[ Wednesday, May 04, 2005 ]


Wi-fi: You may have noticed that quite a few businesses these days, from restaurants and coffee shops to book stores to car repair and tire stores, are offering wireless internet access to their customers as an inducement to sit and stay awhile. This perk is a good fit for many physician offices and other healthcare providers; if your patients are going to have to sit around a lot, instead of just giving them year-old copies of People magazine and Field and Stream, let them surf the net on their laptops.

If you're going to do that, though, make sure you don't compromise your privacy or security. Your wi-fi policy should be integrated with, and governed by, your HIPAA policies and procedures. How? Hospital Compliance Wire has some ideas:

  1. Make sure the wi-fi access for your patients is separate from your clinical information systems. It should operate as if the wi-fi access route was operated by the business next door. Remember, even if your clinical systems aren't wireless now, they may be in the future, so you definitely want to keep "customer" access separate from "employee" access.
  2. Use a static portal as your log-in rules of the road. Have wi-fi access go through that portal page first, and include on it your rules for patient access. Remind patients to respect others in the waiting room and be considerate about what they are accessing (porn, gambling, rap music, you get the idea). When listing terms and conditions, give examples.
  3. Make sure your signal isn't so strong that it allows access to people outside your office. You may find some big bandwidth costs if someone camps on your wi-fi from your parking lot.
  4. Monitor wireless use. The worst thing you could do is install wi-fi and not monitor it, only to find that a patient or visitor has used your wi-fi to hack into your systems. Look for loopholes and trouble spots. Malicious visitors are always looking for weak spots, and technology constantly changes to invent new ways to breach old security measures.

And as always, document what you do. Written policies and procedures may be the only way you can prove that you took reasonable precautions, and that's likely going to be your only HIPAA defense.
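Items 1 and 4 above (keep patient wi-fi walled off from clinical systems, and actually watch what happens on it) are the two that a practice can check mechanically rather than on faith. The script below is an added illustration, not part of the original post or of Hospital Compliance Wire's material: it reads firewall log lines from the guest network and reports two things a HIPAA-minded administrator would want flagged: any guest connection that was *accepted* into the clinical network (the segmentation rule is not doing its job), and any guest client that has touched several different clinical hosts, even if every attempt was dropped (someone in the waiting room is poking around). The subnets, the log-line format and the sample log are all assumptions constructed for the example.

```python
"""Guest wi-fi segmentation monitor (illustrative example, not the blog's own code).

Assumptions (constructed for this example):
  * patient/guest clients are on 192.168.50.0/24
  * clinical information systems are on 10.10.0.0/16
  * the guest-side firewall logs one line per connection attempt as
      <date> <time> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
"""
import ipaddress
import re
from collections import defaultdict

GUEST_NET = ipaddress.ip_network("192.168.50.0/24")     # assumed guest subnet
CLINICAL_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed clinical subnet

# One log line per connection attempt; the exact format is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: two ordinary web/DNS lookups from one guest, a second
# guest sweeping file-sharing ports on clinical hosts, one of which the firewall
# wrongly let through, and a legitimate clinical-to-clinical connection.
SAMPLE_LOG = """\
2005-05-04 09:01:12 ACCEPT src=192.168.50.23 dst=208.67.222.222 dport=53
2005-05-04 09:01:13 ACCEPT src=192.168.50.23 dst=64.233.161.99 dport=80
2005-05-04 09:02:40 DROP src=192.168.50.41 dst=10.10.1.5 dport=445
2005-05-04 09:02:41 DROP src=192.168.50.41 dst=10.10.1.6 dport=445
2005-05-04 09:02:42 DROP src=192.168.50.41 dst=10.10.1.7 dport=445
2005-05-04 09:02:43 ACCEPT src=192.168.50.41 dst=10.10.1.8 dport=1433
2005-05-04 09:03:00 ACCEPT src=10.10.2.15 dst=10.10.1.8 dport=1433
"""


def parse_log(text):
    """Turn raw log text into a list of dicts; silently skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def _guest_to_clinical(rec):
    """True when the connection goes from the guest subnet into the clinical subnet."""
    return (ipaddress.ip_address(rec["src"]) in GUEST_NET
            and ipaddress.ip_address(rec["dst"]) in CLINICAL_NET)


def find_segmentation_leaks(records):
    """Item 1 check: guest traffic that the firewall ACCEPTED into clinical systems.

    Any hit means the separation rule is missing or misordered; fix it today.
    """
    return [r for r in records if _guest_to_clinical(r) and r["action"] == "ACCEPT"]


def find_probing_clients(records, min_targets=3):
    """Item 4 check: guest clients that touched several distinct clinical hosts.

    Dropped attempts count too: a client working its way across clinical
    addresses is worth a look even when every packet was blocked.
    Returns {guest_ip: number_of_distinct_clinical_hosts}.
    """
    targets = defaultdict(set)
    for r in records:
        if _guest_to_clinical(r):
            targets[r["src"]].add(r["dst"])
    return {ip: len(hosts) for ip, hosts in targets.items() if len(hosts) >= min_targets}


def report(text):
    """Convenience wrapper that runs both checks over raw log text."""
    records = parse_log(text)
    return {
        "leaks": find_segmentation_leaks(records),
        "probing_clients": find_probing_clients(records),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for leak in result["leaks"]:
        print(f"LEAK  {leak['ts']} {leak['src']} -> {leak['dst']}:{leak['dport']} was ACCEPTED")
    for ip, n in result["probing_clients"].items():
        print(f"PROBE guest {ip} touched {n} distinct clinical hosts")
```

Run against the constructed sample, the script reports one leak (the accepted connection from 192.168.50.41 to 10.10.1.8) and one probing client (192.168.50.41, four distinct clinical hosts). In practice you would point `parse_log` at the real firewall log and have the output land in whatever the practice already reviews; the review itself, and a note that it happened, is the documentation the post's last paragraph is asking for.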

Jeff [8:54 AM]

Great post! I sometimes find it difficult to believe how many unsecured networks are out there, blithely broadcasting away. War driving (the practice of trolling for unsecured wireless networks) requires only a laptop with a wireless card. Sit in the parking lot of any medical office center with your laptop running, and be amazed at how many exposed practices there are out there.
If you don't have the technical knowledge to harden your wireless network, bring in a hired gun. It isn't all that expensive for a small practice with only one or two access points and a single server to secure against casual intrusion.
As with everything concerning security, if you make it inconvenient enough, the potential intruder will simply move on to easier targets.