network admin or not 
when it comes down to purchase time. It comes down to perception. 
Right now perception of the hospital corporate officers is that 
wireless = not secure. I have been told by people who order circuits 
that they are not allowed to buy from me or any wireless operator due 
to security issues. I believe it will require some type of HIPAA seal 
of approval from some source or another before we can start selling 
to these guys. This could be bad for us. ALL of the hospitals are 
going to be buying new circuits soon and right now I am out of the running.

Scriv




Re: [WISPA] Wireless Security biting you in the ass?

2006-11-28 Thread Tom DeReggi
Also note: the Wireless is not secure perception is not just about HIPAA, 
but also Homeland security, or any government job, or any industry that 
deals with end user information such as finance industry.


One of the best examples I saw where a company beat the perception is 
Allconet (Connx), where their design boasted top security and reliability 
using Alvarion as their transport medium. But the reliability of their 
network was not just about wireless, it was the whole solution, the quality 
of their data center, cell tower cabins, Use of license where appropriate, 
and Layer2 VCs linked to VLANs. Maybe this was easier for them as it was a 
network built for the government initially.


I guess what I'm saying is that  Wireless is not secure  is not only a 
perception of wireless, but a perception of the wireless provider.  People 
are surprised when they hear WISPs doing  carrier class offerings.


I think announcements like ATT is doing Wireless, will actually help us more 
than harm us (via competition), just because  it starts to validate the 
industry by companies that have tons of highly qualified respected 
engineers.  And we can say they are copying us :-)


Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband


- Original Message - 
From: Peter R. [EMAIL PROTECTED]

To: WISPA General List wireless@wispa.org
Sent: Monday, November 27, 2006 11:48 PM
Subject: Re: [WISPA] Wireless Security biting you in the ass?



Back to your problem:  Wireless = Unsecure.

You have a Marketing problem.
The onus is on you to get him to tell you why your network is unsecure.
Objections are made to be hurdled, after all.

Explaining that cable and DSL are LAN based topologies is not going to 
help you.


You need to describe how your Alvarion Fixed Wireless network is capable of 
providing fiber like capabilities in the private transport arena. (Maybe 
get some help from your Alvarion Support Engineer).


I need to think about it some more before I can give you a better answer.

Regards,

Peter
RAD-INFO, Inc.




Re: [WISPA] Wireless Security biting you in the ass?

2006-11-28 Thread Frank Muto

Here is a white paper that may have some useful info.

http://www.igov.com/informationtech/pdfdirectory/cranite/HIPAA-Compliance-and-Wireless-Networks.pdf



Frank Muto
President/CEO
FSM Marketing Group, Inc






Re: [WISPA] Wireless Security biting you in the ass?

2006-11-28 Thread Tom DeReggi

WhitePaper brings up a popular misunderstanding...

They are talking about wireless LAN, NOT Wireless WAN. Most people don't 
understand the difference, and how that is relevant in their decisions.


Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband




[WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread John Scrivner
Wireless broadband security issues have now officially led to my 
business being put into a bad light due to perceived lack of security. I 
am a member of a regional broadband planning group that is working with 
health care and other industry sectors to help deliver broadband options 
to all areas that need it. Rural Health centers and hospitals are all 
over the region and most need access to broadband which is highly 
secure. I need to know what others have done to bring HIPAA compliance 
assurance to network administrators and hospital personnel so that your 
solutions are chosen and used for health care connectivity. Currently my 
services are not being considered due to the perception of a lack of 
HIPAA security compliance. I need to get on top of this right now and 
welcome your thoughts and ideas. I would prefer to hear from those of 
you who have some actual knowledge of delivering HIPAA compliant 
connections or those who provide equipment which has been documented to 
meet HIPAA compliance.

Thank you,
John Scrivner



RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Rick Smith
I've been wonderin about this same thing.  I've always blown it off
and won the argument but

Where's the HIPAA cert stuff to be found ?
Like, exact checklists ?

R 



RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Charles Wu
I can expand on this, but would that be considered a vendor pitch ?
(discussion will include product capabilities, etc)

-Charles


---
WiNOG Wireless Roadshows
Coming to a City Near You
http://www.winog.com 





RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Dennis Burgess - 2K Wireless
Well said!

Dennis Burgess, MCP, CCNA, A+, N+, Mikrotik Certified
[EMAIL PROTECTED]
www.2kwireless.com
 
2K Wireless provides high-speed internet access, along with network
consulting for WISPs, and businesses with a focus on TCP/IP networking,
security, and Mikrotik routers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Marlon K. Schafer (509) 982-2181
Sent: Monday, November 27, 2006 4:25 PM
To: WISPA General List
Subject: Re: [WISPA] Wireless Security biting you in the ass?

Officially, HIPAA compliance is a CLIENT issue.  As long as the data is 
properly encrypted there's no need for the transport to be.

Some will argue this (mainly the telco but sometimes the customer).  It's 
still a fact.

Questions to ask them.
What do the Doctors use for connectivity to their handheld devices?  Right, 
wireless.
What is the encryption mechanism on a t-1 or dsl link?  Right, none.
What is the security on the cable network?  Right, none.
Does the facility have a wireless network?  Care to have me break into it 
for you?  (I'm told that WPA has now been cracked too.)

We went around in circles with a local Sheriff's office on this issue.  In 
the end it was decided that the only real way to be HIPAA compliant was to 
encrypt the data AT THE PC level.  ANYTHING done after that point was all 
but useless.  They confirmed this with the DOJ.  All that's needed is data 
security, not transport security.  If transport security is what's wanted 
then EVERY vlan switch, router etc. in the loop is a possible security hole.

This risk runs end to end, regardless of the transport medium.

Good luck.
Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)Consulting services
42846865 (icq)And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam





Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Matt Larsen - Lists
HIPAA is NOT your responsibility.  It is the responsibility of the 
hospital/health care entity to make sure that they are HIPAA compliant 
at the point where they connect to the Internet.  If they are unable to 
make that distinction, then doing business with them is asking for 
trouble because they are just playing the cover your ass game. 

They probably won't like hearing that, and it may not get you the 
business, but HIPAA has absolutely nothing to do with your network.


Matt Larsen
[EMAIL PROTECTED]




RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Patrick Leary
John, this is a common question of a vastly misunderstood issue. And
while I do not purport to be an expert on HIPAA, I have encountered the
question many times. 

There is no such thing as being HIPAA compliant from a hardware
standpoint. Rather, HIPAA addresses how information is handled as it
passes along the information chain which includes all types of network
media and hardware as well as physical handling (e.g. paper patient
records being physically transported). In other words, I am not familiar
with the existence of any mechanism that certifies or otherwise
documents hardware as being HIPAA compliant. It is the organizational
process itself which must be certified as being compliant. Here is more
info:

http://www.hipaadvisory.com/action/Compliance/compliant.htm


Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628
c: 760.580.0080
Vonage: 650.641.1243
[EMAIL PROTECTED]



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Peter R.

Great questions, Marlon!
You are correct that it is application/data encryption needed, not 
transport security.


Every hospital has a HIPAA Officer. Talk to that person. By 2009, they 
all have to have EMR and HIPAA compliance, along with some EDI with 
health insurance payers.


- Peter Radizeski
Consultant to the Internet Stars :)



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread lakeland
Good luck Rick.  Last I looked there was no clear outline 

Bob
Sent from my Verizon Wireless BlackBerry  



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread lakeland
John

To the best of my knowledge there are no HIPAA compliant solutions that are
actually approved.

We have installed a ton of links for hospitals and other medical facilities and
this issue comes up from time to time. We pretty much tell the customer that we
are just a carrier and we encrypt our data just like Verizon does on a T1. And
we all know how good that is.

HIPAA compliance should be up to the network administrator.  Not the carrier
IMHO.

Ask someone how your network is not compliant.  It's like Y2K all over again.

Good luck 

Bob
Sent from my Verizon Wireless BlackBerry  



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Tom DeReggi
I think it's important to understand where the client's fear comes from.  It's
thinking that they are opening their network wide up.
HIPAA is making a client process compliant, not the hardware itself, as just
mentioned by someone. But one of the processes is what network policies does
the hospital allow that could compromise security if it was not managed
properly. They don't want something in place that could be improperly
managed.  The intent may not just be HIPAA compliance, but their own good
judgement on how to keep data secure.  It's been written about on every
corner how consumer wifi devices are hackable and not secure, and they
remember that regardless if it has anything to do with your network. The key
is to not have the customer AP/WiFiCPE be the mechanism of implementing
security. When it is shown that a third party device or other internal
processes are responsible for doing the security, it takes away the WIFI as
even being a variable to consider for breaching security.  They can't
criticize wifi for security if the securing method is not the wifi device.
The last thing you want is to have your service be slow to be bought because
some technical board is debating for months and months the security risks
of your network. Just take it out of the equation, so there is no delay in
buying your service, and they can figure out how to secure their network as
a separate transaction.


Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband


- Original Message -
From: Dennis Burgess - 2K Wireless [EMAIL PROTECTED]
To: 'WISPA General List' wireless@wispa.org
Sent: Monday, November 27, 2006 5:32 PM
Subject: RE: [WISPA] Wireless Security biting you in the ass?

John,

Do you have a listing of HIPAA security needs?

One thing you can do is provide a secure tunnel, IPSEC is best, or a
security on top of security approach.  This tunnel will run from your
customer equipment, his hospital, etc, to your border router etc that is
connected via fiber or land line.  At that point it is as secure as you can
get it.

So, if you use WEP, Ya security sux, but then put IPSEC inside that WEP
packet, now you are talking.  T1s can be tapped, seen it done.  So with the
WEP and IPSEC you are always talking secure.  Add on top of that, the
application, and whatever it uses for security, HTTPS, etc.

It's a custom solution to a simple problem.  The only thing now that they
could complain about is what about someone sitting in the parking lot
listening to packets sent and received.  Can they do that with a T1 etc,
well, ya you can TAP a T1, usually done on the switch side of things?  All
you can do then is maybe offer a dedicated backhaul to them, with a
proprietary protocol, something like Nstream would work, so now you have
Nstream, running WEP encrypted packets that has IPSEC packets inside that.
If they break it, they should get the data for the work they had to do.  Or
put up something like an optical service if you are close!  That would
eliminate that.

Another question I would have to ask is, how secure is cable or DSL?  Figure
this, DSL lets every customer off of their DSLAM to communicate to each
other, so does cable.  If someone had the right cable modem and off the same
segment, sure, they can capture every package that is going across the cable
line!

Thoughts.

Dennis Burgess, MCP, CCNA, A+, N+, Mikrotik Certified
[EMAIL PROTECTED]
www.2kwireless.com

2K Wireless provides high-speed internet access, along with network
consulting for WISPs, and businesses with a focus on TCP/IP networking,
security, and Mikrotik routers.


Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Butch Evans

On Mon, 27 Nov 2006 [EMAIL PROTECTED] wrote:

> HIPAA compliance should be up to the network administrator.  Not the
> carrier IMHO.


This is not a matter of opinion.  It is factual.

--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)


Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Mark Nash - Lists
I have a customer who works from home transcribing mammogram notes from
doctors into their system.  Their IT department put a Cisco VPN router at
the client side to connect to their VPN at the imaging center.  We discussed
HIPAA, and they were not worried about my side at all as they were
encrypting the data.  If it is a large enough organization, they will have
IT support that understands HIPAA vs. Telecommuting.

However, IT guys in large organizations tend to be skeptical of WISP service
as they have not seen it much so don't want to vouch for its reliability or
support it.

So you can get the IT guys into the conversation but beware of the
reluctance factor.

Mark Nash
Network Engineer
UnwiredOnline.Net
350 Holly Street
Junction City, OR 97448
http://www.uwol.net
541-998-
541-998-5599 fax


Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread George Rogato

I have a few hospital employees working at home across my wireless system.
They VPN into the hospital and we don't do anything special for them.

One reason that they tell the employees to use us is because we service 
them quickly when they have an issue.


I will agree that we've lost work because the competition and others tell
the tale that wireless is not secure and it's hard to defend against
that when the other guy has already won their trust by trashing us.


Only thing I can counter that with is to tell them that the hospital and
a few other serious high profile customers use us and the security issue
is a hype.


One of my subs a few years ago was being told by the network company
that serviced his network to switch away from us and install a PIX
router because of the lack of security.


So when the sub called, and I tried my best to explain to him it was not
insecure, I got to the point that I realized I was not getting anywhere.
A thought popped in my mind and I said:
"If your professional security network people say it's so insecure,
have them break into your network and prove to you that what they are
saying is true, otherwise they are hyping you into a sale at my expense.
They are after all network security experts and they ought to know how
to break in."


I still have the sub, but those network security experts don't.

George





RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Jeff Broadwick
Are you suggesting single DES?  I wouldn't recommend that.  Go with 3DES or
AES. 



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Marlon K. Schafer (509) 982-2181
BTW, we're going to try to work out something with the local hospital for 
data storage.  We want to do off site backup for them.  Via a dedicated link 
to a server that never touches the internet!


I'll be working on physical security of the server as well as the transport
needs.  Issues like NOC access and such.


We'll also be working on the frequency of the backups.  ie: does the system
need to back up the data every time a change is made?  Or only a few times
per day?  Once per night?


I hope to meet with the hospital administrator here in a couple of weeks 
when we're not both so swamped.

Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)Consulting services
42846865 (icq)And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message - 
From: Peter R. [EMAIL PROTECTED]

To: WISPA General List wireless@wispa.org
Sent: Monday, November 27, 2006 2:44 PM
Subject: Re: [WISPA] Wireless Security biting you in the ass?



Great questions, Marlon!
You are correct that it is application/data encryption needed, not 
transport security.


Every hospital has a HIPAA Officer. Talk to that person. By 2009, they all
have to have EMR and HIPAA compliance, along with some EDI with health
insurance payers.


- Peter Radizeski
Consultant to the Internet Stars :)

Marlon K. Schafer (509) 982-2181 wrote:

Officially, HIPAA compliance is a CLIENT issue.  As long as the data is
properly encrypted there's no need for the transport to be.


Some will argue this (mainly the telco but sometimes the customer).  It's
still a fact.


Questions to ask them.
What do the Doctors use for connectivity to their handheld devices?
Right, wireless.

What is the encryption mechanism on a T-1 or DSL link?  Right, none.
What is the security on the cable network?  Right, none.
Does the facility have a wireless network?  Care to have me break into it
for you?  (I'm told that WPA has now been cracked too.)


We went around in circles with a local Sheriff's office on this issue.
In the end it was decided that the only real way to be HIPAA compliant
was to encrypt the data AT THE PC level.  ANYTHING done after that point
was all but useless.  They confirmed this with the DOJ.  All that's
needed is data security, not transport security.  If transport security
is what's wanted then EVERY VLAN switch, router etc. in the loop is a
possible security hole. This risk runs end to end, regardless of the
transport medium.


Good luck.
Marlon




Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread John Scrivner
It does not matter if the responsibility is the network admin or not 
when it comes down to purchase time. It comes down to perception. Right 
now perception of the hospital corporate officers is that wireless = not 
secure. I have been told by people who order circuits that they are not 
allowed to buy from me or any wireless operator due to security issues. 
I believe it will require some type of HIPAA seal of approval from 
some source or another before we can start selling to these guys. This 
could be bad for us. ALL of the hospitals are going to be buying new
circuits soon and right now I am out of the running.

Scriv




Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread John Scrivner



> On Mon, 27 Nov 2006 [EMAIL PROTECTED] wrote:
>
>> HIPAA compliance should be up to the network administrator.  Not the
>> carrier IMHO.
>
> This is not a matter of opinion.  It is factual.

I never doubted this. I just need to find some way to make the corporate
people believe they can use my wireless transport to deliver an end to 
end solution that will be HIPAA compliant with my service located in the 
center. Passing the buck is not the problem. The buck will never get in 
my pocket if I cannot sell my service as a way to connect without 
breaking HIPAA compliance perception issues. This is a perception 
problem that I do not have enough information or expertise to fix.

Scriv





Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Butch Evans

On Mon, 27 Nov 2006, John Scrivner wrote:

> I never doubted this. I just need to find some way to make the
> corporate people believe they can use my wireless transport to
> deliver an end to end solution that will be HIPAA compliant with my
> service located in the center. Passing the buck is not the problem.


Which is the reason I mentioned in my other post about speaking to 
an attorney about drafting a paper in plain English to help them 
understand (and lend credibility to what you tell them).  Someone 
else mentioned partnering with a HIPAA compliance consultant, which 
is another (perhaps better) idea.


--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)


Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Butch Evans



Like many others, I've had this argument with various people.  In
the end, the reality is that HIPAA has nothing to do with the
transport medium.  Data along a T1, wireless, cable network or DSL
network is unencrypted.  It's as simple as that.  If it makes your
customer feel better, then you can easily create a VPN tunnel (with
whatever strength encryption they want) between their client device
all the way to your border (where it will hit a T1, fiber or
whatever), at which point it will (again) be unencrypted.


HIPAA compliance is NOT (according to the attorney I spoke to) the 
responsibility of the transport provider.  The perception (which you 
correctly identified) is that wireless is insecure.  This is easily 
fixed by creating end to end encryption (at least as far as you have 
control over the network).  Marlon pointed out the fact that MOST 
end users (hospitals and such) have networks INSIDE that have flawed 
security models.


The biggest hurdle with this perception is that these places ASSUME 
it is your responsibility.  This is a tough issue to overcome 
because most of them do not understand what they want or need.  You 
will have to become an expert in the rules in order to show them the 
truth.


SO...what I would recommend (and have done) is offer them some 
options.


1. I would offer an encrypted (IPSEC) tunnel service for a premium 
price.  Be certain to point out the weaknesses that Marlon mentioned 
regarding wired services.  I'd google up some information on hacking 
these wired services, as there is a TON of information out there.


2. Get familiar with a good security company and offer good firewall 
options (this would be at the client end) that includes IDS with 
notifications.  I'd steer WAY clear of SonicWall and those types of 
devices, as these are NOT very flexible.


3. Have an attorney write you up some information on YOUR 
responsibility as well as THEIR responsibility as it relates to an 
internet connection.  Make sure that he includes language that makes 
it clear that these responsibilities are the same whether the 
connection is wired or wireless (or notes any differences).


--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)
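
The layering debated in this thread, modelled as an added example that is not part of any poster's message: it works out on which links, and at which devices, a payload is still readable when encryption is applied on the radio link (WEP), from CPE to border (IPsec), as a customer VPN, or on the PC itself. The path, node names and scenario names are constructed for illustration, and counting WEP and single DES as weak follows the posts in this thread.

```python
from dataclasses import dataclass

# Constructed path (not a real network): clinic PC to hospital server via a WISP.
PATH = ["clinic-pc", "clinic-lan", "wisp-cpe", "wisp-ap",
        "wisp-border", "upstream-t1", "hospital-fw", "hospital-server"]

# Ciphers the posts in this thread treat as too weak to count on.
WEAK_CIPHERS = {"wep", "des"}


@dataclass(frozen=True)
class Layer:
    """One encryption layer: applied at `start`, removed at `end`."""
    name: str
    cipher: str
    start: str
    end: str

    @property
    def strong(self):
        return self.cipher.lower() not in WEAK_CIPHERS

    def span(self, path):
        s, e = path.index(self.start), path.index(self.end)
        if s >= e:
            raise ValueError(f"{self.name}: {self.start} must precede {self.end}")
        return s, e


def cleartext_links(layers, path=PATH):
    """Links on which no strong layer is wrapped around the payload.

    Weak layers are ignored, so a link covered only by WEP or single DES
    is reported as cleartext (a conservative modelling choice).
    """
    spans = [layer.span(path) for layer in layers if layer.strong]
    return [(path[i], path[i + 1])
            for i in range(len(path) - 1)
            if not any(s <= i < e for s, e in spans)]


def readers(layers, path=PATH):
    """Devices that handle the payload unencrypted.

    A device strictly between the two ends of a strong layer only ever
    sees ciphertext; the ends themselves, and everything outside, see data.
    """
    spans = [layer.span(path) for layer in layers if layer.strong]
    return [node for k, node in enumerate(path)
            if not any(s < k < e for s, e in spans)]


WEP = Layer("WEP on the radio link", "wep", "wisp-cpe", "wisp-ap")

# Scenario names are hypothetical labels for the options raised in the thread.
SCENARIOS = {
    "wep-only": [WEP],
    "wep+ipsec-des": [WEP, Layer("IPsec CPE to border", "des",
                                 "wisp-cpe", "wisp-border")],
    "wep+ipsec-aes": [WEP, Layer("IPsec CPE to border", "aes",
                                 "wisp-cpe", "wisp-border")],
    "customer-vpn": [WEP, Layer("VPN from PC to hospital firewall", "3des",
                                "clinic-pc", "hospital-fw")],
    "encrypt-at-pc": [WEP, Layer("record encrypted on the PC", "aes",
                                 "clinic-pc", "hospital-server")],
}


def summarize(scenarios=SCENARIOS, path=PATH):
    """Map scenario name -> (number of cleartext links, devices that see data)."""
    return {name: (len(cleartext_links(layers, path)), readers(layers, path))
            for name, layers in scenarios.items()}


if __name__ == "__main__":
    for name, (n_clear, who) in summarize().items():
        print(f"{name:14s} cleartext links: {n_clear}/{len(PATH) - 1}  "
              f"readable at: {', '.join(who)}")
```

Only the encrypt-at-the-PC scenario leaves no cleartext link; the IPsec-to-border option still leaves the payload readable on the customer LAN and on everything past the border.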


Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Peter R.
It is HIPAA - The Health Insurance Portability and Accountability Act. 
It covers way more than just encrypting data. Like Pat said, it is a 
process. Even paper records have to have a chain of command and 
security. So when you see the files in the reception area at your 
doctor's office, unless they are tagged with signatures of who has them, 
they are not in compliance. The fine for violation is up to $250,000 and 
jail time for the doctor.


And, btw, the line in the sand constantly shifts. It was supposed to be 
completed by 1999, then 2001, then 2003, now it looks like 2009. (It's 
the Insurance companies that are pushing for EMD and EDI transactions).  
Even dentists have to comply.


One of the purposes of the Health Insurance Portability and 
Accountability Act (HIPAA), which was passed in 1996, is to encourage 
the efficient use of electronic data interchange in the health care 
system. The HIPAA subtitle standardizes specific electronic transactions 
used in the health care arena by requiring that certain formats and 
specified code sets be used. 

There are specialists that you can partner with. (I partner with 
Threadfin Consulting).


Most doctors work with a hospital. The Hosp Admin has to understand 
HIPAA for federal dollars. Also, they have to assign a HIPAA Compliance 
Officer - under the CYA policy so you have someone to blame, hire and 
put in jail, like CFOs under the SOX. The Hospital is your best bet. 
Plus check with the local AMA and ADA for meetings. They will be talking 
HIPAA all next year. It is really about getting rid of FUD and putting a 
process in place.


You can make them warm and fuzzy selling IPSec wrapped in WEP wrapped in 
Nstream with Firewalls on both ends, but the Act is ultimately about 
safe, secure use of medical information. So data security, data storage, 
back-up and retrieval. Physical storage as well as electronic.


That's my 2 cents.

Peter @ RAD-INFO, Inc.



Tom DeReggi wrote:


John,

There is no HIPAA certification for a broadband connection.  HIPAA is 
an overall concept to have a medical entity secure its customer 
records. 


As mentioned at this year's ISPCON CEO Session, the HIPAA compliance 
manual is about 3 inches thick, and that's hard to sum up in a few 
words. And most of it won't apply to making your service HIPAA compliant.


My advice is to partner with a consulting company that offers HIPAA 
compliant consulting services to hospitals and doctors, and make sure 
they know who you are, and recommend your service.





Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread cw
You're right. Perception is everything. So I picked up two things from this 
thread. One, why is the onus on me to prove my network is secure? Break into 
it or you're just passing on hot air from uninformed or biased sources. Two, 
I can offer transport on a private network that doesn't touch the net. How 
many layers of security are the other vendors offering? I've got two; 
encryption and private network. - cw


John Scrivner wrote:
It does not matter if the responsibility is the network admin or not 
when it comes down to purchase time. It comes down to perception. Right 
now perception of the hospital corporate officers is that wireless = not 
secure. I have been told by people who order circuits that they are not 
allowed to buy from me or any wireless operator due to security issues. 
I believe it will require some type of HIPAA seal of approval from 
some source or another before we can start selling to these guys. This 
could be bad for us. ALL of the hospitals are going to be buying new 
circuits soon and right now I am out of the running.

Scriv



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Tom DeReggi

Private network


Great point. It's one of our biggest selling points for multi-location 
businesses. It's like having their own private network engineered for them.



Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband


- Original Message - 
From: cw [EMAIL PROTECTED]

To: WISPA General List wireless@wispa.org
Sent: Monday, November 27, 2006 8:34 PM
Subject: Re: [WISPA] Wireless Security biting you in the ass?


You're right. Perception is everything. So I picked up two things from 
this thread. One, why is the onus on me to prove my network is secure? 
Break into it or you're just passing on hot air from uninformed or biased 
sources. Two, I can offer transport on a private network that doesn't 
touch the net. How many layers of security are the other vendors offering? 
I've got two; encryption and private network. - cw


John Scrivner wrote:
It does not matter if the responsibility is the network admin or not when 
it comes down to purchase time. It comes down to perception. Right now 
perception of the hospital corporate officers is that wireless = not 
secure. I have been told by people who order circuits that they are not 
allowed to buy from me or any wireless operator due to security issues. I 
believe it will require some type of HIPAA seal of approval from some 
source or another before we can start selling to these guys. This could 
be bad for us. ALL of the hospitals are going to be buying new circuits soon 
and right now I am out of the running.

Scriv



Re: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Peter R.

Back to your problem:  Wireless = Unsecure.

You have a Marketing problem.
The onus is on you to get him to tell you why your network is unsecure.
Objections are made to be hurdled, after all.

Explaining that cable and DSL are LAN based topologies is not going to 
help you.


You need to describe how your Alvarion Fixed Wireless network is capable of 
providing fiber-like capabilities in the private transport arena. (Maybe 
get some help from your Alvarion Support Engineer).


I need to think about it some more before I can give you a better answer.

Regards,

Peter
RAD-INFO, Inc.




RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Mac Dearman
Scriv,

  I carry 2 hospitals and 4 clinics in N. Louisiana and we are their primary
internet connections. We had this discussion last year and a simple VPN from
their router to my core router was more than sufficient to meet HIPAA
guidelines. HIPAA compliance is a very vague area!

Mac Dearman


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of John Scrivner
Sent: Monday, November 27, 2006 4:17 PM
To: wireless@wispa.org
Subject: [WISPA] Wireless Security biting you in the ass?

Wireless broadband security issues have now officially led to my 
business being put into a bad light due to perceived lack of security. I 
am a member of a regional broadband planning group that is working with 
health care and other industry sectors to help deliver broadband options 
to all areas that need it. Rural Health centers and hospitals are all 
over the region and most need access to broadband which is highly 
secure. I need to know what others have done to bring HIPAA compliance 
assurance to network administrators and hospital personnel so that your 
solutions are chosen and used for health care connectivity. Currently my 
services are not being considered due to the perception of a lack of 
HIPAA security compliance. I need to get on top of this right now and 
welcome your thoughts and ideas. I would prefer to hear from those of 
you who have some actual knowledge of delivering HIPAA compliant 
connections or those who provide equipment which has been documented to 
meet HIPAA compliance.
Thank you,
John Scrivner



RE: [WISPA] Wireless Security biting you in the ass?

2006-11-27 Thread Rick Smith
I had another ISP borrow a Trango radio to do a training session at the
local college for their hosted medical application.  They connected the
Trango to the network, and then ran a Cisco IPSEC connection over it using
PIX firewalls.  That was enough to satisfy the HIPAA requirements.

R

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mac Dearman
Sent: Tuesday, November 28, 2006 12:29 AM
To: 'WISPA General List'
Subject: RE: [WISPA] Wireless Security biting you in the ass?

Scriv,

  I carry 2 hospitals and 4 clinics in N. Louisiana and we are their primary
internet connections. We had this discussion last year and a simple VPN from
their router to my core router was more than sufficient to meet HIPAA
guidelines. HIPAA compliance is a very vague area!

Mac Dearman


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of John Scrivner
Sent: Monday, November 27, 2006 4:17 PM
To: wireless@wispa.org
Subject: [WISPA] Wireless Security biting you in the ass?

Wireless broadband security issues have now officially led to my business
being put into a bad light due to perceived lack of security. I am a member
of a regional broadband planning group that is working with health care and
other industry sectors to help deliver broadband options to all areas that
need it. Rural Health centers and hospitals are all over the region and most
need access to broadband which is highly secure. I need to know what others
have done to bring HIPAA compliance assurance to network administrators and
hospital personnel so that your solutions are chosen and used for health
care connectivity. Currently my services are not being considered due to the
perception of a lack of HIPAA security compliance. I need to get on top of
this right now and welcome your thoughts and ideas. I would prefer to hear
from those of you who have some actual knowledge of delivering HIPAA
compliant connections or those who provide equipment which has been
documented to meet HIPAA compliance.
Thank you,
John Scrivner
