[ Wednesday, September 17, 2003 ]
Here's a scary story about wi-fi, from Clyde Hewitt of Phoenix Health System's HIPAAnotes:
"In early September, an individual was arraigned in Raleigh for hacking into a physician office's computer system and accessing electronic protected health information (ePHI). After gathering the information, he contacted patients and insurance companies to warn them that their ePHI wasn't safe. (See story
"The hacker did not need any tools beyond a wireless card and his personal computer because the wireless network was unsecured. In the past, hackers attacked modems by 'war dialing' and looking for the familiar screech of the modem. Once they found a modem, they had to guess a username and password. Now, hackers practice "war driving" where they drive around searching for those Wireless Access Points (WAPs). Many of the WAPs today broadcast 800 feet in all directions. Other offices, and even those sitting in the parking lot, will likely be able to see the WAP and gain access to the unprotected network.
"Rather than guessing at usernames and passwords, it only takes some tools that are readily available on the Internet to sniff usernames and passwords once a wireless network is detected. In other instances, computers behind the corporate firewall may have shared drives that are inviting to anyone on the network.
"With the proliferation of cheap wireless devices, many under $100, small providers may be tempted to install wireless networks in their office rather than pay the average of $75 to $100 per network drop just to install the Ethernet cable. The typical setup is relatively simple and for those who have home broadband or DSL connections, relatively non-technical. This simplicity often leads medical practices to take the easy road and install wireless networks without considering security.
"Wireless is a cheap and highly efficient solution to wiring an office, but if sound security practices are not put into place, they are potential "sieves" ready to leak information to anyone with a wireless card. Today, it doesn’t even require a PC to do this since many PDAs also have wireless WiFi capabilities. The issue facing office managers and security officials is how to provide capability and still maintain security. The first line of defense is always policies. Because of the relatively cheap cost, end users may be tempted to bypass the information technology staff and install their own wireless network. Policies and procedures must be put in place to prohibit this behavior and to take serious action if an unauthorized wireless network is installed. With very few exceptions, an unsecured wireless network has no place in the healthcare environment. Nearly all of the reputable vendors provide the ability to encrypt the transmission between the WAP and the workstation. These encryption algorithms are adequate for the near future to prevent all but the professional spy from getting access in real time. That is, providing the installer took the time to set up a non-guessable algorithm.
"Setting up WAP encryption normally requires a 40-, 64-, or 128-bit encryption "key." This key is derived from a word or passphrase the installer chooses during the install process. If the passphrase is easily guessed, a hacker may not need to break the full 128-bit encryption key, but rather just the passphrase. Imagine an installer choosing "Downtown Pathology" as the passphrase which automatically generates the key C01CE3C8E7E433C23142F3B46B. The passphrase could certainly be guessed, but the key would require a professional and a lot of luck.
"Next, covered entities should consider other, more robust, forms of wireless access. Hardware and software solutions exist that require each wireless device to login through the WAP before gaining network access. Unauthorized users will see the WAP, but will not see the network behind it.
"Wireless networking is rapidly exploding in the healthcare environment. The benefits are great, especially with the clinical workstation environment. Security officials and IT staff need to build security into the project plan before the first piece of equipment is purchased. Without it, your organization may be the lead story on the six o-clock news."
Lesson of the story: if you're going wireless or using wi-fi, make sure you're protected
Jeff [1:24 PM]
Blogger: HIPAA Blog - Edit your Template