Secplicity - Security Simplified

Powered by WatchGuard Technologies

HIPAA-Compliant Wi-Fi: What You Need To Know

August 31, 2015 By Ryan Orsi

Did you know your medical Personally Identifiable Information (PII) is worth 50 times more than your credit card information on the black market? It is also the target of a rapidly growing number of attacks.

A recent report from Keeper Security highlights staggering statistics: 90% of all healthcare organizations have had a data breach, affecting nearly one-third of the U.S. population.

As cyber attacks on healthcare organizations increase, IT administrators are reviewing their cyber security policies from the ground up. Wireless access is one area that deserves close attention given the proliferation of BYOD, staff equipped with tablets to access Electronic Health Records (EHR), and the increasing adoption of wirelessly connected medical devices.

HIPAA itself provides only the guiding principles for securing access to patient information; the statute says nothing about wireless LANs (WLANs). The enforceable detail is in the HIPAA Security Rule, codified in the Code of Federal Regulations (CFR) at Title 45, Part 164, Subpart C. Even there you will not find the word "wireless": the Security Rule is written to be technology-neutral and groups its safeguards into three categories, administrative (office processes and policies), physical (hardware and facilities), and technical (securing access to, and transmission of, electronic protected health information). The WLAN items below are a practical mapping of those three safeguard categories onto a Wi-Fi deployment, not requirements spelled out in the regulation.

Meeting the following controls gives you a defensible baseline for the Wi-Fi portion of a HIPAA Security Rule program. They complement, rather than replace, the risk analysis the rule requires of every covered entity (45 CFR 164.308(a)(1)):

Administrative requirements

  1. Collect logs of the WLAN administrators’ logon and logoff events
  2. Use a WLAN solution with central management (controller/cloud) so that administrator account passwords are maintained in one system
  3. Use a WLAN solution with detection of wireless security threats such as rogue access points
  4. Make a backup of your WLAN configuration from the controller/cloud management system and store it safely offsite in case of an emergency
  5. Use a WLAN solution that allows healthcare staff to remain connected to patient information if the internet or central controller is unavailable to the access points

Physical requirements 

  1. Use access points that offer protection from physical tampering, such as Kensington locks
  2. Store any on-site WLAN controller equipment behind access-restricted areas

Technical requirements 

  1. If you offer public-facing (guest) Wi-Fi, keep that traffic off your internal EHR-facing network: give it its own SSID mapped to its own VLAN, and enforce the separation with firewall policy, since a separate SSID by itself does not isolate traffic once it reaches the wired side
  2. At a minimum, use WPA2 with AES-CCMP encryption and a strong pre-shared key (PSK), with no WPA/TKIP fallback; where possible, move to WPA2-Enterprise (802.1X) with EAP-TLS client certificates, so each device authenticates with its own revocable credential instead of one secret shared by every device and every staff member who has ever seen it
  3. Use a WLAN solution that provides visibility into wireless client activity, such as bandwidth consumed and source/destination information, and that can selectively block any traffic
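Technical item 2 is easy to state and easy to get subtly wrong in a config file: WPA2 selected but WPA1 still permitted, CCMP listed next to TKIP, or WPA-EAP chosen without the 802.1X plumbing that makes it work. The script below is an added example, not code from the article or from WatchGuard. It parses the key=value format hostapd uses and reports where a profile falls below WPA2-PSK or stops short of 802.1X, with a weak profile and a hardened one side by side. Both configurations are constructed for illustration; the RADIUS address and shared secret are placeholders, and the 16-character passphrase threshold is this example's own assumption, not a figure from the article or the regulation. VLAN separation (item 1) is outside its scope, because in hostapd that comes from the bridge and RADIUS-assigned VLAN settings rather than these keys.

```python
"""Check hostapd-style WLAN settings against technical item 2.

Added example, not code from the article or from WatchGuard. It parses the
key=value format hostapd uses and reports where a profile falls below WPA2
with a pre-shared key, or stops short of 802.1X. Both configurations are
constructed; the RADIUS address and shared secret are placeholders, and the
16-character passphrase threshold is an assumption of this example.
"""

WEAK_CONF = """\
interface=wlan0
ssid=ClinicEHR
hw_mode=a
channel=36
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=clinic123
"""

HARDENED_CONF = """\
interface=wlan0
ssid=ClinicEHR
hw_mode=a
channel=36
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_ME
"""


def parse_hostapd(conf):
    """Return the key=value pairs of a hostapd config; comments and blank lines are skipped."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_hostapd(conf):
    """Return findings prefixed FAIL, WARN or OK; a profile with no FAIL meets the minimum."""
    s = parse_hostapd(conf)
    findings = []

    wpa = s.get("wpa", "0")
    if wpa == "0":
        return ["FAIL: wpa=0, open network; EHR traffic would cross the air unencrypted"]
    if wpa in ("1", "3"):
        findings.append(f"FAIL: wpa={wpa} still admits WPA (TKIP) clients; set wpa=2")

    # hostapd negotiates any cipher it lists, so TKIP anywhere means a client can get TKIP.
    ciphers = set((s.get("rsn_pairwise", "") + " " + s.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("FAIL: TKIP listed as a pairwise cipher; use rsn_pairwise=CCMP only")
    elif not ciphers:
        findings.append("WARN: no pairwise cipher pinned; set rsn_pairwise=CCMP explicitly")

    key_mgmt = set(s.get("wpa_key_mgmt", "").split())
    if key_mgmt & {"WPA-EAP", "WPA-EAP-SHA256"}:
        if s.get("ieee8021x") != "1" or "auth_server_addr" not in s:
            findings.append("FAIL: WPA-EAP selected but ieee8021x=1 or auth_server_addr is missing")
        else:
            findings.append("OK: WPA2-Enterprise via 802.1X; the EAP method (EAP-TLS with client "
                            "certificates) is enforced on the RADIUS server, not in this file")
    elif "WPA-PSK" in key_mgmt:
        findings.append("WARN: WPA2-PSK is the minimum; every device shares one secret")
        if len(s.get("wpa_passphrase", "")) < 16:   # assumed threshold for this example
            findings.append("FAIL: wpa_passphrase shorter than 16 characters")
    else:
        findings.append("FAIL: wpa_key_mgmt not pinned to WPA-PSK or WPA-EAP; set it explicitly")
    return findings


def meets_minimum(conf):
    """True when no finding is a FAIL, i.e. the profile is at least WPA2-CCMP with a sound PSK."""
    return not any(f.startswith("FAIL") for f in audit_hostapd(conf))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {name} ---")
        for finding in audit_hostapd(conf):
            print(" ", finding)
```

Run against a real hostapd.conf by reading the file into `audit_hostapd`. Note what the hardened profile does not contain: with WPA-EAP the per-device credential lives on the RADIUS server, so auditing the AP config only proves that 802.1X is wired up; confirming that EAP-TLS is the only method accepted is a check on the RADIUS side.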

-Ryan Orsi, Product Manager (@RyanOrsi)

Comments

  1. Ed Eby says

    September 16, 2015 at 2:23 pm

    If I am accessing HIPAA information that is housed in a HIPAA compliant “Platform As A Service” provider over HTTPS, does the scope of HIPAA compliance extend to my WiFi from which I am accessing the HIPAA data?

    • Ardavan Hashemzadeh says

      November 8, 2016 at 9:55 am

      I’m not a lawyer, and any free advice is worth what you paid for it. The vendors of the PaaS will argue that because you’re connecting to their service over HTTPS it is irrelevant from where you’re connecting.

  2. Christina Glabas says

    April 23, 2018 at 10:19 am

    Hi there – Can you cite more specifically the part of the CFR that lists these requirements? We looked up the Administrative, Physical, and Technical safeguards under 45 CFR Part 164, Subpart C, but we didn’t find anything that specified the WLAN requirements that you listed here.

    Best regards,
    Christina

