
Issue 3 - February 2003

Are wireless computers subject to HIPAA?
By Rick Lehtinen and D.H. Leavitt

A story has been circulating about an Ohio-based HIPAA compliance consultant who captured patient files on a wireless computer while sitting in a chiropractor’s waiting area. The objective of his snooping was to make a point: Protected health information (PHI) can be intercepted. And so, HIPAA applies.

HIPAA treats wireless technology much the same as it does a fax transmission. Most experts, even at HIPAA, agree that a transmission from a conventional fax machine to another conventional fax machine is difficult enough to intercept and decode that the exchange is not covered by HIPAA definitions.

A problem occurs, however, if the fax transmission takes place between two computers. Then it is considered a HIPAA transaction because the data can be intercepted, as in the Ohio case.

Wireless computers, such as hand-helds, are incredibly convenient and seem to be made for healthcare practitioners. In fact, one of the earliest applications for the current wireless products family was in healthcare charting.

This wonderful convenience does not make current wireless technologies HIPAA-secure. Hackers don’t even need to touch a wire to intercept communications. All they need is to be in the area.

In fact, a growing body of hacker hobbyists is mapping and publishing information about “hot spots,” those areas near a home or office where the computer’s radio waves leak out into the street for passers-by to pick up. There is even a practice known as “War Chalking,” in which radio hot spots are detected and marked for others to exploit, using a code similar to the old “Hobo’s Code,” which hobos used to tell one another which households would offer handouts and which would require work for food.

The sad thing is that, of all the applications where wireless technologies could be such a convenience, patient care may also be the area most severely affected. Here’s why: A wireless snoop outwits the encryption placed on wireless signals by recording them and subjecting them to intense cracking processes, usually on a cluster of several PCs working in tandem.

Chronic problems intrigue hackers
Hackers aren’t much interested in finding spot news – such as rumors about a company officer that could affect the stock market – because this could be “old” news by the time the cracking cluster finishes its work.

But chronic information – such as the chronic health problems of old Mr. Swartz of Jones, Higglebottom & Swartz, and whether or not he will lead upcoming litigation or pass it off to one of his junior partners – can be leisurely unraveled and exploited.

What can you do?
• Avoid transmitting records over a wireless link. If you transmit, take countermeasures, such as installing an encryption system, which, unfortunately, may require expert installation.

• Use an infrared link or wired connection to dock your handheld device to your computer network. This works well for records and is reasonably secure.

• Push for HIPAA compliance from wireless providers. Although encryption techniques are available, they are not yet widely implemented in the networking community.

HIPAA privacy and security standards are governmental answers to today’s communications risks. Like airport security, we’ll get used to them, especially as security becomes more available.

Rick Lehtinen is a computer security consultant to the ChiroCode Institute. D. Henry Leavitt is president/CEO of ChiroCode Institute.

   