Home Forums Discussions General Discussion Wireless Internet

My office is in a semirural area with not great DSL service. I am paying $75.00 for 768k/347k service which is very slow. I have recently upgraded to a different carrier for a bit more cost, but twice the speed. My plan was to discontinue the slower service and get Sprint 4g service with a phone that can act as a wireless hot spot for my office in the event the dsl goes down. When I called the slower service (oneComm) to D/C, I was forced to speak to my account representative who insisted that use of wireless internet would not be HIPPA compliant, he also stated that repair time would be much lower priority with the asymmetrical DSL of Verizon compared with the symmetrical service I have with them. Is he just giving me a line, or does he have a point.

Thanks,

Rich

As far as wireless being inherently non-HIPPA compliant, he is trying to talk using an orifice other than his mouth.

Having lived through service interruptions in different parts of the US (record snow in Sierras, firestorms in SoCal), one of the first things that get fixed is antenna coverage. Some of the same towers that have cell repeaters also have the antennas, power supplies, and network backhaul that first-responders depend on for operational communications. I'd argue that in most places your rep has it exactly backwards. See para #1.

DocMartin and I will be covering this, along with several other enabling technology subjects in our session.

The short answer about the Internet and HIPPA is all in how you use it, and protecting patient data.

I don't understand the asymmetrical DSL comment. The 768/347 is asymmetrical, so they are both the same in that regard.

Why were you forced to speak with your account representative. I think in retrospect, I would have just told him I would like to disconnect my service. Why? Because I would like to disconnect my service.

Indy has it completely right. It depends what you use it for. If you surf the web, there are no issues. If you send a non-certified email, there is.

The carrier now insists that you speak with your rep and then fax a written order to D/C on letterhead. At that point I became skeptical. I agree with the asymmetrical comment. They may think I am getting symmetrical 768k, but I know different from the speed test.

At this point in the conversation I was about done and mentioned using wireless service as backup (with encrypted email) when he brought up this HIPPA thing, ending the sentence with "one patient file intercepted by someone else and you're out of business". So I guess I guess I am still not clear on whether there are any legitimate security concerns with wireless based internet solutions that do not exist with hardwired solutions with or without wifi. If I am accessing Quest labs or my local pacs, accessing Updox or logmein to AC,or transmitting encrypted files/dictation between offices is this more of a real issue over a wireless internet service that over ground. I really think the rep was trying to save another account, but it brings up in interesting point. Oh, I called Sprint support on this issue and they were clueless. (The verizon tech I spoke with this AM said my DSL service is "HIPPA certified"). I didn't know there was such a thing.

Rich

UpDox, LogMeIn, and (I greatly suspect) Quest Labs use encrypted connections. The encryption occurs between client and server, and once they have a encrypted session started at the very beginning, there is no information in the clear.

Examples of things that are no-nos, as Bert mentioned, unencrypted emails with patient data, a letter attachment that mentions patient data, or uploading a patient record through FTP.

To be clear, the rules are no different between a wired or wireless connection; the communication is encrypted or it isn't.

Sounds like the infamous FUD technique - Fear, Uncertainty, and Doubt.

Exactly. I would love to look at that contract they have. I have never heard of a contract that stipulates you can't cancel your service without talking to your rep. Now they may have other statements that say you have to pay the remainder of your contract, etc., but this having to talk to this rep is crazy. I would have your lawyer draft a letter stating that you wish to drop your service agreement.

You can also tell your representative that you will sign a contract for the next ten years if he can name one doctor who ever was "put out of business" for violating HIPAA.

I guess I am not clear on two things. First, is there an inherent possibility that the DSL will go down? I have no backup plan if Roadrunner goes down. I don't really need Internet service to get by for quite awhile. And, why does your current provider need to know anything about your Sprint 4G plan?

I was trying to explain to him why I was switching (my first mistake). He said people had in the past cancelled service then claimed they hadn't and caused trouble. Sounds Fishy. Funny thing is they were about 1/2 the price of Verizon about 8 years ago when I made the switch for voice lines, but recently Verizon's pricing has gotten much more aggressive (they actually have people call you from their "Win Back Group") and I think OneComm is feeling the heat.

Rich

Well, turn up the hea then. Just make sure if you write him a letter and mention HIPAA, that you spell it HIPAA, lol.

I would bet that 90% of practices have some portion of the work going wireless (laptops etc) but now you have me wondering. We have 3 printers we have added which are wireless, (which saved the need to pull cable to put them in the location we wanted). But are they encrypted? And how do I know?

Now I feel really stupid.

I'm pretty sure he was referring to the internet wireless service and not the WiFi

I am sure he meant the wireless internet service also - again fear and unknown. The internet is not HIPAA certified either, again your application needs to send data securely which is why your off site backup is encrypted, e prescribing is encrypted, etc.

People say anything to make or keep a sale - they really don't know what they are talking about. It is like someone saying their EMR is certified for the new bonus......none are and it took a year to define "meaningful use" and now they are working on "certified".

On your wifi, if you use WPA2 and 14 numbers in your password that consist of lower case, upper case and numbers which are generated by a random generator, you should be all set. I can't speak completely for wireless Internet, but for WiFi you are all set. MAC addresses do nothing, although it can't hurt.

Martin, don't stop printing. These are 1s and 0s in the air. If you read through HIPAA (and I have word for word), a lot of it states doing your best within reason in the face of an extremely good hacker.

I will never forget a certified expert in networking and the Internet and confidentiality (yes remember confidentialty) told me, "He said, Bert, is there anyone out there that can break into your network and take all your data? Yes, there are thousands. Is there anyone out there who will target your network and hack it so as to get your data? Doubtful. Let's see: Key Bank, Citicard, Visa, Enron, Pentagon, Bert's network.

If you are really worried about HIPAA, then read the manual and make sure your office paperwork is up to speed. The stupid manuals you should have in place.

I say this. Fire that SOB. Hire Verizon and don't give it another thought. Then send him a letter asking him if his family would like to join your practice.

I have sent plenty of PDFs that were encrypted and password protected, where I send the password via separate cover. The only bad thing is if you make it too HIPAA compliant, 2/3 of the doctors can't open it.

Rich,

Just make sure that everything that is on your WIFI is using a WPA/WPA2 key to talk to the access point (ala Bert's suggestion above), and you can put your mind at ease.

As far as the portable cellular hotspot - enable WPA/WPA2 and you'll be running encrypted there as well.

Don't let the FUD get to you, sounds like you have a solid plan to protect your practice and your patient data.

Seriously doubt that an account rep selling DSL has years of experience in IT security, much less ISSA experience. (https://www.issa.org/)