itneedshelp asked:
Setting up a doctor's office

We're an IT firm setting up a new doctor's office. We've been lucky enough not to be asked to set up a doctor's office before. But as our office grows, so does our demand.

We have a doctor's office that we will be setting up from scratch. New equipment, new computers (75), new everything. With HIPAA in mind, what are the basic requirements and supplies needed to consider for any network (servers, switches, routing, SonicWalls, etc.)? Any suggestions or tips will be welcomed.
ASKER CERTIFIED SOLUTION
Ron Malmstead
A doctor's office network isn't anything super special in terms of hardware. You'll need the same basics that you'd have on any network: a firewall, switches, some servers, etc. The office may also require wireless access.

In a doctor's office, security is paramount. Everything needs to be access controlled, with some kind of auditing enabled to know who's accessing what, when. You'll need a robust backup system, which will also need to be access controlled. There may be requirements for encryption as well.

You'll also need to figure out what core software the office is running. For example, many medical offices run a UniVerse database on Linux or AIX. You need to be prepared to set up the servers with these databases and software, as well as configure the client devices for access (e.g. Hyperterm).

You'll also want to investigate the idea of using thin clients for access. This may be more cost-effective for the office, and would allow them to use devices like tablets and still access all their software. This is a common trend in the medical field today.

With things like HIPAA, I would strongly recommend not trying to figure it out on your own. The security and reporting setup necessary for HIPAA compliance is not trivial. There are companies out there that specialize in IT HIPAA compliance, and I would recommend retaining one of those companies to both educate you on exactly what is required, and to perform a check of the systems after you have it set up.
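As an added example (not code from any poster in this thread), here is how the "who's accessing what, when" auditing described above can be switched on and read back on a Windows file server holding patient records. The folder path `D:\PatientRecords` is an assumption; everything else uses the built-in `auditpol` tool, the NTFS SACL, and Security log event 4663. Run it from an elevated PowerShell session.

```powershell
# Added example: object-access auditing for a records share.
# $PhiFolder is an assumed path; adjust it for the site. Run elevated.

$PhiFolder  = 'D:\PatientRecords'   # assumed location of the scanned records
$AuditGroup = 'Everyone'            # audit every principal, not just one group

# 1. Enable the "File System" audit subcategory so that file access generates
#    event 4663 in the Security log (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Attach an audit rule (SACL entry) to the folder and everything below it,
#    covering reads, writes and deletes.
$acl  = Get-Acl -Path $PhiFolder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $AuditGroup,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $PhiFolder -AclObject $acl

# 3. Summarise who touched which file under the folder in the last N hours.
#    Event 4663 = "An attempt was made to access an object".
function Get-PhiAccessReport {
    param([string]$Path = $PhiFolder, [int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
                Access = $d['AccessMask']   # hex mask, e.g. 0x1 read, 0x2 write, 0x10000 delete
            }
        } |
        Where-Object { $_.Object -like "$Path*" }
}

Get-PhiAccessReport | Format-Table -AutoSize
```

The report only covers the local Security log; in a multi-server office you would forward these events to a central log collector so the audit trail survives if the file server itself is compromised or rebuilt, and so the "who, what, when" question can be answered from one place.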
Depending on the type of practice, the requirements are different.

Most offices require high bandwidth connectivity, 1/10 Gb core and 1 Gb CAT 6 on the LAN. I would choose a managed switch (PoE capable, as most offices would eventually want wireless access and PoE APs would be easier to deploy).

Archival storage is another area that is big in those offices as they scan documents continually. I would go with either a virtual solution with shared storage or a high-end server with plenty of capacity.

You can pick any firewall, but just ensure the throughput can handle the amount of traffic they could potentially have.
At the end of the day, I agree with nick2253 - get a compliance expert to review things with you AND the client. IT companies that implement and especially manage technologies at doctors' offices can be held in violation of HIPAA themselves and FINED HEAVILY if you fail to properly manage the network. Unfortunately, HIPAA is not a set of definitions you can follow - it's "guidelines" as to what is "reasonable". What's reasonable for a 2-person office is different from what's reasonable for a 50-person office, which is different from what's reasonable for a hospital... so what you do has to be reasonable in an effort to protect PHI, and reasonable is open to interpretation.

One thing that can be considered reasonable is encryption - with BitLocker and TPM chips in business-class systems, you should consider enabling BitLocker on the server and the workstations, ESPECIALLY any laptops, to be a requirement. It's a simple thing that can help protect in the event the hardware is stolen or someone breaks in at night. You would also likely have to enforce screen savers that lock the machine after a few minutes - otherwise, someone steps away for a few minutes and now someone else could have access to other people's records.
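As an added example (not code from any poster in this thread), the two controls in the post above, TPM-backed BitLocker and a screen saver that locks after a few minutes, can be checked and, for the OS drive, enforced with the built-in `BitLocker` and `TrustedPlatformModule` PowerShell modules. The 10-minute idle limit and the escrow share `\\FS01\BitLockerEscrow$` are assumptions; run it elevated on each server, workstation and laptop.

```powershell
# Added example: verify BitLocker+TPM and screen-lock settings; enable
# BitLocker on the OS drive if it is not yet protected. Run elevated.
# $MaxIdleSeconds and $RecoveryKeyShare are assumed site values.

$MaxIdleSeconds   = 600                       # assumed: lock after 10 minutes idle
$RecoveryKeyShare = '\\FS01\BitLockerEscrow$'  # assumed: admin-only share, never the drive being encrypted

function Get-DiskEncryptionStatus {
    # One row per volume: is it encrypted, is protection on, is a TPM protector present?
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive        = $_.MountPoint
            Type         = $_.VolumeType            # OperatingSystem / Data
            Protection   = $_.ProtectionStatus      # On / Off
            Encrypted    = $_.VolumeStatus          # FullyEncrypted, FullyDecrypted, ...
            TpmProtector = [bool]($_.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
            RecoveryKey  = [bool]($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            TpmReady     = if ($tpm) { $tpm.TpmReady } else { $false }
        }
    }
}

function Get-ScreenLockStatus {
    # A Group Policy setting lands under the Policies key and overrides the
    # per-user key, so read the policy key first when it exists.
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user   = 'HKCU:\Control Panel\Desktop'
    $src    = if (Test-Path $policy) { $policy } else { $user }
    $p      = Get-ItemProperty -Path $src -ErrorAction SilentlyContinue
    $timeout = [int]$p.ScreenSaveTimeOut
    [pscustomobject]@{
        Source         = $src
        ScreenSaverOn  = ($p.ScreenSaveActive -eq '1')
        LocksOnResume  = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutSeconds = $timeout
        Compliant      = ($p.ScreenSaveActive -eq '1') -and ($p.ScreenSaverIsSecure -eq '1') -and
                         ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)
    }
}

function Enable-OsDriveBitLocker {
    # Adds a recovery password, escrows it to the share, then turns on
    # TPM-protected BitLocker for the OS volume. Refuses to run without a
    # ready TPM so the machine does not end up prompting for a key at boot.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os.ProtectionStatus -eq 'On') { return "BitLocker already on for $($os.MountPoint)" }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; initialise it before enabling BitLocker' }

    Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os.MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $rp.RecoveryPassword | Set-Content -Path (Join-Path $RecoveryKeyShare "$env:COMPUTERNAME.txt")

    Enable-BitLocker -MountPoint $os.MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
                     -UsedSpaceOnly -SkipHardwareTest | Out-Null
    return "BitLocker enabled on $($os.MountPoint); recovery password escrowed for $env:COMPUTERNAME"
}

Get-DiskEncryptionStatus | Format-Table -AutoSize
Get-ScreenLockStatus     | Format-List
# Enable-OsDriveBitLocker   # uncomment once the escrow share is in place
```

If the office runs Active Directory, escrowing with `Backup-BitLockerKeyProtector` to AD DS (with the matching BitLocker Group Policy enabled) is preferable to the file share used here, and the screen saver values should be pushed by Group Policy rather than set per user so a staff member cannot turn them off. The `Compliant` field is what you would collect from every machine for the compliance reviewer mentioned above.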