Although Wi-Fi is a godsend for delivering services and exchanging data throughout healthcare organizations, it comes with serious vulnerabilities that threaten business and patient data security.
Healthcare has become a prime target of attackers, with breaches reaching an all-time high. According to the Bitglass 2017 Healthcare Breach Report, 328 healthcare companies were hit by data breaches in 2016, affecting the healthcare records of some 16.6 million Americans.
However, many breaches are avoidable with proper security. Organizations must recognize security as an integral part of their business, and use network security–layering techniques to minimize the risk of a successful attack.
Why Security Is Critically Important to Healthcare Organizations
The Health Insurance Portability and Accountability Act (HIPAA) includes a Security Rule that requires any organization that handles protected health information (PHI) to institute safeguards. On data networks, because PHI is stored and transmitted electronically, it’s referred to as ePHI. At a minimum, safeguards for ePHI include authentication, access control, audit controls, transmission security (encryption) policies and procedures.
Protecting ePHI is becoming a major challenge, as more and more clinics and hospitals embrace mobile devices and the Internet of Things (IoT). The weak point lies within how Wi-Fi functions. Anything that connects to Wi-Fi, whether a computer, tablet or medical device, sends signals over the air to a Wi-Fi access point (AP), which communicates with other APs or a wired network. These signals can travel well over 100 feet – through walls and windows – and are at risk of being intercepted by an attacker.
It’s the responsibility of healthcare IT staff to implement strong safeguards to protect ePHI as it travels between medical devices and Wi-Fi networks. If an IT staff violates HIPAA, a company can face hefty fines, imprisonment of key staff, reputation damage and loss of business.
Instituting HIPAA-Compliant Wi-Fi Security
There are many ways to beef up security on a Wi-Fi network to meet HIPAA Security Rule requirements. Here are the most common methods:
- Use Firewalls and Intrusion Detection Systems (IDSs) or Intrusion Prevention Systems (IPSs): Your network administrator is responsible for setting rules in the firewall that prevent most unwanted traffic from getting to a network. However, with an IDS in place, you add another layer of defense, which detects malicious traffic that slips through the firewall and alerts an administrator to take action. An IPS goes a step even further by entirely stopping malicious traffic. Today’s next-generation firewall acts like a combination of a traditional firewall and an IPS, all in one appliance.
- Separate the Private Network from the Public Network. The private network is where ePHI is used and stored; the public network is where anyone has WiFi access, like in a waiting room. To protect the private network, set up a virtual LAN that uses a guest service set identifier (SSID) for public use. Although ePHI is not usually exchanged in a public setting, a malicious user with hacking skills could breach an unprotected Wi-Fi connection, and potentially access the healthcare provider’s network.
- Implement WPA-2 Enterprise: WPA-2 Enterprise is a user authentication that restricts unauthorized access to a network. It allows only trusted WiFi clients to connect to resources on a network and encrypts ePHI exchanged between Wi-Fi clients and the healthcare provider’s network.
- Ensure That Access Points Are Physically Secure: To prevent tampering, keep access points out of the reach of non-administrative users such as in a locked enclosure.
- Constantly Monitor the Network with a Wireless LAN Solution: This solution can watch for unusual activity, such as rogue access points and spikes in bandwidth usage.
Security Benefits of Managed Wi-Fi
Another approach to a secure HIPAA-compliant Wi-Fi environment is to contract a service provider to manage your Wi-Fi connections. This scenario shifts most operational responsibilities, such as installation and maintenance, from a healthcare provider to a company specializing in networking and security. This service provider will ensure that your Wi-Fi is current and secure by adding features and applying updates over the web while testing all equipment and connections.
Whether your connections are housed within one or multiple locations, you can simply access and track them through a cloud-based dashboard. This type of central management lets an administrator see network performance at a glance and quickly respond to issues. Central management also allows an admin to gather analytics about how people use the network, which can be shared with business staff to improve customer engagement and loyalty.
Another plus with managed Wi-Fi is its predictable monthly cost. If managed Wi-Fi sounds like a good solution for your company, reach out to vendors for details on plans and pricing.