Covered entities (“CEs”) need to be aware that their wireless networks and portable devices such as iPhones and BlackBerrys are not necessarily secure.
Eleven people have been charged with computer intrusion, fraud and identity theft, among other counts, for participating in a crime ring that allegedly broke into the wireless networks of nine major retailers. Federal prosecutors believe the conspirators stole credit and debit card numbers through “wardriving,” in which one person drives around while another in the car uses a laptop to find wireless networks and attempt to gain access to them.
CEs could be targeted in similar schemes and should make sure that their wireless networks are properly encrypted. CEs should have already converted from the Wired Equivalent Privacy (“WEP”) system of encryption to the more secure Wi-Fi Protected Access (“WPA”) protocol, preferably WPA2 with AES encryption rather than the older TKIP mode. WEP remained common long after its weaknesses became known: flaws in its key scheduling were published in 2001, and attacks published in 2007 reduced the time needed to recover a WEP key to a few minutes of captured traffic, so a WEP network should be treated as an open one.
Additionally, CEs should remind staff members to use portable devices with care. There are two main risks: (1) if a doctor is in a public place and uses an unsecured or weakly encrypted network to transmit PHI [i.e., protected health information], anyone in range can intercept that traffic unless the application itself encrypts it (for example, over a VPN or a TLS-protected connection); and (2) an attacker on the same network, or operating a rogue access point that the device joins, can attack the laptop directly. The second risk is harder to carry out, but it can be done, and it gives the perpetrator a view of the traffic leaving the device rather than just what happens to pass by.
Use of portable devices like laptops and iPhones falls under HIPAA’s workstation use and security policies. Therefore, CEs should remind staff members about where they can or cannot use these devices. An airport is a particularly risky place to use such devices because anyone can buy access to the public wireless network with a credit card; paying for access does not encrypt traffic, and every other customer is on the same network and can intercept what is sent in the clear. Also, employees should use the locking features of the devices so that no one can open them without a password. Finally, CEs should go over what kind of information is acceptable to transmit over such connections. This will help ensure that patient information is protected and HIPAA compliance is maintained at all times.
Health Business Daily, Sept. 17, 2008.