Wireless Security: Six TipsExperts Offer Insights on Protecting Wireless Networks, Devices
"These days, even smaller healthcare organizations are using wireless," says security specialist Kate Borten, president of The Marblehead Group. "You may feel as though your wireless network is part of your private LAN. But because these wireless signals go out over the airwaves, you really need to think of your wireless network more as if it's a public network."
As a result, it's essential that organizations take full advantage of the advanced security features, such as encryption and authentication, that come built into most newer wireless networks, Borten stresses.
Risk ManagementAnd because so many healthcare organizations are now enabling physicians to access certain clinical information via smart phones and other wireless devices, risk management strategies "must include how to manage all the risks outside of your own walls," says security expert Rebecca Herold, owner of Rebecca Herold and Associates.
To comply with both the HITECH Act and HIPAA, "you need to make sure that only those who are authorized are able to access protected health information," Herold notes. Wireless networks and devices bring along the capability of having unauthorized people access information, she says. "So making sure that those devices and networks are appropriately secured is a very important thing to do.
The two security advisers offer six tips for a wireless security strategy:
1. Wireless Policies, ProceduresHealthcare organizations need to develop policies and procedures, based on a detailed risk assessment, that address the specific risks related to wireless networks and devices, Herold stresses.
"Make sure those policies and procedures are communicated to everyone using wireless devices and networks," she says.
2. Using EncryptionApplying encryption to wireless networks as well as smart phones and all other wireless devices is an essential component of a risk management strategy, Herold and Borten stress.
"A healthcare organization has a lot of very sensitive information that travels through its wireless networks," Herold notes. "They need to make sure that if they have sensitive data flying through the air ... that the data is strongly encrypted ... so those who can see the network can't also see the data."
3. Standardizing Wireless DevicesBorten and Herold recommend organizations consider the feasibility of requiring physicians and others to use only certain wireless devices when remotely accessing clinical data.
"Organizations are recognizing that certain hand-held devices simply don't have the security capabilities that others do," Borten notes. As a result, some are considering requiring the use of those devices that have the best security features.
"My hope is that as time passes, any hand-held device is going to come with easy-to-use encryption and authentication capabilities," Borten says. "But I don't think we're there today."
Ideally, only those devices that the healthcare organization owns should be used by clinicians so consistent security measures can be taken, Herold says.
But if an organization cannot standardize devices in that way, they must "identify every person in the organization who is using a wireless device for any type of business activity, even if they are only using it for e-mail," she says. That way, IT staff can take steps to make sure that each device is properly secured and that users receive ongoing training on their devices' security features.
4. Wireless Networks in the HomeOrganizations must make certain that employees as well as independent contractors who access patient information from their homes using their own wireless networks take adequate security precautions, including the use of encryption and firewalls, Herold says.
For example, they should use a router with a built-in firewall "so that their neighbors or those driving by can't just jump onto the network and, as a result, potentially jump onto the organization's network as well," she notes.
5. Incident Response PlanHospitals and clinics need to be adequately prepared for handling a wireless security incident.
"Make sure that you have a documented incident response plan in place and a trained incident response team who knows how to best respond to a lost or stolen wireless device - or any other security incidents for that matter," Herold says.
The incident response team should be prepared to use remote device disabling tools to make sure any information on a smart phone is inaccessible and that the device cannot be used to access the network, she adds.