Sonos & HIPAA

HCHTech

One of my very few medical clients (a chiropractic practice) called yesterday with the complaint that their practice management database was slow. This would be unusual since it runs on a 10-month-old dedicated server with a 10Gb connection to the network switch, and all workstations are gigabit with SSDs. "Slow" is never one of the normal complaints from them. Finding absolutely nothing wrong after working with one of the front-desk computers and the server over their lunch hour, I chalked it up to a fluke and went on. It was working OK now (they agreed), so we left it that they would call if it happened again.

So they call back today complaining that it has been slow again and that's when they mention that they just got a new Sonos system so they could play music in the individual patient rooms. They have 7 or 8 Play:1 speakers connected to the employee wireless (not the guest network), and each one was streaming a different Pandora channel.

So....first - I'll bet I know why the network was slower than it used to be, and second, I'm not sure there is a good fix. Lastly, I'm wondering how streaming services like this might impact their HIPAA compliance.

They have FIOS business service 90/90. I tested almost this exact speed from a workstation when I did my remote session yesterday, although no one was using the Sonos at that time.

I wonder how much bandwidth a Sonos stream of Pandora uses? I'd bet 128 kb/s at least, but that x 8 is still only a bit over 1 Mb/s and they have 90 Mb/s service (although that doesn't account for latency). I wonder if I could tag the traffic and confine it to a carved-out portion of their bandwidth, like you would do with VoIP traffic...

I don't think I can put the things on the guest network (without carving a path through the firewall) since they are controlled by controller software that lives on the workstations.

Suggestions?
 
Easy...separate the Sonos into a VLAN with other "facilities stuff"...or its own...whatever, so long as it's separate from the computer production network.

Get a managed wireless system

Define a user group within this managed wireless system, give it X amount of bandwidth (may need to play with this to find an optimal setting)

Hopefully adequate wireless is there to handle the extra load. More APs...higher density, lower TX power...should spread the load nicely.
 
Yeah, all that's doable. We have a SonicWall and 3 SonicPoints there, I think... I'll have to check. I'll still have to allow traffic between the LAN and the VLAN for the controllers to work, yes? That's the part that has me concerned.
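The part that actually has to cross the LAN/VLAN boundary is worth seeing concretely. Sonos speakers are UPnP devices: the controller finds them with SSDP multicast (239.255.255.250 on UDP 1900), and multicast is not routed between VLANs by default, which is why a controller on the production LAN goes blind the moment the speakers move. The probe below is an added example written for this thread, not Sonos code or anything from the original posts; the ZonePlayer search target and the TCP 1400 device port are assumed from Sonos' UPnP behaviour, and the sample reply it parses is constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Standard SSDP discovery group/port; this multicast traffic stops at a VLAN boundary.
SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
# Sonos ZonePlayer search target (assumed from Sonos' UPnP device description).
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"

# Constructed sample reply, shaped like a Sonos SSDP answer; values are made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age = 1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.10.51:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 Sonos/example\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:example-zoneplayer::urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"\r\n"
)


def build_msearch(st: str = SONOS_ST, mx: int = 1) -> bytes:
    """Build the M-SEARCH datagram a controller multicasts to find speakers."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Return the header map from an SSDP 200 reply, or {} if it is not one."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def unicast_target(headers: dict):
    """Host/port the controller talks to after discovery (what a firewall rule must allow)."""
    url = urlsplit(headers.get("LOCATION", ""))
    if not url.hostname:
        return None
    return url.hostname, url.port or 80


def crosses_subnet(controller_ip: str, speaker_ip: str, prefix: int) -> bool:
    """True when the speaker sits behind a routed boundary from the controller's subnet."""
    net = ipaddress.ip_network(f"{controller_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(speaker_ip) not in net


def discover(timeout: float = 2.0) -> dict:
    """Multicast an M-SEARCH and map responding IPs to their LOCATION URLs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, addr = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers:
                found[addr[0]] = headers.get("LOCATION", "")
    except socket.timeout:
        pass  # no more replies within the MX window
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    # Run from a workstation: if the speakers are on another VLAN, this list is empty
    # unless the firewall/wireless controller relays SSDP between the two segments.
    for ip, location in discover().items():
        print(ip, location)
```

Run it from a workstation on the production VLAN before and after the speakers move: an empty list after the move confirms the discovery traffic is being dropped at the boundary, and `unicast_target()` on a captured reply tells you the single host/port pair (here TCP 1400 on the speaker) that a narrow allow rule from the workstation VLAN to the Sonos VLAN has to cover, instead of opening the whole segment.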
 
No...not really. They have 8 speakers, all controlled in the individual exam rooms by the clinician who is working that room. So we would need 8 iPads to isolate them and still give individual control. I'll give this some thought. I have a conversation with the office manager next week, so I'll see what comes of that.
 
Oohhh...ugh. Not like...they just turn it on in the morning and let it rip. Gotta have a control of each room...geeeze.
Well, what do they want to control it from? Smart phones/tablets? Those usually should be on the guest/or other non-production network anyways.
 
Yeah, it's not like they called or anything - "Hey, computer guy, we'd like to do this complicated thing, can you help us set it up?". They just went out and bought 8 of these things, installed them, installed the controller on 8 network workstations and then called when things didn't magically work as expected. :rolleyes:
 
Smart phones/tablets? Those usually should be on the guest/or other non-production network anyways.

Normally yes, but I know from personal experience of at least two EMR vendors (Nextech, eClinicalWorks) with iPad client software designed for use by the clinical staff, and we have one client who's been using iPads with Nextech for years.

The bigger problem is the mixing of clinical and non-clinical software on those devices and the network, and that's where things may get a little more squirrely. My feeling is that the devices used for clinical work should not have any other software installed, and the Sonos equipment shouldn't be on the LAN/VLAN where clinical data moves.
 
How about moving all the Sonos onto a separate VLAN and having the users connect to the same VLAN with their personal phones to control the Sonos.

Normally yes, but I know from personal experience of at least two EMR vendors (Nextech, eClinicalWorks) with iPad client software designed for use by the clinical staff, and we have one client who's been using iPads with Nextech for years.

The bigger problem is the mixing of clinical and non-clinical software on those devices and the network, and that's where things may get a little more squirrely. My feeling is that the devices used for clinical work should not have any other software installed, and the Sonos equipment shouldn't be on the LAN/VLAN where clinical data moves.

Ahh...yes, so...I fully agree on your second paragraph there...mixing of "personal" stuff on "company" computers. Creates a bigger risk, and increases the difficulty of trying to maintain secured computers, with yet another "thing" to have to manage and update.

So, for this client...time to backup and punt and take a fresh approach here. Perhaps with a direction like biggy mentioned above...cleanly separate the whole thing.
 
Time for them to truck in a separate internet connection and set up a separate network for their Sonos.

I've had a couple of clients go this route. Bring in a separate $40-a-month internet line and they are free to put whatever they want on it.
 
For smaller medical practices cloud-based EMRs are pretty much the rule these days, so a second Internet connection from a different carrier is not a terrible idea, whether manual cutover with training or with an appropriate router that handles dual WAN connections.
 