Member | Joined: Jul 2007 | Posts: 971 | OP
Yes, yes; I know, I know! It is the consensus of the User Board that wired network connections are the best. Well and good.
Now, supposing a clinic must have a wireless network.
What is your advice? -- for security, reliability, affordability.
Brian Cotner, M.D. Family Practice
Member | Joined: Sep 2003 | Posts: 12,873 | Likes: 34
The most reliable connection is to use 802.1x authentication - and the best authentication mechanism is, to my mind, EAP Tunneled Transport Layer Security. This is only really viable in a business environment, as you require RADIUS. And you can choose to use this in conjunction with WEP, or not. For the most reliable wireless - choose this method without WEP. For security - I would advise utilizing WPA2 Enterprise, though - but this isn't the most reliable type of connection - but it could be, depending on environmental factors, number of APs etc.
http://www.lawtechguru.com/archives/2004/08/01_wireless_networking_best_practices_version_20.htm
These are all quotes from Experts Exchange. Certainly not from me.
Bert Pediatrics Brewer, Maine
Member | Joined: Feb 2006 | Posts: 1,674
From what I understand both WPAs are pretty good. We have been doing WPA2 for a while now. I really cannot stress enough just how much our network has improved since we changed internet security packages. It never dawned on me how much these things can have a positive or negative impact on such things. I thought I loved Trend Micro until all my network traffic, and only for AC in P2P mode, went to hell in a hand basket...
Since we have changed all the computers to Kaspersky, half the issues I thought were things like needing to reboot the router were really probably the internet security package messing things up.... Not to jinx myself, but I don't think I have had to reboot the router once since the swap months ago. And almost no connection-to-database issues anymore either. AC and Kaspersky is a really solid combination. The best we have had to date, and I'm sticking to it.
"Beware of the Medical Industrial Complex" "The Insurance Industry is a Legalized CARTEL"
Member | Joined: May 2008 | Posts: 337
Brian, there are two very basic things you can do to "SECURE" your wireless network: 1) Encryption - your basic WPA should serve you fine when coupled with 2) Wireless MAC filter - this feature means only PRE-DEFINED MAC ADDRESSES/computers are allowed on the network. It will also help if you run your wireless network in STEALTH mode by setting Wireless SSID Broadcast to DISABLED. Of course none of this means anything if your router password is still "ADMIN".
Last edited by gkfahnbulleh; 07/08/2008 1:44 PM.
"The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn." ~ Alvin Toffler
Member | Joined: Jun 2008 | Posts: 60
For security
Use Windows Server 2003/2008 with strong passwords, limited user accounts, authentication with 802.1x and a RADIUS server. Good antivirus, IP filtering, antispyware and iron-fisted IT policies of not installing unapproved software like "file sharing" and internet games are just as necessary.
Using 802.1x allows you to allow/revoke users on the Windows domain. Using WPA/WPA2 alone on each workstation computer is more risky because that information can be discovered, compromised, etc. and is not centrally managed. The encryption certificate is installed on the client computer without ever being broadcast across the network.
Using MAC filtering is a waste of time. The MAC is broadcast by the client computers and can be easily spoofed. It is just an administration headache with little benefit.
Using a hidden SSID is useful.
Reliability
Windows server placed on good hardware. Do not go out and buy the Staples $50 toy router. Get an enterprise or small business class router appliance. Usually $200-500. Cisco makes pretty good stuff. I do not have any recommendations; I flash my home routers with DD-WRT, but that is a "hack" job. My clinic is part of a group with IT staff that use Cisco routers.
Affordability
That is a relative concept. What is the affordability of an insecure system? Cost is only one part of the problem.
Member | Joined: May 2008 | Posts: 337
Geoffrey, while I agree with all of what you have written, the question becomes how many Docs can configure and operate these things? I use a FortiGate 60B Firewall/Router. For me I believe in the "REASONABLE CARE" standard. Data can be stolen from ANY SYSTEM. If someone wants to get into your system bad enough they will pay the cleaning company to let them sit at a terminal at night; or they will pay an employee. The bottom line is THEY WILL GET WHAT THEY WANT! At what point do doctors stop practicing medicine and become Network Security Experts or have to hire a network security expert? How much must each doctor spend on this, ESPECIALLY when the payments to doctors are decreasing? One doc I know spends $850/month on "network management / security." That is nearly 10K per year. For my doc, we will use the "REASONABLE CARE" standard: 1) WPA 2) MAC Address Filtering - if an intruder has the ability to spoof the MAC addresses, I can guarantee he/she has other tools at his/her disposal. 3) No SSID Broadcast 4) Strong Password Policies. Oh, don't forget there is FISA also! If the telecoms can get retroactive immunity, the software companies, INCLUDING RADIUS, Microsoft, can also! Yes, I do have a bit of paranoia... Who do I think writes computer viruses? Who benefits the most from it? The anti-virus companies. Just a thought... lol
"The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn." ~ Alvin Toffler
Member | Joined: Feb 2006 | Posts: 1,674
Ya know, Gee, the more I get to know you the more I appreciate you. Did you read the link I posted from the medical privacy section of the ACLU? Part of it spoke to the FBI, FISA and many other scary things...
You know the old saying about paranoia if they are really out to get you???
"Beware of the Medical Industrial Complex" "The Insurance Industry is a Legalized CARTEL"
Member | Joined: Jan 2007 | Posts: 121
For a cheap solution, look for a router that can handle Linux firmware (i.e. DD-WRT or Tomato, which I prefer because it seems to have better QoS, important if you're using things like VoIP for your office), which can take a $50 router and make it have features that cost a lot more.
We are actually using 802.11g for our office, and haven't had too many problems in terms of speed. We have the AC db installed on the main computer we use, and other computers usually take a couple more seconds to log in, but once logged in, it will work at similar speeds. You also want to make sure your computers not only support the g protocol (n is faster, I know, but g speed is fully functional, and I don't think there's Linux firmware for the n based routers now), but also the WPA protocol (hopefully 2, and AES). WEP, even 128-bit, can be broken with off-the-shelf stuff, I hear. If you want to go RADIUS, you can also do it with the Linux firmwares.
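The thread's recurring advice (Geoffrey's post above and this one: WPA2 with AES, 802.1X/RADIUS rather than one shared key, MAC filtering and a hidden SSID as weak extras at best) as a small config audit. This is an added example, not code from the forum or from any poster; it reads hostapd-style key=value settings (the key names are real hostapd ones, the two sample configs are constructed, and the severity ratings are our own choice).

```python
# Audits a hostapd-style AP config against this thread's advice. Added example,
# not from the forum; both sample configs are constructed. hostapd key names are
# real; the severity ratings are our own.

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (severity, message) findings; HIGH means fix before go-live."""
    f = []
    wpa = conf.get("wpa", "0")
    if wpa == "0" or any(k.startswith("wep_") for k in conf):
        f.append(("HIGH", "open or WEP network: WEP is broken"))
    elif wpa != "2":
        f.append(("HIGH", "WPA1 allowed (wpa=%s): require WPA2 only" % wpa))
    if "TKIP" in conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", ""):
        f.append(("MEDIUM", "TKIP allowed: use CCMP (AES) only"))
    enterprise = ("WPA-EAP" in conf.get("wpa_key_mgmt", "")
                  and conf.get("ieee8021x") == "1" and "auth_server_addr" in conf)
    if enterprise:
        f.append(("INFO", "802.1X/RADIUS: per-user credentials, centrally revocable"))
    else:
        f.append(("MEDIUM", "pre-shared key: one secret for all, rotate when staff leave"))
        if len(conf.get("wpa_passphrase", "")) < 20:
            f.append(("HIGH", "passphrase under 20 characters"))
    if conf.get("macaddr_acl") == "1":
        f.append(("INFO", "MAC allow-list: MACs are visible and spoofable, not a control"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        f.append(("INFO", "hidden SSID: clients still reveal it when probing"))
    return f

def audit_text(text):
    return audit(parse_conf(text))

# Constructed: consumer-style setup leaning on the weak extras from the thread.
WEAK_CONF = """interface=wlan0\nssid=clinic\nwpa=1\nwpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP\nwpa_passphrase=clinic2008\nmacaddr_acl=1\nignore_broadcast_ssid=1"""
# Constructed: WPA2-Enterprise, 802.1X against a RADIUS server (RFC 5737 test address).
HARDENED_CONF = """interface=wlan0\nssid=clinic\nwpa=2\nwpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP\nieee8021x=1\nauth_server_addr=192.0.2.10\nauth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET"""
```

Run `audit_text(WEAK_CONF)` to see two HIGH findings (WPA1 and a short passphrase) beside the MAC-filter and hidden-SSID notes, and `audit_text(HARDENED_CONF)` to see only the 802.1X/RADIUS line.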
Member | Joined: Sep 2003 | Posts: 12,873 | Likes: 34
I agree with George on the going way overboard on the security piece. And, I agree with good passwords, etc. But, please get at least a Cisco firewall. Sure, configuring 443, 444, SMTP, 4125, port direction and translation, NAT, etc. can be the job of an IT person or a doctor with little else to do. But, a PIX 501 (which they are discontinuing), your static IP and your ISP's default gateway and subnet mask and the wizard will walk you right through it. Then, if you want to configure RWW, etc., call me. I am a doctor with little else to do.
Bert Pediatrics Brewer, Maine
Member | Joined: Jun 2008 | Posts: 60
Network security is a practice, not a destination. Too many AC users disregard basic security practices in the name of speed, convenience, cost, etc. While it is true that data can be stolen from any system, you better make sure that it is not your system. Your patients will not be too happy if your EMR database is stolen and now all of their private information is out in the open (whether it actually is or not is a moot point). Especially if the attitude is "well a determined hacker can get it anyways so why bother".
"Reasonable standard" is an open-ended question. I do not worry about being HIPAA compliant, I worry about being out of compliance. Since that standard is going to be determined in a court of law at some point, I certainly would not want to be that person.
I wish that we could practice medicine exclusively; however, that is not the case. IT security should be taught in medical school as far as I am concerned and basic competency assessed. You do not have to be a networking guru but the basics are still important. Solid understanding of basic IT security is essential. You need to hire out what you do not know how to do, however.
However, there are situations where just using the basics can work. A home environment is fine with WPA2 and perhaps a small installation of two or three wireless clients. But just remember there are worse things than having your data stolen. A hacker could steal off of your internet access and start downloading kiddy porn. Try explaining that to your patients or the police.
At least make sure that you use WPA2 w/ AES encryption and change the keys regularly and use very long passphrases. Also I would place an internet filter on the router or through the ISP to limit porn, file sharing, Facebook, etc. on your network.
Member | Joined: Sep 2003 | Posts: 12,873 | Likes: 34
Geoffrey,
Thanks. I much more worry about people's not using a good backup strategy. A good router, strong passwords, using a domain when possible is a good step in the right direction for security. As EMRs become the gold standard, doctors are not only not going to be "gurus" in these areas, they are not going to be able to afford spending a lot on IT. People talk about what they know. And, some of us on here know security.
My domain is secure. But, at some point it is risk benefit. At some point, I can't worry about the super hacker. They, generally, are hacking into Sun Microsystems or the Pentagon. What if someone steals my records? What will I tell my patients? I will tell them that some hacker broke into a network that met the standard of care. I wouldn't lose any sleep over it. Again, the chance that someone can just walk in and grab the server is ten times higher than a hacker. Everyone should have a separate room that is locked. And, taking home a backup unencrypted on a thumb drive is 1,000 times more dangerous than a hacker. At least 1,000 times. How hard is that? You drop it. They pick it up. The databases all say AmazingCharts on them. They download AmazingCharts, and guess what?
So coming from someone who is obsessed with backups and security, I just can't worry about the super hackers, and I don't want to scare everyone out there about all the holes in their firewalls and Microsoft's latest security glitch. Use a good software firewall, a good antivirus program (they are all pretty good) and a Cisco firewall or the sonic version and then do some doctoring.
Bert Pediatrics Brewer, Maine
Member | Joined: May 2008 | Posts: 337
"IT security should be taught in medical school as far as I am concerned and basic competency assessed."
Geoffrey, I agree 100% with what Bert has written. In every profession there are some people who have knowledge/talents which exceed their primary field of knowledge. You are obviously one of those persons; however, to suggest that everyone else should be brought to that standard AND TESTED is not rational. Like you said, "You hire out what you don't know." I want my doctor to be a medical doctor, not a medical doctor and network/IT security guru. Data Doctors are not medical doctors, no matter what they say!!!
Last edited by gkfahnbulleh; 07/11/2008 2:32 PM.
"The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn." ~ Alvin Toffler
Member | Joined: Sep 2003 | Posts: 12,873 | Likes: 34
George, excellently put. But, Geoffrey, your points are WELL TAKEN and in a perfect world would be implemented. I am not trying to completely downplay your important sentiments. I think the best thing to say is: 1. There are many people on here willing to help those who want help with AC and paperless records and other medical topics in general. 2. For those who wish to improve their backup strategies, fortunately, there are many on here who have knowledge in that area AND are ready to help. 3. And, the same goes for security. I am always willing to help anyone, and from reading your posts and your passion for security and from knowing George, I know that the three of us and others would be willing to help anyone with these issues. Have a good weekend.
Bert Pediatrics Brewer, Maine
Member | Joined: Jun 2008 | Posts: 60
I offered a simple opinion about what I thought the answer to the question posed in the original posting should be. I would never expect every doctor to become an IT professional (I am not), but a basic understanding of concepts like password security, wireless/wired networks, client/server OS, and safe internet practices needs to be a part of the physician knowledge base. Just like basic business skills are necessary to run a practice, basic IT skills will be necessary in the future as our profession moves to a more EMR structure. And where I work in a large group practice I am able to defer the business aspects to others, but I still need to know the basics about accounts receivable, proper employee relations, OSHA, etc. That is what I meant to say. I hate the business aspects of medicine that detract me from the work of practicing medicine just as much as some hate the IT stuff. However, I still need to know it and deal with it. (I would point out that you would need far more business know-how than IT know-how.) Perhaps the comment I made about basic IT knowledge being assessed was a little too much. I have got to quit posting things when I am tired. There is certainly no end to the layers of security that a person can deploy. Everyone will have to make that judgement for themselves how many layers they need to have. For me those layers for wireless security are a domain set up with 802.1x auth. For others it will be different. I certainly will chime in on those topics that I think that I can help with.
Member | Joined: Sep 2003 | Posts: 12,873 | Likes: 34
I love IT stuff. Even better than medicine. 
Bert Pediatrics Brewer, Maine
Member | Joined: Feb 2006 | Posts: 1,674
And yet here are all of you guys (Vinny too, wherever he is hiding) on this side of the fence. At least the IT guys like George still get to charge and be paid whatever the market will bear... I think I hear ITT Tech calling, bye!
"Beware of the Medical Industrial Complex" "The Insurance Industry is a Legalized CARTEL"