Help in setting up Public WiFi in Medical Office Waiting room.

Discussion in 'Wireless Networking' started by PC_Admin, May 27, 2009.

  1. PC_Admin

    PC_Admin Guest

    I'm the Network Admin for a medium sized practice.
    Our Management wants me to configure a way to allow patients internet
    access on their personal laptops while in our waiting rooms in each
    office. We presently have WiFi in our office but, it is secured and we
    use Static IP's for every workstation, Laptop or other device.

    I have two concerns in adding public WiFi access:

    1. Security of our own corporate servers and sensitive patient medical
    data on any workstations.
    2. The legal aspects (If any) allowing patients to freely surf the internet.

    Technical Questions:

    Is it possible to split our network in to two pipes for security reasons?


    Pipe one: Corporate Use (Secured with Static IP's).
    Pipe Two: Public WiFi access (Unsecured).

    Again my biggest concern is to isolate any public use from our medical data.

    Any suggestions much appreciated.

    Thanks, Phil
    PC_Admin, May 27, 2009
    #1

  2. PC_Admin

    PC_Admin Guest

    PC_Admin wrote:
    > I'm the Network Admin for a medium sized practice.
    > Our Management wants me to configure a way to allow patients internet
    > access on their personal laptops while in our waiting rooms in each
    > office. We presently have WiFi in our office but, it is secured and we
    > use Static IP's for every workstation, Laptop or other device.
    >
    > I have two concerns in adding public WiFi access:
    >
    > 1. Security of our own corporate servers and sensitive patient medical
    > data on any workstations.
    > 2. The legal aspects (If any) allowing patients to freely surf the
    > internet.
    >
    > Technical Questions:
    >
    > Is it possible to split our network in to two pipes for security reasons?
    >
    >
    > Pipe one: Corporate Use (Secured with Static IP's).
    > Pipe Two: Public WiFi access (Unsecured).
    >
    > Again my biggest concern is to isolate any public use from our medical
    > data.
    >
    > Any suggestions much appreciated.
    >
    > Thanks, Phil


    Just thinking, but I wonder if it would just be easier to order another
    DSL account and dedicate another Wireless router to public WiFi access
    only. This saves the hassle of worrying about security for our existing
    corporate system.

    Ideas? Suggestions ?
    PC_Admin, May 27, 2009
    #2

  3. "PC_Admin" <> wrote in message
    news:...

    > 1. Security of our own corporate servers and sensitive patient medical
    > data on any workstations.
    > 2. The legal aspects (If any) allowing patients to freely surf the
    > internet.


    If it is not illegal,...it OUGHT to be.

    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Phillip Windell, May 27, 2009
    #3
  4. "PC_Admin" <> wrote in message
    news:...
    > Just thinking, but I wonder if it would just be easier to order another
    > DSL account and dedicate another Wireless router to public WiFi access
    > only. This saves the hassle of worrying about security for our existing
    > corporate system.


    That is just what I was going to suggest.
    As far as I am concerned that is the only acceptable way,...particularly if
    I was a patient of that doctor.

    You know,..if the doctors would actually keep the appointment times that they
    tell the patient to be there they would never be waiting there long enough
    to start up a laptop in the first place.

    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Phillip Windell, May 27, 2009
    #4
  5. PC_Admin

    PC_Admin Guest

    Phillip Windell wrote:
    > "PC_Admin" <> wrote in message
    > news:...
    >> Just thinking, but I wonder if it would just be easier to order another
    >> DSL account and dedicate another Wireless router to public WiFi access
    >> only. This saves the hassle of worrying about security for our existing
    >> corporate system.

    >
    > That is just what I was going to suggest.
    > As far as I am concerned that is the only acceptable way,...particularly if
    > I was a patient of that doctor.
    >
    > You know,..if the doctors would actually keep the appointment times that they
    > tell the patient to be there they would never be waiting there long enough
    > to start up a laptop in the first place.
    >

    Thanks I agree on the second DSL. A quick and easy fix for the problem.

    This is a waiting room for Laser Vision, Eye Surgery or even Cosmetic
    Surgery, so it's not uncommon for relatives or friends of the patient to
    be waiting an hour or even more. Most patients getting Cataract Surgery
    are in their 60's and most would not even use a WiFi device, but many
    of our younger patients in for Laser Vision correction, or Facial
    cosmetic surgery have iPods, netbooks, and various other communication
    devices, so management feels this may be of service to those long wait
    times. We also offer fresh baked cookies, Large Screen Television, free
    assorted snacks, and cold beverages.. Now we will add free WiFi access
    (Grin)..

    Thanks again for your thoughts on the WiFi.. Phil
    PC_Admin, May 27, 2009
    #5
  6. Beoweolf

    Beoweolf Guest

    Look into NAP. Since your network is secured based on static IP address, the
    non-compliant computers/laptop could allow access to internet only.

    Exactly how you would set this up is up to you, but it is possible. You do
    not have to use SCCM to garner the benefits. As mentioned by most of the
    other posters. The issue of can it be done might be less important than
    "should" it be done - especially as an adjunct to a supposedly secure
    (HIPAA/SOX) compliant network. The optimum configuration would be to create
    a separate domain, with firewall, edge with the only possibility of
    interface connection thru management interface.

    Your security must be top line, as cheap as most Medical professionals are,
    I'd have to wonder if this "wish list" is serious or more window dressing?
    In the end, the results will reflect on you - as the administrator - rather
    than management. Sometimes it's better to CYA upfront than to acquiesce to
    every hare-brained request sent your way. Write up the proposal, present it
    to your Dr. and let him decide how far he wants to go with it. The std. for
    proposals is to give 3 options. Good, better - high dollar (best?)...

    http://blogs.technet.com/nap/archiv...ation-manager-nap-remediation-sccm-nap-2.aspx

    "PC_Admin" <> wrote in message
    news:...
    > I'm the Network Admin for a medium sized practice.
    > Our Management wants me to configure a way to allow patients internet
    > access on their personal laptops while in our waiting rooms in each
    > office. We presently have WiFi in our office but, it is secured and we use
    > Static IP's for every workstation, Laptop or other device.
    >
    > I have two concerns in adding public WiFi access:
    >
    > 1. Security of our own corporate servers and sensitive patient medical
    > data on any workstations.
    > 2. The legal aspects (If any) allowing patients to freely surf the
    > internet.
    >
    > Technical Questions:
    >
    > Is it possible to split our network in to two pipes for security reasons?
    >
    >
    > Pipe one: Corporate Use (Secured with Static IP's).
    > Pipe Two: Public WiFi access (Unsecured).
    >
    > Again my biggest concern is to isolate any public use from our medical
    > data.
    >
    > Any suggestions much appreciated.
    >
    > Thanks, Phil
    Beoweolf, May 27, 2009
    #6
  7. "PC_Admin" <> wrote in message
    news:...
    > This is a waiting room for Laser Vision, Eye Surgery or even Cosmetic
    > Surgery, so it's not uncommon for relatives or friends of the patient to
    > be waiting an hour or even more. Most patients getting Cataract Surgery
    > are in their 60's and most would not even use a WiFi device, but many of
    > our younger patients in for Laser Vision correction, or Facial cosmetic
    > surgery have iPods, netbooks, and various other communication devices, so
    > management feels this may be of service to those long wait times. We also
    > offer fresh baked cookies, Large Screen Television, free assorted snacks,
    > and cold beverages.. Now we will add free WiFi access (Grin)..


    That's fine. I just couldn't resist taking a little jab at them for the
    times I've had to sit around and wait for them :)


    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Phillip Windell, May 27, 2009
    #7
  8. "Beoweolf" <> wrote in message
    news:yKfTl.11321$...

    > than management. Sometimes it's better to CYA upfront than to acquiesce to
    > every hare-brained request sent your way. Write up the proposal, present
    > it to your Dr. and let him decide how far he wants to go with it. The std.
    > for proposals is to give 3 options. Good, better - high dollar (best?)...


    Agreed. I have gotten myself in to a bit of trouble at times because I am not
    afraid to tell the people I work for that something is a "bad idea" if it is
    a bad idea. After all, if something goes wrong and it doesn't work right
    afterwards, I get the blame,..not the one who thought up the idea.

    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Phillip Windell, May 27, 2009
    #8
  9. PC_Admin

    PC_Admin Guest

    Phillip Windell wrote:
    > "Beoweolf" <> wrote in message
    > news:yKfTl.11321$...
    >
    >> than management. Sometimes it's better to CYA upfront than to acquiesce to
    >> every hare-brained request sent your way. Write up the proposal, present
    >> it to your Dr. and let him decide how far he wants to go with it. The std.
    >> for proposals is to give 3 options. Good, better - high dollar (best?)...

    >
    > Agreed. I have gotten myself in to a bit of trouble at times because I am not
    > afraid to tell the people I work for that something is a "bad idea" if it is
    > a bad idea. After all, if something goes wrong and it doesn't work right
    > afterwards, I get the blame,..not the one who thought up the idea.
    >

    Yes I agree this Waiting Room WiFi idea is questionable if it will ever
    be fully appreciated by our patients, but if it goes wrong and our main
    system was somehow compromised, I would be the one taking the heat for
    it. So the CYA rule is important to me.

    Adding a second DSL line completely isolated from our corporate network
    is quick and easy to implement. And at only $35 a month for a slow 1.5MB
    connection it's affordable even if only 1 or 2 people a week even use it.

    Heck we spend 10 times that a month in free fresh baked cookies, soda's
    and candy for our patients :)
    Marketing will likely advertise "Free Internet Access while you wait to
    get your laser vision treatment" Nowadays people want to be connected
    so it may just be a plus.. If it works and people use it, I'll be
    installing it in 5 more offices, if not no big loss..
    PC_Admin, May 27, 2009
    #9
  10. PC_Admin

    PC_Admin Guest

    Phillip Windell wrote:
    > "PC_Admin" <> wrote in message
    > news:...
    >> This is a waiting room for Laser Vision, Eye Surgery or even Cosmetic
    >> Surgery, so it's not uncommon for relatives or friends of the patient to
    >> be waiting an hour or even more. Most patients getting Cataract Surgery
    >> are in their 60's and most would not even use a WiFi device, but many of
    >> our younger patients in for Laser Vision correction, or Facial cosmetic
    >> surgery have iPods, netbooks, and various other communication devices, so
    >> management feels this may be of service to those long wait times. We also
    >> offer fresh baked cookies, Large Screen Television, free assorted snacks,
    >> and cold beverages.. Now we will add free WiFi access (Grin)..

    >
    > That's fine. I just couldn't resist taking a little jab at them for the
    > times I've had to sit around and wait for them :)
    >
    >

    Ha Ha !! No offense taken.. I totally agree, been there myself :)

    I do remember a while back waiting for my Wife having a minor procedure
    in the hospital and while I waited in the waiting room I was able to use
    their free internet access, very cool !
    PC_Admin, May 27, 2009
    #10
  11. Jack-MVP

    Jack-MVP Guest

    Hi
    This is one way to do so.
    Public Wireless behind the first Main Router.
    Private Wire and wireless behind the second Router.
    Network Segregation - http://www.ezlan.net/shield.html
    Make sure that the second Wireless Router can be secured at a WPA2 level in
    case you use Wireless on the Private Wireless.
    Jack (MS, MVP-Networking).

    "PC_Admin" <> wrote in message
    news:...
    > I'm the Network Admin for a medium sized practice.
    > Our Management wants me to configure a way to allow patients internet
    > access on their personal laptops while in our waiting rooms in each
    > office. We presently have WiFi in our office but, it is secured and we use
    > Static IP's for every workstation, Laptop or other device.
    >
    > I have two concerns in adding public WiFi access:
    >
    > 1. Security of our own corporate servers and sensitive patient medical
    > data on any workstations.
    > 2. The legal aspects (If any) allowing patients to freely surf the
    > internet.
    >
    > Technical Questions:
    >
    > Is it possible to split our network in to two pipes for security reasons?
    >
    >
    > Pipe one: Corporate Use (Secured with Static IP's).
    > Pipe Two: Public WiFi access (Unsecured).
    >
    > Again my biggest concern is to isolate any public use from our medical
    > data.
    >
    > Any suggestions much appreciated.
    >
    > Thanks, Phil
    Jack-MVP, May 28, 2009
    #11
  12. PC_Admin

    PC_Admin Guest

    HI Jack,
    Thanks for the information. Actually I am curious about this approach
    for other possible projects in the future.
    This is not the first time someone has approached me about allowing
    public internet access on their secured private network.

    I have never considered a router in front of another router.

    Is there a website you can recommend that gives some more information on
    this approach.

    Thanks, Phil

    Jack-MVP wrote:
    > Hi
    > This is one way to do so.
    > Public Wireless behind the first Main Router.
    > Private Wire and wireless behind the second Router.
    > Network Segregation - http://www.ezlan.net/shield.html
    > Make sure that the second Wireless Router can be secured at a WPA2 level
    > in case you use Wireless on the Private Wireless.
    > Jack (MS, MVP-Networking).
    >
    > "PC_Admin" <> wrote in message
    > news:...
    >> I'm the Network Admin for a medium sized practice.
    >> Our Management wants me to configure a way to allow patients internet
    >> access on their personal laptops while in our waiting rooms in each
    >> office. We presently have WiFi in our office but, it is secured and we
    >> use Static IP's for every workstation, Laptop or other device.
    >>
    >> I have two concerns in adding public WiFi access:
    >>
    >> 1. Security of our own corporate servers and sensitive patient medical
    >> data on any workstations.
    >> 2. The legal aspects (If any) allowing patients to freely surf the
    >> internet.
    >>
    >> Technical Questions:
    >>
    >> Is it possible to split our network in to two pipes for security reasons?
    >>
    >>
    >> Pipe one: Corporate Use (Secured with Static IP's).
    >> Pipe Two: Public WiFi access (Unsecured).
    >>
    >> Again my biggest concern is to isolate any public use from our medical
    >> data.
    >>
    >> Any suggestions much appreciated.
    >>
    >> Thanks, Phil

    >
    PC_Admin, May 28, 2009
    #12
  13. Hi
    There is no more to it than what is on the page that I linked above.
    It is quite simple and based on the NAT Firewall of the Routers.
    It makes the first (public) network as the Internet for the second Private
    Network.
    One of the advantages of modern life is that the saying "You get what you
    pay for" is not really valid any more. In many situations simple elegant
    solutions are just as good as the costly ones. :D
    Jack (MS, MVP-Networking)

    "PC_Admin" <> wrote in message
    news:...
    > HI Jack,
    > Thanks for the information. Actually I am curious about this approach for
    > other possible projects in the future.
    > This is not the first time someone has approached me about allowing public
    > internet access on their secured private network.
    >
    > I have never considered a router in front of another router.
    >
    > Is there a website you can recommend that gives some more information on
    > this approach.
    >
    > Thanks, Phil
    >
    > Jack-MVP wrote:
    >> Hi
    >> This is one way to do so.
    >> Public Wireless behind the first Main Router.
    >> Private Wire and wireless behind the second Router.
    >> Network Segregation - http://www.ezlan.net/shield.html
    >> Make sure that the second Wireless Router can be secured at a WPA2 level
    >> in case you use Wireless on the Private Wireless.
    >> Jack (MS, MVP-Networking).
    >>
    >> "PC_Admin" <> wrote in message
    >> news:...
    >>> I'm the Network Admin for a medium sized practice.
    >>> Our Management wants me to configure a way to allow patients internet
    >>> access on their personal laptops while in our waiting rooms in each
    >>> office. We presently have WiFi in our office but, it is secured and we
    >>> use Static IP's for every workstation, Laptop or other device.
    >>>
    >>> I have two concerns in adding public WiFi access:
    >>>
    >>> 1. Security of our own corporate servers and sensitive patient medical
    >>> data on any workstations.
    >>> 2. The legal aspects (If any) allowing patients to freely surf the
    >>> internet.
    >>>
    >>> Technical Questions:
    >>>
    >>> Is it possible to split our network in to two pipes for security
    >>> reasons?
    >>>
    >>>
    >>> Pipe one: Corporate Use (Secured with Static IP's).
    >>> Pipe Two: Public WiFi access (Unsecured).
    >>>
    >>> Again my biggest concern is to isolate any public use from our medical
    >>> data.
    >>>
    >>> Any suggestions much appreciated.
    >>>
    >>> Thanks, Phil

    >>
    Jack [MVP-Networking], May 29, 2009
    #13
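
The two-router layout discussed above (public wireless behind the first router, private network behind the second), as an added example that is not part of the original thread: a small model that audits an addressing plan and shows which side can open connections to which. The `Router` class, both function names and every address are hypothetical, constructed values, and the model assumes the inner router drops unsolicited WAN-side traffic, which is the NAT firewall behaviour the thread relies on.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    lan: str                     # subnet served on the LAN side
    wan_ip: str                  # address on the upstream side
    wifi_security: str = "none"  # "none", "wpa" or "wpa2"
    port_forwards: dict = field(default_factory=dict)  # WAN port -> "lan_ip:port"

# Constructed sample plan (documentation and private ranges only).
OUTER = Router(lan="192.168.1.0/24", wan_ip="203.0.113.10")  # public WiFi side
INNER = Router(lan="10.10.0.0/24", wan_ip="192.168.1.2", wifi_security="wpa2")

def audit(outer, inner):
    """Return a list of findings for an outer(public)/inner(private) plan."""
    guest = ipaddress.ip_network(outer.lan)
    private = ipaddress.ip_network(inner.lan)
    findings = []
    if guest.overlaps(private):
        # Static private addressing that cannot change means the guest
        # subnet is the one that has to move.
        findings.append(f"overlap: guest {guest} and private {private} collide")
    if ipaddress.ip_address(inner.wan_ip) not in guest:
        findings.append(f"inner-wan: {inner.wan_ip} is not on guest LAN {guest}")
    for port, target in sorted(inner.port_forwards.items()):
        # Every forward on the inner router exposes a private host to guests.
        findings.append(f"forward: guests reach {target} via {inner.wan_ip}:{port}")
    if inner.wifi_security != "wpa2":
        findings.append("wifi: private wireless is not secured with WPA2")
    return findings

def can_initiate(outer, inner, src, dst, dport):
    """True if src can open a NEW connection to dst:dport in this layout."""
    guest = ipaddress.ip_network(outer.lan)
    private = ipaddress.ip_network(inner.lan)
    if guest.overlaps(private):
        raise ValueError("subnets overlap; reachability is undefined")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in private:
        # Isolation is one-way: the inner NAT lets private hosts out to the
        # guest LAN and the Internet.
        return True
    if s in guest:
        if d in private:
            return False  # no route from the guest LAN, and inner NAT drops it
        if d == ipaddress.ip_address(inner.wan_ip):
            return dport in inner.port_forwards
        return True       # other guests and the Internet
    # Source is on the Internet: only forwards on the outer router are reachable.
    return d == ipaddress.ip_address(outer.wan_ip) and dport in outer.port_forwards

if __name__ == "__main__":
    print(audit(OUTER, INNER))
    print(can_initiate(OUTER, INNER, "192.168.1.50", "10.10.0.5", 445))
    print(can_initiate(OUTER, INNER, "10.10.0.5", "192.168.1.50", 80))
```

The last call returns `True`: private hosts can still reach devices on the public segment, so the layout protects the private side from guests but not the reverse.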
  14. PC_Admin

    PC_Admin Guest

    I'll have to play with this a little at home and get an idea how well it
    would work.
    I have many things that enter in to the mix to complicate this option.
    We use VPN to connect our remote offices to our servers here, and
    several other hardware devices that are interconnected to consider in
    the mix. Also our existing internal static IPs can not be changed.
    I'll need to do some more research on the internet before I consider
    trying this.
    For now a second DSL account wins for simplicity and security. :)
    Phil

    Jack [MVP-Networking] wrote:
    > Hi
    > There is no more to it than what is on the page that I linked above.
    > It is quite simple and based on the NAT Firewall of the Routers.
    > It makes the first (public) network as the Internet for the second
    > Private Network.
    > One of the advantages of modern life is that the saying "You get what
    > you pay for" is not really valid any more. In many situations simple
    > elegant solutions are just as good as the costly ones. :D
    > Jack (MS, MVP-Networking)
    >
    > "PC_Admin" <> wrote in message
    > news:...
    >> HI Jack,
    >> Thanks for the information. Actually I am curious about this approach
    >> for other possible projects in the future.
    >> This is not the first time someone has approached me about allowing
    >> public internet access on their secured private network.
    >>
    >> I have never considered a router in front of another router.
    >>
    >> Is there a website you can recommend that gives some more information
    >> on this approach.
    >>
    >> Thanks, Phil
    >>
    >> Jack-MVP wrote:
    >>> Hi
    >>> This is one way to do so.
    >>> Public Wireless behind the first Main Router.
    >>> Private Wire and wireless behind the second Router.
    >>> Network Segregation - http://www.ezlan.net/shield.html
    >>> Make sure that the second Wireless Router can be secured at a WPA2
    >>> level in case you use Wireless on the Private Wireless.
    >>> Jack (MS, MVP-Networking).
    >>>
    >>> "PC_Admin" <> wrote in message
    >>> news:...
    >>>> I'm the Network Admin for a medium sized practice.
    >>>> Our Management wants me to configure a way to allow patients
    >>>> internet access on their personal laptops while in our waiting rooms
    >>>> in each office. We presently have WiFi in our office but, it is
    >>>> secured and we use Static IP's for every workstation, Laptop or
    >>>> other device.
    >>>>
    >>>> I have two concerns in adding public WiFi access:
    >>>>
    >>>> 1. Security of our own corporate servers and sensitive patient
    >>>> medical data on any workstations.
    >>>> 2. The legal aspects (If any) allowing patients to freely surf the
    >>>> internet.
    >>>>
    >>>> Technical Questions:
    >>>>
    >>>> Is it possible to split our network in to two pipes for security
    >>>> reasons?
    >>>>
    >>>>
    >>>> Pipe one: Corporate Use (Secured with Static IP's).
    >>>> Pipe Two: Public WiFi access (Unsecured).
    >>>>
    >>>> Again my biggest concern is to isolate any public use from our
    >>>> medical data.
    >>>>
    >>>> Any suggestions much appreciated.
    >>>>
    >>>> Thanks, Phil
    >>>

    >
    PC_Admin, May 29, 2009
    #14
  15. "PC_Admin" <> wrote in message
    news:...
    > I'll have to play with this a little at home and get an idea how well it
    > would work.
    > I have many things that enter in to the mix to complicate this option.
    > We use VPN to connect our remote offices to our servers here, and several
    > other hardware devices that are interconnected to consider in the mix.
    > Also our existing internal static IPs can not be changed.
    > I'll need to do some more research on the internet before I consider
    > trying this.
    > For now a second DSL account wins for simplicity and security. :)
    > Phil


    Then a second DSL is the way to go here. Creating a Back-to-Back DMZ using
    a pair of NAT Devices (the actual name of the "design model" you've been
    discussing) could possibly make a mess of your VPN situation and the
    Publicly addressed devices. Not saying it couldn't be dealt with, but it
    just depends on how much trouble you want to go through.


    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Phillip Windell, Jun 1, 2009
    #15