"Open" wireless network = HIPAA violation?

Status
Not open for further replies.
Originally Posted By: HangFire
Originally Posted By: dparm
The problem with this is all it takes is one idiot to accidentally plug a wire from an AP into the office network for that separation to be broken.


The moment that cable is plugged in, a VLAN mismatch is detected and that port is shut off.

Unless your IT department is a bunch of rubes using unmanaged networks or something.


Some of the stuff I've seen in hospitals, particularly small and old ones, would make your eyes pop. Picture somebody with their own Apple Airport plugged into some unmanaged D-Link switch they bought at BestBuy under their desk with half their office plugged into it.


This stuff happens, and probably more frequently than you'd think.

I've pulled the same garbage (minus the Airport) out from behind desks that was put there by the IT department because they didn't have enough drops in the office and so they just tossed some garbage switch in there to "make it work". You can be quite sure there was no MAC filtering or VLAN checking going on there.
 
Originally Posted By: OVERKILL
Originally Posted By: HangFire
Originally Posted By: dparm
The problem with this is all it takes is one idiot to accidentally plug a wire from an AP into the office network for that separation to be broken.


The moment that cable is plugged in, a VLAN mismatch is detected and that port is shut off.

Unless your IT department is a bunch of rubes using unmanaged networks or something.


Some of the stuff I've seen in hospitals, particularly small and old ones, would make your eyes pop. Picture somebody with their own Apple Airport plugged into some unmanaged D-Link switch they bought at BestBuy under their desk with half their office plugged into it.


This stuff happens, and probably more frequently than you'd think.

I've pulled the same garbage (minus the Airport) out from behind desks that was put there by the IT department because they didn't have enough drops in the office and so they just tossed some garbage switch in there to "make it work". You can be quite sure there was no MAC filtering or VLAN checking going on there.



I've seen that, too. It all hooks up to a managed port upstream. STP saved my butt (of course I set it up) when one office quad created a loopback. It took out only that quad... "What was the last thing you changed?" "We plugged this in." "Why do you have 3 unmanaged switches in a circle?" (Dunno, shakes heads.) "You're allowed one unmanaged switch per drop. Put in a ticket and we'll put in 2 more drops." Meanwhile the rest of the building kept humming along...
 
I could have an open wireless network at my house. But I don't. With 26 acres, I am pretty sure someone would need to be in my drive or parking area to use my Wifi. Dog would bark and I would see them.

I suppose someone could hide up in a tree and I might not notice, but my house is not a likely black-ops mission location.
 
Originally Posted By: OVERKILL
Originally Posted By: redhat
Originally Posted By: Ed_Flecko
Originally Posted By: redhat
If your friend is a CISSP, then why is he a part of a department letting a loosely secure guest WiFi (sounds as if your friend has influenced your opinions of this network) to exist?


Because he has no choice - he's been given instructions to do this despite his objections. He can implement this and keep his job...or fight it and look for a new one.

This "order" comes from the Company President and has the full backing of all Management, including the I.T. Department Mgr.



Ed


That is a shame. VLAN segregation is good, but I'd still like content filtering on the guest side, P2P blocking, etc.

Could eat up all of their bandwidth. At the very least, I'd say the corporate data shouldn't be accessible. That is, unless this place is going to let these VLANs communicate with each other. It should be a no-brainer not to allow that traffic.

Then you're relying on OS level to keep the data secure.



I agree on the VLAN point, there's nothing inherently wrong with using VLAN segregation provided you've blocked inter-VLAN routing and most new facilities use this method, as they can then use common access points for both private and public clients. Cuts down on both equipment and wiring costs and when properly executed, provides no security risks.

However, the other side of this makes no sense as presented. Even if this place is SUPER cheap and is using common egress equipment, some form of traffic shaping and filtering should be in play, with stricter policies in place for guest traffic, usually coupled with significant rate-limiting.



Some enterprise wireless solutions now have VPNs for each SSID for traffic back to the controller! Extra layer of encryption I guess
 
Originally Posted By: Ed_Flecko
A close friend of mine works at an organization that falls under HIPAA compliance.

It's my understanding their I.T. Department will soon be offering a truly "Open" wireless network for, literally, anyone to connect to. You heard right - not WEP, not WPA, WPA2, etc., etc., etc. Open.

I'm told their I.T. Management has assured upper-management they have no cause for worries, whatsoever, because the wireless network is protected by their firewall. It's hard for me to write that and not spit coffee from laughing all over my keyboard.

Isn't creating an "Open" wireless network, in and of itself, a HIPAA violation since there's no encryption, auditing, etc., of any kind?


I'm thinking you don't know as much about computers as you might think.
 
HIPAA gets played really fast and loose in a lot of practices.
I remember being at a doctor's office, sitting down in one of their examination rooms for maybe ten minutes unattended. The computer was on, logged into an X-ray program, and it had a prior patient's vital and personal information shown right on the screen, along with an X-ray image.
Pretty sloppy.
 
Originally Posted By: redhat
...Then you're relying on OS level to keep the data secure.


Bu, but, but, I have to open the RDP port to the hackers' scan.... (admin's joke)
 
Originally Posted By: L_Sludger
HIPAA gets played really fast and loose in a lot of practices.
I remember being at a doctor's office, sitting down in one of their examination rooms for maybe ten minutes unattended. The computer was on, logged into an X-ray program, and it had a prior patient's vital and personal information shown right on the screen, along with an X-ray image.
Pretty sloppy.

Nah,
they just collected full name, driver's license and SSN at the registry....
on a paper sheet to be seen by everybody...
 
Originally Posted By: OVERKILL
Some of the stuff I've seen in hospitals, particularly small and old ones, would make your eyes pop.


DO NOT DO A FACE PALM (especially in a lab setting! you don't know where their fingers have been :p )

Do you know the one with the Windows XP server with a stripe array (not even parity) where the 10-year-old HDDs crashed...?
And nobody had backups in place... (yep, the year was just last year...)
 
Originally Posted By: OVERKILL
I've pulled the same garbage (minus the Airport) out from behind desks that was put there by the IT department because they didn't have enough drops in the office and so they just tossed some garbage switch in there to "make it work". You can be quite sure there was no MAC filtering or VLAN checking going on there.



Hehehe, you were lucky... those were clean.


Imagine something in the ceiling of a manufacturing plant for 5 years... (oil + coolant + dust... I didn't get that dirty working on my car...)
 
Originally Posted By: L_Sludger
pandus, sounds like you've managed IT at a practice or two.

Birds of a feather flock together....

Good recipe for relieving IT Customer Service induced headaches...
 
Originally Posted By: Ed_Flecko
A close friend of mine works at an organization that falls under HIPAA compliance.

It's my understanding their I.T. Department will soon be offering a truly "Open" wireless network for, literally, anyone to connect to. You heard right - not WEP, not WPA, WPA2, etc., etc., etc. Open.

I'm told their I.T. Management has assured upper-management they have no cause for worries, whatsoever, because the wireless network is protected by their firewall. It's hard for me to write that and not spit coffee from laughing all over my keyboard.

Isn't creating an "Open" wireless network, in and of itself, a HIPAA violation since there's no encryption, auditing, etc., of any kind?

Ed



I work at a hospital; I use open networks all the time; I will go to jail if I violate HIPAA.

I use an open network, but all my connections are secure ("https:"), with 2 levels of authentication.
 
I guess I don't understand whether this has been done safely or not. The OP says "There is only one physical network." In modern networking that really doesn't mean anything, since there is a whole level of management on top of the actual cabling.

As redhat pointed out, it is a common practice to provide a VLAN with outgoing internet access only and no access controls, which is ENTIRELY separate from the company's production network. Where I work the address space even appears as "internal company addresses" even though there is no access to other VLANs; there is only internet access with no content filtering. Regular internal users are content filtered via the web filtering software.

So I guess I don't see the evidence in what was posted that what I described is not what was implemented.

Goes without saying that what is available at the enterprise level is "a bit more feature rich" than a home network.
 
Originally Posted By: HangFire
Originally Posted By: OVERKILL
Originally Posted By: HangFire
Originally Posted By: dparm
The problem with this is all it takes is one idiot to accidentally plug a wire from an AP into the office network for that separation to be broken.


The moment that cable is plugged in, a VLAN mismatch is detected and that port is shut off.

Unless your IT department is a bunch of rubes using unmanaged networks or something.


Some of the stuff I've seen in hospitals, particularly small and old ones, would make your eyes pop. Picture somebody with their own Apple Airport plugged into some unmanaged D-Link switch they bought at BestBuy under their desk with half their office plugged into it.


This stuff happens, and probably more frequently than you'd think.

I've pulled the same garbage (minus the Airport) out from behind desks that was put there by the IT department because they didn't have enough drops in the office and so they just tossed some garbage switch in there to "make it work". You can be quite sure there was no MAC filtering or VLAN checking going on there.



I've seen that, too. It all hooks up to a managed port upstream. STP saved my butt (of course I set it up) when one office quad created a loopback. It took out only that quad... "What was the last thing you changed?" "We plugged this in." "Why do you have 3 unmanaged switches in a circle?" (Dunno, shakes heads.) "You're allowed one unmanaged switch per drop. Put in a ticket and we'll put in 2 more drops." Meanwhile the rest of the building kept humming along...


Yeah, that could have ended much worse if the configuration had been different.
 
Originally Posted By: pandus13
Originally Posted By: OVERKILL
Some of the stuff I've seen in hospitals, particularly small and old ones, would make your eyes pop.


DO NOT DO A FACE PALM (especially in a lab setting! you don't know where their fingers have been :p )

Do you know the one with the Windows XP server with a stripe array (not even parity) where the 10-year-old HDDs crashed...?
And nobody had backups in place... (yep, the year was just last year...)


Oh... My.... God.... seriously???? Like we are talking a straight-up RAID0 on a server with valuable data????
 
Originally Posted By: pandus13
Originally Posted By: OVERKILL
I've pulled the same garbage (minus the Airport) out from behind desks that was put there by the IT department because they didn't have enough drops in the office and so they just tossed some garbage switch in there to "make it work". You can be quite sure there was no MAC filtering or VLAN checking going on there.



Hehehe, you were lucky... those were clean.


Imagine something in the ceiling of a manufacturing plant for 5 years... (oil + coolant + dust... I didn't get that dirty working on my car...)


I may have you beat.


Many, MANY moons ago, when I was doing my own thing and primarily doing SMB stuff, I had a customer that was a small shop that refurbished diesel equipment like injectors, turbos, pumps... etc. You touched ANYTHING in there and it was like you had just stuck your hands in a 25,000 mile OCI Cummins sump. And you smelled like diesel and couldn't get it off; it was incredible! I've done a few auto shops and some work at a large truck shop and it wasn't anywhere near as bad as this place.


But healthcare is a whole other ballgame; it's what you don't see that freaks you out, particularly when you are doing stuff in and about the labs.
I'd rather smell like diesel for a week than touch some of that stuff.
 
In a corporate network, you can have multiple SSIDs, including public ones.

You can control what each SSID can get to, and what users can join which SSID.

It is typical to have an employee network authenticated by a user's login password, connecting them automatically via group policy on their work laptop.

Guests normally get an open network on which they can't get to anything but the filtered internet, and they have no access to the corporate side at all.

There is no HIPAA issue here.
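Added example, not written by any poster in this thread: a small first-match ACL evaluator that audits the guest-VLAN policy this post and OVERKILL's "block inter-VLAN routing" point describe, showing the weak and misordered rule sets beside the hardened one. The addresses, rule sets and probe flows are constructed assumptions, not this (or any) organization's configuration.

```python
import ipaddress
from typing import List, Tuple

# Constructed addressing (assumption, not from the thread).
GUEST_NET = ipaddress.ip_network("10.200.0.0/16")   # open guest SSID VLAN
CORP_NETS = [ipaddress.ip_network("10.10.0.0/16"),  # staff workstations
             ipaddress.ip_network("10.20.0.0/16")]  # EHR / file servers
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNET_HOST = "203.0.113.10"                      # TEST-NET-3 stand-in

# A rule is (action, source network, destination network). The evaluator
# mimics a typical L3 switch/firewall ACL: first match wins, implicit deny.
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

def first_match(rules: List[Rule], src: str, dst: str) -> str:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ACL

# Weak: "the firewall protects us", but the guest VLAN may route anywhere,
# so isolation of PHI systems rests on each host's own OS and patch state.
WEAK: List[Rule] = [("permit", GUEST_NET, ANY)]

# Misordered: the denies exist but sit below permit-any and never fire.
MISORDERED: List[Rule] = [("permit", GUEST_NET, ANY)] + [
    ("deny", GUEST_NET, net) for net in CORP_NETS]

# Hardened: deny guest -> every internal range first, then allow egress.
HARDENED: List[Rule] = [("deny", GUEST_NET, net) for net in CORP_NETS] + [
    ("permit", GUEST_NET, ANY)]

def audit_guest_isolation(rules: List[Rule]) -> List[str]:
    """Probe representative flows; an empty list means the guest VLAN is
    internet-only. Each finding names the internal range a guest can reach."""
    findings = []
    guest_host = str(GUEST_NET[100])
    for net in CORP_NETS:
        if first_match(rules, guest_host, str(net[10])) == "permit":
            findings.append(f"guest can reach internal {net}")
    if first_match(rules, guest_host, INTERNET_HOST) != "permit":
        findings.append("guest has no internet egress")
    return findings

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("MISORDERED", MISORDERED),
                        ("HARDENED", HARDENED)):
        print(name, audit_guest_isolation(rules) or "isolated")
```

The misordered set is the case to watch for on a real device: the deny lines look right in isolation, but a permit-any placed above them makes the policy equivalent to the weak one.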
 
Interesting topic since I work in healthcare and see obvious HIPAA violations.

All it takes is someone from the inside to get info and sell it to identity thieves. Many hospitals and doctors' offices have had patient info stolen by office workers that are trusted to do the right thing.

Ransomware is what many hospitals also need to be worried about.
 
Big hospital near me, ECMC, just went through a ransomware outbreak. What a mess.
 