If you have a health care facility of any sort in the United States, HIPAA regulations are a major concern. These laws are designed to protect the private data and information of those receiving health care, and their enforcement is taken very seriously.
At the end of the day, there are few personal revelations that can be more damaging to a person than a release of their medical records, so it's vital every health care provider take their data-handling responsibilities seriously.
While HIPAA regulations are extremely complex, and you should always double-check with your lawyer, we've got some general tips for helping make your network compliant.
HIPAA Compliance Checklist
1 - Physical Security
One burden of HIPAA beyond that of most networks is that you need to keep your hardware physically secured. While it's certainly a good idea for anyone to keep their server room locked, this is generally a requirement for health care businesses.
Similarly, your access points also need to be physically secured in some way, since a clever hacker can sometimes gain access to a network if they can get their hands on the wireless access point. Your access points should be kept away from visitors, by:
-
Placing them high on the ceiling,
-
Putting them inside ceiling dropspace, or within walls,
-
Or using a locked cage of some sort that prevents physical access.
There's nothing special required here, just a good-faith effort to keep your hardware secure from unauthorized physical intrusion.
2 - Network Segregation
In terms of setting up your network topography, it boils down to this: Patients, visitors, and anyone else not cleared to access patient records need to be kept far away from them.
Generally, the most secure methods involve simply wiring up a separate physical network. If your public Internet access is no way touches your business network, unauthorized intrusions are virtually impossible.
Otherwise, most business-grade wireless access points allow the creation of "guest account" networks, which are kept on separate subnets. When backed up by robust security policies ensuring that subnet is isolated, this is nearly as secure as a physically separate system.
Under no circumstances should you allow a guest access to your primary business network, ever. It's a huge security risk, and one that's unwarranted.
3 - Employee Training
Proper staff training is another vital element. Every worker with access to patient records must be kept up-to-date on policies regarding the handling of NPI. (Non-Public Information.) This should include:
-
Password selection and protection procedures
-
Training on how to recognize and avoid "social engineering"
-
Data collection, storage, and deletion policies
-
Legal liabilities and responsibilities
Remember, the "human element" is often the most vulnerable area of network security. No one can train your staff in secure data handling procedures except you, and if they drop the ball, it's your clinic that takes the heat.
4 - Error And Breach Reporting
Finally, compliant systems are required to have robust tracking and reporting of all discrepancies, errors, and breaches as they occur. HIPAA regulations require prompt notification if a patient's information is stolen.
Experiencing a data breach is bad. Attempting to cover up that data breach is much, much worse if a company is caught sweeping an intrusion under the rug.
Even if you (wisely) hope they'll never be utilized, you must have collation and reporting procedures in places to disseminate information about an attack if it occurs. The penalties for failing to report a data breach are too steep to ignore.
HIPAA Compliant Networks Help A Clinic Succeed
Having in-office WiFi and guest access is a good idea for virtually any organization with walk-in business, and it's no different for medical clinics. As long as you stay within HIPAA regulations, there's no reason you can't implement a robust and useful WiFi network.
And for more tips on securing your network, please don't hesitate to contact us with your questions!