Addressing HIPAA privacy compliance on hospital wireless network

E-Guide

Medical devices, tablets, smartphones and RFID are forcing hospital wireless networks open. HIPAA privacy compliance is harder than ever, however. Here's how CIOs can cope.

By Don Fluckinger, Features Writer

Health care CIOs are caught between a rock (technology) and a hard place (regulation). On the one hand, demanding patients and increasing numbers of wireless medical devices are requiring they open up their wireless networks. On the other, tighter rules for HIPAA privacy compliance are forcing them to lock networks down with encryption and tighter access control, lest they find their facility's name posted on a government website in connection with a data breach.

For John Cameron, computer technical specialist and wireless technician at the 121-bed Milford Regional Medical Center in Massachusetts, accommodating guests while maintaining HIPAA privacy compliance on the facility's new wireless network begins with three technology measures:

- Partitioning the network and keeping patient data and guest activity on separate partitions
- Limiting guest activity to the browser -- that is, no virtual private networks, or VPN, or other applications
- Using public domain name servers, or DNS, for the guest partition, not the hospital's own

HIPAA guidelines also should be taken into account when the hospital's medical equipment buyers order new wireless gear, Cameron recommended. Not every monitoring device or wireless intravenous pump has the capacity to encrypt the bits of data that HIPAA protects, such as name and date of birth. That reality should be factored into buying decisions whenever possible.

On the same point, all the medical devices in use on a hospital's wireless network should be evaluated and the security settings maxed out, he added.

"Work with the [wireless and biomedical equipment] vendors on getting the highest security level you can get with what you have," Cameron said. "Biomedical gear is a couple years behind in the wireless field. Eventually, when they come on to the wireless, we need to make sure they can withstand a certain amount of encryption... and make sure it's within the HIPAA guidelines."

For Robert Mann, manager of information technology for Westminster Canterbury Richmond, a continuing care retirement community in Virginia, the HIPAA wireless compliance problem is especially thorny. The community's three-floor, 158-bed facility uses the network in delivering health care, but its 900 residents also access it for their personal use. That represents 900 more vulnerable points in the network for malware or other unauthorized access that hospitals with more transient populations might not have.

Yet the facility chose to offer Internet to residents via Aruba Networks Inc. wireless gear because wiring the community's 1970s-vintage buildings would have busted the budget.

"We decided this would be a great place to kick off our great enterprise wireless initiative," said Mann, whose network recently was further upgraded to accommodate physicians and nurses accessing Westminster Canterbury's electronic health record (EHR) system via laptops and bedside workstations on wheels. "This is going to give us real-time documentation," he said.

To do that and maintain his compliance with HIPAA and with Payment Card Industry (PCI) data security standards, his team first set up virtual LANs on Cisco Systems Inc. switches to cordon off certain areas of the network and beef up security, Mann said. To keep patient data locked down, the team then set up a policy enforcement firewall on the wireless side. Then they slowly rolled out the wireless in the health care buildings and tested for vulnerabilities.

Secure, HIPAA-compliant health care wireless networks begin with a locked-down wired network, stressed both Mann and Scott Vachon, manager of network services for the Laconia, N.H.-based two-hospital LRGHealthcare system. Once access to those areas is properly limited and secured, wireless security with encryption and traffic routing and policies can be tackled.

"My CIO and I both come from financial companies, so we're schooled in PCI," Vachon said. "[PCI and HIPAA] are not so different. We practice defense in depth, so everything we do, we start at 'no,' then work our way out and say, 'What do we need to open up to meet your requirements?'"

Mann stresses that HIPAA privacy compliance is an ongoing process. After the hospital wireless network becomes operational, the work has just begun. Maintaining security is a matter of testing and retesting, as well as going over areas where maintenance operations could affect wireless gear and its function.

"For us it's not a case of 'set it and forget it,'" Mann said. "It's something that we've brought along, something we've grown. But we continue to monitor it, we continue to have third-party vendors come in and do testing on it."
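Cameron's three guest-partition measures and Vachon's "start at 'no'" approach can be written as checks that are rerun whenever the guest segment's rules change. The Python below is an added example, not from the article or any vendor: the rule format, the function name, the subnets and the resolver addresses are all assumptions, and it models a simple first-match rule list rather than any real firewall's syntax.

```python
import ipaddress
WEB = {("tcp", 80), ("tcp", 443)}
DNS = {("udp", 53), ("tcp", 53)}

def audit_guest_rules(rules, clinical_nets, public_dns):
    """Audit an ordered, first-match guest rule list; return finding strings.
    rules: (action, proto, dst_cidr, port) tuples; proto/port None means any."""
    clinical = [ipaddress.ip_network(n) for n in clinical_nets]
    resolvers = {ipaddress.ip_network(r) for r in public_dns}
    blocked, findings = [], []  # blocked: nets fully denied by earlier rules
    for i, (action, proto, dst, port) in enumerate(rules, 1):
        net = ipaddress.ip_network(dst)
        if action == "deny":
            if proto is None and port is None:
                blocked.append(net)
            continue
        # Measure 1: guest traffic must not reach a patient-data subnet.
        for c in clinical:
            if net.overlaps(c) and not any(c.subnet_of(b) for b in blocked):
                findings.append(f"rule {i}: guest can reach clinical net {c}")
        # Measure 2: browser only (web ports plus the DNS lookups it needs).
        if (proto, port) not in WEB | DNS:
            findings.append(f"rule {i}: non-browser service {proto}/{port}")
        # Measure 3: DNS goes to public resolvers, not the hospital's own.
        if (proto, port) in DNS and net not in resolvers:
            findings.append(f"rule {i}: DNS to non-public resolver {dst}")
    # "Start at no": the list must end with an explicit deny-everything rule.
    if not rules or rules[-1] != ("deny", None, "0.0.0.0/0", None):
        findings.append("no final default-deny rule")
    return findings

# Constructed sample data; every address here is a placeholder.
CLINICAL = ["10.20.0.0/16"]
PUBLIC_DNS = ["192.0.2.53/32"]
WEAK = [
    ("allow", "udp", "10.20.0.53/32", 53),  # hospital's own DNS server
    ("allow", "udp", "0.0.0.0/0", 500),     # VPN key exchange (IKE)
    ("allow", "tcp", "0.0.0.0/0", 443),
]
HARDENED = [
    ("deny", None, "10.20.0.0/16", None),
    ("allow", "udp", "192.0.2.53/32", 53),
    ("allow", "tcp", "0.0.0.0/0", 80),
    ("allow", "tcp", "0.0.0.0/0", 443),
    ("deny", None, "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print("\n".join(audit_guest_rules(WEAK, CLINICAL, PUBLIC_DNS)))
```

The hardened list passes only because the clinical subnet is denied before the broad web rules are reached; moving that deny rule lower would surface the separation finding again.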

About CDW Healthcare

CDW Healthcare is a leading provider of technology solutions focused exclusively on serving the healthcare marketplace. Working closely with more than 15,000 healthcare organizations nationwide, customers range from small rural providers to large integrated delivery networks. The dedicated healthcare team leverages the expertise of CDW technology specialists and engineers to deliver best-in-class solutions from data center infrastructure through to point of patient care. The company's technology specialists and engineers offer expertise in designing customized solutions, while its advanced technology engineers can assist customers with the implementation and long-term management of those solutions. Areas of focus include notebooks, desktops, printers, servers and storage, unified communications, security, wireless, power and cooling, networking, software licensing and mobility solutions.