OP
Member
Joined: Dec 2002
Posts: 9,424 Likes: 1 |
One of my customers, an optometrist's office called me today. They are upgrading their practice software and are looking at getting a wireless network setup so they can use a laptop to do patient charting in the exam rooms. I do not really know what is required as far as encryption goes with HIPAA standards. I also am not too sure about mid-level business wireless access points. I don't want a residential Linksys AP, nor do I want a 500 dollar Cisco AP. I was hoping someone might have some advice. Thanks guys- Jeff
Jeff Moss Moss Communications Computer Repair-Networking-Cabling MBSWWYPBX, JGAE
Member
Joined: Jan 2007
Posts: 1,951 Likes: 2 |
If I were you, I would start with those HIPAA requirements. Here is a white paper on this very topic from Meru Networks. It's a far easier read than The official HIPAA Standards as published by the Department of Health and Human Services. This is going to be a touchpoint for this install. Every time I run into HIPAA, it's a whole bunch of drama. My most recent experience was with University of California bookstores' credit card transactions. It's not a bad thing (I want MY credit card info kept safe), but just realize that this can be a can of worms...even if you do your homework.
"Press play and record at the same time" -- Tim Alberstein
Member
Joined: Nov 2004
Posts: 290 |
You might want to look at this AP, it has what you need: https://us.zyxel.com/web/product_fa...20161256&CategoryGroupNo=PDCA2007128
Also, once your network key is defined, the use of MAC address filters to allow only the laptops that are listed will work. After that, disable the SSID broadcast.
Hope this helps.
mike
Moderator-Comdial
Joined: Jan 2002
Posts: 2,328 |
If you have a computer science department, ask them and don't forget about doing a wireless survey!
Member
Joined: Apr 2001
Posts: 1,390 |
There is nothing in HIPAA that tells you to implement xyz in the case of wireless security. It does, however, give you some statutory clauses in regards to security, "reasonable and expected". In your case it sounds as if this is a small office, so at a minimum I would implement:
WPA/AES
MAC authentication
No SSID broadcast, with a fairly obscure/random SSID.
Member
Joined: Jun 2005
Posts: 512 |
I was going to ask Jeff how his project is going.
OP
Member
Joined: Dec 2002
Posts: 9,424 Likes: 1 |
Right now I'm still doing some research and looking at products. The customer is still in the financing stage so it will be a while before it's all done. I also have to go there next time I am home to figure out where the AP needs to go and see about a data cable and power outlet.
Jeff Moss Moss Communications Computer Repair-Networking-Cabling MBSWWYPBX, JGAE
Moderator-Comdial
Joined: Jan 2002
Posts: 2,328 |
Use POE capable devices and forget about the electrician!
Member
Joined: Mar 2008
Posts: 78 |
Jeff,

Hope this post isn't too late for you.... I also hope I'm not preaching to the choir, as I get the impression you've been at this sort of thing a while too.

I agree with jwooten, POE is the best for situations like this. Just use any inexpensive POE injector and leave the power stuff at the network cabinets, that way they can be power protected.

I did a bunch of similar McDonald's rollouts, so I've developed a method: To be sure your AP is in the right location, download netstumbler (see https://www.netstumbler.com/downloads/) on your XP or 2000 based laptop, start scanning, and walk around with it. Stop for about 30 seconds at all critical locations (say, 6). You want to be able to get at least 60% signal at all locations that will need to be accessed. No, this is not the same as using your wireless card drivers because it shows the strength of other wireless AP signals at those locations also. Then, you can print out the reports and draw up a signal strength map for the administrators to satisfy them it isn't your fault when EUs can't get on the network. A little homework here will save you lots of headaches later on.

Hope this helps.

Jason
OP
Member
Joined: Dec 2002
Posts: 9,424 Likes: 1 |
No, you are not too late...they aren't doing the wireless just yet. I'm going in Monday to install their new server and the wireless will be somewhere down the road. Thanks for all the help!
Jeff Moss Moss Communications Computer Repair-Networking-Cabling MBSWWYPBX, JGAE
Member
Joined: Jun 2005
Posts: 261 |
You could try this: treat the wireless as insecure, and put it outside the firewall, on the insecure portion of the network, and then use a VPN between the laptop(s) and the server. They could even offer wireless access to their patients, without compromising security.
At a local non-profit that I work with, our network looks something like this:

(DSL from ISP)
/
/
/
(Router/WAP) -- (wireless guest users)
/
/
/
(server/firewall)
/
/
/
(user PC's)
Member
Joined: May 2007
Posts: 1,218 |
Actually the best way is to use a Cisco ASA for the router and use a cheap wireless AP. What I did with my Cisco ASA was to create a VLAN for the wireless. Vlan1 is the inside interface, Vlan2 is outside and Vlan3 is the wireless. Vlan 3 cannot see Vlan1, so I don't need to worry about someone getting on the wireless network and getting to my servers. I still use WEP keys and MAC filtering for security.
Now how do I get my laptops on the wireless to see the network? Simple... I use the Cisco VPN client on the laptop to make the connection.
This makes for a very secure wireless network and all data between the AP and any notebook travels the VPN, so that data is secure.
I know you want to keep the wireless open for the public, so just don't use any WEP or MAC filtering. The VPN client will be plenty secure and because of the Vlan, users will not be able to get to your internal network.
A base model Cisco ASA 5505 is only around $500 and its security is tremendous.
Let me know if you need any help setting up the network.
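Both designs in the two posts above (wireless on its own segment, inside network reachable only through the VPN) depend on the claim that the wireless segment cannot reach the inside hosts. The following is an added example, not code from any poster in this thread, of a check to run from a wireless laptop with the VPN disconnected and again with it connected; the addresses and ports are placeholder assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholders: inside-VLAN services that a wireless client
# must not reach unless its VPN tunnel is up. Replace with real hosts/ports.
INSIDE_TARGETS = [
    ("192.168.1.10", 445),   # file share on the server (assumed)
    ("192.168.1.10", 3389),  # remote desktop (assumed)
    ("192.168.1.10", 1433),  # practice-software database (assumed)
]

def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # something answered, so a path exists
    except OSError:          # timeout, host/network unreachable
        return "filtered"

def audit_isolation(targets, vpn_up, timeout=2.0):
    """Compare observed reachability with what the segmented design expects.

    vpn_up=False: every target should be 'filtered'. Even 'closed' is a
    finding, because a refusal means traffic crossed between the segments
    or the firewall is answering for the host.
    vpn_up=True: every target should be 'open'.
    Returns the (host, port, state) tuples that violate the expectation.
    """
    with ThreadPoolExecutor(max_workers=8) as pool:
        states = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    findings = []
    for (host, port), state in zip(targets, states):
        expected = "open" if vpn_up else "filtered"
        if state != expected:
            findings.append((host, port, state))
    return findings

if __name__ == "__main__":
    for host, port, state in audit_isolation(INSIDE_TARGETS, vpn_up=False):
        print(f"VIOLATION: {host}:{port} is {state} from the wireless segment")
```

An empty result with the VPN down and again with it up means the segmentation and the tunnel both behave as the design intends.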
OP
Member
Joined: Dec 2002
Posts: 9,424 Likes: 1 |
Well, the first stage of the project is done. I installed their server on Saturday. They now want wireless in a couple spots so I think I'm going to need to install 2 access points.
Jeff Moss Moss Communications Computer Repair-Networking-Cabling MBSWWYPBX, JGAE
Member
Joined: Jan 2008
Posts: 148 |
I know this is an old post, but...
If you can get them to spring for it, Marc's recommendation is the one I'd follow. It will also let you provide two additional sell points to your client.
1) You can configure the VPN to authenticate through LDAP to the server you just set up, which means that a user only needs to remember the one password and thus will be less likely to write it down.
2) The principals and yourself will be able to work from home if the need arises.
One word of caution. Netstumbler won't see a network that is not broadcasting its SSID unless you set your SSID to that name instead of 'ANY'. If you are familiar with Linux, you should instead run KISMET, which is a listen-only scanner. Provided your network card supports it, you should still get signal and noise level information.
The ideal method for site surveys is a notebook running with a WiSPY Spectrum Analyzer left overnight; then you can record not only potential WiFi networks, but other devices which operate in the 2.4G ISM band (cordless phones, Bluetooth, wireless cameras, wonky microwave ovens, etc.) and, if you spring for the full version, 5.8G bands as well.
About me: 8 years of network support 7 years IT field service
Always looking for the next project to be done.