Selecting the Right Wireless DevicesTips for Ensuring Security
PDAs and smart phones vary widely in their security capabilities, so it's important that physicians use the right devices to remotely access clinical information, Borten stresses.
In an interview (transcript below), Borten says:
- Hospitals and clinics must select appropriate wireless tools, making sure devices that physicians and others use have adequate authentication and encryption capabilities.
- Organizations need to understand and take full advantage of the new security capabilities most wireless networks have to offer.
- IT staff must aggressively monitor wireless networks, using vulnerability scans and other technologies to identify weaknesses that could enable an unauthorized user to gain access and violate patient privacy.
Borten, CISSP, CISM, is president of The Marblehead Group Inc. She advises healthcare organizations on information security strategies and compliance issues. She formerly served as head of information security at Massachusetts General Hospital and chief information security officer at Beth Israel Deaconess Medical Center. Borten is a frequent speaker on HIPAA and health information privacy and security. She is also the author of "Guide to HIPAA Security Risk Analysis" and "HIPAA Security Made Simple."
HOWARD ANDERSON: Today we want to talk to you about wireless network security. How does the growing use of wireless networks and wireless devices affect healthcare organizations' risk management strategies?
KATE BORTEN: When the proposed HIPAA security rule came out, I don't think there was a mention of wireless. These days, even smaller healthcare organizations have wireless. The good news, in terms of security risk, is that wireless networks typically include out-of-the-box security that is much better than it was in the past. Of course, you add a wireless network, and you may feel as though its part of your private LAN. But because these signals go out over the airwaves, you really need to think of it more like you think of using the Internet public network.
Encryption, AuthenticationANDERSON: So as more hospitals and clinics implement wireless networks within their facilities, what are the most important steps they can take to ensure the security of information traversing those networks?
BORTEN: As I mentioned there is better and better security in terms of encryption and authentication. In the early years, we had WEP, which wasn't worth much and most organizations recognized that and implemented something like a virtual private network at a much higher level. Today, though, we have not only the WPA Enterprise level, but we've got WPA 2 that gives AES level encryption and, in general, much stronger implementations that are compliant with the IEEE 801.11 standards. So we've got better tools. ...
Selecting Wireless DevicesANDERSON: What additional security factors must healthcare organizations address when they consider offering clinicians remote access to clinical information via a wireless device such as a smart phone?
BORTEN: Of course those small ... handheld devices raise all sorts of problems. Wireless is only a part of the whole picture. Increasingly, organizations are recognizing that certain handhelds simply don't have quite the security capabilities that others do. I don't want to name any brands, but some of these devices should not be used if you want to store or access any confidential information or resources, not just limited to the protected health information, but anything else that you need to protect. You want to make sure that there is authentication capability in these devices and encryption ... as well as the encrypted transmission on the wireless network until you get back to the wired enterprise network.
Understanding the capabilities and then choosing the right tools to work with can be a challenge in an organization where every doctor gets to go out and choose their own device. ... So we're begging organizations to say, "We need to have some consistency; we have to set certain standards and limit this to certain devices that we know we can control with certain software and processes."
ANDERSON: So the encryption and authentication capability of various smart phones and PDAs are all over the map?
BORTEN: I would say that there are some differences in capabilities. Again, my hope is that as time passes, any hand-held device is going to come with easy-to-use encryption and authentication capabilities. But I don't think we are consistently there today.
Monitoring Wireless NetworksANDERSON: Based on your experiences advising a wide variety of healthcare organizations, what other advice would you give to hospitals and clinics that are ramping up their use of wireless technologies about how to accurately address security and maintain the privacy of patient information?
BORTEN: Just as the ... IT staff needs to be regularly monitoring the wired network, having tools that will watch the traffic and send alerts or drop packets and conducting vulnerability scans of the network, you also need to use these sorts of tools on the wireless portions of your network as well.
So you certainly want to use discovery tools to identify rogue access points that some one might have put up. Maybe it was an employee who simply thought it would be nifty to extend the wireless into a new department and didn't actually get this approved. Maybe it's someone with more malicious intent from the outside. So certainly conduct access point discovery, which is fairly easy to do.
The companion piece to that is do war driving to understand how your signals are leaking out, because they certainly do, and testing to make sure that you are using the wireless network at an appropriate level of encryption and authentication. ... That makes it quite hard for anybody to actually hop onto your network, whether they want to use if for free Internet access or for much more damaging purposes of really poking into your network and snooping, taking data or destroying data.