Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 531: Quick Wins: Securing Your Wi-Fi Network for HIPAA Peace of Mind.
Liath Dalton
We love quick wins, don’t we?
Evan Dumas
Oh, yeah.
Liath Dalton
And this is really something that, in relative terms, is a small but very practical action that makes a massive impact to your practice. So why are we talking about this? Well, Evan, what role does a Wi-Fi network play in a practice’s security picture?
Evan Dumas
Yeah, well, your Wi-Fi network is a link between you and your client data, or sometimes just you and your client. So when we’re looking at security for a practice, we look at all links along the chain, and the Wi-Fi is just one of them.
Liath Dalton
Exactly. And if it’s not secured, if you have that broken link, everything that is like downstream, upstream, to mix metaphors here, is broken or vulnerable, right? It’s not secured. So essentially, another way to think of it is that if your Wi-Fi network isn’t secured, it’s like leaving your office door unlocked, right?
Evan Dumas
Yeah, totally, yeah.
Liath Dalton
But the good news, and this is something that we talk with our folks about so frequently, and are really committed to making sure that folks feel empowered to tackle this, is that it doesn’t require technical expertise.
Evan Dumas
Nope.
Liath Dalton
You don’t have to get an IT expert in to help you do it. It is all something that is manageable and accessible to you as a tech novice, even right? So let’s get into it.
Evan Dumas
Yeah.
Liath Dalton
So why does Wi-Fi security matter so much? Well, Evan, you already really illustrated that by explaining how it’s a link in the chain and that if your Wi-Fi network isn’t secured, that means that you have an unsecured PHI access point.
Evan Dumas
Yeah.
Liath Dalton
Now, something that comes up really often is that this aspect of the HIPAA security chain gets overlooked.
Evan Dumas
Yeah.
Liath Dalton
Because we are, you know, operating in the practice context where most folks are really using HIPAA secure, online, third party, cloud based services, right?
Evan Dumas
Mhm.
Liath Dalton
Your EHR, your telehealth platform, Google Workspace, etc, and you’ve got a BAA with them.
Evan Dumas
Mhm.
Liath Dalton
So folks will think, Well, that’s all secured, they’re securing it, so I’m covered, and good to go. But we really need to clarify that the HIPAA Business Associate Agreement is covering the vendor’s system, like your service provider’s system, but not your connection to them. They don’t have the ability to control that.
Liath Dalton
So your Wi-Fi and the devices that you use to access those HIPAA secure, cloud based systems are within your domain of HIPAA responsibility.
Evan Dumas
Mhm, yeah.
Liath Dalton
So let’s talk before we get into the practical steps, just to drive home why this is so important, what the actual and like tangible risks of weak Wi-Fi security are. Evan, can you give us the overview of that?
Evan Dumas
Oh, yeah, yeah. So say someone does get access to your Wi-Fi network. Because you’re using an old router, because you’re using an old encryption protocol, then that means your devices are compromised.
Evan Dumas
So once they’re in your network, they could potentially get into your phones, tablets, laptops, smart TVs, things like that. So anything you have stored locally is at risk.
Evan Dumas
They could also intercept what you’re doing. This is one reason why we advocate VPNs and other things when you’re out in public Wi-Fi, because you don’t know how secure the Wi-Fi is. They can sort of listen in on your keystrokes, on your credentials, on like if you do online shopping from crappy Wi-Fi, the chance that they might snag your credit card or things like that is, is up there. It’s more than a secure thing.
Evan Dumas
They pretty much get access to anything on your computer, or they could, which is pretty scary. And also, you’re, you’re sort of, it’s a gap in your compliance because you’re responsible for your client’s data, and if your client’s data travels through something that’s unsecure, that’s your responsibility, and that’s not so great.
Evan Dumas
So it kind of has this ripple effect. That if your Wi-Fi is unsecure, you know, everything uses your router, everything uses your Wi-Fi, it then also becomes at risk. So it’s a very delicate point to have secured, and can affect a lot of things.
Liath Dalton
Absolutely. So let’s situate like, in a real world situation, what this could look like. So you’re sitting in your practice office after a day of client sessions, you’re logged into your EHR and doing your charting for the day, and out in the parking lot within your Wi-Fi range, someone with a laptop is scanning for networks. And if your Wi-Fi is running an old, weak security protocol, they can just get into your network and they can see the traffic, and things, like Evan said, your login credentials, or if you’re uploading any client documents from your device to your EHR, they can see that. Or if they’re keystroke logging, they can get your login credentials to your EHR and then view all of the contents within your EHR. So this is the exact sort of low hanging fruit that attackers look for. But what’s the good news, Evan?
Evan Dumas
Yeah, the good news is all of this can be avoided. Because, yes, pretty much any router made after 2018 will have updated security protocols. And we can talk about how you make those changes, and how you may even be notified right now by your phone that you might need to make those changes.
Liath Dalton
Ooh, yes. And I’ll share my own little story, that kind of prompted me to think, this is a good thing to talk about right now.
Liath Dalton
So I recently switched internet service providers because I finally had more than one option in my neighborhood, and the new option was fiber. To which I was like, yes, please. I would like fiber. And when we got it set up, and I connected my phone and laptop to it for the first time, I got a warning of: this is weak security. And the reason being was that the router, that was provided from the new internet service provider, was, by default, set to WPA, which is the security protocol for it.
Liath Dalton
And WPA is super outdated, like it’s been outdated for over a decade, right, Evan?
Evan Dumas
Mhm, yeah.
