HIPAA and Network Configs

Tony Wasson plug-discuss@lists.plug.phoenix.az.us
Mon, 6 Jan 2003 16:14:51 -0700


WEP is broken, and was only designed to prevent 'casual eavesdropping'. Do
NOT rely on it for security, no matter what any salespersons tell you.

>> The replacement for WEP that's coming out is supposed to be
>> sufficient.

>Any idea where we can find info on this new replacement, and when it's
>slated for release (if at all)?

For secure wireless access, you can use a VPN or you can use the new
802.11i.
(Disclaimer: I receive money from Cisco for consulting.) Cisco has been
doing a prestandard 802.11i for a few years; it is known as LEAP. The
downside is that you'll need to use all Cisco NICs and access points. There
may be other vendors who sell similar technologies, but you'll save yourself
headaches if you go with a single vendor -- at least until 802.11i is proven
to be interoperable. There is also a newer security feature called WPA being
pushed. Please note that it is an interim fix until we all get to 802.11i,
and I would treat it as an interim technology only.

HIPAA regulations make several references to the word 'reasonable' and the
need to 'secure protected health information.' These are rules that go into
effect April 14, 2003. Only a marketing person could say using WEP qualifies
as 'reasonable' efforts to secure information. ;-)

The proposed security rule (which won't go into effect for at least 2 years)
requires encryption to be used on 'open networks'. This would logically
include wireless networks. There is NO verbiage in HIPAA I've seen forbidding
802.11a/b/g networks. The regulations do not state what specific
technologies to use for encryption (thankfully!). However, any company that
is doing a real compliance process should document why they made their
choices and how they are securing them.

Hope this helps!
Tony Wasson
Desert Computing
(623) 332-5280