If your office network was set up by your internet provider or hasn't had a professional review, there's a real chance it doesn't meet HIPAA's security requirements — even if nothing seems wrong.
WiFi is one of the most overlooked vulnerabilities in a medical or dental practice's IT environment. Most practice owners assume that if the internet works and they have a password on the router, they're covered. They're usually not. HIPAA's Security Rule has specific technical requirements for how electronic protected health information (ePHI) is transmitted, stored, and accessed — and a default router from your internet provider almost certainly doesn't meet them out of the box.
In this episode of NerdSquad Tech Tips, our CEO walks through the exact checklist we use when auditing a practice's wireless environment — fast, practical, and written for non-technical practice owners and office managers.
WiFi is never 100% infallible. When possible, transmit sensitive or patient data over wired infrastructure rather than wireless. This isn't always practical — modern practices are heavily wireless by necessity — but it's the gold standard, and it's worth building toward where you can.
Default router credentials are publicly documented and trivially easy to exploit. If your router still uses its factory-default admin password — or a default management address like 192.168.0.1 — that's the first thing to fix. Change both immediately, and use a strong, unique password managed through a password manager rather than something written on a sticky note in the server closet.
Your wireless network should be running WPA2 at minimum. WPA3 is better and available on most modern hardware. If you see WEP anywhere on your network, or an open (unencrypted) SSID, patient data transmitted over that connection is exposed. Full stop.
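The quickest way to check this item is to scan for every SSID the office can see and rate each one against the WPA2 minimum. The script below is an added example, not NerdSquad's tooling; it parses the terse output of NetworkManager's `nmcli` on a Linux laptop (assumed available) and runs on a constructed sample scan so it can be tried offline.

```python
"""Audit a WiFi scan against the checklist minimum: WPA2 or better, no WEP, no open SSIDs."""
import re
import subprocess

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi list` output
# (terse mode: one network per line, fields separated by ':').
SAMPLE_SCAN = """\
ClinicStaff:WPA2 WPA3
Clinic-Guest:WPA2
FrontDeskPrinter:WEP
OldImaging-AP:
VendorKiosk:WPA1 WPA2
"""

# Weakest to strongest; anything rated below WPA2 fails the checklist.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA1": 2, "WPA2": 3, "WPA3": 4}
MINIMUM = "WPA2"

def parse_scan(text):
    """Map each SSID to the strongest security mode it advertises."""
    results = {}
    for line in text.splitlines():
        # nmcli terse mode escapes literal colons inside a field as '\:'.
        parts = re.split(r"(?<!\\):", line, maxsplit=1)
        if len(parts) < 2:
            continue
        ssid, security = parts
        tokens = [t for t in security.split() if t in STRENGTH]
        # Extra tokens such as '802.1X' only qualify the mode and are ignored;
        # an empty SECURITY field means an open (unencrypted) network.
        results[ssid.replace("\\:", ":")] = max(tokens, key=STRENGTH.get, default="OPEN")
    return results

def audit(text):
    """Return [(ssid, security, 'PASS'|'FAIL')] in scan order."""
    report = []
    for ssid, security in parse_scan(text).items():
        verdict = "PASS" if STRENGTH[security] >= STRENGTH[MINIMUM] else "FAIL"
        report.append((ssid, security, verdict))
    return report

def live_scan():
    """Run the real scan on a Linux host with NetworkManager (assumed installed)."""
    out = subprocess.run(["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi", "list"],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    for ssid, security, verdict in audit(SAMPLE_SCAN):
        print(f"{verdict:4} {security:5} {ssid}")
```

Any SSID marked FAIL that belongs to the practice (including forgotten printers or imaging access points) should be reconfigured or retired before it is used for anything that touches patient data.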
Your primary staff network — the one connected to your practice management system, imaging software, and clinical workstations — should not be broadcasting its name openly. Hiding the SSID won't stop a determined attacker, but it removes your network from casual view and is a recognized best practice in a HIPAA audit context.
This is one of the most common gaps we find. Patients, vendors, and visiting staff should never be on the same network as your clinical systems. Use separate SSIDs — and ideally separate VLANs or a dedicated firewall — to isolate traffic. A compromised guest device on your network should never have a path to your EHR or practice management software.
HIPAA's Security Rule requires audit controls — the ability to record and examine activity in systems that access ePHI. Your network hardware should be logging access activity for at least several months, and those logs should either be actively monitored or forwarded to a SIEM for automated threat detection. If your router has no logging capability, it's not HIPAA-grade hardware.
Routers, switches, and access points should be in a locked location — not mounted in a waiting room, visible behind the front desk, or accessible to patients or the general public. Physical access to network hardware can bypass every software control you have. Keep firmware updated regularly on all hardware.
Move away from traditional passwords where possible. Passwordless or multi-factor authentication — using tools like Microsoft Authenticator, Duo, or Google Authenticator — significantly reduces the risk of unauthorized access to systems that touch patient data.
This episode was built for healthcare practice owners, office managers, and dental practices running out-of-the-box network setups without a dedicated IT team. If that sounds like you, and you haven't had a professional network assessment, this is a good place to start.
NerdSquad specializes in HIPAA-compliant IT for medical and dental practices across South Florida. We assess existing environments, identify gaps, and implement the controls that keep you compliant and your patients' data protected — without overcomplicating it or overcharging for it.
Ready for a real WiFi checkup?