Addressing HIPAA privacy compliance on hospital wireless networks

Medical devices, tablets, smartphones and RFID are forcing hospital wireless networks open. HIPAA privacy compliance is harder than ever, however. Here's how CIOs can cope.

This article, the second in a three-part series, examines the sometimes thorny issue of Health Insurance Portability and Accountability Act (HIPAA) privacy compliance as it relates to the use of wireless medical devices. Part 1 provided 10 tips for implementing a hospital wireless network.

Health care CIOs are caught between a rock (technology) and a hard place (regulation). On the one hand, demanding patients and increasing numbers of wireless medical devices are requiring they open up their wireless networks. On the other, tighter rules for HIPAA privacy compliance are forcing them to lock networks down with encryption and tighter access control, lest they find their facility's name posted on a government website in connection with a data breach.

For John Cameron, computer technical specialist and wireless technician at the 121-bed Milford Regional Medical Center in Massachusetts, accommodating guests while maintaining HIPAA privacy compliance on the facility's new wireless network begins with three technology measures:

• Partitioning the network and keeping patient data and guest activity on separate partitions

• Limiting guest activity to the browser -- that is, no virtual private networks, or VPN, or other applications

• Using public domain name servers, or DNS, for the guest partition, not the hospital's own

HIPAA guidelines should also be taken into account when the hospital's medical equipment buyers order new wireless gear, Cameron recommended. Not every monitoring device or wireless intravenous pump can encrypt the protected health information that HIPAA covers, such as a patient's name and date of birth, as it crosses the network. That limitation should be factored into buying decisions whenever possible. On the same point, every medical device already in use on a hospital's wireless network should be evaluated and its security settings raised to the strongest the device supports, he added.

"Work with the [wireless and biomedical equipment] vendors on getting the highest security level you can get with what you have," Cameron said. "Biomedical gear is a couple years behind in the wireless field. Eventually, when they come on to the wireless, we need to make sure they can withstand a certain amount of encryption . . . and make sure it's within the HIPAA guidelines."

For Robert Mann, manager of information technology for Westminster Canterbury Richmond, a continuing care retirement community in Virginia, the HIPAA wireless compliance problem is especially thorny. The community's three-floor, 158-bed facility uses the network in delivering health care, but its 900 residents also access it for personal use. That represents 900 more potential entry points for malware or other unauthorized access, a risk that hospitals with more transient populations might not face. Yet the facility chose to offer Internet to residents via Aruba Networks Inc. wireless gear because wiring the community's 1970s-vintage buildings would have exceeded the budget.

"We decided this would be a great place to kick off our great enterprise wireless initiative," said Mann, whose network recently was further upgraded to accommodate physicians and nurses accessing Westminster Canterbury's electronic health record (EHR) system via laptops and bedside workstations on wheels. "This is going to give us real-time documentation," he said.

To do that while maintaining compliance with HIPAA and the Payment Card Industry Data Security Standard (PCI DSS), his team first set up virtual LANs (VLANs) on Cisco Systems Inc. switches to cordon off sensitive areas of the network, Mann said. To keep patient data locked down, the team then put a policy enforcement firewall on the wireless side. Only after that did they slowly roll out wireless in the health care buildings, testing for vulnerabilities as they went.
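Cameron's three guest-partition measures above (separate partition, browser-only traffic, public DNS) and the VLAN-plus-policy-firewall approach Mann describes come down to one egress ruleset for the guest VLAN. The following Python example is added here and is not code from either facility or from any vendor; every address, range and resolver in it is a hypothetical placeholder. It models that ruleset with a firewall's first-match semantics, renders the same policy as an nftables configuration for a Linux guest gateway, and checks it against constructed probe flows of the kind a segmentation test run from a guest device should attempt.

```python
"""Guest-VLAN egress policy: a first-match model of the firewall rules and the
nftables ruleset that implements them. All addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing: replace with the real guest and clinical ranges.
GUEST_NET = ipaddress.ip_network("10.50.0.0/16")             # guest wireless VLAN
PRIVATE_NETS = [ipaddress.ip_network(n)                      # clinical, EHR, back office
                for n in ("10.0.0.0/8", "172.16.0.0/12",     # and the hospital's own DNS
                          "192.168.0.0/16")]                 # all live in these ranges
PUBLIC_RESOLVERS = [ipaddress.ip_address(a)                  # handed out by guest DHCP
                    for a in ("9.9.9.9", "1.1.1.1")]
WEB_PORTS = (80, 443)                                        # "browser only"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "esp", "icmp", ...
    dport: Optional[int] = None


def decide(flow: Flow) -> str:
    """Return "accept" or "drop" for a new flow leaving the guest VLAN,
    evaluating the rules in order and stopping at the first match."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in GUEST_NET:
        raise ValueError(f"{flow.src} is not a guest address; wrong chain")
    # 1. Nothing from the guest partition may reach any internal range. This
    #    sits first so that the later accepts (HTTPS, DNS) cannot open a path
    #    to an internal web front end or to the hospital's own resolvers.
    if any(dst in net for net in PRIVATE_NETS):
        return "drop"
    # 2. DNS only to the public resolvers guests were given by DHCP.
    if flow.proto in ("tcp", "udp") and flow.dport == 53 and dst in PUBLIC_RESOLVERS:
        return "accept"
    # 3. Browser traffic to the Internet.
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        return "accept"
    # 4. Default deny: VPN (IKE/ESP, OpenVPN, PPTP), SMB, RDP, anything else.
    return "drop"


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset for the guest gateway."""
    priv = ", ".join(str(n) for n in PRIVATE_NETS)
    resolvers = ", ".join(str(a) for a in PUBLIC_RESOLVERS)
    ports = ", ".join(str(p) for p in WEB_PORTS)
    return (
        "table inet guest_egress {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy drop;\n"
        "    ct state established,related accept\n"
        f"    ip saddr {GUEST_NET} ip daddr {{ {priv} }} drop\n"
        f"    ip saddr {GUEST_NET} ip daddr {{ {resolvers} }} udp dport 53 accept\n"
        f"    ip saddr {GUEST_NET} ip daddr {{ {resolvers} }} tcp dport 53 accept\n"
        f"    ip saddr {GUEST_NET} tcp dport {{ {ports} }} accept\n"
        "  }\n"
        "}\n"
    )


# Constructed probe flows, the kind a segmentation test from a guest laptop
# should try; each pairs a flow with the decision the policy must produce.
PROBES = [
    (Flow("10.50.3.21", "10.10.0.53", "udp", 53), "drop"),        # hospital DNS
    (Flow("10.50.3.21", "10.20.4.10", "tcp", 443), "drop"),       # EHR web front end
    (Flow("10.50.3.21", "9.9.9.9", "udp", 53), "accept"),         # issued public resolver
    (Flow("10.50.3.21", "8.8.8.8", "udp", 53), "drop"),           # resolver not issued
    (Flow("10.50.3.21", "93.184.216.34", "tcp", 443), "accept"),  # public website
    (Flow("10.50.3.21", "203.0.113.7", "udp", 1194), "drop"),     # OpenVPN
    (Flow("10.50.3.21", "203.0.113.7", "udp", 500), "drop"),      # IKE
    (Flow("10.50.3.21", "203.0.113.7", "esp"), "drop"),           # IPsec ESP
]


def audit(probes=PROBES):
    """Return the probes whose actual decision differs from the expected one."""
    return [(f, exp, decide(f)) for f, exp in probes if decide(f) != exp]


if __name__ == "__main__":
    print(render_nftables())
    print("policy mismatches:", audit())
```

Two points a practitioner should keep in mind when adapting this: the "drop to internal ranges" rule must stay ahead of the web and DNS accepts, otherwise an internal EHR portal on port 443 becomes reachable from the guest partition; and the rendered ruleset matches only IPv4 (`ip saddr`), so if guest clients obtain IPv6 addresses, their IPv6 traffic falls through to the chain's default drop until equivalent `ip6` rules are added.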


Secure, HIPAA-compliant healthcare wireless networks begin with a locked-down wired network, stressed both Mann and Scott Vachon, manager of network services for the Laconia, N.H.-based two-hospital LRGHealthcare system. Once access to the wired network's sensitive segments is properly limited and secured, wireless security, with encryption, traffic routing and access policies, can be tackled.

"My CIO and I both come from financial companies, so we're schooled in PCI," Vachon said. "[PCI and HIPAA] are not so different. We practice defense in depth, so everything we do, we start at 'no,' then work our way out and say, 'What do we need to open up to meet your requirements?'"

Mann stresses that HIPAA privacy compliance is an ongoing process. After the hospital wireless network becomes operational, the work has just begun. Maintaining security is a matter of testing and retesting, as well as going over areas where maintenance operations could affect wireless gear and its function.

"For us it's not a case of 'set it and forget it,'" Mann said. "It's something that we've brought along, something we've grown. But we continue to monitor it, we continue to have third-party vendors come in and do testing on it."

The third and final article in this series examines the growing use of medical radio frequency identification (RFID) technology and how that affects a hospital's wireless network. Let us know what you think about the story; email Don Fluckinger, Features Writer.
