While best practices exist for the use of Wi-Fi connections, there are no guarantees of absolute security.
Your duty, therefore, is not to achieve 100-percent security (this is impossible) but rather to assess and reduce risk to a level you consider acceptable. To begin, you must first understand the inherent vulnerabilities of Wi-Fi networks.
Data protection: key vulnerabilities
Multiple devices: When multiple devices access a single network, each device becomes a potential point of entry for a virus. An infected device can then push malware to other devices connected to the same network.
Websites and apps: Installed applications and websites you visit, especially unsecured sites (http instead of https), increase the number of access points to your network. The more access points you create, the greater the chances one of those points contains a weakness known to would-be hackers.
Malware: Most people are aware that any device (tablet, laptop, desktop computer, printer, etc.) can be infected with viruses. Less known, however, is how some malware (e.g., spyware, such as key loggers) runs silently in the background, so as to not alert users something is wrong, and pick up information before it is encrypted.
Shared Wi-Fi: Any Wi-Fi connection with no password protection, or with a password known to people outside your workforce, should be considered public Wi-Fi. Determining the risk of a public connection is extremely difficult because you have no control over the other connected devices or the information being broadcast over the network. Because of this, it is best to avoid public Wi-Fi. However, if you must access practice data over a public connection, the safeguards below become far more important.
Essential safeguards
OS patches: Keeping your computer’s operating system (OS) up to date is arguably the most important safeguard.
Never use an OS that is no longer supported by the vendor. For example, Windows XP and Windows Vista are both unsupported and should not be running on any of your machines.
Software patches: Properly maintaining software installed on your equipment and devices is critical yet often overlooked, because one tends to think of software as a finished product and not a work in progress—but it’s never finished. Software vendors regularly provide security patches to plug vulnerabilities as they are discovered. If you don’t keep up to date with vendor patches, your software becomes increasingly vulnerable over time.
Antivirus software: Install a single antivirus software application on every device connected to your Wi-Fi network if possible (this applies to physically wired connections, too). The antivirus you use should be set to update automatically every day to prevent new malware threats from infecting devices.
Https sites: Your browser’s address bar always displays the real web address of the site you’re visiting, which begins with either “http” or “https.” The “s” in https indicates the website uses specific protocols to encrypt (secure) data during transmission. Http, without the “s,” offers no encryption. Be certain to transmit sensitive data to https web addresses only. It is also good practice to double-check the spelling of web addresses you visit. Criminals take advantage of common spelling errors and assumptions by setting up https websites that closely mirror legitimate sites. For example, COSTCO-USA.WIN and COSCO.COM are not legitimate Costco websites.
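The two checks described above (https only, and the exact spelling of the address) can be automated against a list of sites you actually use. The following is an added example, not part of the original article; the allowlist, the function names and the "last two labels" shortcut for finding the registered domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a hand-maintained allowlist of sites the practice sends data to.
TRUSTED = {"costco.com"}

def edit_distance(a, b):
    """Levenshtein distance, one row of the DP table at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def classify(url, trusted=TRUSTED):
    """Return 'ok', 'not-encrypted', 'lookalike', 'unlisted' or 'invalid'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")   # .hostname is lower-cased
    if not host:
        return "invalid"
    # Simplification: treat the last two labels as the registered domain.
    # Production code should consult the Public Suffix List instead.
    domain = ".".join(host.split(".")[-2:])
    if domain in trusted:
        return "ok" if parts.scheme == "https" else "not-encrypted"
    name = domain.split(".")[0]
    tokens = re.split(r"[.-]", host)
    for good in trusted:
        brand = good.split(".")[0]
        # Brand used as a word anywhere in the host, or a near-miss spelling
        if brand in tokens or edit_distance(name, brand) <= 1:
            return "lookalike"
    return "unlisted"

if __name__ == "__main__":
    for u in ["https://www.costco.com/", "http://www.costco.com/",
              "https://COSTCO-USA.WIN/", "https://cosco.com/"]:
        print(f"{classify(u):14} {u}")
```

Note that a lookalike address is flagged even when it uses https, because encryption says nothing about who operates the site.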
Router configuration: Modern Wi-Fi routers contain built-in firewalls and encryption; however, these features must be properly configured to be certain the firewall is “on” and the level of encryption is sufficient. Always change the default password and never allow guests on your secure network.
It is recommended that you disable Wi-Fi Protected Setup (WPS) on your router and set its encryption to WPA2-level security. You may need to visit the website of the manufacturer to download the user manual and check for updates. You can certainly offer patients free Wi-Fi, but only after setting up a true “guest” access point on your router, which keeps their traffic and yours completely separate.
Virtual private network (VPN): Setting up a VPN creates a controlled virtual tunnel between two points to exchange data. While a VPN does add a layer of security, it does not singlehandedly protect your entire network; therefore, all other safeguards remain relevant. Hire a knowledgeable and reputable IT professional if you are interested in creating a VPN.
It’s true that Wi-Fi can greatly improve your practice’s operational efficiency by providing network flexibility and mobile internet access. However, these same attributes also increase your vulnerability to outside attacks. Should you determine the benefits of Wi-Fi service outweigh the risks, be sure to properly assess the vulnerabilities and apply the safeguards mentioned above.
Jeff Brown, DC, is obsessed with creating easy-to-use software to end the frustration of HIPAA compliance. Brown’s career spans private practice, compliance consulting, and software product management for three health care technology companies. He is a co-founder of HIPAAmate—compliance software designed and priced for small practices—and can be contacted at 614-706-2066, hipaamate@gmail.com, or through hipaamate.com.