By Carl Weinschenk
With Lee Kelly, senior security analyst at Fortrex: During the past year, the financial and healthcare industries have been subject to new rules and regulations concerning the handling of sensitive information. Among other things, Fortrex advises healthcare-related businesses on security issues.
This interview originally appeared in the IT Business Edge weekly report on Empowering a Mobile Workforce. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
Question: How does the Health Insurance Portability and Accountability Act (HIPAA) impact people who use mobile computing devices?
Kelly: They have to pay attention as well. Take the healthcare field. Companies potentially transmit, store, and process PHI [Protected Health Information]. The wireless network is just an extension of current networks, but its use has different ramifications. For a wireless computer to connect to a network, it sends a signal to an access point. The AP can broadcast that signal over a wide area and anyone potentially can connect. The stories you hear about people driving by, sitting in parking lots and connecting are true. In a traditional wired network, you don't have that.
Question: What do you recommend?
Kelly: First: Use wireless only based on business need, not because it's the latest and greatest high-tech toy. Second, in the configuration of the AP, it is crucial to do things like not broadcast the AP signal, filter or restrict who can connect through the AP and, above all—even if you do the other two—encrypt the traffic. Where you place the AP in the overall network architecture is also critical. We generally recommend that it go in a DMZ, just in case someone breaks in.
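As an added example that is not part of the interview, here are the three access-point settings Kelly lists (don't broadcast the name, restrict who can associate, encrypt the traffic) expressed as a hostapd configuration for a Linux-based AP. The interface name, SSID, passphrase and accept-list path are assumed placeholders; DMZ placement is a network-design decision that no single AP file captures.

```ini
# Constructed hostapd.conf for a clinic access point (example, not from the article).
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ssid=clinic-wifi

# 1. Do not broadcast the AP name. The default, ignore_broadcast_ssid=0,
#    advertises it in every beacon. Value 1 sends an empty name instead.
#    Clients still name the network when they probe for it, so this only
#    reduces casual discovery; it is not a substitute for encryption.
ignore_broadcast_ssid=1

# 2. Restrict who can connect. macaddr_acl=1 rejects any station whose
#    MAC address is not listed in the accept file (the default, 0, allows all
#    unless explicitly denied). Per-user 802.1X (wpa_key_mgmt=WPA-EAP with a
#    RADIUS server) is the stronger form of this control where available.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# 3. Encrypt all traffic. wpa=2 enables WPA2/RSN only; restricting the
#    pairwise cipher to CCMP (AES) excludes WEP and TKIP entirely.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE
```

Of the three, only the encryption setting protects PHI in transit; the first two raise the bar for an opportunistic connection from the parking lot, which is why Kelly says to encrypt even if you do the other two.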
Question: It seems that in healthcare, groups of folks that aren't as aware of regulations might be using the gear. Is this a potential problem?
Kelly: For example, at a teaching hospital, students may use wireless devices to go on rounds and to do school work and clinical work. They may be using the same devices at home. In some cases, the PDA may be used for the student's personal life as well. Now you would have [PHI] data stored on that device being taken to parties, being taken home. It does expose data to risk. It needs to be looked at with common sense.