Question

1. What advice would you offer the medical office manager about implementing a Wi-Fi access point on the network?

2. What elements would a policy contain?

3. Develop a high-level standard to address the considerations for implementing Wi-Fi under HIPAA security rule constraints.

Answer 1

1. What advice would you offer the medical office manager about implementing a Wi-Fi access point on the network?
Medical office should never use public settings. Shared folders should never be public and should always be kept password protected for access. The medical office should be private and hidden from public. WiFi connection or wifi printer should never be broadcasted.

2. What elements would a policy contain?
Key elements of an information security policy are as follows:

1. Purpose-
Create an overall approach to information security.
Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
Respect customer rights, including how to react to inquiries and complaints about non-compliance.

2. Audience-
Define the audience to whom the information security policy applies. Also specify which audiences are out of the scope of the policy.

3. Information security objectives-

Information security focuses on three main objectives:
Confidentiality—only individuals with authorization canshould access data and information assets
Integrity—data should be intact, accurate and complete, and IT systems must be kept operational
Availability—users should be able to access information or systems when needed

4. Authority and access control policy-
Hierarchical pattern—a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
Network security policy—users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.

5. Data classification
The policy should classify data into categories, which may include “top secret”, “secret”, “confidential” and “public”.

6. Data support and operations-
Data protection regulations—systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
Data backup—encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage.
Movement of data—only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.

7. Security awareness and behavior-
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.

8. Responsibilities, rights, and duties of personnel-
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.

3. Develop a high-level standard to address the considerations for implementing Wi-Fi under HIPAA security rule constraints.
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a US law designed to provide privacy standards to protect patients' medical records and other health information provided.
Implementation of Wi-Fi under HIPAA requires you to look at all sections of the Security Rule. This includes looking at the administrative safeguards of risk assessment, risk management, and the policies and procedures governing use.

Technical safeguard standards include:
i. Access — refers to the ability/means to read, write, modify, and communicate the data and includes files, systems, and applications. Controls must include unique user identifiers and automatic logoffs and could include access procedures during emergencies as well as data encryption.
ii. Audit controls — refers to mechanisms for recording and examining activities pertaining to ePHI within the information systems.
iii. Integrity — requires policies and procedures for protecting the data from being altered or destroyed in an unauthorized manner.
iv. Authentication — requires the verification of the identity of the entity or individual seeking access to the protected data.