Engineering the Wireless Hospital: Security
By: Natalie Sheerer, Marketing Specialist
In its 2012 white paper, Wi-Fi in Healthcare: Security Solutions for Hospital Wi-Fi Networks, the Wi-Fi Alliance took an in-depth look at security for hospital wireless networks. There are strong regulations that exist around the security and privacy of sensitive data such as patient health information. Noncompliance to these regulations can mean a financial penalty running into the millions of dollars and a poor public listing on a government website, both of which can cause immeasurable damage to a facility’s reputation.
The Health Information Technology for Economic and Clinical Health (HITECH) Act mandates that health care providers close off networks and maintain better security in order to obtain Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance. To satisfy the requirements of HIPAA, a hospital Wi-Fi system needs:
- Strong, mutual authentication between every authorized client device and a trusted hospital network to ensure that:
- Only trusted Wi-Fi clients can gain network access
- Trusted Wi-Fi clients are not tricked into connecting to an untrusted network
- Strong encryption of all data, especially protected health information, that transmits between a Wi-Fi client and the hospital network
Fortunately, the Enterprise version of Wi-Fi Protected Access 2®, or WPA2®, provides authentication and encryption that are sufficient for HIPAA compliance. WPA2-Enterprise addresses the main security threats against Wi-Fi networks, namely network exposure, data exposure, and man-in-the-middle attacks.
By default, Wi-Fi client devices are “open”, meaning that they have no security configured. For every client device that is managed by hospital IT, an administrator must change the device’s default configuration to ensure that the client uses WPA2-Enterprise with a strong EAP type to gain access to a hospital Wi-Fi network.
Many hospitals try to prevent unauthorized users from having physical access to certain devices that can connect to the hospital network. Physical device security is rarely foolproof and Wi-Fi client devices sometimes fall into the wrong hands. Because a stolen device probably runs a limited set of applications, a thief will not typically use a stolen device to break into the Wi-Fi network and the resources behind it. Instead, the thief will copy Wi-Fi network configuration information from the stolen device to a specially configured laptop that can be used to hack into a hospital Wi-Fi network. Therefore, hospitals should not store EAP authentication credentials on client devices.
While doctors and nurses love the ability to use their personal devices on hospital Wi-Fi networks, the bring your own device (BYOD) phenomenon creates security headaches for hospital IT personnel because they cannot configure the devices to use WPA2-Enterprise. Even when a hospital restricts personal devices to guest Wi-Fi networks, those devices can introduce mobile malware onto a hospital network. It is crucial for hospital IT staff to implement a well-planned BYOD security policy that includes centralized management capabilities such as remotely wiping lost or stolen devices, device and application monitoring, and encryption enforcement. Hospital IT staff should ensure that employees fully understand regulations, security, and expectations.
For more information about wireless security in a healthcare setting, download our white paper on this topic, here.