Over the past two years, I have watched the 802.11(x) wireless protocol develop and mature. Currently I use an 802.11b wireless network in my office, which allows me adequate speed to access my EMR. Because of security concerns, I installed a SonicWALL SOHO TZW Internet Security Appliance: Secure Wireless, Firewall, VPN and did not use one of the consumer-level wireless routers such as a Linksys or Netgear. The result is that I use a wireless Virtual Private Network to maintain as high a level of security as possible. The difference in cost is quite significant: $1000+ for the SonicWALL vs. $199 for a consumer-level device.
I am concerned that physicians may be installing wireless access points in clinics that provide inadequate security. Even if WEP encryption is enabled on these access points, the security is not sufficient to guarantee protection of clinical data that may reside in that physician's office.
If using a wireless access point in a clinic, physicians should undertake a careful review process to ensure that sensitive data is protected.
Surely you have hit the nail on the head. Not only do I have to pay for the hardware, when and where do I find the time to understand all the nuances of wireless security? I maintain a LAN with wireless capability, digital camera, scanner, EMR faxing, secure firewalled internet and telnet access to our local hospital, PC Anywhere from home to office, VPN from home to hospital, and use a Palm. I manage this network with little professional help. How can I hope to practice medicine and maintain my network abilities without extra finances and help? I am after all a solo physician. I have had to learn all the ins and outs of RAID cards, external backup disks, and internet storage issues. Realistically, how many other MDs are going to take the time and effort to do all this?! Now if I have to investigate wireless security and pay big bucks for hardware, I think I may end up accepting more risk than is wise. Experimenting and learning on one's own is expensive and risky business for the MD venturing into EMRs.
Posted by: DSeguin | February 11, 2004 at 06:30 PM
I think that Dr. Seguin has brought up an extremely important issue. Currently, in order to become part of the digital world of healthcare, a physician (or an individual in that physician's office) has to be very tech savvy. There is no such thing as a 'turnkey' EMR based medical practice.
This means retooling for a completely different set of skills in order to support and maintain a network and even more importantly, understand just how the different components work with one another.
Home networking has become very simple. Fire up the computer, plug in the wireless access point and the system basically configures itself. This is in stark contrast to a medical practice, which has significant complexity and potentially many interfaces that need to be supported and maintained. This results in a situation where the physician needs to be a clinician and skilled in network management.
Posted by: Alan Brookstone | February 11, 2004 at 10:05 PM
I think my EMR provider is missing the boat on "Add On" software. I have laboured long and mightily to list the addresses and FAX numbers of the pharmacies that my patients employ, as well as the details of the hundreds of local medical consultants, physiotherapists, and imaging facilities. Then there is the issue of macros for WCB and antenatal forms. I pale to think of every new user of this EMR having to develop their own lists and macros, and in every city! While the EMR provider does not "provide", neither do they encourage subsidiaries to develop and distribute this vital data.
Another hidden cost is the high cost of staff turnover. I have trained and lost three very well paid staff members due to (their) personal illness, family problems, and transport issues. We are not talking McDonald's minimum wage, cloned staff here!
The movie title: "Eyes wide shut" might well apply to physicians who dare to venture into EMR.
We all have had vendors take our money, only to sell out, merge or fold. There are the hidden software costs (communication programs, query programs, drug interaction software) that creep into the equations. This is a quagmire indeed!
Posted by: DSeguin | February 19, 2004 at 08:23 PM
Wireless-G VPN Broadband Router
$299 Canadian and dropping fast.
Linksys: WRV54G - Wireless-G VPN Broadband Router
Can you give me 1 reason why this router is not as secure as your SonicWall router?
128-bit WEP encryption,
Supports the industrial-strength wireless security of 802.1x authentication and authorization.
Has a powerful SPI firewall to protect your PCs against intruders
It can be configured to filter internal users' access to the Internet, and has MAC or IP address filtering so you can specify exactly who has access to your network.
Configuration is a snap with the web browser-based configuration utility.
Posted by: Wireless MD | March 26, 2004 at 02:47 AM
Good comment. I am not promoting any particular solution over another; however, the main point that I wanted to clarify is that VPN technology is superior to standard 128-bit wireless encryption and this would be critical in a medical office.
It appears that every three months, there is a leap in features and products are continuously updated and improved.
With regard to the product that you have mentioned, my understanding is that the Linksys lacks support for integrated security features, such as Client/Server Antivirus, Gateway Email Scanning, and Content Filtering. I also believe that the Linksys does not support AES encryption for site-to-site or client VPN connections.
Whichever solution one chooses, it is best to seek professional guidance from a security expert to ensure that you have maximum security protection, particularly if using a wireless device.
Posted by: Alan Brookstone | March 26, 2004 at 12:40 PM
I sometimes wonder whether regular paper based offices go to the extreme lengths as described above to secure their paper files from unauthorized access. I am not saying we should neglect simple network security, but the more security we employ the more expensive this gets.
Posted by: Johan Blignaut | March 26, 2004 at 03:08 PM
Johan,
I entirely agree that excessive security is expensive and cumbersome. Certainly I feel the authorities are trying to cure all the ills of the old paper based system in one giant move and personally I think they may fail because they are trying to do too much. Unfortunately security in this world is not an option.
Posted by: David Woolliscroft | March 27, 2004 at 10:32 AM
There are three things that need to happen to be robbed. The thief has to have opportunity, value and escape. The Romanow (sp) report said security is really a non-issue. First, if you think it is hard for you, who are reasonably intelligent, to understand routers, WEP keys, IP addresses, MAC addresses etc., the person who wants to break in has to know all this PLUS, even with a "cheap" wireless router, how to break a WEP key (no small task). Next, value: to the point, what value is there in accessing your patient records - gossip? Maybe for a big insurance company to deny coverage, but no insurance company could risk getting caught. Which is the third point: every access leaves a trail, even with a "cheap" router. The biggest problem to security is not the computer or network but the person sitting behind the desk answering your phones.
Posted by: Michael Milne | April 10, 2004 at 03:11 PM
I also operate an inexpensive Linksys 54 MB/sec wireless router. Not only can it be encrypted with 128 bit WEP, the access can be restricted to the MAC addresses, unique to each machine in the office. Tell me why that is not enough security. Meanwhile, small surgical instruments and pocketable things like electronic thermometers continue to disappear from the office...
Posted by: Michael Rath, MD | April 20, 2004 at 09:41 AM
Hi Michael,
Good points. It sounds as if you have done as much as possible to protect your network. As mentioned in a previous comment on this topic, there has to be opportunity and value. What scares me a bit are the hackers who drive around with laptops and signal amplifiers searching for wireless networks and will hack in just for the nuisance factor.
Hacking technology seems to become more sophisticated and easier as time goes by. Just as one cannot have too much virus protection, I don't think you can have too much security. I always suggest checking with a security consultant to ensure there are not holes in the wireless network.
Posted by: Alan Brookstone | April 21, 2004 at 01:09 PM