On Mon, 27 Nov 2006, John Scrivner wrote:
Wireless broadband security issues have now officially led to my business being put into a bad light due to perceived lack of security. I am a member of a regional broadband planning group that is working with health care and other industry sectors to help deliver broadband options to all areas that need it. Rural Health centers and hospitals are all over the region and most need access to broadband which is highly secure. I need to know what others have done to bring HIPAA compliance assurance to network administrators and hospital personnel so that your solutions are chosen and used for health care connectivity. Currently my services are not being considered due to the perception of a lack of HIPAA security compliance. I need to get on top of this right now and welcome your thoughts and ideas. I would prefer to hear from those of you who have some actual knowledge of delivering HIPAA compliant connections or those who provide equipment which has been documented to meet HIPAA compliance.
Like many others, I've had this argument with various people. In the end, the reality is that HIPAA has nothing to do with the transport medium. Data along a T1, wireless, cable network or DSL network is unencrypted. It's as simple as that. If it makes your customer feel better, then you can easily create a VPN tunnel (with whatever strength encryption they want) between their client device all the way to your border (where it will hit a T1, fiber or whatever), at which point it will (again) be unencrypted.
HIPAA compliance is NOT (according to the attorney I spoke to) the responsibility of the transport provider. The perception (which you correctly identified) is that wireless is insecure. This is easily fixed by creating end to end encryption (at least as far as you have control over the network). Marlon pointed out the fact that MOST end users (hospitals and such) have networks INSIDE that have flawed security models.
The biggest hurdle with this perception is that these places ASSUME it is your responsibility. This is a tough issue to overcome because most of them do not understand what they want or need. You will have to become an expert in the rules in order to show them the truth.
SO...what I would recommend (and have done) is offer them some options.
1. I would offer an encrypted (IPSEC) tunnel service for a premium price. Be certain to point out the weaknesses that Marlon mentioned regarding wired services. I'd google up some information on hacking these wired services, as there is a TON of information out there.
2. Get familiar with a good security company and offer good firewall options (this would be at the client end) that includes IDS with notifications. I'd steer WAY clear of SonicWall and those types of devices, as these are NOT very flexible.
3. Have an attorney write you up some information on YOUR responsibility as well as THEIR responsibility as it relates to an internet connection. Make sure that he includes language that makes it clear that these responsibilities are the same whether the connection is wired or wireless (or notes any differences).
--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)

--
WISPA Wireless List: firstname.lastname@example.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
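The argument in the reply above (the medium is irrelevant, an end-to-end tunnel from the client to the provider border protects the data on every hop in between, and the data is in the clear again once the tunnel terminates) can be shown concretely. The following is an added example, not code from the list thread or from Butch Evans; it models the transport path as a chain of "hops" (wireless, T1, upstream fiber, all constructed names), uses AES-256-GCM from Go's standard library as a stand-in for the IPsec ESP layer that option 1 recommends, and uses a fixed demo key and a constructed sample record (real tunnels negotiate keys with IKE).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hop models one segment of the transport path (wireless link, T1, fiber).
// Like anyone with access to the medium, it records every frame that passes.
type Hop struct {
	Name     string
	Observed [][]byte
}

// Forward copies the frame into the hop's capture and passes it on unchanged.
func (h *Hop) Forward(frame []byte) []byte {
	h.Observed = append(h.Observed, append([]byte(nil), frame...))
	return frame
}

// Path carries a frame through every hop in order.
func Path(hops []*Hop, frame []byte) []byte {
	for _, h := range hops {
		frame = h.Forward(frame)
	}
	return frame
}

// Tunnel is the end-to-end AEAD wrapper shared by the client device and the
// provider border (assumption: AES-256-GCM standing in for IPsec ESP).
type Tunnel struct{ aead cipher.AEAD }

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// header is the unencrypted addressing that stays visible on the wire; it is
// bound to the ciphertext as associated data so it cannot be swapped either.
var header = []byte("clinic->border")

// Seal returns nonce || ciphertext || tag for one payload.
func (t *Tunnel) Seal(header, payload []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, t.aead.Seal(nil, nonce, payload, header)...), nil
}

// Open verifies and decrypts a frame produced by Seal; any modification fails.
func (t *Tunnel) Open(header, frame []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(frame) < ns+t.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	return t.aead.Open(nil, frame[:ns], frame[ns:], header)
}

// ObservedPlaintext reports whether the medium saw the record in the clear.
func ObservedPlaintext(h *Hop, secret []byte) bool {
	for _, f := range h.Observed {
		if bytes.Contains(f, secret) {
			return true
		}
	}
	return false
}

func leaks(hops []*Hop, record []byte) (leakedAt []string) {
	for _, h := range hops {
		if ObservedPlaintext(h, record) {
			leakedAt = append(leakedAt, h.Name)
		}
	}
	return leakedAt
}

// SendWithoutTunnel: no encryption at all. Every medium, wired or wireless,
// sees the record; the names of the hops that saw it are returned.
func SendWithoutTunnel(record []byte) []string {
	hops := []*Hop{{Name: "wireless"}, {Name: "T1"}, {Name: "upstream-fiber"}}
	Path(hops, record)
	return leaks(hops, record)
}

// SendWithTunnel: the client seals, the frame crosses the provider's hops,
// the border opens it, and the plaintext continues upstream untunnelled
// (the reply's "at which point it will (again) be unencrypted").
func SendWithTunnel(key, record []byte) (delivered []byte, leakedAt []string, err error) {
	t, err := NewTunnel(key)
	if err != nil {
		return nil, nil, err
	}
	provider := []*Hop{{Name: "wireless"}, {Name: "T1"}}
	upstream := []*Hop{{Name: "upstream-fiber"}}
	frame, err := t.Seal(header, record)
	if err != nil {
		return nil, nil, err
	}
	frame = Path(provider, frame)
	plain, err := t.Open(header, frame) // tunnel terminates at the border
	if err != nil {
		return nil, nil, err
	}
	delivered = Path(upstream, plain)
	return delivered, leaks(append(provider, upstream...), record), nil
}

// SendWithTunnelTampered flips one bit on the wireless hop; the border's Open
// must reject the frame, so the error returned is expected to be non-nil.
func SendWithTunnelTampered(key, record []byte) error {
	t, err := NewTunnel(key)
	if err != nil {
		return err
	}
	frame, err := t.Seal(header, record)
	if err != nil {
		return err
	}
	frame = (&Hop{Name: "wireless"}).Forward(frame)
	frame[len(frame)-1] ^= 0x01
	_, err = t.Open(header, frame)
	return err
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	record := []byte("PATIENT 0001 diagnosis: constructed sample")
	fmt.Println("no tunnel, seen in clear at:", SendWithoutTunnel(record))
	d, leaked, err := SendWithTunnel(key, record)
	fmt.Println("tunnel to border, seen in clear at:", leaked, "delivered:", string(d), err)
	fmt.Println("tampered frame rejected:", SendWithTunnelTampered(key, record))
}
```

Two things the model makes visible that the thread argues in words: the wired T1 hop captures the record exactly as the wireless hop does when there is no tunnel, and with the tunnel the only hop that sees plaintext is the one after the border, which is why the responsibility split in option 3 has to name where the customer's own encryption (or a tunnel to their far end) takes over.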