Welcome back and thanks for checking out the second article of our newsletter. If this is your first since subscribing, welcome and we hope you enjoy! You can also go back and review previous articles on our website (BLOG). As we continue down our paths to explore PHIPA compliance, RCDSO guideline adherence and network security best practices, we wanted to take this opportunity to talk about wireless network security a bit.
These days all of us seem to carry around some kind of portable wireless device. Whether we’re staying connected with a tablet, laptop, or cell phone, one thing is certain: Wireless networks are everywhere and they’re very convenient! They allow us to move around without ugly cables getting in the way and help us save money on our expensive data plans on our phones.
But are they secure?
More importantly, is the wireless network at your practice secure enough to protect Patient Health Information (PHI)? What should you know about offering a guest wireless network to patients at your practice?
I think it’s important to start by being clear on who says what, so I’ll point out that PHIPA says you need to take “Reasonable Steps” to secure your network, and the RCDSO says that “The Electronic Records Management System has no wireless access points, unless they are appropriately secured.” Equipped with that information we turn to general wireless network security to understand what this means.
Without diving into too much technical detail I’ll tell you that breaking into wireless networks isn’t a very difficult task in most implementations these days. With tools like YouTube at our fingertips there’s no shortage of tutorials that even a moderately technical person can follow effectively to copy and paste commands until they’ve got it figured out. Depending on how a wireless network is secured and what equipment you’re using to provide it, it can take as little as seconds to minutes to break right in and be on your network. The most common kind of wireless network configuration these days (WPA2) would take less than five minutes to capture the info required for an evil doer to go home and “brute force” your password (use computers to keep guessing until it gets it right). Depending on the skill level of the evil doer and the complexity of your password, it can take minutes to a few months to break. Regardless of how much time it takes, typically the person who took this info starts a computer program then walks away until the password is found. If they’re willing to be patient they’re going to get in!
I don’t want “breaking into wireless networks” to be the focus of this newsletter so I’ll stop there, but my point was to outline that wireless networks aren’t the most secure things out there and it’s important to be informed!
So, then what does this mean? Do we throw our hands in the air, disable the office wireless and consider living with foil helmets for the rest of our days?! No, certainly not! Many see the value in offering their guests free wifi; others just want to have it as a nice extra for staff to be able to use with their phones.
Whatever your motivation, the most important question you should be asking is not “how do I protect the wireless network from someone breaking in” but instead “what can be accessed from the wireless network if someone does break in”?
There are many different design options available depending both on what you need from your wireless network and also on how loosely or tightly you’re interested in interpreting RCDSO’s guideline to have your wireless “appropriately secured”. To provide some input, here are a few suggestions we recommend to our clients to keep their PHI safe, increase their wireless network security, and to generally limit their legal liability for a guest network.
Guest Wireless Network Only
A true guest wireless network is isolated from your internal network completely. When connected, it should not be possible to see or access computers, servers, printers, or anything else in your office technology because it’s technically a separate network completely.
Block Intra SSID Traffic
What this means is that no device on the wireless network is capable of seeing/reaching/accessing any other devices on the same wireless network because it’s blocked. With this setting enabled all devices are isolated, so if a hacker connects and wants to cause problems, they won’t be able to do anything that puts any other connected devices in harm’s way.
Consider a legal disclaimer
Consider showing a legal disclaimer as guests connect that essentially tells them that they are connecting at their own risk and that your clinic is not responsible for any content they may encounter on your wireless network. This step isn’t required, but from a legal point of view it protects you if a user connected to your guest wireless network gets infected with a virus and feels that it is your fault for some reason.
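To confirm that the first two suggestions actually hold on your equipment, the script below (an added example, not part of the original newsletter) is run from a device joined to the guest wireless network and checks whether internal systems or another guest device answer. Every address and port in it is a constructed placeholder to replace with your own.

```python
import socket

# Constructed sample addresses (assumptions): substitute your own.
# "internal"   = office systems a guest must never reach
# "guest_peer" = another device joined to the same guest SSID
TARGETS = [
    ("internal", "192.168.1.10", 445),    # file server
    ("internal", "192.168.1.20", 3389),   # front-desk workstation
    ("internal", "192.168.1.30", 9100),   # network printer
    ("guest_peer", "192.168.50.23", 80),  # second test device on guest Wi-Fi
]


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP attempt as 'open', 'refused' or 'blocked'."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        # A reset came back, so something answered: the host itself or a
        # firewall set to reject. Either way it needs a look.
        return "refused"
    except OSError:
        # Timeout or unreachable: nothing answered.
        return "blocked"


def audit(targets, timeout=2.0, connect=socket.create_connection):
    """Return a list of findings; an empty list means both controls held."""
    findings = []
    for kind, host, port in targets:
        state = probe(host, port, timeout, connect)
        if state != "blocked":
            control = ("guest/internal separation" if kind == "internal"
                       else "intra-SSID blocking")
            findings.append((control, host, port, state))
    return findings


if __name__ == "__main__":
    results = audit(TARGETS)
    for control, host, port, state in results:
        print(f"FAIL {control}: {host}:{port} is {state}")
    if not results:
        print("PASS: no internal system or guest peer answered")
```

A guest device that runs its own host firewall can show as blocked even when intra-SSID blocking is off, so use a test device you know answers on the chosen port.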
As mentioned in our previous newsletter, our goal is to help you understand your risks so you can make informed decisions regarding your technology. Whether you are going to follow our recommendations or not, you have an idea of risks involved and steps that can be taken to mitigate them.
Before I wrap this up, I’m forced to make a shameless plug! If you are interested in a quick third-party review of your wireless network security and implementation, give us a call. If you want an even bigger assessment of your network where we review things such as backups, firewall, antivirus, servers, workstations, secure PHI transmissions, and many other settings, this would be a great opportunity to take advantage of our 10% Network Audit discount for your first Network Audit.
If you like this newsletter, please help us by passing it along to someone you know who may benefit from the things we write about. Signup for the newsletter can be found here.
If you would like more info or have any questions or comments, or if you have any topics you’d like us to cover in future newsletters please email us at firstname.lastname@example.org
Take care, thanks for reading, and until next time….have fun :o)
iionIT Network Solutions Inc.