General discussion

  • Creator
  • #2291936

    Wireless and HIPAA


    by aaronk ·

    Hi all. I am a Network Administrator for a large healthcare provider. As part of our continuing technology upgrades, we need to install a wireless network to support iPAQ devices. I know WEP is not HIPAA compliant, but I cannot seem to locate any WPA-compliant network cards that will work on Pocket PC. Anyone have any ideas as to what we can do?

    Thanks in advance.


All Comments

  • Author
    • #3297361

      Untried idea

      by stress junkie ·

      In reply to Wireless and HIPAA

      I’ve thought about the problems of using wireless network devices for a few months. It seems to me that you can treat your wireless LAN like you would treat the Internet. Put a firewall between your wireless network and your cabled LAN, then create a VPN from the firewall to the wireless LAN. All of your wireless traffic would be encrypted. Let me know what you think. I’m very interested in other people’s thoughts about my idea.

      • #3297254

        Interesting Thought

        by aaronk ·

        In reply to Untried idea

        It's a nice idea; however, that would then require my users to log in to the network via VPN. The users of said devices will be doctors, so whatever I do needs to be as simple as possible.

        • #3315625

          HIPAA = logging in

          by lamarrk ·

          In reply to Interesting Thought

          Requiring a log-in would make your HIPAA compliance stronger. I also work at a large hospital and we’re planning an implementation of 300 to 500 access points. We will also be using a VPN tunnel to secure the wireless communication between the access points and the mobile devices (iPAQs, laptops, etc.).

    • #3315327

      I know your pain!

      by kcrabb ·

      In reply to Wireless and HIPAA

      I too am trying to implement a wireless option in some of the clinical areas in our hospital. The VPN solution is what we tried first. We set up a large concentrator on the back end (but not big enough, as it turned out) and set up client-based authentication using LDAP. It is pretty easy for the user to figure out, and since it is LDAP they do not have to know another password ("they have to remember medical stuff and not a bunch of passwords," one doc told me). The drawback that we are finding is that the concentrator that we thought was good is not big enough for our needs.
      We are looking at PEAP as a more secure way. I know that most of the standard wireless cards are upgrading to the latest version of this (Dell released a patch in the past couple of weeks for theirs). The Microsoft flavor tries to rule over all of them, and is not very good at it right now (I know you are all shocked). Once removed, other clients can be used, from standalone software like the one from Meetinghouse or just configurations on the card itself like in the new Dell drivers.
      The other option is hardware at the access point. There are several companies that have tackled this by putting what is basically a firewall at the access point, so that it sits between the access and the ‘wired’ network. Some of these are set to have authentication, again with LDAP or AD, etc. The drawback on these that we have seen is that, so far, they do not span subnets very well. In a smaller network setting it would be great, but in the larger ones it starts to become cost prohibitive.
      I hope this helps. Anyone else feeling the HIPAA pain with wireless?
