How can I prevent staff members from installing personal wireless access points?
HIPAA Weekly Advisor, July 27, 2003
Q: How can I prevent staff members from installing their own personal wireless access points on the facility's network?
A: The short answer is that there's no realistic way to completely prevent people from doing this.
A great starting point is to have a policy stating, at a minimum, that no one can install an access point (AP) without at least notifying the information technology or information security department first. You must also explain to all staff that introducing random APs onto the network is like installing new doors or windows (usually without locks) on a building without ever telling the owner. These doors or windows may have locks (i.e. passwords, encryption, etc.) installed by random individuals, but there's no way for the building owner (network/security managers) to keep up with who has access to the building (network) or to ensure that the access (security) is properly monitored and maintained.
Wireless local area networks (WLANs) that have been set up ad hoc and are not properly secured have not been properly hardened from the elements. If not managed properly, they could very well be in direct violation of several of the security rule requirements, and technically the privacy rule as well. A WLAN that's properly secured, monitored, and maintained should be fine. The only way to know is to perform a risk analysis.
If you've got a large enough potential for WLAN misbehavior and you have the budget, there are third-party products from companies like AirDefense, BlueSocket, etc., that can, among other things, monitor your WLAN for rogue APs and other intrusions. If you cannot justify the purchase of a WLAN security appliance and you have the time and patience, you can simply install a product such as Network Stumbler on a laptop with a WLAN card and walk through your building every so often to scan for APs that don't belong.
Editor's note: Answered by Kevin Beaver, CISSP, founder and president of Atlanta-based information security consulting firm Principle Logic, LLC, and adapted from the upcoming July 2003 issue of Healthcare Information Security.
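The walk-through scan described in the answer only helps if someone compares what the laptop sees against the list of APs IT actually installed. The script below is an added example and is not code from the article or from Kevin Beaver; it assumes a Linux laptop whose scan output is the text format of `iw dev <iface> scan` (the article mentions Network Stumbler on Windows, which exports different text), a hypothetical inventory dict keyed by BSSID, and a hypothetical signal threshold of -70 dBm for "probably inside the building". The sample scan output is constructed. The check it adds that a plain scan does not: match on BSSID (the radio's MAC), not on SSID, because a personal AP can be configured to broadcast the facility's own network name and would otherwise blend in.

```python
"""Added example (not from the original article): flag APs seen in a
walk-through scan that are not on the facility's authorized inventory.

Assumptions (not from the article): scan text is in the format printed by
`iw dev <iface> scan` on Linux; the inventory is a dict keyed by BSSID;
a signal stronger than ON_PREMISES_DBM is treated as "probably inside".
"""
import re
from dataclasses import dataclass

# Hypothetical inventory: the APs IT installed, keyed by BSSID (MAC address).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CLINIC-STAFF",
    "00:11:22:33:44:02": "CLINIC-STAFF",
}

# Assumption: anything louder than this was probably heard from inside the
# building rather than from the office next door.
ON_PREMISES_DBM = -70.0

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    signal: -48.00 dBm
    SSID: CLINIC-STAFF
    RSN:     * Version: 1
BSS 00:11:22:33:44:02(on wlan0)
    signal: -61.00 dBm
    SSID: CLINIC-STAFF
    RSN:     * Version: 1
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    signal: -40.00 dBm
    SSID: CLINIC-STAFF
    WPA:     * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
    signal: -55.00 dBm
    capability: ESS (0x0001)
    SSID: linksys
BSS 66:77:88:99:aa:bb(on wlan0)
    signal: -82.00 dBm
    SSID: CoffeeShopGuest
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    signal_dbm: float
    encrypted: bool


def parse_iw_scan(text):
    """Turn `iw dev ... scan` text into AccessPoint records, one per BSS block."""
    aps = []
    current = None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", raw)
        if m:
            if current is not None:
                aps.append(current)
            current = AccessPoint(m.group(1).lower(), "", 0.0, False)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            current.ssid = line[len("SSID:"):].strip()
        elif line.startswith("signal:"):
            current.signal_dbm = float(line.split()[1])
        elif line.startswith(("RSN:", "WPA:")):
            current.encrypted = True          # WPA/WPA2 advertised
        elif line.startswith("capability:") and "Privacy" in line:
            current.encrypted = True          # legacy WEP flag
    if current is not None:
        aps.append(current)
    return aps


def classify(aps, authorized):
    """Map each BSSID to a finding. Keyed on BSSID, not SSID, on purpose."""
    known_ssids = set(authorized.values())
    findings = {}
    for ap in aps:
        if ap.bssid in authorized:
            findings[ap.bssid] = "authorized"
        elif ap.ssid in known_ssids:
            # Our network name on hardware IT never installed: top priority.
            findings[ap.bssid] = "evil-twin"
        elif ap.signal_dbm < ON_PREMISES_DBM:
            # Faint: likely a neighbor. Note it and re-check on the next walk.
            findings[ap.bssid] = "unknown-weak"
        elif not ap.encrypted:
            findings[ap.bssid] = "rogue-open"
        else:
            findings[ap.bssid] = "rogue-encrypted"
    return findings


def report(scan_text=SAMPLE_SCAN, authorized=AUTHORIZED_APS):
    """Print and return findings for a scan; anything not 'authorized' needs a visit."""
    findings = classify(parse_iw_scan(scan_text), authorized)
    for bssid, verdict in findings.items():
        print(f"{bssid}  {verdict}")
    return findings


if __name__ == "__main__":
    report()
```

Two caveats a practitioner should keep in mind when using something like this: a BSSID is only a MAC address and can be set to anything, so an "authorized" verdict is a first filter, not proof that the radio is the one IT installed (walk to it and look); and "rogue-encrypted" is still a rogue, since the point of the article is that a password chosen by whoever plugged the box in does not give the network owner any control over who has it.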