Healthcare, Wi-Fi and HIPAA – A Tricky Combination


What a great start to the year on the industry events front: we started with NRF in January, we are looking forward to HIMSS and our ACTS event in February, and MURTEC follows in March. At NRF the high points of discussion were Social Wi-Fi and analytics. That said, security and PCI compliance were also high on the agenda, prompted by the Target credit card breach that occurred just before NRF. I expect there will be a lot of security discussion at HIMSS too.

Healthcare, Wi-Fi and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. It is enforced by the Department of Health and Human Services (HHS) and implemented through regulations in Title 45 of the Code of Federal Regulations (45 CFR Parts 160 and 164). Among other provisions, it has rules mandating that healthcare organizations safeguard the privacy and security of patient health information.


The Privacy Rule applies to patient information in any form, while the Security Rule applies to patient information in electronic form, known as Electronic Protected Health Information (EPHI). EPHI is any individually identifiable health information that is created, received, stored or transmitted electronically, whether it sits on a computer or travels over a network.

HIPAA states its privacy and security requirements at a high level. The rules do not mandate specific technology solutions, but they are clear that reasonable and appropriate security measures must be implemented. For example, the technical safeguards in Section 164.312 require technical policies and procedures that allow access to EPHI only to authorized persons or software programs (access control), that prevent improper alteration or destruction of EPHI (integrity), and that protect EPHI transmitted over an electronic communications network (transmission security). The administrative safeguards in Section 164.308 require, among other things, identifying, responding to, mitigating and documenting suspected or known security incidents.

[Image: AirTight WIPS, protection from vulnerabilities for the wireless access layer]

What does all this mean for Wi-Fi? Healthcare is seeing a flood of wireless-enabled devices in day-to-day operation. Hospitals increasingly provide Wi-Fi for doctors to access medical records and VoIP for staff communication, and healthcare facilities increasingly use Wi-Fi-enabled medical devices. This makes Wi-Fi a dominant EPHI access layer in the healthcare environment, so the Wi-Fi security controls built into access points (APs) and provided by a wireless intrusion prevention system (WIPS) become directly relevant to satisfying the HIPAA Security Rule as it applies to EPHI accessed over Wi-Fi. For example, just as it is important to enforce strong authentication and encryption on managed APs (WPA2-Enterprise with 802.1X rather than open or pre-shared-key networks) and to control BYOD, it is important to ensure that unmanaged rogue APs do not open holes into networks that store and transmit EPHI, and that doctors' tablets do not connect to Evil Twins (attacker APs advertising the hospital's own SSID) or to neighboring APs where their traffic leaves the hospital's control. Comprehensive reporting and forensic capabilities are also required to satisfy the audit and incident-documentation requirements of HIPAA.
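As an added example (not part of the original post and not AirTight's product code), the Python sketch below shows the kind of classification a WIPS performs over a wireless scan: each observed BSSID is checked against the managed-AP inventory, an unknown AP advertising a managed SSID is flagged as an Evil Twin, MAC adjacency with addresses seen on the wired side separates a rogue AP plugged into the LAN from a harmless neighbor, and authorized EPHI-handling clients that associate with anything other than a managed AP raise a misassociation alert. All MAC addresses, SSIDs, scan records and association records are constructed sample data; a real WIPS uses more signals (wired-side probing, signal-strength location and so on) than this single heuristic.

```python
from dataclasses import dataclass

# --- Constructed inventory data (not from any real deployment) ---------------

# Managed APs: BSSID -> (SSID, required security mode).
MANAGED_APS = {
    "00:11:22:33:44:01": ("MMC-Clinical", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("MMC-Clinical", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("MMC-Guest", "Open"),
}

# MAC addresses learned on the wired side (e.g. from switch bridge tables).
WIRED_MACS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:03",
    "5c:aa:bb:cc:dd:e0",  # Ethernet port of a consumer router someone plugged in
    "d4:1f:00:00:00:10",  # a workstation
}

# Clients that handle EPHI and must only ever join managed APs.
AUTHORIZED_CLIENTS = {
    "a0:b1:c2:d3:e4:f5": "tablet-01",
    "a0:b1:c2:d3:e4:f6": "tablet-02",
    "a0:b1:c2:d3:e4:f7": "tablet-03",
}


@dataclass(frozen=True)
class Observation:
    """One AP seen by a WIPS sensor (from a beacon or probe response)."""
    bssid: str
    ssid: str
    security: str  # "Open", "WPA2-PSK" or "WPA2-Enterprise"
    channel: int


# Constructed scan results.
SCAN = [
    Observation("00:11:22:33:44:01", "MMC-Clinical", "WPA2-Enterprise", 36),
    Observation("00:11:22:33:44:03", "MMC-Guest", "Open", 1),
    Observation("00:11:22:33:44:02", "MMC-Clinical", "WPA2-PSK", 44),  # policy drift
    Observation("5c:aa:bb:cc:dd:e1", "linksys", "Open", 6),            # rogue on LAN
    Observation("66:77:88:99:aa:bb", "MMC-Clinical", "Open", 11),      # Evil Twin
    Observation("c8:00:00:00:00:01", "CoffeeShop", "WPA2-PSK", 6),     # neighbor
]

# Constructed (client MAC, BSSID) association records.
ASSOCIATIONS = [
    ("a0:b1:c2:d3:e4:f5", "00:11:22:33:44:01"),  # tablet on a managed AP: fine
    ("a0:b1:c2:d3:e4:f6", "66:77:88:99:aa:bb"),  # tablet on the Evil Twin
    ("a0:b1:c2:d3:e4:f7", "c8:00:00:00:00:01"),  # tablet on the neighbor's AP
    ("11:22:33:44:55:66", "00:11:22:33:44:03"),  # visitor on guest: not tracked
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def bridged_to_wire(bssid: str, wired_macs=WIRED_MACS) -> bool:
    """MAC-adjacency heuristic: many APs derive each BSSID from their Ethernet
    MAC by changing only the low nibble, so compare the upper 44 bits."""
    prefix = mac_to_int(bssid) >> 4
    return any(mac_to_int(w) >> 4 == prefix for w in wired_macs)


def classify_ap(obs: Observation, managed=MANAGED_APS, wired_macs=WIRED_MACS) -> str:
    if obs.bssid in managed:
        if (obs.ssid, obs.security) == managed[obs.bssid]:
            return "managed"
        return "managed-misconfigured"  # e.g. encryption weaker than policy
    if obs.ssid in {ssid for ssid, _ in managed.values()}:
        return "evil-twin"  # our SSID advertised from a BSSID we do not own
    if bridged_to_wire(obs.bssid, wired_macs):
        return "rogue"  # unknown AP with a wired footprint inside the LAN
    return "external"  # neighbor AP; a threat only if our clients join it


def classify_scan(scan=SCAN) -> dict:
    return {obs.bssid: classify_ap(obs) for obs in scan}


def find_misassociations(associations=ASSOCIATIONS, verdicts=None,
                         authorized=AUTHORIZED_CLIENTS) -> list:
    """Return (client, bssid, verdict) for EPHI devices not on a managed AP."""
    verdicts = classify_scan() if verdicts is None else verdicts
    alerts = []
    for client, bssid in associations:
        verdict = verdicts.get(bssid, "external")  # unseen BSSID: treat as foreign
        if client in authorized and verdict != "managed":
            alerts.append((client, bssid, verdict))
    return alerts


if __name__ == "__main__":
    verdicts = classify_scan()
    for bssid, verdict in verdicts.items():
        print(f"{bssid}  {verdict}")
    for client, bssid, verdict in find_misassociations(verdicts=verdicts):
        print(f"ALERT: {AUTHORIZED_CLIENTS[client]} ({client}) joined {bssid} [{verdict}]")
```

Run as a script it lists a verdict per BSSID and then the two tablets that joined the Evil Twin and the neighbor's AP. Note that the managed AP whose encryption drifted to a pre-shared key is reported separately from the foreign APs: it is your own equipment, but it no longer meets the transmission-security policy, and an auditor will want both findings in the report.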

How our customers are addressing security and compliance for EPHI

Over the last several years we have worked with a number of healthcare organizations to satisfy the HIPAA requirements that pertain to Wi-Fi, using AirTight's overlay WIPS and AirTight's software-configurable access point/WIPS combos. Below are two examples.

  • Overlay WIPS in a large hospital complex – Maine Medical Center (MMC) is a 10-building, 68-floor, 2-million-square-foot healthcare complex in Portland, Maine. As an early adopter of Wi-Fi in healthcare information systems, MMC has a large Cisco WLC-based Wi-Fi deployment. MMC is also security conscious and performed an in-depth analysis of the security offered by various wireless security solutions before choosing to overlay AirTight WIPS on top of its Cisco WLC infrastructure.

AirTight has integration APIs that make the overlay on Cisco WLC Wi-Fi straightforward. Moreover, AirTight WIPS proves more cost-efficient than Cisco's wireless security from both a Capex perspective (it does not require controllers or a Mobility Services Engine (MSE)) and an Opex perspective (freedom from false alarms and configuration overhead).

  • Access points/WIPS for distributed clinics – CHS Health Services operates onsite clinics delivering full-service solutions for a broad spectrum of industries. Given this highly distributed footprint, CHS is concerned about both the security and the management of its Wi-Fi infrastructure. AirTight's cloud-managed Wi-Fi, which has WIPS built in at no extra cost, fit the bill. In addition, AirTight's software-configurable dual-radio APs give CHS the flexibility to choose the right balance of access and security-scanning radios for the nature of each facility.

Overall, Wi-Fi can do much to enhance the quality of healthcare by giving staff easy access to information and the mobility to use it. With Wi-Fi, however, comes the risk of new and evolving security threats and compliance violations. Choosing the right security solution therefore becomes imperative to reap the full benefits of Wi-Fi for the betterment of patient care. Visit the AirTight booth at HIMSS to find out more.

Hemant Chaskar

Hemant Chaskar is Vice President for Technology and Innovation at AirTight. He oversees R&D, product strategy, and intellectual property. Hemant has more than 15 years of experience in the networking, wireless, and security industry and holds several patents in these areas.


Comments

  1. says

    Hemant, thanks for the great article on wireless security. I'll def. be mentioning such services to my clients. I would like to add that HIPAA compliance – for most Covered Entities and Business Associates – is largely dependent on having documented policies, procedures, and processes in place for both the HIPAA Security Rule and the Privacy Rule, along with other applicable areas. But most CEs and BAs seem to just focus on the well-known Security Rule and forget about the dozens of "standards" and "implementation specifications" under the Privacy Rule, which are also important. There are numerous provisions regarding the uses and disclosure of Protected Health Information (PHI) – along with other important considerations that deserve attention – so remember to focus on the Privacy Rule also by putting in place all mandated policies, procedures, and controls.
