Wi-Fi and HIPAA
by Dr. Jeff Brown
While best practices exist for the use of Wi-Fi connections, there are no guarantees of absolute security. Your duty, therefore, is not 100 percent security (this is impossible) but rather to assess and reduce risk to a level you consider acceptable.
To begin, you must first understand the inherent vulnerabilities of Wi-Fi.
Multiple devices: When multiple devices access a single network, each device becomes a potential point of entry for a virus. An infected device can then push malware to other devices connected to the same network.
Websites and apps: Installed applications and websites you visit, especially unsecured sites (http), increase the number of access points to your network. The more access points you create, the greater the chances one of those points contains a weakness known to would-be hackers.
Malware: Most people are aware any device (tablet, laptop, desktop, printer, etc.) can be infected with viruses. Less known, however, is that some malware (e.g., spyware, such as key loggers) runs silently in the background, so as not to alert users something is wrong, and picks up information before it gets encrypted.
Shared Wi-Fi: Any Wi-Fi connection that has no password protection, or whose password is known to people outside your workforce, should be considered public Wi-Fi. Determining the risk of a public connection is extremely difficult because you have no control over the other connected devices or the information being broadcast over the network. Because of this, it is best to avoid public Wi-Fi.
If you must access practice data over a public connection, the safeguards below become exponentially more important.
OS patches: Keeping your computer’s operating system (OS) up to date is arguably the most important safeguard. Never use an OS that is no longer supported by the vendor. For example, Windows XP and Windows Vista are both unsupported and should not be running on any of your machines.
Software patches: Properly maintaining software installed on your equipment and devices is critical, yet often overlooked because we tend to think of software as a finished product, but it’s never finished. Software vendors regularly provide security patches to plug vulnerabilities as they are discovered. If you don’t keep up to date with vendor patches, your software becomes increasingly vulnerable over time.
Antivirus: Install a single antivirus software application on every possible device connected to your Wi-Fi network (same applies to physical cord connections, too). The antivirus you use should be set up to update automatically on a daily basis to prevent new malware threats from infecting devices.
Https sites: Your browser’s address bar always displays the real web address of the site you are visiting, which begins with either "http" or "https." The "s" in https indicates the website uses specific protocols to encrypt (secure) data during transmission. Http, without the "s," offers no encryption. Be certain to transmit sensitive data to https web addresses only.
Router configuration: Modern Wi-Fi routers contain built-in firewalls and encryption; however, these features must be properly configured to be certain the firewall is "on" and encryption is sufficient. Always change the default password and never allow guests on your secure network. You can certainly offer patients free Wi-Fi, but only after setting up a true "guest" access point on your router, which keeps their traffic and yours completely separate.
It is also recommended to disable Wi-Fi Protected Setup (WPS) on your router and set its encryption to WPA2-level security. Visit the manufacturer's website to download the user manual and check for updates.
Virtual Private Network (VPN): Setting up a VPN creates a controlled virtual tunnel between two points to pass data. While a VPN does add a layer of security, it does not single-handedly protect your entire network; therefore, all other safeguards remain relevant. Hire a knowledgeable and reputable I.T. professional if you are interested in creating a VPN.
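One way to verify the router settings above from a laptop, shown as an added example that is not part of the original article: the script reads a Wi-Fi scan and reports whether each of your own networks offers WPA2 and whether WPS is still advertised. The sample input is constructed in the style of Linux `iw dev <iface> scan` output, and the SSIDs and MAC addresses are made up for illustration.

```python
# Constructed sample in the style of `iw dev <iface> scan` output; not a real capture.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    SSID: Practice-Secure
    RSN:  * Version: 1
BSS 02:00:00:00:00:02(on wlan0)
    SSID: Practice-Old
    WPA:  * Version: 1
    WPS:  * Version: 1.0
          * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:00:00:03(on wlan0)
    SSID: Practice-Guest
"""

def parse_scan(text):
    """Return one record per access point (BSS block) found in the scan text."""
    networks = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("BSS "):
            networks.append({"bssid": s.split()[1].split("(")[0], "ssid": "",
                             "rsn": False, "wpa1": False, "wps": False})
        elif networks:
            n = networks[-1]
            if s.startswith("SSID:"):
                n["ssid"] = s[len("SSID:"):].strip()
            elif s.startswith("RSN:"):   # RSN element: advertised by WPA2 (and newer)
                n["rsn"] = True
            elif s.startswith("WPA:"):   # legacy WPA (version 1) element
                n["wpa1"] = True
            elif s.startswith("WPS:"):   # router advertises Wi-Fi Protected Setup
                n["wps"] = True
    return networks

def audit(networks, own_ssids):
    """Map each of your SSIDs to a list of findings (empty list = passes)."""
    report = {}
    for n in networks:
        if n["ssid"] not in own_ssids:
            continue  # only judge networks you administer
        issues = []
        if not (n["rsn"] or n["wpa1"]):
            issues.append("no WPA or WPA2 advertised (open or WEP)")
        elif not n["rsn"]:
            issues.append("WPA2 not offered: raise router to WPA2")
        if n["wps"]:
            issues.append("WPS enabled: disable it in router settings")
        report[n["ssid"]] = issues
    return report
```

Calling `audit(parse_scan(SAMPLE_SCAN), {"Practice-Secure", "Practice-Old", "Practice-Guest"})` returns an empty list for the correctly configured network and the findings for the other two.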
It’s true, Wi-Fi can greatly improve your practice’s operational efficiency by providing network flexibility and mobile Internet access. However, these same attributes also increase your vulnerability to outside attacks. Should you determine the benefits of Wi-Fi service outweigh the risk, be sure to properly assess the vulnerabilities and apply the safeguards mentioned above.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.