For a HIPAA covered entity (i.e., a health provider), there is often a direct relationship between the health of the network and the health of the entity’s wallet, so to speak. A healthier network with strong security measures, is one less likely to be the subject of a complaint made to (and resultant fine assessed by) the Department of Health and Human Services’ (HHS) Office for Civil Rights. The topic of HIPAA network security requirements is discussed below.
What is HIPAA Network Security?
HIPAA Network Security – ensuring your computer network is secure, as required under the HIPAA Security Rule – consists of several measures and requirements. This HIPAA compliance network security article discusses one of these measures: wireless LAN protection.
HIPAA Network Security and Wireless LANs
One component of HIPAA network security requirements is properly securing your organization’s wireless LAN. A wireless LAN (local-area network) is a wireless computer network. This network links two or more devices through wireless connection, to form a LAN within a given area. The area is a limited area, such as a home, an office building, or a college campus. Through use of a wireless LAN, individuals may move around the area while connected to the network at all times.
Electronic protected health information (ePHI) can flow between networks through the use of what is called a gateway. Through the gateway, the wireless LAN provides a connection to the wider Internet.
No single provision of the HIPAA Security Rule covers wireless LAN requirements. Rather, these HIPAA network security requirements are sprinkled within the HIPAA Security Rule’s three categories of required safeguards: administrative safeguards, physical safeguards, and technical safeguards.
The administrative safeguards consist of workforce training requirements, password security requirements, access controls, proper backup, and the requirement to develop data security policies and procedures, among other items. Physical safeguards consist of maintaining the physical security of hardware and devices. Technical safeguards consist of specific security measures, such as securing and encrypting WLAN traffic.
Administrative safeguard WLAN security measures should include:
- Collecting logs of the WLAN administrators’ logon and logoffs.
- Enforcing strong password policies.
- Changing passwords when employees leave the organization.
- Maintaining administrator account passwords in a secure system.
- Using a WLAN that detects wireless security threats.
- Backing up the WLAN configuration, and storing it safely (e.g., at an offsite location or the cloud).
- Configuring the WLAN so employees who must access ePHI can remain connected to that ePHI.
Physical safeguard WLAN security measures should include:
- Using access points that offer protection from physical tampering, such as a locking mechanism or encryption modules. A wireless access point is hardware that allows Wi-FI devices to connect to a wired network. The access point typically connects to a router, via a wired network.
- Store WLAN controller equipment (a WLAN controller is hardware that manages network access points that allow wireless devices to connect to the network) in access-restricted areas (i.e., in areas that can only be accessed by specific authorized personnel, for whom access is required in the performance of job duties).
Technical safeguard WLAN security measures should include:
- Encrypted connection: WI-Fi Protected Access 2 (WPA2) and WI-FI Protected Access 3 (WPA3) are security protocols that offer more powerful encryption than their predecessor, WPA.
- Strong password requirements.
- Don’t broadcast your SSID.
- Use good wireless encryption.
- Use another layer of encryption when possible.
- Restrict access by media access control (MAC) address.
- Provide a separate network for guests.
