If you manage a network in healthcare, one goal is always at the top of your list: staying compliant with HIPAA. That means doing everything you can to secure your patients' electronic protected health information (ePHI). Penalties for a HIPAA violation can be severe. Factor in the potential loss of patient trust and business if a data breach occurs, and the price of a single security error can become very high. Today, we cover some of the ways you can ensure that your network is HIPAA-compliant and so mitigate these risks. In particular, we recommend steps to protect your wireless LANs and your storage.*
Wireless LANs are increasingly used in healthcare organizations to better support busy and mobile healthcare professionals. The HIPAA Security Rule, which provides covered entities with guidance on protecting ePHI, divides its guidance into administrative, physical, and technical safeguards.
Here are a few specific things to implement in your wireless LAN that will help ensure you can meet these requirements:
Ensure that each user accesses the wireless network with a unique user ID. Your best method of user authentication is usually going to be WPA2-Enterprise, which authenticates each person with individual credentials instead of one passphrase shared by everyone. It is both the most secure and the easiest-to-manage way of meeting this requirement.
An important aspect of HIPAA is your ability to monitor user activity on the network. Your monitoring system should alert you to suspicious activity like multiple failed log-on attempts or potential rogue access points, and it must allow you to intervene quickly. You’ll also need the system to log reports on what you’ve monitored in case of a violation or audit.
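To make the monitoring requirement concrete, here is an added example (not code from the original article or any vendor) showing the two alerts named above: a user who racks up repeated failed logons within a short window, and an access point that is not in your inventory. The log format, the user names, the MAC addresses, the inventory of managed APs and the threshold of five rejects in five minutes are all constructed for the example; a real controller or RADIUS log would only change the parser.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed wireless logon attempt.
type AuthEvent struct {
	When   time.Time
	User   string
	BSSID  string // MAC of the access point the client associated with
	Result string // "ACCEPT" or "REJECT"
}

// ParseAuthLine parses the constructed format used here, e.g.
// "2024-03-01T10:15:02Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT".
func ParseAuthLine(line string) (AuthEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return AuthEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuthEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := AuthEvent{When: ts}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "bssid":
			ev.BSSID = strings.ToUpper(v)
		case "result":
			ev.Result = strings.ToUpper(v)
		}
	}
	return ev, nil
}

// ParseLog parses every non-blank line of a log.
func ParseLog(text string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseAuthLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// FailedLogonUsers returns users with at least threshold REJECTs inside any
// sliding window of the given length (sorted for stable output).
func FailedLogonUsers(events []AuthEvent, threshold int, window time.Duration) []string {
	byUser := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Result == "REJECT" {
			byUser[ev.User] = append(byUser[ev.User], ev.When)
		}
	}
	var flagged []string
	for user, times := range byUser {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window { // shrink window from the left
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// RogueBSSIDs returns AP MACs seen in the log that are not in the managed
// inventory; each one is a candidate rogue AP to investigate.
func RogueBSSIDs(events []AuthEvent, managed map[string]bool) []string {
	seen := map[string]bool{}
	var rogue []string
	for _, ev := range events {
		if ev.BSSID == "" || managed[ev.BSSID] || seen[ev.BSSID] {
			continue
		}
		seen[ev.BSSID] = true
		rogue = append(rogue, ev.BSSID)
	}
	sort.Strings(rogue)
	return rogue
}

// ManagedAPs is a constructed inventory of the organization's own APs.
var ManagedAPs = map[string]bool{"AA:BB:CC:DD:EE:01": true, "AA:BB:CC:DD:EE:02": true}

// SampleLog is constructed sample data, not output of any real product.
const SampleLog = `
2024-03-01T10:15:02Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT
2024-03-01T10:15:09Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT
2024-03-01T10:15:20Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT
2024-03-01T10:15:31Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT
2024-03-01T10:16:00Z user=jdoe bssid=AA:BB:CC:DD:EE:01 result=REJECT
2024-03-01T10:20:00Z user=asmith bssid=AA:BB:CC:DD:EE:02 result=ACCEPT
2024-03-01T10:21:00Z user=asmith bssid=AA:BB:CC:DD:EE:02 result=REJECT
2024-03-01T10:45:00Z user=asmith bssid=AA:BB:CC:DD:EE:02 result=REJECT
2024-03-01T11:00:00Z user=rnurse bssid=DE:AD:BE:EF:00:01 result=ACCEPT
`

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("repeated failed logons:", FailedLogonUsers(events, 5, 5*time.Minute))
	fmt.Println("unmanaged (possible rogue) APs:", RogueBSSIDs(events, ManagedAPs))
}
```

Both functions return their findings rather than only printing them, so the same logic can feed an alerting pipeline and the retained events double as the audit record the article asks for. The user `asmith` is not flagged because two rejects spread over 24 minutes never satisfy the window, while `jdoe` is flagged and the AP `DE:AD:BE:EF:00:01` surfaces as unmanaged.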
While not technically required, encryption is essentially the only way to ensure that you are protecting your ePHI in a HIPAA-compliant manner. Using a VPN and Secure Sockets Layer (SSL, now superseded by TLS) are best practices for protecting data in transit on your wireless network.
Ensure that your access points and controller are protected from tampering by keeping them in a secure location and using Kensington locks.
Servers and Storage
Administrative, physical, and technical safeguards also apply to your servers and storage equipment.
Some of the considerations to make for your HIPAA-compliant storage systems include:
Just like your wireless APs, your servers and storage devices must be physically secure. This includes protecting equipment from unauthorized access. It is also important to properly destroy old, unused equipment in order to keep ePHI out of the wrong hands.
As with data in transit, encrypting data at rest is important to ensure your ePHI is adequately protected once it reaches your storage system. It is generally recommended that you use the Advanced Encryption Standard (AES) to protect ePHI data at rest.
Data back-up, recovery, and emergency access:
HIPAA requires that exact copies of ePHI be properly backed up. You also need an effective disaster recovery plan and a way to access data to continue operations in emergency mode. A key step in meeting all of these needs is to keep your frequently backed-up data stored in a secure location off-site. Many small organizations with one- or two-person IT teams struggle to back up often enough. This is a big mistake. The only way to stay compliant with these aspects of HIPAA is to back up often, keep the data off-site, and take the time to test your disaster recovery plan.
If you’re relying on a cloud vendor for your storage, make sure their policies and practices are HIPAA-compliant as well. Business associates (BAs) of covered entities are also responsible for HIPAA compliance. Verify your cloud vendor’s controls and secure them in writing in your service agreement.
Keeping your network secure is critical to avoid HIPAA penalties and the hassle of an audit. Most importantly, it’s necessary to maintain the trust of your patients. While there are many aspects to remaining HIPAA-compliant, safeguarding your wireless LAN and your storage systems should be at the top of the list for network administrators.
* The information contained in this article is not intended to serve as legal advice nor should it substitute for legal counsel. This article is not exhaustive, and readers are encouraged to refer directly to the guidelines and seek additional detailed technical guidance to supplement this information.