Setting up a Wi-Fi network in a hospital can be difficult. However, when the right steps are taken IT managers can bypass a lot of headaches and ensure a more reliable and secure network for wireless medical devices. Check out part 4 of the Setting Up Wi-Fi in a Medical Center series, Security.
When transmitting data as sensitive as that found in hospitals, security must be strong. The suggested level of security is Wi-Fi Protected Access II with Advanced Encryption Standard (WPA2-AES). There is no situation in a hospital where Temporal Key Integrity Protocol (TKIP) is acceptable: it is especially vulnerable to Man-in-the-Middle (MITM) attacks and to eavesdroppers using brute force to crack the key.
In addition to WPA2-AES, a hospital IT manager should incorporate Extensible Authentication Protocol (EAP) authentication with certificates. This requires the user to provide credentials before gaining access to the network.
Guest Access and Staff Devices
The Bring Your Own Device (BYOD) trend is also on the rise in hospitals. If the IT manager chooses to allow BYOD, the personal devices of staff members should go on their own separate VLAN. This lets staff members check patient records while on the network but keeps them separated from the life-critical devices and from records that don't pertain to their work.
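The three recommendations above (WPA2 with AES-CCMP only, EAP authentication against a RADIUS server, and BYOD on its own VLAN) can be checked mechanically. The following audit script is an added example, not part of the original post: it parses a hostapd-style access-point config and reports each SSID that falls short of that baseline. The sample config, the RADIUS address 192.0.2.10 and the bridge names are constructed placeholders; one bridge per SSID is used here as the stand-in for one VLAN per SSID.

```python
# Constructed sample: a corrected medical SSID beside a weak BYOD SSID (placeholder values).
SAMPLE_CONF = """\
interface=wlan0
bridge=br-medical
ssid=MED-DEVICES
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
bss=wlan0_1
bridge=br-medical
ssid=STAFF-BYOD
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

def parse_hostapd(text):
    """Split a hostapd config into per-BSS dicts; a 'bss=' line starts a new BSS."""
    blocks, cur = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "bss":
            blocks.append(cur)
            cur = {}
        cur[key] = value
    return blocks + [cur]

def audit(text):
    """Return {ssid: [findings]}; an empty list means the BSS meets the baseline."""
    blocks, report = parse_hostapd(text), {}
    for b in blocks:
        f = []
        if b.get("wpa") != "2":
            f.append("wpa must be 2: WPA2/RSN only, no WPA1 fallback")
        # rsn_pairwise governs WPA2; hostapd falls back to wpa_pairwise when it is unset.
        if set(b.get("rsn_pairwise", b.get("wpa_pairwise", "")).split()) != {"CCMP"}:
            f.append("pairwise cipher must be CCMP only; TKIP is never acceptable")
        if not set(b.get("wpa_key_mgmt", "").split()) & {"WPA-EAP", "WPA-EAP-SHA256"}:
            f.append("use EAP (802.1X) key management, not a pre-shared key")
        if "auth_server_addr" not in b:
            f.append("EAP needs a RADIUS server: set auth_server_addr")
        report[b.get("ssid", "?")] = f
    # Segmentation: each SSID should sit on its own bridge, i.e. its own VLAN.
    bridges = [b.get("bridge") for b in blocks]
    if len(set(bridges)) < len(bridges):
        for f in report.values():
            f.append("SSIDs share a bridge; put BYOD on a separate VLAN")
    return report
```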
Compliance with HIPAA
In the United States, HIPAA requires that medical information must be encrypted by some method but does not define a specific method. Access control must be put into place so that a user must provide credentials to gain access to particular networks.
The Roles of FIPS and WAPI
IT managers also must ensure they are adhering to any required standards when implementing a Wi-Fi infrastructure in a hospital. For example, Federal Information Processing Standards (FIPS) are created by the United States government and specify the security mechanisms that may be used when passing information. FIPS identifies the type of encryption, credentials, or authentication required and also requires that the program performing the authentication itself uses proper encryption. FIPS is required for use in the VA hospitals in the US.
Another standard to keep in mind is WLAN Authentication and Privacy Infrastructure (WAPI). WAPI is a national standard in China required on any devices with Global System for Mobile Communications (GSM). As long as there is no GSM radio in a medical device, WAPI is not required.
Keep an eye out for part 5, testing, and don't forget to subscribe!