HIPAA compliance documents do not tell you exactly what to do in your network.
Instead they are a framework to fulfill, here is a link to the HHS information in case you are interested:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
HHS is the U.S. Department of Health & Human Services
But unfortunately the details of what should be done is opaque at best.
It is better to review the SANS website as it is a Teaching of Security organization. One of their documents has a good review of HIPAA compliance
An interesting sidenote (The Criminals do not care about compliance or security, just whether they can hack your network resources) check our blogpost: http://oversitesentry.com/website-files-ransomed-not-just-personal-files/ )
In the following standard review (from the SANS document) wireless devices were discussed:
HIPAA Standards
While the Final HIPAA rules do not necessarily deal directly with wireless or any specific network device, the regulations cover many separate areas that deal with PHI (Personal Health Information). In summary the document deals with 3 major areas:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards.
The Administrative Safeguards section (164.308) provides regulation for the
management of healthcare organizations. Secondly, Physical safeguards
(section 164.310) regulate how physically secure the facility should be.
Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication.
This section is most relevant to our situation.
In order to provide the highest
security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards
that relate to our wireless scenario.
1. Access control (164.312(a)(1)) is simply what the name implies,
controlling who is granted access to the organization’s resources.
2. Auditing (164.312(b)) is maintaining logs of who accessed
a given resource at what time and where so that in the event of a security
compromise there will be an audit trail.
3. Integrity (164.312(c)(1)) consists of making sure that PHI is not
modified in any way by an unauthorized user during transmission
or storage.
4. Person authentication (164.312(d)) is authenticating that the person
the computer says they are is really the correct person. This could
be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
5. Transmission security (164.312(e)(1)) is ensuring that the network
transmissions are kept private and since the media is the air this is
a high priority in wireless environments.
So in essence to protect PHI (Personal Health Information) as in medical data, one has to perform basic security practices. And this has to be documented for any potential audits.
Contact Us as we help with compliance or documentation details.
Blogpost on HIPAA compliance from my blog:
http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/ blogpost from June 2015
Notice the tidbit of 10% of all organizations will be audited by Office of Civil Rights and if they so choose they will do some serious social engineering on your org.
Always better to be pro-active. make sure you have a good security policy in place. Set up a methodology of security not just a compliance checkbox policy.
Updated 01/31/2016
