HIPAAdvisory > HIPAAtech (Phoenix Health Systems)

Wireless Networks

Wireless Network Security (PDF) Draft Special Publication 800-48 from the National Institute of Standards and Technology's (NIST) Computer Security Division.

Mobile Healthcare Alliance (MoHCA)

HIPAA Security for Wireless Networks (PDF) by NetMotion Wireless for ITtoolbox Wireless
Securing data in a health care setting is a daunting task. Although most facilities contain up-to-date medical technology, many have antiquated communication networks lacking the security and encryption required to protect patient information. This white paper goes over the mandated provisions of the Health Insurance Portability & Accountability Act (HIPAA) and walks IT managers through the steps for compliance.

ZDNet Wireless LAN Security Special Report

  • The ABCs of 802.11 Standards by Ian Keene, March 21, 2002, Provided by Gartner
    After 13 years of proprietary products and ineffective standards, the networking industry has finally decided to back one set of standards for wireless networking: the 802.11 series from the Institute of Electrical and Electronics Engineers (IEEE). These emerging standards define wireless Ethernet, or wireless LAN (WLAN).

Infrastructure Open to Hacker Attack
CSIS report warns of threat from hackers using modern technology, particularly the wireless variety, to target critical sectors of almost every country's infrastructure.


HIPAA & WiFi: Regulatory Tangles for Wireless Health Care Networks Analyzed

SEATTLE, WA -- June 2, 2003 -- New uses for wireless devices in health care administration, practice management, and clinical care are heralded almost daily in the health care press. Wireless networks are being deployed to allow physicians and nurses to access patient records from central databases while on rounds, to add observations to the databases and to check on medications, among a growing number of other functions.

The growing use of wireless networks by health care professionals presents tremendous challenges to health care IT managers. One of the fundamental axioms of IT is that there is a tradeoff between access and security: easier access translates to greater security risks. True to this axiom, the ease of access that wireless networks offer is matched by the security challenges those networks present.

Decisions made today about the deployment of wireless local area networks (WLANs) must take into account the impact of the administrative simplifications of HIPAA.

HIPAA Requirements:

The HIPAA statute requires health plans, health care providers, and other covered entities to maintain reasonable and appropriate safeguards to protect individually identifiable health information.

Under the HIPAA privacy rules, a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of electronic and nonelectronic protected health information. A court asked to determine the meaning of "appropriate safeguards" under this "mini-security rule," may well refer to the principles and requirements of the security rules to determine what safeguards an entity should have implemented.

The HIPAA security rules were issued in final form on February 20, 2003. They apply to protected health information in electronic form only. The core principles of the final rules require covered entities to:

  1. ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits;
  2. protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  3. protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the security rules]; and
  4. ensure compliance with the [security rules] by its workforce.

The final security rules offer some flexibility to covered entities attempting to comply with these requirements, however. For example, covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in the security rules.

The requirement that covered entities "ensure" the integrity and confidentiality of health information against reasonably anticipated threats or hazards, however, creates a very high legal and practical standard. The attacks of September 11, 2001, and a number of well-publicized incidents of identity thefts made possible by the theft of electronic consumer data, may well have raised the bar even higher regarding what is reasonable and appropriate to protect confidential information of all kinds.

The penalties for violating HIPAA range from $100 per person per incident for run-of-the-mill improper disclosures of health information to $250,000 and 10 years in prison for intentional violations. Statutory penalties may be the least of a covered entity's worries, however, if lax security allows health information to be stolen. There is also a risk of class action lawsuits and, of course, damage to the entity's reputation.

The Security Rules Affect How WLANS Should Be Implemented

The security rules require covered entities to conduct an assessment of potential risks and vulnerabilities and to implement -- and revisit from time to time -- security measures sufficient to reduce such risks and vulnerabilities.

If a covered entity assesses the security risks inherent in transmitting protected health information over wireless networks, it will learn that well-known technical deficiencies in the security features of 802.11b technology likely make the technology inadequate, unless it is enhanced. Required technical safeguards that are not met by standard 802.11b wireless network security features include the requirement to implement unique user identification, encryption and decryption, person and entity authentication, and transmission security. The main reason that these requirements cannot be satisfied by deploying only 802.11b technology is that the encryption protocol used in 802.11b products, called Wired Equivalent Privacy (WEP), is fundamentally flawed. The deficiencies in WEP have been widely publicized.

Because the deficiencies in WEP are serious and well-known, a covered entity risks being deemed to not be in compliance with HIPAA requirements if it relies on WEP alone to protect the confidentiality and integrity of data transmitted over wireless networks.

Additionally, covered entities must implement policies and procedures to safeguard equipment from unauthorized physical access, tampering and theft. Special attention should be paid to the danger inherent in the theft of a wireless device that may provide a thief unauthorized access to protected health information.

Should You Wait to Install or Upgrade Your WLAN?

Covered health care entities need to consider whether they should postpone deploying an initial WLAN, or upgrading an insecure WEP-based WLAN, until planned changes in wireless network standards are adopted and have been implemented in commercial products. The Institute of Electrical and Electronics Engineers (IEEE) has announced that it plans to adopt the 802.11g specifications this summer and is working on the specifications for 802.11i.

Some 802.11g products that were released before the standard was finalized have had inadequate security features, and some 802.11g products have proven not to be compatible with 802.11b equipment. Presumably, 802.11g products developed after the 802.11g standard is released will not suffer from interoperability problems. 802.11g networks also will be more secure than 802.11b networks if they are deployed using the WPA encryption protocol rather than WEP.

