[ Friday, June 03, 2005 ]


Bluetooth Security: Know much about Bluetooth? It's a protocol that allows wireless devices to communicate with each other over a short range (10-100 yards). Some new cars come with Bluetooth capability, so if your cell phone is so wired, your phone and your car can "talk" to each other. This allows you to use the hands-free capabilities of your car to control your phone; without having to physically hook your phone up to your car, you can get in the car with your phone in your pocket, purse or briefcase, activate the car's Bluetooth capabilities (usually a button on the steering wheel), and say, "phone home," and the car will cause your cell phone to call home, using the speakers and hands-free microphone built into the car. It's a pretty amazing technology.

Obviously, like WiFi, using Bluetooth can be risky. As this article in New Scientist shows, the signal between two Bluetooth devices is encrypted, but hackers have figured out a couple of ways to intercept the key. Mainly, this allows the hacker to "hijack" the phone and use it as their own to make calls. Presumably, this would also allow the hacker to eavesdrop on the phone conversation by decrypting the encrypted communications between the Bluetooth devices.

The lesson, of course, is that you need to be careful using any type of wireless device. At the very least, you need to be knowledgeable about the risks, and avoid situations where the risk of hacking could be great; driving down the interstate at 70 mph and using the Bluetooth-enabled phone in your car is probably OK, for example. And keep a few things in mind: you will never be able to defeat the best hackers if they are very determined, but you can deter them so they try to find an easier target; most PHI isn't of interest to hackers because it's boring and of little value to them (who wants to know about your gall bladder surgery?), but identifying PHI can be very valuable (especially social security numbers); and in many instances where you are using wireless means to communicate PHI, you don't really need to identify the individual by name or social security number.

Hat tip on the article: Alan Goldberg

Jeff [9:08 AM]
