One of my clients is a maker of prosthetic limbs... and he has two offices.
He is covered by HIPAA considerations, so we spent considerable time trying to figure this out, using the information supplied to him concerning HIPAA by the feds and by trade organizations. We eventually came to the conclusion that he must encrypt any data leaving his network or going over wireless, and that he must password-protect his computers.

At first they were going to build a VPN between his two facilities; now they're rethinking it and will probably use an application service provider to meet their data sharing needs (mostly scheduling, and some patient data), since they didn't want to pay someone to build, or build their own, in-house client-server system for cooperative scheduling. They have 3 machines in the local office, 2 wired and 1 wireless; his wireless is encrypted, the machines are behind locked doors, and they require passwords to start up.

Again, as the provider of data transport, that data MUST be encrypted before it reaches you in order to be compliant, period. Unless you're getting involved in helping them with their internal network or IT system, HIPAA considerations have no impact on your network, how it's run, or how "secure" or "insecure" you are, because it must be encrypted before it reaches ANY point accessible by non-approved personnel. This means their internal network must be secure, with machine physical security to prevent unauthorized access, etc. We came to this conclusion while doing a read-through of his info, and he understood it perfectly.

Emailed patient data must be encrypted using something like a passworded zip file, or using an industry standard encrypt/decrypt method using keys. Client-server applications must use an SSL tunnel or session to be compliant (like https when web based), even on an intranet, much less internet based.

Any data leaving any physically secure location (like access from a nurses' station to a patient records database, where the database server is in a locked room and the nurses' station is not) must be encrypted and must require a login user/password, and users must log out when not in physical control of the workstation, for instance. If the ethernet network can be plugged into in ANY physically insecure location, then all data on that network must be encrypted, either by encrypting the data stream or by the applications that move the data.

There are no specific technological requirements for HIPAA compliance... Instead, there's a set of specific standards that start with keeping the machines physically safe from non-approved personnel, and it goes from there. It's not "bank" or "pentagon" type security, but it does require thinking through the whole system end-to-end to be compliant. Again, none of this has any impact on you as a transport provider, since everything MUST be encrypted long before it reaches your network or it's out of compliance anyway.

+++++++++++++++++++++++++++++++
neofast.net - fast internet for North East Oregon and South East Washington
email me at mark at neofast dot net
541-969-8200
Direct commercial inquiries to purchasing at neofast dot net

----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, November 27, 2006 2:16 PM
Subject: [WISPA] Wireless Security biting you in the ass?

> Wireless broadband security issues have now officially led to my business being put into a bad light due to perceived lack of security. I am a member of a regional broadband planning group that is working with health care and other industry sectors to help deliver broadband options to all areas that need it. Rural Health centers and hospitals are all over the region and most need access to broadband which is highly secure.
>
> I need to know what others have done to bring HIPAA compliance assurance to network administrators and hospital personnel so that your solutions are chosen and used for health care connectivity. Currently my services are not being considered due to the perception of a lack of HIPAA security compliance. I need to get on top of this right now and welcome your thoughts and ideas. I would prefer to hear from those of you who have some actual knowledge of delivering HIPAA compliant connections or those who provide equipment which has been documented to meet HIPAA compliance.
>
> Thank you,
> John Scrivner
>
> --
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
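The client-server case the reply describes (an SSL session between the two offices, with the WISP as nothing more than the transport in the middle), as an added example that is not part of the original post or of the poster's client's setup. The Go program below runs both offices on the loopback interface with a tap standing in for the transport provider; the self-signed certificate, the 127.0.0.1 addresses, the office names and the sample scheduling record are all assumptions made so it runs offline. The tap records every byte the sending office writes, which is what a transport network could capture; with TLS on, the receiver gets the record intact while the tap never sees its plaintext, and with TLS off the same tap holds the record verbatim.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// SampleRecord is a constructed scheduling entry for the demo, not real patient data.
var SampleRecord = []byte("MRN 00123; Jane Doe; socket fitting 2006-11-30 09:00 at office 2\n")

// must panics on setup errors (key generation, sockets) to keep the demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tapConn stands in for the transport provider: it keeps a copy of every byte the
// sending office pushes onto the wire, which is all a WISP in the middle can see.
type tapConn struct {
	net.Conn
	wire bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

// selfSignedCert builds an in-memory certificate for 127.0.0.1 so the demo runs
// offline (an assumption; a deployment would issue it from the practice's own CA).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "scheduling.office2.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client will trust exactly this certificate, nothing else
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Send pushes record from one office to the other through the tap: over TLS 1.2+
// with certificate verification when secure is true, in the clear otherwise.
// It returns what the receiving office got and what the transport saw on the wire.
func Send(record []byte, secure bool) ([]byte, []byte, error) {
	cert, pool := selfSignedCert()
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	if secure {
		ln = tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	}
	defer ln.Close()
	// Receiving office: accept one connection, read until the peer closes (close_notify or FIN).
	var data []byte
	done := make(chan error, 1)
	go func() {
		conn, e := ln.Accept()
		if e == nil {
			defer conn.Close()
			data, e = io.ReadAll(conn)
		}
		done <- e
	}()
	// Sending office: every byte it writes crosses the tap first.
	tap := &tapConn{Conn: must(net.Dial("tcp", ln.Addr().String()))}
	var conn net.Conn = tap
	if secure {
		conn = tls.Client(tap, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12})
	}
	if _, err := conn.Write(record); err != nil { // for TLS the handshake runs on the first Write
		return nil, tap.wire.Bytes(), err
	}
	conn.Close() // TLS sends close_notify before the socket is closed
	if err := <-done; err != nil {
		return nil, tap.wire.Bytes(), err
	}
	return data, tap.wire.Bytes(), nil
}

func main() {
	for _, secure := range []bool{false, true} {
		got, wire, err := Send(SampleRecord, secure)
		fmt.Printf("tls=%-5v delivered=%v transport_reads_record=%v wire_bytes=%d err=%v\n",
			secure, bytes.Equal(got, SampleRecord), bytes.Contains(wire, SampleRecord), len(wire), err)
	}
}
```

Two design points worth copying into a real deployment: the client trusts only the certificate pool it was given (no system roots, no InsecureSkipVerify), so a box on the transport path that answers with its own certificate is rejected at the handshake rather than silently read; and MinVersion is set on both ends so neither side can be talked down to SSLv3 or TLS 1.0. The same "encrypt before it leaves the secure room" principle covers the VPN and the keyed email encryption the reply mentions; this program shows only the client-server session case.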