Those who are charged with maintaining the security of health care information systems carry a heavy burden. Because technology changes constantly, the security rules require covered entity managers and their lawyers to regularly evaluate the impact of those changes on the security of their networks.

Read "No Rest for the Wary," in BNA's Electronic Commerce & Law Report, Vol. 8, No. 20 for more detailed information (PDF).


Articles

Solving the Compliance vs. Mobile Dilemma by David Haskin, Computerworld, September 14, 2006
How to comply with regulations when users walk out the door carrying high-risk data on mobile devices.

Richardson Hospital Adds Wi-Fi by Jennifer Gordon, Dallas Business Journal, January 30, 2006
The Richardson hospital has installed free Wireless Fidelity (Wi-Fi) access so that patients and their families can connect to the Internet. The system also is available to physicians and hospital staff. The clinical and business operations are completely separate from patient access so that no one can tap into the hospital's confidential records.

Voice Over Wireless Helps Hospital Improve Patient Care by Amanda Mitchell, TechTarget, January 9, 2006
For one California hospital, deploying voice technology over a wireless network is the right cure for a cumbersome style of communication that transcends the ages. It is estimated that doctors can save up to three minutes per patient, thanks to the ability to respond swiftly to calls -- a time savings that can then be invested directly back into patient treatment.

Case Report: Securing the Air by Bob Hedglen, Healthcare Informatics, July 2005
Since deploying a WLAN security solution, productivity of the clinical staff has increased, as has the demand for wireless applications and extension of the wireless networks. Rogue access points have been eliminated. A wireless policy has been defined and followed. We have been able to manage the throughput of wired devices and, perhaps most important, to secure patients' data in compliance with regulations.

Gartner Sees Growing Need for Wireless Security Policies by Jaikumar Vijayan, Computerworld, June 11, 2004
The escalating use of wireless technology demands formal corporate security policies governing that use, according to users and analysts at a Gartner security conference in Washington, DC.

Mobile Tech Gets Security Check by Beckie Kelly Schuerenberg, Health Data Management, November 2003
Health care organizations must evaluate their security policies and technologies to ensure that their mobile hardware and wireless networks comply with HIPAA.

Deploying Secure, Reliable Wireless LANs in the Healthcare Environment by Bill Sims, Health Management Technology, April 2003
For many healthcare institutions, wireless LANs (WLANs) have become a key component of the IT infrastructure. WLANs have moved into mainstream use by providing greater efficiency and accuracy to users of such mission-critical applications as bedside medication administration, emergency registration, order entry, physician rounding and clinical documentation. As the paper chart gives way to computer-based patient records, mobile devices are becoming the primary point of clinical communications. As the user base grows and mobile applications become increasingly mission-critical, the need for effective security and management of these networks becomes a top priority. Yet for all of their benefits, wireless networks introduce significant risks and challenges to IT management.

Wireless Watchdogs by Alan Joch, Healthcare Informatics, July 2002
Technology to protect through-the-air communication is becoming more sophisticated, just in time to meet HIPAA deadlines.

Saving Lives With PDAs by Matthew Herper, Forbes, April 23, 2002
Doctors and hospitals seem to use personal digital assistants mainly for billing and keeping schedules. But Redmond Burke, a Miami heart surgeon, sees the devices as life-saving tools that allow him to keep track of the infants on whom he operates. Burke turned to a startup to put patient information on a secure Web server that allowed it to be sent encrypted to doctors' handhelds and to be accessed securely by any computer with a Web browser.

Clinical Trial Software Company Buys Thousands of Palms by Matt Hamblen, ComputerWorld, April 19, 2002
To bolster clinical drug trials with patients, PHT Corp. in Charlestown, Mass., has purchased 3,000 Palm Inc. handheld computers, with 13,000 more on order by year's end. The handhelds, the only brand that met U.S. Food and Drug Administration security and reliability standards, have already helped improve compliance in clinical trials by patients tenfold over the former practice of using paper reports, PHT's chief scientist, Stephen Raymond, said.

Wireless Health Driven by HIPAA by Eugene Grygo, InfoWorld, April 5, 2002
Conforming to the federal government's HIPAA regulations regarding patients' security and privacy has put Concentra Health Services, an Addison, Texas-based occupational therapy group of physicians and physical therapists, in a predicament.

As the company deploys 802.11b WLAN (wireless LAN) in Concentra's 231 clinics, executives mull over whether they should implement hardware firewalls between its many WLANs and its core network, says Jay Wilson, the company's vice president of IS and technology, and chief technologist. As are many of the HIPAA regulations, this issue is not clear cut, he says. "Our legal and IT departments are going through and writing each of our HIPAA policies for all of the different areas that HIPAA covers," Wilson says. "We will definitely have a road map for our wireless network ... [but] HIPAA is not black and white, so it doesn't tell you exactly what the answer is."

Wireless Security: Good Enough for Medical Records? by Robert L. Mitchell, ComputerWorld, July 26, 2001
Wireless LANs add a new level of threat to network security by putting data on the airwaves. The technology leaves the door open for tapping into wireless data transmissions -- and could allow a hacker with a laptop and wireless LAN adapter to gain access to network resources by simply parking outside a building. With those risks in mind, The Connecticut Hospice is implementing special security features to prevent unauthorized access to patient data.
