Educause Security Discussion mailing list archives

Re: HIPAA and Wireless Network Security


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 10 Jun 2008 16:29:54 -0400

The HIPAA Security Rule doesn't get that specific.  Below is a snippet from the Security Rule that would apply to a 
wireless network that transmits ePHI.


--- <snippet> ---

164.312(e)(1) Standard: Transmission security.  Implement technical security measures to guard against unauthorized 
access to electronic protected health information that is being transmitted over an electronic communications network.

164.312(e)(2) Implementation specification:  (i) Integrity controls (Addressable).  Implement security measures to 
ensure that electronically transmitted electronic protected health information is not improperly modified without 
detection until disposed of.  (ii) Encryption (Addressable).  Implement a mechanism to encrypt electronic protected 
health information whenever deemed appropriate.

--- </snippet> ---


The fact that both implementation specifications are "addressable" means you have some leeway in what you decide to do 
as long as you document your controls and how they address the specified requirements.  In a perfect world, I would strive for 
adherence to the 802.11i standard.  Alas, it's not a perfect world.  :-)

Hope this helps.



Babb, Robert wrote:
Hi All,

Does anybody know if there is a specific wireless security requirement in HIPAA (i.e. WPA w/AES, 802.1X)?

Thank You,

Robert Babb
Network Manager
Information Technology Services
Union College

