
Business Phone Systems

#264146 09/18/08 02:41 PM
Joined: Dec 2002
Posts: 9,424
Likes: 1
Member
*****
OP Offline
One of my customers, an optometrist's office, called me today. They are upgrading their practice software and are looking at getting a wireless network set up so they can use a laptop to do patient charting in the exam rooms. I do not really know what is required as far as encryption goes with HIPAA standards. I also am not too sure about mid-level business wireless access points. I don't want a residential Linksys AP, nor do I want a 500 dollar Cisco AP. I was hoping someone might have some advice.
Thanks guys-
Jeff


Jeff Moss

Moss Communications
Computer Repair-Networking-Cabling
MBSWWYPBX, JGAE

Joined: Jan 2007
Posts: 1,951
Likes: 2
Member
*****
Offline
If I were you, I would start with those HIPAA requirements. Here is a white paper on this very topic from Meru Networks. It's a far easier read than the official HIPAA Standards as published by the Department of Health and Human Services.

This is going to be a touchpoint for this install. Every time I run into HIPAA, it's a whole bunch of drama. My most recent experience was with University of California bookstores' credit card transactions. It's not a bad thing (I want MY credit card info kept safe), but just realize that this can be a can of worms...even if you do your homework.


"Press play and record at the same time" -- Tim Alberstein
Joined: Nov 2004
Posts: 290
TDS Offline
Member
You might want to look at this AP; it has what you need: https://us.zyxel.com/web/product_fa...20161256&CategoryGroupNo=PDCA2007128
Also, once your network key is defined, the use of MAC address filters to allow only the laptops that are listed will work.

After that, disable the SSID broadcast.

Hope this helps.
Mike

Joined: Jan 2002
Posts: 2,328
Moderator-Comdial
*****
Offline
If you have a computer science department, ask them and don't forget about doing a wireless survey!

Joined: Apr 2001
Posts: 1,390
Member
Offline
There is nothing in HIPAA that tells you to implement xyz in the case of wireless security. It does, however, give you some statutory clauses in regards to security, "reasonable and expected". In your case it sounds as if this is a small office, so at a minimum I would implement:

WPA/AES
MAC authentication
No SSID broadcast, with a fairly obscure/random SSID.

Joined: Jun 2005
Posts: 512
Member
Offline
I was going to ask Jeff how his project is going.

Joined: Dec 2002
Posts: 9,424
Likes: 1
Member
*****
OP Offline
Right now I'm still doing some research and looking at products. The customer is still in the financing stage so it will be a while before it's all done. I also have to go there next time I am home to figure out where the AP needs to go and see about a data cable and power outlet.


Jeff Moss

Moss Communications
Computer Repair-Networking-Cabling
MBSWWYPBX, JGAE
Joined: Jan 2002
Posts: 2,328
Moderator-Comdial
*****
Offline
Use POE capable devices and forget about the electrician!

Joined: Mar 2008
Posts: 78
Member
Offline
Jeff,

Hope this post isn't too late for you.... I also hope I'm not preaching to the choir, as I get the impression you've been at this sort of thing a while too.

I agree with jwooten, POE is the best for situations like this. Just use any inexpensive POE injector and leave the power stuff at the network cabinets, that way they can be power protected.

I did a bunch of similar McDonald's rollouts, so I've developed a method: To be sure your AP is in the right location, download NetStumbler (see https://www.netstumbler.com/downloads/) on your XP or 2000 based laptop, start scanning, and walk around with it. Stop for about 30 seconds at all critical locations (say, 6). You want to be able to get at least 60% signal at all locations that will need to be accessed.

No, this is not the same as using your wireless card drivers because it shows the strength of other wireless AP signals at those locations also.

Then, you can print out the reports and draw up a signal strength map for the administrators to satisfy them it isn't your fault when EUs can't get on the network. A little homework here will save you lots of headaches later on.

Hope this helps.
Jason

Joined: Dec 2002
Posts: 9,424
Likes: 1
Member
*****
OP Offline
No, you are not too late...they aren't doing the wireless just yet. I'm going in Monday to install their new server and the wireless will be somewhere down the road.
Thanks for all the help!


Jeff Moss

Moss Communications
Computer Repair-Networking-Cabling
MBSWWYPBX, JGAE
Joined: Jun 2005
Posts: 261
Member
Offline
You could try this: treat the wireless as insecure, and put it outside the firewall, on the insecure portion of the network, and then use a VPN between the laptop(s) and the server. They could even offer wireless access to their patients, without compromising security.

At a local non-profit that I work with, our network looks something like this:

(DSL from ISP)
/ / /
(Router/WAP) -- (wireless guest users)
/ / /
(server/firewall)
/ / /
(user PC's)

Joined: May 2007
Posts: 1,218
Member
Offline
Actually the best way is to use a Cisco ASA for the router and use a cheap wireless AP. What I did with my Cisco ASA was to create a VLAN for the wireless. Vlan1 is the inside interface, Vlan2 is outside and Vlan3 is the wireless. Vlan 3 cannot see Vlan1, so I don't need to worry about someone getting on the wireless network and getting to my servers. I still use WEP keys and MAC filtering for security.

Now how do I get my laptops on the wireless to see the network? Simple... I use the Cisco VPN client on the laptop to make the connection.

This makes for a very secure wireless network and all data between the AP and any notebook travels the VPN, so that data is secure.

I know you want to keep the wireless open for the public, so just don't use any WEP or MAC filtering. The VPN client will be plenty secure and because of the Vlan, users will not be able to get to your internal network.

A base model Cisco ASA 5505 is only around $500 and its security is tremendous.

Let me know if you need any help setting up the network.
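
The VLAN layout described in the post above, sketched as an ASA 5505 configuration fragment. This is an added example, not the poster's actual configuration: the subnets, DHCP pool, switch-port assignments and the interface name `wireless` are constructed for illustration, and NAT and the VPN client setup are not shown.

```cisco
! Constructed example: addresses and port numbers are placeholders.
!
! Vlan1 = inside (trusted LAN and server)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Vlan2 = outside (ISP)
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Vlan3 = wireless. "no forward interface" stops this VLAN from
! initiating connections to Vlan1. On the base license it is
! entered before nameif.
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Port facing the ISP
interface Ethernet0/0
 switchport access vlan 2
!
! Port the access point plugs into
interface Ethernet0/2
 switchport access vlan 3
!
! Address pool handed to wireless clients
dhcpd address 192.168.3.10-192.168.3.50 wireless
dhcpd enable wireless
```

After loading a configuration like this, `show switch vlan` lists which physical ports sit in each VLAN, which is a quick way to confirm the access point's port is not in Vlan1.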

Joined: Dec 2002
Posts: 9,424
Likes: 1
Member
*****
OP Offline
Well, the first stage of the project is done. I installed their server on Saturday. They now want wireless in a couple spots so I think I'm going to need to install 2 access points.


Jeff Moss

Moss Communications
Computer Repair-Networking-Cabling
MBSWWYPBX, JGAE
Joined: Jan 2008
Posts: 148
Member
Offline
I know this is an old post, but...

If you can get them to spring for it, Marc's recommendation is the one I'd follow. It will also let you provide two additional sell points to your client.

1) You can configure the VPN to authenticate through LDAP to the server you just set up, which means that a user only needs to remember the one password and thus will be less likely to write it down.

2) The principals and yourself will be able to work from home if the need arises.

One word of caution. Netstumbler won't see a network that is not broadcasting its SSID unless you set your SSID to that name instead of 'ANY'. If you are familiar with Linux, you should instead run KISMET, which is a listen-only scanner. Provided your network card supports it, you should still get signal and noise level information.

The ideal method for site surveys is a notebook running with a WiSPY Spectrum Analyzer left overnight; then you can record not only potential WiFi networks, but other devices which operate in the 2.4G ISM band (cordless phones, Bluetooth, wireless cameras, wonky microwave ovens, etc.) and, if you spring for the full version, 5.8G bands as well.


About me:
8 years of network support
7 years IT field service

Always looking for the next project to be done.
Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help