"Open" wireless network = HIPAA violation?

A close friend of mine works at an organization that falls under HIPAA compliance.

It's my understanding their I.T. Department will soon be offering a truly "Open" wireless network for, literally, anyone to connect to. You heard right - not WEP, not WPA, WPA2, etc., etc., etc. Open.

I'm told their I.T. Management has assured upper-management they have no cause for worries, whatsoever, because the wireless network is protected by their firewall. It's hard for me to write that and not spit coffee from laughing all over my keyboard.

Isn't creating an "Open" wireless network, in and of itself, a HIPAA violation since there's no encryption, auditing, etc., of any kind?

Ed
 
I'm not a HIPAA expert, but yeah, that seems like a disaster waiting to happen.

The only way I can see that being permitted is if the guest network is physically isolated from the rest of the office network, meaning totally separate APs, switches, wiring, and even a different circuit from the LEC. The problem with this is all it takes is one idiot to accidentally plug a wire from an AP into the office network for that separation to be broken.
 
This is more than likely for guest WiFi. Employee/corporate WiFi should (best case scenario) not have its SSID broadcasting and use 802.1X RADIUS authentication by computer name and MAC filtering for enterprise nodes. Can also have a broadcast-able SSID that takes username and password, again with RADIUS, for employee use.

Open wireless network with a captive portal and TOS that needs to be accepted.

This SSID on a separate VLAN that only has traffic going out to the internet.

Pretty common.
 
It is quite possible to create an entirely separate, firewalled and traffic limited wireless network for the purposes of being "public". Generally these networks have a disclaimer you have to agree to before you can do anything and they are severely rate limited with rather liberal content filtering as well.

Most hospitals have something like this for guests and patients. The networks are open, but as described above. Depending on the age of the facility they may share access points with the facility's existing network or use entirely new hardware.
 
It depends what the open network is used for. Usually the hospitals have a number of protected networks that are used by devices involved in the hospital business.

Then they have an open network, completely separated from the main network (separate ISP, separate physical route to the ISP), that is for the public. They still install a firewall to block out content prohibited by hospital policy (porn, P2P, etc.).

IT departments are not stupid -- it was probably misinterpreted by an information-deficient person.
 
Originally Posted By: Alfred_B
It depends what the open network is used for. Usually the hospitals have a number of protected networks that are used by devices involved in the hospital business.

Then they have an open network, completely separated from the main network (separate ISP, separate physical route to the ISP), that is for the public. They still install a firewall to block out content prohibited by hospital policy (porn, P2P, etc.).

IT departments are not stupid -- it was probably misinterpreted by an information-deficient person.


Exactly


Though I will add that sometimes they are not on a separate ISP, simply a separate IP address, as they usually have a decent pool of external addresses assigned to them. From behind the point of service from the ISP there is significant firewalling and traffic filtering as well as rate limiting so as to have next to zero impact on whatever available bandwidth is being provided by the ISP. I've seen this configuration many times and it is fun sometimes hopping on those networks when they are first set up and the facility is not active to see what you can pull before they put the brakes on it to make it reflect go-live.
 
I will use those.. but only with VPN..

One said I was visiting an adult site and violating their TOS when I was on BITOG... lol.

Adult site=/=motor oil...

Tunnelbear works pretty good and 1GB free.. with easy app for android.

I only use them if I'm in the middle of the hospital with no signal.
 
Originally Posted By: dparm
...all it takes is one idiot to accidentally plug a wire ...

I sense you have some good stories.....
:))
 
Originally Posted By: 3800Series
Aren't these the types of networks where you have to manually ban pretty much every proxy and VPN program on the net?


No, companies like Cisco keep updated lists that are used for that purpose that the appliance downloads periodically.
 
Like others have said, it's very likely on its own VLAN with Internet access ONLY. Should be good, as you can't access internal client data.
 
Originally Posted By: Ed_Flecko
A close friend of mine works at an organization that falls under HIPAA compliance.

It's my understanding their I.T. Department will soon be offering a truly "Open" wireless network for, literally, anyone to connect to. You heard right - not WEP, not WPA, WPA2, etc., etc., etc. Open.

I'm told their I.T. Management has assured upper-management they have no cause for worries, whatsoever, because the wireless network is protected by their firewall. It's hard for me to write that and not spit coffee from laughing all over my keyboard.

Isn't creating an "Open" wireless network, in and of itself, a HIPAA violation since there's no encryption, auditing, etc., of any kind?

Ed



Every hospital has guest wifi, so.....
 
Originally Posted By: Alfred_B
It depends what the open network is used for. Usually the hospitals have a number of protected networks that are used by devices involved in the hospital business.

Then they have an open network, completely separated from the main network (separate ISP, separate physical route to the ISP), that is for the public. They still install a firewall to block out content prohibited by hospital policy (porn, P2P, etc.).

IT departments are not stupid -- it was probably misinterpreted by an information-deficient person.


This information is 100% accurate - my friend who shared this with me works in the I.T. Department, and one of his 27 certifications includes CISSP.

There's only one physical network, no content filtering intended of any sort on this new Open network, and the only thing that separates the wireless from the rest of the confidential network infrastructure is that it's going to be assigned a different VLAN tag.

Oh, and I almost forgot - the Terms of Service "agreement" isn't anything you'll have to "agree to" in the strict sense in order to proceed, it's just a pop-up you can ignore as you proceed to enjoy the free wifi service!

Ed
 
I do not think you have all the facts and seem a little paranoid. Many secure facilities have guest networks; that is how they keep guests out of the corporate systems.
 
If your friend is a CISSP, then why is he a part of a department letting a loosely secure guest WiFi (sounds as if your friend has influenced your opinions of this network) to exist?
 
It's entirely feasible to secure information with application-level encryption. The scrambling provided by WiFi WEP/WPA/etc provides minimal additional security.

If done properly, the only reason to secure the WiFi at the link level is to indicate "don't bother connecting -- this network isn't a general Internet access point".

But I suspect that this is really a guest network, and someone is doing hand-wringing to create drama.
 
Originally Posted By: redhat
If your friend is a CISSP, then why is he a part of a department letting a loosely secure guest WiFi (sounds as if your friend has influenced your opinions of this network) to exist?


Because he has no choice - he's been given instructions to do this despite his objections. He can implement this and keep his job...or fight it and look for a new one.

This "order" comes from the Company President and has the full backing of all Management, including the I.T. Department Mgr.



Ed
 
Originally Posted By: Ed_Flecko
Originally Posted By: redhat
If your friend is a CISSP, then why is he a part of a department letting a loosely secure guest WiFi (sounds as if your friend has influenced your opinions of this network) to exist?


Because he has no choice - he's been given instructions to do this despite his objections. He can implement this and keep his job...or fight it and look for a new one.

This "order" comes from the Company President and has the full backing of all Management, including the I.T. Department Mgr.



Ed


That is a shame. VLAN segregation is good, but I'd still like content filtering on the guest side, P2P blocking, etc.

Could eat up all of their bandwidth. At the very least, I'd say the corporate data shouldn't be accessible. That is, unless, this place is going to let these VLANs communicate with each other. That should be a no-brainer to not allow that traffic.

Then you're relying on OS level to keep the data secure.
 
Originally Posted By: redhat
Originally Posted By: Ed_Flecko
Originally Posted By: redhat
If your friend is a CISSP, then why is he a part of a department letting a loosely secure guest WiFi (sounds as if your friend has influenced your opinions of this network) to exist?


Because he has no choice - he's been given instructions to do this despite his objections. He can implement this and keep his job...or fight it and look for a new one.

This "order" comes from the Company President and has the full backing of all Management, including the I.T. Department Mgr.



Ed


That is a shame. VLAN segregation is good, but I'd still like content filtering on the guest side, P2P blocking, etc.

Could eat up all of their bandwidth. At the very least, I'd say the corporate data shouldn't be accessible. That is, unless, this place is going to let these VLANs communicate with each other. That should be a no-brainer to not allow that traffic.

Then you're relying on OS level to keep the data secure.



I agree on the VLAN point. There's nothing inherently wrong with using VLAN segregation provided you've blocked inter-VLAN routing, and most new facilities use this method, as they can then use common access points for both private and public clients. It cuts down on both equipment and wiring costs and, when properly executed, provides no security risks.

However, the other side of this makes no sense as presented. Even if this place is SUPER cheap and is using common egress equipment, some form of traffic shaping and filtering should be in play, with stricter policies in place for guest traffic, usually coupled with significant rate-limiting.
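The "guest VLAN with inter-VLAN routing blocked, internet egress only, rate-limited" design that several replies above describe, written out as a small policy checker with a matching nftables forward chain. This is an added example, not configuration from anyone in the thread; the addresses (10.200.0.0/22 guest VLAN, 10.200.0.1 gateway) and interface names (eth0.200, eth1) are constructed, and the nftables text covers only the guest portion of a real firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing (not from the thread): guest VLAN, its gateway, and
# the firewall interface names assumed for the nftables output.
GUEST_VLAN = ipaddress.ip_network("10.200.0.0/22")
GUEST_GATEWAY = ipaddress.ip_address("10.200.0.1")
GUEST_IF, UPLINK_IF = "eth0.200", "eth1"
# Address space that is never "the internet": RFC 1918 (which also covers the corporate
# VLANs and the guest VLAN itself), link-local, loopback and carrier-grade NAT.
NOT_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "100.64.0.0/10")]
# The only services a guest may ask of the gateway itself: a lease and name resolution.
GATEWAY_SERVICES = {("udp", 67), ("udp", 53), ("tcp", 53)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def guest_policy(flow: Flow) -> tuple[str, str]:
    """Accept/drop decision for a packet arriving on the guest VLAN interface."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in GUEST_VLAN:
        return "drop", "source is not a guest address (spoofed, or a mis-plugged port)"
    if dst == GUEST_GATEWAY:
        if (flow.proto, flow.dport) in GATEWAY_SERVICES:
            return "accept", "DHCP/DNS to guest gateway"
        return "drop", "gateway offers guests only DHCP and DNS"
    if any(dst in net for net in NOT_INTERNET):
        return "drop", "internal or non-internet destination"
    return "accept", "internet egress"

def nft_ruleset(new_conns_per_sec: int = 200) -> str:
    """Same policy as an nftables forward chain, built from the constants above so the
    check and the deployed rules cannot drift apart (gateway DHCP/DNS is an input-chain matter)."""
    blocked = ", ".join(str(n) for n in NOT_INTERNET)
    return f"""table inet guest {{
  chain forward {{
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "{GUEST_IF}" ip saddr != {GUEST_VLAN} drop
    iifname "{GUEST_IF}" ip daddr {{ {blocked} }} drop
    iifname "{GUEST_IF}" oifname "{UPLINK_IF}" ct state new limit rate {new_conns_per_sec}/second accept
  }}
}}"""
```

Guest-to-guest traffic on the same access point never reaches this firewall, so client isolation on the AP is still needed alongside it.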
 
Originally Posted By: dparm
The problem with this is all it takes is one idiot to accidentally plug a wire from an AP into the office network for that separation to be broken.


The moment that cable is plugged in, a VLAN mismatch is detected and that port is shut off.

Unless your IT department is a bunch of rubes using unmanaged networks or something.
 