One of my clients is a maker of prosthetic limbs... and he has two offices.

He is covered by HIPAA considerations, so we spent considerable time trying
to figure this out, using the information supplied to him, concerning HIPAA,
from the feds and by trade organizations.

We eventually came to the conclusion that he must encrypt any data leaving
his network, or going over wireless, and that he must password his
computers.  At first, they were going to build a VPN between his two
facilities, now they're re-thinking it and probably going to use an
application service provider to meet their data sharing needs (mostly
scheduling, and some patient data) since they didn't want to pay someone to,
or build their own in-house client-server system for cooperative scheduling.
They have 3 machines in the local office, which are 2 wired and 1 wireless,
and his wireless is encrypted, the machines are behind locked doors, and
require passwords to start up.

Again, as the provider of data transport, that data MUST be encrypted before
it reaches you, in order to be compliant, period.   Unless you're getting
involved in helping them with their internal network, or IT system, HIPAA
considerations have no impact on your network, how it's run, or how "secure"
or "insecure" you are, because it must be encrypted before it reaches ANY
point accessible by non-approved personnel.   This means their internal
network must be secure, machine physical security to prevent unauthorized
access, etc.   We came to this conclusion while doing a read through his
info, and he understood it perfectly.   Emailed patient data must be
encrypted using something like a passworded zip file, or using an industry
standard encrypt / decrypt method using keys.   Client-server applications
must use an SSL tunnel or session to be compliant ( like https when using
web based ) even on an intranet, much less internet based.  Any data leaving
any physically secure location (like access from a nurses station to patient
records database, where the database server is in a locked room and the
nurses station is not) must be encrypted, and must require login
user/password, and users must log out when not in physical control of the
workstation, for instance.   If the ethernet network can be plugged into in
ANY physically insecure location, then all data on that network must be
encrypted either by encrypting the data stream, or by the applications that
move the data.

There are no specific technological requirements for HIPAA compliance...
Instead, there's a set of specific standards that start with keeping the
machines physically safe from non-approved personnel, and it goes from
there.   It's not "bank" or "pentagon" type security, but it does require
thinking through the whole system end-to-end to be compliant.  Again, none
of this has any impact on you, as a transport provider, since everything MUST
be encrypted long before it reaches your network or it's out of compliance
anyway.



+++++++++++++++++++++++++++++++
neofast.net - fast internet for North East Oregon and South East Washington
email me at mark at neofast dot net
541-969-8200
Direct commercial inquiries to purchasing at neofast dot net
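The message above argues that patient data must already be encrypted, under keys the customer controls, before it reaches the WISP's network, so the transport provider never sees anything it could be held responsible for. The Go program below is an added illustration of that point and is not code from the list, the poster, or any HIPAA guidance: it seals a constructed sample record under a passphrase using AES-256-GCM with a per-message salt and nonce (the "industry standard encrypt / decrypt method using keys" the message contrasts with a passworded zip), and shows that what crosses the wire is an opaque, integrity-protected blob. The passphrase, the sample record and the 100000-iteration count are assumptions chosen for the example, and PBKDF2-HMAC-SHA256 is written out by hand only so the program needs nothing outside the standard library. How the two offices share the passphrase (or, more realistically, a proper key) is outside what the message or this example covers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	saltLen  = 16     // random salt per message, feeds the KDF
	nonceLen = 12     // standard AES-GCM nonce size
	kdfIters = 100000 // assumed iteration count for this example
	keyLen   = 32     // AES-256
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example stays
// standard-library only. Output is keyLen bytes.
func deriveKey(passphrase, salt []byte, iters, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	hLen := prf.Size()
	out := make([]byte, 0, ((keyLen+hLen-1)/hLen)*hLen)
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record at the secure location. Wire layout:
//   salt (16) || nonce (12) || AES-256-GCM ciphertext || 16-byte tag
// The salt and nonce header is authenticated as associated data, so any
// change to it is detected at the far end as well.
func Seal(passphrase, record []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(passphrase, salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(record)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	header := append([]byte(nil), out...)
	return gcm.Seal(out, nonce, record, header), nil
}

// Open reverses Seal at the receiving office. A wrong passphrase or any
// modification in transit yields an error, never silently altered data.
func Open(passphrase, envelope []byte) ([]byte, error) {
	if len(envelope) < saltLen+nonceLen+16 {
		return nil, errors.New("envelope too short")
	}
	salt, nonce := envelope[:saltLen], envelope[saltLen:saltLen+nonceLen]
	header := envelope[:saltLen+nonceLen]
	gcm, err := newGCM(deriveKey(passphrase, salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, envelope[saltLen+nonceLen:], header)
}

func main() {
	passphrase := []byte("correct horse battery staple") // constructed
	record := []byte("patient=DOE,JANE;appt=2006-11-28 09:30;note=socket refit") // constructed
	env, err := Seal(passphrase, record)
	if err != nil {
		panic(err)
	}
	// This hex blob is all the transport provider ever carries.
	fmt.Printf("on the wire (%d bytes): %s\n", len(env), hex.EncodeToString(env))
	back, err := Open(passphrase, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered at far office: %s\n", back)
	env[len(env)-1] ^= 1 // simulate a bit flipped in transit
	if _, err := Open(passphrase, env); err != nil {
		fmt.Println("tampered envelope rejected:", err)
	}
}
```

Run it with `go run`; the first line of output is the only thing an intermediate network sees, and the last line shows that a corrupted or altered envelope is refused rather than decrypted to garbage.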

----- Original Message ----- 
From: "John Scrivner" <[EMAIL PROTECTED]>
To: <wireless@wispa.org>
Sent: Monday, November 27, 2006 2:16 PM
Subject: [WISPA] Wireless Security biting you in the ass?


> Wireless broadband security issues have now officially led to my
> business being put into a bad light due to perceived lack of security. I
> am a member of a regional broadband planning group that is working with
> health care and other industry sectors to help deliver broadband options
> to all areas that need it. Rural Health centers and hospitals are all
> over the region and most need access to broadband which is highly
> secure. I need to know what others have done to bring HIPAA compliance
> assurance to network administrators and hospital personnel so that your
> solutions are chosen and used for health care connectivity. Currently my
> services are not being considered due to the perception of a lack of
> HIPAA security compliance. I need to get on top of this right now and
> welcome your thoughts and ideas. I would prefer to hear from those of
> you who have some actual knowledge of delivering HIPAA compliant
> connections or those who provide equipment which has been documented to
> meet HIPAA compliance.
> Thank you,
> John Scrivner
>
> -- 
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/

-- 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/