blckflcn23
(blckflcn23)
1
I am setting up WiFi for a dermatology office and need to make sure that they are HIPAA compliant before I set them up. I cannot for the life of me find a straight, simple answer to what kind of encryption is acceptable in order to be HIPAA compliant. I thought AES was, but I have found a few articles that say otherwise.
The router that we will be using is a Buffalo N300.
12 Spice ups
Closest “spec” I’ve found was from summit4med.com
To satisfy the requirements of HIPAA, a hospital Wi-Fi system needs:
Strong, mutual authentication between every authorized client device and a hospital network where electronic protected health information (ePHI) is housed to ensure that only trusted Wi-Fi clients can gain network access and that trusted Wi-Fi clients are not tricked into connecting to an untrusted network
Strong encryption of ePHI that is transmitted between a Wi-Fi client and the hospital network
The Enterprise version of Wi-Fi Protected Access® 2, or WPA2®, satisfies the requirements of HIPAA. WPA2-Enterprise combines:
IEEE 802.1X for strong, mutual authentication of the Wi-Fi client device and the network
AES-CCMP for strong encryption of all transmitted data
The combination of 802.1X and AES-CCMP addresses the three security threats discussed earlier. To ensure HIPAA-compliance, a hospital should follow these best practices:
Ensure that a Wi-Fi client device can gain access to a hospital network only using WPA2-Enterprise with a strong EAP type.
Configure every trusted Wi-Fi client device to connect only to trusted APs.
Do not store EAP authentication credentials on client devices.
6 Spice ups
george1421
(George1421)
3
Unless the standards have recently changed it should be WPA2-AES. Can you point to the articles that discount AES as an encryption technology?
3 Spice ups
That’s because HIPAA doesn’t work that way. It is up to you to determine if something is “enough”, the government does not provide technical details of how to do this.
11 Spice ups
blckflcn23
(blckflcn23)
5
Thank you very much for your quick response. I truly am grateful.
I see that there was a revision to HIPAA compliance back on September 23, 2013, as mentioned in the link below. Is the information above current with that update?
http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/security-standards.page?
Having worked in HIPAA environments for years, I’m not aware of any part of the spec that would mandate this as a requirement. There are many ways to handle the need here. There are ways to do it with wide open, unencrypted wireless too.
comstar
(Tarsong)
7
So the short answer seems to be use WPA2 with a strong EAP.
It's a set of guidelines. Basically, if there is patient info, it had better be secured.
Firehawk has a lot of good info; I would also consider firewall settings and disable unnecessary ports on the router.
3 Spice ups
blckflcn23
(blckflcn23)
9
Interesting, my understanding is that there were certain criteria to meet in order to be HIPAA compliant. Well, based on the direction that this thread is going, it sounds like AES is the way to go.
george1421
(George1421)
10
I should have also mentioned to not use PSK (pre-shared keys) with this deployment. Either use EAP, LEAP, or PEAP for authentication.
1 Spice up
blckflcn23
(blckflcn23)
11
Will keep this in mind, thanks!
Spot on. The phrase “adequate controls” crops up a lot in HIPAA. What those are is up to you. If I’m in doubt, I’ll usually run a risk assessment and see what falls out of that.
2 Spice ups
blckflcn23
(blckflcn23)
13
Also, is there any formal documentation I can present to my superiors in order to back all this information?
ranhalt
(ranhalt)
14
This thread is pretty formal. You can quote us and everything.
7 Spice ups
Do you have an AD or LDAP server in place already?
1 Spice up
I would also just use SANS as a point of reference and learning.
2 Spice ups
george1421
(George1421)
19
You should be able to quote the document that firehawk159 outlined. If that is a direct quote, it tells you precisely what you need in the last 3 sentences.
Ensure that a Wi-Fi client device can gain access to a hospital network only using WPA2-Enterprise with a strong EAP type.
- WPA2 AES-CCMP using, for example, PEAP (not something like MD5)
Configure every trusted Wi-Fi client device to connect only to trusted APs.
- Block the clients from connecting to ad-hoc networks; only allow them to connect to Enterprise access points.
Do not store EAP authentication credentials on client devices.
- Do not use pre-shared keys that remain on the client.
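As an added example (not part of the thread or of any vendor's documentation), the three practices above can be turned into a small audit of client Wi-Fi profiles. This script parses wpa_supplicant-style `network={}` blocks and flags anything that is not 802.1X with AES-CCMP, that leaves a PSK or EAP password on the client, or that omits the `ca_cert` needed to verify the RADIUS server (i.e. a trusted AP). The two profiles are constructed sample data; the set of EAP types treated as weak is an assumption that only follows the thread's "not MD5" advice.

```python
import re

# Constructed sample profiles: one PSK network, one WPA2-Enterprise network
# that still stores the user's password on the device.
SAMPLE_CONF = """
network={
    ssid="clinic-psk"
    key_mgmt=WPA-PSK
    psk="stored-secret"
    pairwise=TKIP
}
network={
    ssid="clinic-ent"
    key_mgmt=WPA-EAP
    eap=PEAP
    pairwise=CCMP
    ca_cert="/etc/ssl/certs/clinic-radius-ca.pem"
    identity="nurse1"
    password="stored-secret"
    phase2="auth=MSCHAPV2"
}
"""

WEAK_EAP = {"MD5"}  # assumption: extend per your own risk assessment

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                k, v = line.split("=", 1)  # phase2="auth=..." keeps its inner '='
                fields[k.strip()] = v.strip().strip('"')
        nets.append(fields)
    return nets

def audit(net):
    """Check one profile against the three WPA2-Enterprise practices."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        findings.append("not 802.1X/WPA-EAP")
    if "psk" in net:
        findings.append("pre-shared key stored on client")
    if net.get("pairwise", "CCMP TKIP") != "CCMP":  # wpa_supplicant default allows TKIP
        findings.append("cipher not pinned to AES-CCMP")
    if net.get("eap") in WEAK_EAP:
        findings.append("weak EAP type: " + net["eap"])
    if net.get("key_mgmt") == "WPA-EAP" and "ca_cert" not in net:
        findings.append("no ca_cert: cannot verify the network is trusted")
    if "password" in net or "private_key_passwd" in net:
        findings.append("EAP credential stored on client")
    return findings

def audit_conf(conf):
    """Map each SSID to its list of findings (empty list means compliant)."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(conf)}
```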
blckflcn23
(blckflcn23)
20
Thanks, you guys are awesome!