Many healthcare organizations are surprised to learn they’re number one on the list of most attacked industries. In fact, even the FBI has released warnings about how vulnerable healthcare organizations are. But why are they so commonly targeted? Because personal information, like patient records, is incredibly lucrative for cybercriminals. CBS News notes a few interesting numbers relating to the cost of personal information on the dark web:
- Patient records: $1,000
- Social security numbers: as little as $1
- Credit card information: $110
Think about it… Patient records typically contain all of the information a cybercriminal would need to commit identity or financial fraud. This is even truer in the event of terminally ill or recently deceased persons.
Did you know a cyber-attack occurs every 39 seconds? [1]
There is a strong and growing interest in having wi-fi available in doctor’s waiting rooms. When people may have to wait for a while (even the most efficient doctor sometimes runs late), they want to be able to check their email or even potentially work in the waiting room. But with a cyber-attack occurring every 39 seconds, it’s important to ensure your network is secure against threats.
Unfortunately, allowing patients to access wi-fi can create security problems. Incorrect use of the network by employees can also cause issues. HIPAA compliance makes this particularly thorny for medical offices, as a security breach can have significant regulatory and legal implications.
So, what can medical offices do to provide wi-fi access and convenience without endangering patient records? Here are some tips:
- Have a separate private and public network: This is the most important step you can take. Waiting room wi-fi should, ideally, be separate from the office wi-fi network, using a different router or at least a separate virtual network. Your public-facing wi-fi should use separate SSIDs. Having a separate network also helps keep the person who is streaming video in the waiting room for their restless kid from eating up bandwidth the office needs.
- Secure the waiting room wi-fi for the protection of your patients: Make sure that the network ID is posted visibly so that nobody can use a fake network to get their personal data. Alternatively, provide the receptionist with the information. Even your public wi-fi should be encrypted rather than open.
- Configure a proper firewall: A proper firewall should be configured behind the wireless access points to protect both the public and office networks.
- Keep the router and any other equipment in an access-restricted area: This ensures it can’t be tampered with whatsoever. Locking it in a cabinet is the best way, with only people who need the key having it.
- Back up your wi-fi configuration: Back up your wi-fi configuration and store a copy offsite, so that if you have a problem, you can easily put everything back the way it was and restore your settings.
- Log WLAN events: This should include administrator logon and logoff. Make sure that your wireless access can monitor bandwidth consumed, source/destination information, and block traffic. Also use a solution that detects common wireless security threats, such as rogue access points.
- Use WPA2 with PSK encryption: This should be the bare minimum level of encryption for your private network. In fact, you should be able to do better. Use the highest security you can implement and afford, but WPA2 with PSK encryption is a good starting point.
- Train your employees properly: Ensure that employees are trained not to use the public wi-fi for any office functions, as it will not be as thoroughly secured. Additionally, make sure they never send patient information through public hotspots while traveling or at home. They should also be shown proper password best practices.
- Use a filter that blacklists known malware sites: This should be used on both the public and office networks. This helps protect employees from phishing attempts by blocking them from going to the fake site. Additionally, you may want to use manual filtering, both to keep employees away from distracting sites and, if needed, to block extremely high bandwidth sites from the public wi-fi. You should also block sites with inappropriate material.
- Have a clear terms of service for the public wi-fi: This should be visible when the patient or visitor logs on. Sample terms of service templates can be found on the internet.
- Make sure that anti-virus and anti-malware software is installed: Once installed, make sure they’re kept up-to-date on all devices used on the office network. This includes devices employees may bring from home.
- Have an appropriate BYOD policy: If you are going to allow employee-owned devices on the network, have a BYOD policy. Given the highly sensitive nature of medical information, it is appropriate to limit the applications installed on devices that will connect to the network. The policy should balance protecting patient information with preserving the rights of employees. Require that devices used to connect to the system are encrypted.
- For the private office network, disable broadcast of SSID: This means that people from the outside will only see the public network on their devices. Patients will not attempt to connect to the employee network.
- Change the default vendor password on all routers: A lot of people forget to do this, and these routers may ship with the same password on hundreds of devices.
- Enforce an employee acceptable use policy (AUP): Make sure that your employee AUP is not excessively onerous. An onerous AUP is more likely to be circumvented or ignored. Another alternative is to allow employees to do these things for a limited time using their own (not managed) device and the visitor wi-fi, keeping all such personal use off of the network which has the patient information on it.
- Perform a full risk analysis audit: This should be performed on your wi-fi systems. Make sure it’s done by a healthcare IT company. This will help you find any problems you might not have seen and close loopholes before they become a problem.
Wi-fi is an essential part of a working medical office and an important benefit to patients and visitors, especially in clinics where a visitor may be waiting for several hours. However, it is very important to ensure that patients and visitors are unable to access electronic protected health information (ePHI) and that employees follow the rules to help prevent this. Protecting patient information is the most important goal for security in clinics and hospitals. To find out more about how to provide technology solutions without risking patient privacy, contact Kraft Technology Group today.
