HIPA and Network Configs

Gary Nichols plug-discuss@lists.plug.phoenix.az.us
Sat, 4 Jan 2003 14:37:22 -0700


On Saturday, January 4, 2003, at 12:51 PM, Kevin Brown wrote:
> The company I now work for is still in the ramp-up phase and will be 
> doing medical research and so there is some concern about how we can 
> set up our network to link the various lab spaces that have been
> donated to us.
>
Only the HIPAA Privacy rule has been finalized, and you have until 
April 14th to comply (unless you've filed for an extension).
The HIPAA Security rule has not been finalized yet.  We were supposed 
to see something around December 27th, but that was delayed... again.  
I'd recommend you grab a copy of the proposed rule and do some reading.

> The concerns are with allowing 802.11 wireless access to our network 
> and using Wireless bridges to link up some labs that are near each 
> other.  Does anyone have any advice/pointers that could help?
>

If you are pushing patient records or anything that is considered
Protected Health Information (check the rule for the definition of
PHI), wireless is NOT appropriate even with WEP. You may consider
doing a VPN across wireless devices, but I guarantee you that any
auditor worth his salt will still nail you to the wall on it because
802.11x is not a government-approved transmission medium for secure
data. If you want more details, I can provide them.

The proposed rule requires that any PHI traveling across a public 
network or spectrum be encrypted with the current recommended 
encryption standard.  See the rule for details, too much to mention 
here.

As the ISO for $large_insurance_company, I can tell you that compliance
with the proposed security rule isn't hard - it just requires a lot of
common sense, money and time.

Good luck.