Question: Setting up secure vs non-secure connection in a small clinic

Status: Not open for further replies.
Feb 23, 2022
I am in a small clinic and we have hired a terrible IT professional who has been just on a rollercoaster on reliability and consistency and they have me fooled, or so I think.

Clinic:
We are a small clinic where we have about 2 Providers, 5 nurses, 2 lab techs, and 1 practice manager. Here is the breakdown of connections that are involved in our clinic.
I am going to divide this in three categories.
Category A: Connections that can be used by Staff - be it PC, Tablet, Phones, or Laptops.
Category B: Non-HIPAA Compliant devices such as ROKU.
Category C: Internal surveillance cameras that do not violate HIPAA law and are placed in locations where PHI (Protected Health Information) does not apply, such as the lobby, kitchen, supply closet, medication closet, etc.
Category D: Guest connections.

We have been storing everything on a physical server/database and this is causing tons of issues with our IT personnel, who keeps giving us excuses. We are planning to switch to a proper IT company that has experience in setting up networking in healthcare and become cloud-based. Now I know that the ISP gives us one connection to the modem, which spits out one external IP address that is relayed to the router...or so I think.

What we want to do is create a system where Category A is ALWAYS on a secure line whenever connected and they are able to connect to the cloud server/storage (we are still exploring the cloud products and I am still having a hard time understanding the difference between a cloud server and cloud storage) and have Category B, C, D all on another line that is not secured. Both of these lines go into the modem, to the ISP, and to the Internet: for Category A, towards both WWW and the cloud, and for Category B only towards WWW. Is this possible? If so, could you explain to me in brief how this would occur, so I don't look like a dumbass and get fed stupid information by whoever the next IT professional we hire is, on the assumption that I will not know the difference?
 

USAFRet (Titan, Moderator):
I am in a small clinic and we have hired a terrible IT professional who has been just on a rollercoaster on reliability and consistency and they have me fooled, or so I think.
Get a new IT guy.

In the medical world, this is NOT where you want to get it wrong, or try to wing it yourself.

You may be the best medico on the planet.
But you're not an IT guy.

Similarly, if you have a plumbing issue, or HVAC....you hire a competent expert.
Your network infrastructure is no different.
 
Get a new IT guy.

In the medical world, this is NOT where you want to get it wrong, or try to wing it yourself.

You may be the best medico on the planet.
But you're not an IT guy.

Similarly, if you have a plumbing issue, or HVAC....you hire a competent expert.
Your network infrastructure is no different.
100%. And that's why we took a hard stop to this IT company and decided we are going to spend a little bit more but for less stress, better reliability, and no violations of Laws.
To make sure the next guy tells me correctly and I am not blindly following, is the infrastructure we want to create possible?
 

USAFRet (Titan, Moderator):
100%. And that's why we took a hard stop to this IT company and decided we are going to spend a little bit more but for less stress, better reliability, and no violations of Laws.
To make sure the next guy tells me correctly and I am not blindly following, is the infrastructure we want to create possible?
Sure, all that is very possible, even desirable.

Your task is to tell him at the 50,000 foot view. This location needs X, that user needs Y.
The IT company's task is to get into the weeds of exactly 'how'.
 
You likely need to find a company that specializes in HIPAA and cloud storage. I am not sure if there is any form of certification that companies that do HIPAA work might have. I know an IT business a friend of mine had: if he saw HIPAA requirements he immediately went the other way because of the legal mess you can get into.

So I will just assume that the cloud storage companies have a way to guarantee that data stored will meet the requirements for security in HIPAA. Some general comments on design. When you run cloud based stuff, if your internet goes down your business stops. You generally need to find some method of having a backup internet connection, likely something like a cell provided service even if it is expensive. Someone could dig up a fiber and it could take many days for them to fix it.

You could also consider a local server that you replicate to the cloud for backup.

The separation of data internal to the office is actually the easy part. If you are paranoid you use separate physical equipment. This is how a lot of government restricted stuff is done. The more common way is to use simple VLANs. Correctly configured they tend to be very secure. They in effect give you virtual separate networks.
You would then use some form of firewall to allow any communication, if any, between these different networks.

You do not need different internet connections. I would assume that the secure network would use some form of VPN or other encrypted connection to talk to the cloud storage. The other traffic would be controlled by firewall rules so you could limit internet access.

These are very general design concepts. Any reputable IT company will likely propose something similar. The part I don't know, since I also always avoided HIPAA stuff, is what restrictions cloud based functionality puts on things. It is bad enough trying to prevent and track someone who has allowed access from looking at stuff they are not supposed to.
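The VLAN-plus-firewall design described in this reply, written out as an added illustration that is not from the thread or from any poster: an nftables policy on a Linux router that holds the four clinic categories as VLANs, lets only the staff VLAN reach the encrypted tunnel to the cloud, and blocks all VLAN-to-VLAN traffic. Interface names, VLAN IDs, subnets and the WireGuard interface are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration (not from the thread). Assumed layout:
#   vlan10  Category A  staff PCs/tablets/phones   192.168.10.0/24
#   vlan20  Category B  Roku and similar devices   192.168.20.0/24
#   vlan30  Category C  lobby/closet cameras       192.168.30.0/24
#   vlan40  Category D  guest Wi-Fi                192.168.40.0/24
#   wan0    the single ISP uplink (one public IP)
#   wg0     encrypted tunnel (e.g. WireGuard) to the cloud provider
flush ruleset

table inet clinic {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # only staff devices may talk to the firewall itself (admin UI, SSH)
        iifname "vlan10" accept
        # the other categories get DHCP and DNS from the firewall, nothing more
        iifname { "vlan20", "vlan30", "vlan40" } udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Category A: plain internet AND the encrypted path to the cloud
        iifname "vlan10" oifname { "wan0", "wg0" } accept
        # Categories B, C, D: plain internet only; never the tunnel and
        # never another VLAN (no matching rule means the default drop applies)
        iifname { "vlan20", "vlan30", "vlan40" } oifname "wan0" accept
        # record what the policy drops, e.g. a Roku or camera probing the
        # staff VLAN, so the next IT provider can review it
        counter log prefix "clinic-drop "
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # all four VLANs share the one public address the ISP hands out
        oifname "wan0" masquerade
    }
}
```

The switch ports and wireless SSIDs must be tagged with the same VLAN IDs, otherwise a device can simply plug into the wrong network; the cloud side should likewise accept connections only from the tunnel endpoint rather than from the clinic's public IP at large.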
 
Those 5 little letters........ "HIPAA"

You absolutely do not want to touch anything related to patient information unless you can recite the HIPAA rules forward and backward, and even then a single slip up can cost you millions in fines. If you are the last one to touch that network, and a violation occurs, you will be the one held responsible. Now as for the cloud: unless your cloud storage is in house and certified HIPAA compliant you are inviting violations. You need to hire a HIPAA certified consultant for this.
 
Sure, all that is very possible, even desirable.

Your task is to tell him at the 50,000 foot view. This location needs X, that user needs Y.
The IT company's task is to get into the weeds of exactly 'how'.
Thank you. I did a bit of Google searching and created a drawing of how I want connections in our clinic. I am going to present this to our next IT professional.
 
You likely need to find a company that specializes in HIPAA and cloud storage. I am not sure if there is any form of certification that companies that do HIPAA work might have. I know an IT business a friend of mine had: if he saw HIPAA requirements he immediately went the other way because of the legal mess you can get into.

So I will just assume that the cloud storage companies have a way to guarantee that data stored will meet the requirements for security in HIPAA. Some general comments on design. When you run cloud based stuff, if your internet goes down your business stops. You generally need to find some method of having a backup internet connection, likely something like a cell provided service even if it is expensive. Someone could dig up a fiber and it could take many days for them to fix it.

You could also consider a local server that you replicate to the cloud for backup.

The separation of data internal to the office is actually the easy part. If you are paranoid you use separate physical equipment. This is how a lot of government restricted stuff is done. The more common way is to use simple VLANs. Correctly configured they tend to be very secure. They in effect give you virtual separate networks.
You would then use some form of firewall to allow any communication, if any, between these different networks.

You do not need different internet connections. I would assume that the secure network would use some form of VPN or other encrypted connection to talk to the cloud storage. The other traffic would be controlled by firewall rules so you could limit internet access.

These are very general design concepts. Any reputable IT company will likely propose something similar. The part I don't know, since I also always avoided HIPAA stuff, is what restrictions cloud based functionality puts on things. It is bad enough trying to prevent and track someone who has allowed access from looking at stuff they are not supposed to.

Yup, I have searched cloud and have come across Atlantic.net and Box as good companies. Going to consult our next IT professional who is trained in handling HIPAA regulations. Luckily, our previous IT professional was smart enough to keep connections separate and there have not been issues regarding HIPAA violations. It was mainly us trying to access files backed up on our physical server, leading to lockouts, downtime, internet stopping working despite the ISP not reporting outages, etc etc. So we are safe and that was our biggest relief.
 
Those 5 little letters........ "HIPAA"

You absolutely do not want to touch anything related to patient information unless you can recite the HIPAA rules forward and backward, and even then a single slip up can cost you millions in fines. If you are the last one to touch that network, and a violation occurs, you will be the one held responsible. Now as for the cloud: unless your cloud storage is in house and certified HIPAA compliant you are inviting violations. You need to hire a HIPAA certified consultant for this.
Thank you. I am going to do that and I have already found some qualified companies that primarily specialize in HIPAA compliance in IT. Luckily there are cloud-based servers but I am going to let our next professional do all the heavy lifting.

Thank you all for this. Seriously!
 