9. Limit Network Access
Ease of use and flexibility make contemporary networking tools very appealing. Web 2.0 technologies like peer-to-peer file sharing and instant messaging are popular and widely used. Wireless routing is a quick and easy way to set up broadband capability within a home or office. However, because of the sensitivity of health care information and the fact that it is protected by law, tools that might allow outsiders to gain access to a health care practice’s network must be used with extreme caution.
Wireless routers that allow a single incoming Internet line to be used by multiple computers are readily available for less than $100. For the small practice that intends to rely on wireless networking, special precautions are in order. Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes. Since electronic health information flowing over the wireless network must be protected by law, it is crucial to secure the wireless signal so that only those who are permitted to access the information can make use of it. Wireless routers must be set up to operate only in encrypted mode, using WPA2 with AES (CCMP) or WPA3 and a long, random passphrase. Older modes still offered by many routers, WEP and the original WPA with TKIP, are broken and should be treated as if the network were unencrypted.
Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access. When a wireless network is configured, each legitimate device must be identified to the router, and only then can the device be permitted access. Note that identifying devices by hardware (MAC) address alone is a weak control, because an address can be observed over the air and copied by an attacker; it raises the bar for casual access but does not replace the passphrase. Where the practice can manage it, per-device credentials or certificates (WPA2/WPA3-Enterprise using 802.1X) give a far more reliable answer to the question of which device is connecting.
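As an added example (not from the original guide), the following script audits a hostapd-style access point configuration for the points raised above: encryption that is still sound (WPA2 with CCMP, or WPA3), no WEP or TKIP fallback, a strong passphrase, management-frame protection, WPS disabled, and a per-device allowlist. The two configuration texts are constructed for the example, and the passphrase minimum is a local policy assumption, not a hostapd limit. The option names themselves (wpa, rsn_pairwise, ieee80211w, wps_state, macaddr_acl, accept_mac_file) are real hostapd settings.

```python
"""Audit a hostapd-style access point config for the wireless controls above.
Both configuration texts are constructed samples for this example."""

# Constructed sample: an "it works" setup with the weaknesses this section warns about.
WEAK_CONFIG = """\
interface=wlan0
ssid=ClinicWiFi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=clinic123
wps_state=2
macaddr_acl=0
"""

# Constructed sample: the same access point, corrected.
HARDENED_CONFIG = """\
interface=wlan0
ssid=ClinicWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Wq7!mR2p#Lx9vB4tZc8Q
ieee80211w=2
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

MIN_PASSPHRASE_LEN = 16  # local policy assumption; hostapd itself allows 8 to 63 characters


def parse_hostapd(text):
    """Parse key=value lines. '#' lines and blanks are comments; split on the
    first '=' so a passphrase containing '=' survives intact."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(text):
    """Return a list of (severity, message) findings; an empty list passes."""
    cfg = parse_hostapd(text)
    findings = []

    # Is encryption on at all? wpa=0 (or absent) means an open network.
    wpa = int(cfg.get("wpa", "0"))
    if any(k.startswith("wep_") for k in cfg):
        findings.append(("CRITICAL", "WEP keys configured; WEP is broken and must not be used"))
    if wpa == 0:
        findings.append(("CRITICAL", "wpa=0: network is open (no encryption)"))
        return findings  # remaining checks presuppose WPA

    # Bit 1 of 'wpa' admits WPA version 1 clients, which only speak TKIP.
    if wpa & 1:
        findings.append(("HIGH", "wpa=%d permits WPA (version 1) clients; set wpa=2" % wpa))

    # Pairwise cipher: hostapd's rsn_pairwise defaults to wpa_pairwise when unset.
    wpa_pairwise = cfg.get("wpa_pairwise", "").split()
    rsn_pairwise = cfg.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    if "TKIP" in rsn_pairwise or (wpa & 1 and "TKIP" in wpa_pairwise):
        findings.append(("HIGH", "TKIP pairwise cipher enabled; use CCMP only"))
    if wpa & 2 and "CCMP" not in rsn_pairwise:
        findings.append(("HIGH", "rsn_pairwise does not include CCMP (AES)"))

    # A PSK can be cracked offline from one captured handshake, so length matters.
    if "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK").split():
        if len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(("HIGH", "wpa_passphrase shorter than policy minimum of %d" % MIN_PASSPHRASE_LEN))

    # ieee80211w=2 requires protected management frames (blocks trivial deauth attacks).
    if cfg.get("ieee80211w", "0") != "2":
        findings.append(("MEDIUM", "ieee80211w != 2: management frame protection not required"))

    # WPS exposes a brute-forceable PIN; keep it off.
    if cfg.get("wps_state", "0") != "0":
        findings.append(("HIGH", "wps_state != 0: WPS enabled"))

    # Device allowlist: macaddr_acl=1 accepts only listed MACs, 2 defers to RADIUS
    # (pair that with WPA-EAP/802.1X for device identity that cannot be spoofed).
    acl = cfg.get("macaddr_acl", "0")
    if acl == "0":
        findings.append(("MEDIUM", "macaddr_acl=0: any device with the passphrase may join; no device allowlist"))
    elif acl == "1" and "accept_mac_file" not in cfg:
        findings.append(("MEDIUM", "macaddr_acl=1 but no accept_mac_file configured"))
    return findings


def is_acceptable(text):
    """True when no CRITICAL or HIGH findings remain."""
    return not any(sev in ("CRITICAL", "HIGH") for sev, _ in audit(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %s" % (name, "PASS" if is_acceptable(text) else "FAIL"))
        for sev, msg in audit(text):
            print("  [%s] %s" % (sev, msg))
```

Run against the weak sample the script reports WPA version 1, TKIP, a short passphrase, WPS and the missing allowlist; the hardened sample produces no findings. The MAC allowlist finding is deliberately only MEDIUM: it is a useful extra layer, but as the text above notes, the passphrase (or better, 802.1X) is what actually keeps outsiders off the network.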
Peer-to-peer applications, such as file sharing and instant messaging, can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed. Check to make sure peer-to-peer applications have not been installed without explicit review and approval. It is not sufficient to just turn these programs off or uninstall them: the uninstaller may leave behind components such as helper services, browser plug-ins, or firewall exceptions, and anything that was downloaded through the application remains on the machine. A computer that has run unapproved peer-to-peer software should therefore be scanned, or rebuilt from a known-good image, before it is trusted with health information again.
A good policy is to prohibit staff from installing software without prior approval.
Network Access Checklist
Policies are in place prescribing network configuration and access.
All staff members understand and agree to abide by network use policy.
Access to the network is restricted to authorized users and devices.
Guest devices are prohibited from accessing networks that contain Protected Health Information (PHI).
Wireless networks use appropriate encryption.
Computers contain no peer-to-peer applications.
Public instant messaging services are not used. Private instant messaging services, where used, are secured appropriately.