Internet.com ISP-Planet

 



Be HIPAA than the Competition

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has a reputation for imposing very strict security regulations on the network transmission of medical data. So how's a WISP to play in the healthcare market?


[February 22, 2005]

In the summer of 2004, MS posed this question to the members of ISP-Wireless:

Anyone having success in dealing with the medical industry? Seems that HIPAA has most doctors and clinics running scared when it comes to wireless. We have a client who would like to connect multiple locations together and their initial solution is to use point-to-point T-1s because they are fearful of security holes on a wireless network.

What have you all found to be a successful way to communicate to the medical community that wireless can be a viable means of transport? Any thoughts?

[AC responded tersely] "We do VPNs over wireless for medical folks."

[JB 'nodded' in agreement] "We have a number of customers using VPN or encrypted tunnels in this sort of application."

[TI piped up] "We do a hospital and a number of clinics. We are running WEP on the hospital feed and they run WEP plus VPNs to the clinics. Once we had the hospital on board, the clinics, insurance providers, and medical collections places were easy to convince."

[PD offered a contrasting opinion . . . and solution] "We are offering wireless service to several pharmacies, doctors' offices, a hospital, and a medical billing company. All of them have similar HIPAA requirements. Putting them behind a consumer-grade firewall (TrendNet, LinkSys, etc.) is, in my mind, offering a reasonable level of security, and is an acceptable security measure."

[He went on to point out] "To hack/listen in on a wireless PPPoE link it would require as much effort as to hack a DSL, cable-modem, T-1, etc. link. To communicate over the Internet is as secure as using the U.S. Mail. I could, if I wanted to break the law, steal your mail and find out what prescriptions you are on, which is a violation of HIPAA rules. Insurance companies send that info via U.S. Mail daily."

[FK focused on the encryption piece] "We work with both medical billing and hospitals. Anything on the Internet or wireless uses 3DES or AES encryption. Nothing less. Right now we're working with some APs that have AES built into them. Works nice."

[MC endorsed this view] "If you dig into the HIPAA docs, straight T-1s are possibly not good enough by themselves. Just like most wireless is not good enough by itself either. Newer wireless products have AES encryption, which is compliant. With T-1 or wireless, if they want to cover their backside they need site-to-site VPN. 128-bit 3DES, although not required, has become the accepted standard. Once the data is encrypted who cares what transport is used!

"BTW, we have one of the largest practices in the U.S. across wireless and their security audit was flawless."

MS expressed appreciation and turned the discussion in a new direction:

Thanks for everyone's input—and keep it coming if anyone else wants to chime in. This confirms what we were thinking.

Bottom line is that we need to educate the customer.

[A different MC chimed in with a wry comment] "Ah yes, but when is that not the case?"

[DR amplified] "Explain to them that the issue is not the medium used to transport the traffic, but the fact that the data is encrypted before it leaves their office."

[TD wrapped up the discussion with some sage marketing/client-management advice] "Don't use the term 'wireless.' Use 'Fixed Wireless Broadband' or 'Secure Wireless Broadband.'

The medical, government, and insurance industries have regulations to meet regarding security. The fact is, many wireless networks are more secure in many cases [than wired LANs]. Security is an easy one to beat. The barrier is getting the meeting to fight the debate of wireless security.

If you are doing Wi-Fi, of course they would be worried about security. But use a radio like Trango that has another hardware layer of security built in. Boast your security protocol support, such as 'HIPAA compliant,' or 'AES support,' or '168-bit encryption.'

Change your angle. Go in selling them a value-added, high-bandwidth security solution. 'Replace your T-1 with secure, high-speed broadband!' Then throw in wireless in the meeting, as an irrelevant transport mechanism. You are selling security, not wireless. Once you have sold security, and they understand security, they will be comfortable using wireless, because they will understand that the transport is irrelevant, as an underlying transport to the secure solution that runs on top of it."

—End

Related articles:
  [Sept. 14, 2004] Leave Healthcare Wi-Fi to the Experts
  [Nov. 6, 2002] FASTNET Gets Hip to HIPAA
  [Aug. 28, 2002] Norlight: A Small Counterpunch

 

 
