Wireless Networks Need HIPAA-Focused Makeover
By Peter Poulin
For The Record
Vol. 26 No. 12 P. 30
There's little doubt that health care organizations of all sizes acknowledge the value of utilizing wireless technologies to quickly adopt and demonstrate meaningful use. After all, providers, nurses, administrators, and patients alike can only benefit from constant connectivity. Ultimately, they are all consumers who have come to expect wireless access to be as pervasive in their personal and professional lives as oxygen. As a result, it makes sense that an industry so dependent on advancing health care capabilities through new technologies would be eager to implement the latest and greatest on the operational side as well.
According to advertisements, Apple and Android should be saving the day—and dollars—for providers. However, it's a safe bet that many hospitals and clinics are starting to acknowledge that satisfying workforce wireless expectations isn't as simple as installing a few plug-and-play Wi-Fi routers or adding an extra layer or two of sign-on security requirements for consumer-grade devices accessing their networks. In fact, providers are probably realizing that none of the specialized challenges—privacy, security, reliability, and speed when accessing patient records and clinical data—that the health care environment faces when transferring full operational reliance to wireless networks can be addressed by consumer technologies. That's because consumer wireless networks weren't designed with HIPAA protections in mind.
The bottom line is that health care organizations are businesses with a unique responsibility to protect consumers' private information at all costs. If a hospital network is hacked, it can't just close patient accounts and issue new ones like retailers recovering from a credit card system breach. An invasion of private health care records carries far more severe implications for both the organization and the patient. From a patient's perspective, the repercussions often are irreparable. That is why the same level of "critical care" must be given to the development of purpose-built, business-class wireless networks as to the patients whose lives depend on the information being shared—and ultimately protected—via these networks.
Establishing the Baseline
While the term "business class" may sound pricey, the cost of investing in the right wireless network in a health care setting will never exceed the cost of failing to protect patients' privacy rights. There are too many regulatory and federal requirements dictating information confidentiality levels that can't be guaranteed by consumer-grade wireless standards.
Plus, hospital and clinical care wireless networks are considered mission critical, meaning that most of the business conducted over them can alter quality of life and the efficient delivery of critical patient care. Health care networks can't afford the frequent and irritating side effects of oft-prescribed consumer-grade—and even some enterprise—wireless networks. Spotty signals, dropped connections, bandwidth bottlenecks, and mobile device freeze-ups can do serious harm in a health care setting.
Reverting to good old paper records might appear more reliable. But we all know saving trees is a priority these days. Perhaps that's why clinicians have long preferred the trustworthiness and reliability of wired networks—a happy middle ground between the past and the future. Yet wires only reach so far, thereby limiting the technology's operational and patient care capabilities.
What is not limited are the dozens of different devices and literally hundreds of patient and administrative applications being utilized at any given time within the facility. Any wireless network must accommodate the special security needs of these simultaneous use cases without compromising access, integrity, or authentication.
When establishing the baseline for a patient-friendly and HIPAA-compliant Wi-Fi network in a complex health care setting, it is important to consider three factors: the physical building, end-user requirements, and access priorities.
The Physical Building
Although the most obvious of the considerations, it's also the most challenging. When conducting a wireless survey, it's important to call out wireless inhibitors within the facility, which may include materials such as brick, block, and wireless mesh. In addition to conducting a general site survey, extra attention must be given to specialty care areas such as radiology, oncology, and biomedical departments; operating rooms; autoclaves; and labs that use equipment with the potential to disrupt some Wi-Fi signals.
Besides obstacles within the building, wireless bleed-through must be accounted for. For example, the wireless signal from the second floor may inadvertently extend to the third floor. This could lead to a situation in which a user on the third floor connects (inadvertently or intentionally) to the weaker signal, causing the connection to drop after a short period and resulting in a disruption for users on both floors. Another reason this issue needs to be resolved upfront is that it could compromise location-based access control policies, which are an important part of a hospital's IT security and compliance requirements.
Without proper forethought and planning, one or more groups of key stakeholders will most likely be overlooked during the wireless infrastructure planning process. For example, in a hospital setting, in addition to physicians and nurses who regularly work on a specific floor and in a particular area of a hospital, other clinical staff such as visiting physicians, specialty care, pharmacy, and hospice must be considered.
Additionally, proper bandwidth and security measures must be deployed for nonclinical staff such as security personnel, dietary staff, IT, administration, volunteers, and facility personnel who may need access to the network to better perform their jobs.
And don't forget about the needs of patients and guests. After all, they are ultimately footing the bill for the network upgrade and the ones who arguably benefit the most from such an investment.
With careful wireless network planning, health care providers can gain a better sense of how much bandwidth is necessary to support their mobile user ecosystem. However, due to the wide range of possible loads on the network—both in terms of the number of physical users accessing the network at any given time and the types of applications being accessed—it's impossible to build a perfectly elastic network that never experiences bottlenecks. With that in mind, it's vital to add quality-of-service capabilities to the wireless network design. Doing so will ensure that during heavy network use, the clinicians, whose use of the network is mission critical and directly affects patient care, can perform their duties without network- and application-related delays or interruptions.
Weighing In on Costs
Because health care organizations are businesses, finances always will be a factor in any technology decisions. Settling for a wireless solution that may seem "fine for now" will almost certainly lead to fines later. In today's health care environment, security is a top priority as patient data breaches can lead to stiff HIPAA fines in addition to severely damaging an organization's reputation.
Health care organizations that opt to use plug-and-play Wi-Fi network setups also are opting to gamble with people's livelihoods. Couple these more vulnerable networks with limited security and remote management applications supported by iOS and Android devices that administrators may authorize for access to the network, and the result could be disastrous. Though costs will vary depending on whether existing infrastructure can be retrofitted or must be completely overhauled, any dollars spent will be minimal compared with the potential cost of a HIPAA breach. Whether for a small private practice or a 500-plus-bed hospital, any investment in the proper business-class Wi-Fi network will mitigate the risks presented by the bring-your-own-device challenges gaining traction every day.
In a nutshell, health care organizations are going to get what they give. There is too much on the line to cut corners or save pennies with plug and play. In the long run, facilities may find that a complete strategy reboot—and infrastructure rebuild—will save money and headaches. Consider it preventive financial health care for providers and patients.
— Peter Poulin is vice president of marketing at Motion Computing.