Hospitals need to get a grip on wireless security

January 13, 2003

Healthcare providers across the country are scrambling to bring their technology, processes, and policies up to compliance with the Health Insurance Portability and Accountability Act (HIPAA). But many institutions are not prepared for the consequences of the spread of wireless devices used for note taking or data storage.

"Some choose to simply ignore the problem, while others look to ban the devices completely," said Nathan Clevenger, chair of Mobile Development Association, an organization campaigning to educate the business public about mobile computing technology. "There is a correct solution, but only very few are looking to implement it."

In terms of HIPAA, wireless devices differ from wired devices in two key areas, according to Clevenger.

First, wireless devices carry inherent security risks because they are easily lost and their absence is often noticed late. In the meantime they can provide unfettered access to confidential information without the knowledge of IT staff or administration.

Second, the majority of handheld wireless devices currently in use in the healthcare industry were not formally deployed within an organization or institution, but rather were brought into the workplace as personal devices.

"This wave of informal yet widespread adoption did not have the standard IT safeguards traditionally deployed, such as standardized hardware and software, security policies, usage policies, and centralized support and maintenance," he said. "These differences simply highlight the HIPAA privacy and security risks associated with wireless devices."

Clevenger recommends the following HIPAA compliance strategy for wireless devices:

• Wireless networks must be installed and maintained by IT personnel, who should issue usage guidelines for what kind of functions may be performed and limits of private and confidential data that may be stored locally on the device.
• Centralized security and auditing policies for wireless devices must be implemented, to include power-on passwords, data storage encryption, and a self-destruct data mechanism upon security breach, as well as biometric measures since many of these devices now have integrated biometric fingerprint authentication mechanisms.
• Policies and mechanisms for reporting lost or stolen devices should be implemented to block them from all access to wireless networks and databases.

Putting the security measures in place can sometimes take longer than designing the wireless application itself.

"Designing the database took six months," said Dr. Dennis Fowler, an assistant professor of surgery at Cornell University. "Meeting HIPAA requirements for patient confidentiality, satisfying institutional IT requirements, and ensuring connectivity required an additional eight months before the functional system was complete."