Did you know your medical Personally Identifiable Information (PII) is worth 50x more than your credit card information on the black market? It’s also the target of exponentially rising attacks.
A recent report from Keeper Security has highlighted staggering stats informing us that 90% of all healthcare organizations have had a data breach, affecting nearly one-third of the U.S. population.
As cyber attacks on healthcare organizations increase rapidly, IT administrators are reviewing their cyber security policies from the ground up. Wireless access is one area that deserves close attention given the proliferation of the BYOD phenomenon, staff equipped with tablets to access Electronic Health Records (EHR), and the increasing adoption of wirelessly connected medical devices.
HIPAA has historically provided the guiding principles for securing access to patient information. However, you won’t find specific implementation requirements for a wireless LAN (WLAN) within HIPAA. Instead, you’ll find it somewhat buried inside the Code of Federal Regulations (CFR) Title 45, Part 164, Subpart C. The CFR splits WLAN requirements into three categories: administrative (office processes and policies), physical (hardware), and technical (securing WLAN traffic).
Adhering to the following requirements will ensure your Wi-Fi network is HIPAA compliant:
Administrative requirements
- Collect logs of the WLAN administrators’ logon and logoff events
- Use a WLAN solution with central management (controller/cloud) so that administrator account passwords are maintained in one system
- Use a WLAN solution with detection of wireless security threats such as rogue access points
- Make a backup of your WLAN configuration from the controller/cloud management system and store it safely offsite in case of an emergency
- Use a WLAN solution that allows healthcare staff to remain connected to patient information if the internet or central controller is unavailable to the access points
Physical requirements
- Use access points that offer protection from physical tampering, such as Kensington locks
- Store any on-site WLAN controller equipment behind access-restricted areas
Technical requirements
- If you offer public-facing Wi-Fi access, separate this traffic from your internal EHR-facing network using separate SSIDs and/or VLAN IDs
- At a minimum, use WPA2 with pre-shared key (PSK) encryption and, if possible, implement WPA2-Enterprise (802.1X) with client-side certificate authentication
- Use a WLAN solution that provides visibility into wireless client activity such as bandwidth consumed and source/destination information, and that has the ability to selectively block any traffic
-Ryan Orsi, Product Manager (@RyanOrsi)
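Mapping the technical requirements above onto an access-point configuration, as an added example that is not part of the original post: a small Python checker that reads a hostapd-style config and flags WPA1/TKIP, PSK-only SSIDs, and SSIDs that share a bridge (and so a VLAN). The config text, SSID names, RADIUS address and secrets are constructed placeholders; the hostapd.conf keys used (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, ieee8021x, bridge, bss) are real directives.

```python
# Constructed sample, not a real deployment: a guest BSS on WPA2-PSK and an EHR BSS
# misconfigured with WPA/WPA2 mixed mode, TKIP, and the guest network's bridge.
SAMPLE_CONF = """\
interface=wlan0
bridge=br-guest
ssid=Clinic-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-guest-passphrase
bss=wlan0_1
bridge=br-guest
ssid=Clinic-EHR
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=placeholder-radius-secret
"""

def parse_hostapd(text: str) -> list[dict[str, str]]:
    """One dict per BSS; in hostapd.conf each 'bss=' line opens a further BSS."""
    bsses: list[dict[str, str]] = [{}]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "bss":
            bsses.append({})
        bsses[-1][key] = value
    return bsses

def check_config(text: str) -> list[tuple[str, str]]:
    """WPA2 only, CCMP only, 802.1X preferred; guest and EHR SSIDs must not share a bridge."""
    findings, owner = [], {}  # owner maps bridge -> first SSID seen on it
    for bss in parse_hostapd(text):
        name = bss.get("ssid", "?")
        if bss.get("wpa") != "2":  # wpa=1 or wpa=3 still offers WPA1 to clients
            findings.append(("FAIL", f"{name}: wpa={bss.get('wpa')}, require wpa=2"))
        if "TKIP" in bss.get("rsn_pairwise", "") + bss.get("wpa_pairwise", ""):
            findings.append(("FAIL", f"{name}: TKIP enabled, use CCMP only"))
        if "WPA-EAP" not in bss.get("wpa_key_mgmt", "") or bss.get("ieee8021x") != "1":
            findings.append(("WARN", f"{name}: PSK only, prefer WPA2-Enterprise 802.1X"))
        if (br := bss.get("bridge", "")) in owner:
            findings.append(("FAIL", f"{name}: shares bridge {br} with {owner[br]}"))
        owner.setdefault(br, name)
    return findings
```

Running `check_config(SAMPLE_CONF)` reports one WARN for the PSK-only guest SSID and three FAILs for the EHR SSID (mixed mode, TKIP, shared bridge); moving the EHR BSS to its own bridge with wpa=2 and CCMP clears the FAILs.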
Ed Eby says
If I am accessing HIPAA information that is housed in a HIPAA compliant “Platform As A Service” provider over HTTPS, does the scope of HIPAA compliance extend to my WiFi from which I am accessing the HIPAA data?
Ardavan Hashemzadeh says
I’m not a lawyer, and any free advice is worth what you paid for it. The vendors of the PaaS will argue that because you’re connecting to their service over HTTPS it is irrelevant from where you’re connecting.
Christina Glabas says
Hi there – Can you cite more specifically the part of the CFR that lists these requirements? We looked up the Administrative, Physical, and Technical safeguards under 45 CFR Part 164, Subpart C, but we didn’t find anything that specified the WLAN requirements that you listed here.
Best regards,
Christina