Some general rules we followed when setting up a doctor's office with a
remote access setup...

1.  Physical security - all machines behind locked doors. No monitors
visible from any public area. No routers, switches, or ethernet plugs in
unlocked or insecure areas.
2.  Network security - we did single-IP NAT at his office. He wanted to
tunnel to home, so we set up a tunnel to his home, but it only works on his
specific laptop. He abandoned this and decided not to work at home :)
3.  Data security - this they were lacking. He now transports his data in
files that are zipped with a password, on a thumb drive that's encrypted with
a password, and his laptop requires biometric authentication to run.

Further, we explained to him that emails between offices were fine... IF
encrypted. So now they zip and password-protect the communication files they
email to each other. Images, etc., the same.

If you wish to share data between ANY two points, secure tunnels are not
necessary, but the data itself should be secured no matter what else you do.
No communication on the internet should be considered non-interceptable;
therefore, security starts with encrypting data right at the source.

The HIPAA rules seem complex, but I found some medical consultant sites that
broke it down a little more, and it's not all that complex if you start with
the idea that the data itself should be encrypted and the network itself
should be physically isolated and secured. We ran ethernet out to the
wireless CPE outside, but it does double NAT with a router inside, so even
that segment is isolated from the inside network.

Now, this was a very simplistic setup, to be sure, but the philosophy works
when scaled up and meets every aspect of HIPAA's requirements.

++++++++++++++++++++++++++++++++
<insert witty tagline here>
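
The "encrypt the data right at the source" rule from the message above, as an
added example that is not part of the original post or of the poster's actual
setup: a small POSIX shell script that protects a file with openssl before it
is emailed or copied to a thumb drive. It assumes openssl 1.1.1 or later is
installed; the function names, the passphrase and the sample record are mine
and constructed for the demo. The scheme is AES-256-CBC with PBKDF2 key
stretching plus an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC), so
a file altered in transit, or opened with the wrong passphrase, is refused
before decryption is even attempted. Whether a "zipped with a password" file
gives the same protection depends on which encryption the ZIP tool applies:
the legacy ZipCrypto scheme is known to be weak, so a tool that uses AES, or a
wrapper like the one below, is the safer choice.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file at the source
# before it leaves the machine, so it stays protected on a thumb drive, in
# email, or across any network. Assumes openssl 1.1.1+ is installed.
# Scheme: AES-256-CBC with PBKDF2 (200k iterations) + HMAC-SHA256 over the
# ciphertext, checked before decryption (encrypt-then-MAC).
set -u

# mac_tag <file> <passphrase>: hex HMAC-SHA256 of the file contents.
# The MAC key is derived separately from the encryption key (SHA-256 of
# "mac:" + passphrase) so the two keys are never the same bytes.
mac_tag() {
    _key=$(printf 'mac:%s' "$2" | openssl dgst -sha256 | awk '{print $NF}')
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$_key" < "$1" | awk '{print $NF}'
}

# encrypt_at_source <plaintext> <passphrase> <out.enc>
# Writes <out.enc> and <out.enc>.hmac. The passphrase is passed through the
# environment rather than argv so it does not show up in `ps`.
encrypt_at_source() {
    PASSPHRASE="$2" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass env:PASSPHRASE -in "$1" -out "$3" || return 1
    mac_tag "$3" "$2" > "$3.hmac"
}

# decrypt_verified <in.enc> <passphrase> <out>
# Refuses (returns 1, writes nothing) unless the stored tag matches the tag
# recomputed over the received ciphertext with this passphrase.
decrypt_verified() {
    _expected=$(cat "$1.hmac") || return 1
    _actual=$(mac_tag "$1" "$2")
    if [ "$_expected" != "$_actual" ]; then
        echo "HMAC mismatch on $1: modified in transit or wrong passphrase" >&2
        return 1
    fi
    PASSPHRASE="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:PASSPHRASE -in "$1" -out "$3"
}

# ---- checks on a constructed sample record (not real patient data) ---------
PASS='correct horse battery staple'   # demo value only

# roundtrip_ok: plaintext must not be visible in the .enc file, and decrypting
# with the right passphrase must give back the exact original.
roundtrip_ok() {
    _d=$(mktemp -d) || return 1
    printf 'Patient: J. Doe (constructed sample)\nVisit: 2008-12-23\n' > "$_d/record.txt"
    encrypt_at_source "$_d/record.txt" "$PASS" "$_d/record.enc" || return 1
    if grep -q 'Patient' "$_d/record.enc"; then return 1; fi
    decrypt_verified "$_d/record.enc" "$PASS" "$_d/record.out" || return 1
    cmp -s "$_d/record.txt" "$_d/record.out"
}

# tamper_rejected: a ciphertext altered after encryption must be refused and
# no output file written.
tamper_rejected() {
    _d=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$_d/p.txt"
    encrypt_at_source "$_d/p.txt" "$PASS" "$_d/p.enc" || return 1
    printf 'X' >> "$_d/p.enc"           # simulate modification in transit
    if decrypt_verified "$_d/p.enc" "$PASS" "$_d/p.out" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$_d/p.out" ]
}

# wrong_pass_rejected: the wrong passphrase fails the tag check, so the file
# is never fed to the cipher at all.
wrong_pass_rejected() {
    _d=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$_d/p.txt"
    encrypt_at_source "$_d/p.txt" "$PASS" "$_d/p.enc" || return 1
    if decrypt_verified "$_d/p.enc" "not the passphrase" "$_d/p.out" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$_d/p.out" ]
}

for check in roundtrip_ok tamper_rejected wrong_pass_rejected; do
    if "$check"; then echo "$check: pass"; else echo "$check: FAIL"; fi
done
```

The receiving office needs both files (record.enc and record.enc.hmac) plus
the passphrase, and the passphrase should travel by a different channel (a
phone call, not the same email). The tag is checked before openssl ever sees
the ciphertext, which is the point of encrypt-then-MAC: a damaged or tampered
file is rejected outright instead of producing garbage or a padding error.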

----- Original Message ----- 
From: "John McDowell" <[email protected]>
To: "Motorola Canopy User Group" <[email protected]>; "WISPA General List" 
<[email protected]>; "Principal WISPA Member List" <[email protected]>
Sent: Tuesday, December 23, 2008 9:15 AM
Subject: [WISPA] Potential Dr.'s office asking about our network and HIPAA?


> We are routed, but from any computer on the network, we can go to any IP on
> the network. So it's like our broadcast is routed, but we're still bridged?
>
> Anyhow, I have a potential Dr.'s office that is asking about the security of
> his information across our network until it leaves the NOC. How do you guys
> do network security? VLANs? PPPoE? What can we do to ensure that we can
> comply with HIPAA standards for potential clients like this?
>
> Thanks in advance.
>
> -- 
> John M. McDowell
> Boonlink Communications
> 307 Grand Ave NW
> Fort Payne, AL 35967
> 256.844.9932
> [email protected]
> www.boonlink.com
>
> This message contains information which may be confidential and privileged.
> Unless you are the addressee (or authorized to receive for the addressee),
> you may not use, copy, re-transmit, or disclose to anyone the message or any
> information contained in the message. If you have received the message in
> error, please advise the sender by reply e-mail [email protected], and
> delete the message. E-mail communication is highly susceptible to spoofing,
> spamming, and other tampering, some of which may be harmful to your
> computer. If you are concerned about the authenticity of the message or the
> source, please contact the sender directly.
>
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/ 