Liath Dalton
And it’s very, it’s the weak protocol that we’re just talking about, being sort of that gateway to those worst case scenarios. So then my process was to use our resources to guide me on getting the router configured so that I was using WPA3, which is the latest and most secure, basically, network encryption protocol.
Evan Dumas
Mhm, yeah.
Liath Dalton
So what does that mean? The good news is that your devices, like if you’re using an iPhone, I’m not sure what the Android warnings are, but I imagine they do it too. Do you know, Evan?
Evan Dumas
Oh, with Androids? No, not so much.
Liath Dalton
Well, iPhones and Apple devices will give you a warning if you connect to a network that has WPA instead of WPA2 or WPA3. So don’t ignore those. And really the action there is to change your router settings so that it’s using the strongest security protocol possible.
Liath Dalton
WPA3 is really the current gold standard, but in some instances, you may want to set it to a WPA2 WPA3 combo, because that sort of has backwards compatibility. You may have some devices that can’t connect to WPA3, right?
Evan Dumas
Yeah, yeah.
Liath Dalton
But you never want to use WEP or WPA alone. And if you do have a router that can’t run on those protocols that are stronger and sufficient for what our needs are, for any device that’s handling or accessing systems that contain client info, or your own personal financial or sensitive info, we want to make sure those are only connecting to those secured networks, right? So if you have a router that can’t do that, which would only really be the case, if it’s an old router, older than 2018, then you want to upgrade your, your router.
Evan Dumas
Mhm, yeah, yeah.
Liath Dalton
But thankfully, routers aren’t very expensive now. They’re a lot less expensive than they used to be a few years ago.
Liath Dalton
So check out the show notes, actually, because we are linking to our go-to resource for all hardware recommendations and reviews, and that’s Tom’s Hardware. And they’ve got reviews for the best Wi-Fi routers of 2025, high speed, low cost choices, etc. So if you do need to upgrade your router, there are some great options for you there.
Evan Dumas
Yeah.
Liath Dalton
And then what are the other primary steps? I mean, that’s the biggest impact one, right? Because that’s really the gateway to what makes things vulnerable or not vulnerable. But above and beyond that, there are a few really important steps that we guide folks on in our Workspace and Device Security Centers. Can you give us a good overview of those?
Evan Dumas
Yeah, sure. So first of all is just familiarizing yourself with the interface for your router. Now, your router, the little thing with antenna sticking out of it, is a little computer, and you can log into it and change some settings and things. That’s where you would go to change the password on it.
Evan Dumas
So by default, you know, it comes with a series of random characters and letters, and maybe you put it on the fridge, and it’s really annoying to share, but you can come up with your own now. We definitely recommend it be 12 to 16 characters, mix of words, numbers and symbols, etc. And, you know, maybe change it once in a while. So like, because, because that’s nice knowing that router’s interface will also let you update your router, which is great, because just like it’s a little computer, it also needs little updates. Sometimes they update themselves, sort of. When you buy a router, it’ll let you know if it auto updates. But some of them, you’d need to go and manually hit some buttons.
Evan Dumas
Also, our little guide guides you through making a guest network, which is really handy if you’re sharing your Wi-Fi with anyone else who doesn’t handle PHI, who just wants to use the internet. So you can make your work account that handles the PHI, little network, and you can make one for family. So that’ll also sort of protect your network quite a bit.
Evan Dumas
Those things, updating your router and making a little guest network, changing passwords, setting your security settings, which I read, WPA just stands for Wi-Fi Protected Access, so that’s, you know, that’s just what it does. That’s all done through your router’s interface.
Liath Dalton
Exactly. So check out the show notes, because we made a handy little checklist for you that guides you on how to check your Wi-Fi security settings, update your password, set up a guest network, etc, just a checklist so that you can take care of those basic steps and get your quick win.
Liath Dalton
And then if hearing this has you thinking, I really want to make sure I have this nailed down, and want a little more guidance than just a checklist, we do, of course, have you covered, because this is part of the resource set that’s included in our Practice Care, premium service, specifically a Device Security and Workspace Security Center, which provide not just tutorials for each step, like Evan said, how to update your router, set up a secure guest network, lock down your devices, but also has the documentation component. Because, as always with HIPAA, it’s documentation or it wasn’t done.
Liath Dalton
So we’ve got a version for group practices and group practice leaders and then solo practitioners, because obviously those contexts and needs are a little bit different. So in either case, we’ve, we’ve got you covered, but please do check out the show notes for that Wi-Fi security checklist and the link to the router recommendations should the need to upgrade your router be applicable for you.
Liath Dalton
We hope this has been helpful. Thanks for joining us. We love supporting you in getting quick wins and for the more complex pieces, but it always feels important to intersperse some of the easier and super practical application oriented pieces with the bigger theoretical conversations that we’re having, like last week’s discussion of client use of AI and all of the implications of that.
Liath Dalton
So thanks for listening, and we’ll talk to you next week.
Evan Dumas
Talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we walk you through a quick win for your practice security – how to secure your Wi-Fi network.
We discuss:
- The role of Wi-Fi in a practice’s security picture
- The tangible risks of weak Wi-Fi security
- Steps to take to improve your Wi-Fi security
- Our free Wi-Fi security checklist, included in the show notes
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Wi-Fi Security Checklist for Mental Health Practices (PDF version)
- Wi-Fi Security Checklist for Mental Health Practices (.docx version)
  - a one-page guide with simple, high-impact steps to secure your Wi-Fi, to help protect client confidentiality and strengthen HIPAA compliance
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  - + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
Resources:
- Tom’s Hardware: Best Wi-Fi Routers 2025