Read chapters: Introduction to Information Systems for Health Information Technology, Chapters 1 and 8. Chapter 1 introduces the role of computing in health information management while Chapter 8 focus

5/28/2020 Securing Wireless Technology for Healthcare (2013 update)

https://web.archive.org/web/20170712052151/http://bok.ahima.org/doc?oid=107105#.WWWx9zr7TIU 1/7

Securing Wireless Technology for Healthcare (2013 update)

Editor's note: This update supplants the May 2004 practice brief "Securing Wireless Technology for Healthcare."

Overview

Wireless local area network (WLAN) environments have evolved from simple, unmanaged stand-alone access points (APs) to organizationally managed systems with centralized control and monitoring. These coordinated APs provide healthcare organizations with well-defined configuration, control, monitoring and management features that enable organization-level WLAN installations. One concern that has constrained healthcare organizations in their growth of WLANs is the question of how secure they are and how best to secure them. Fortunately, the evolution of wireless security has reached the point where WLANs can be as secure as a wired network with the proper configuration and implementation.

Healthcare organizations need to manage the basics of securing wireless technology. They need to be able to provide the appropriate level of access to different users including guests. This practice brief serves as a guideline to help ensure that due diligence has been exercised on the part of healthcare organizations and that information risks pertaining to wireless technologies are adequately identified and managed.

Note: Key terms underlined throughout the practice brief are further defined in Appendix A.

Current State of Wireless Technology in Healthcare

Today, WLANs are a standard extension of corporate networks. Healthcare organizations use a variety of wireless technologies. Trends such as Bring Your Own Device (BYOD) for users as well as patients and visitors are commonplace, including the expectation of continuous Wireless Fidelity (Wi-Fi) access and availability. Due to these expectations, healthcare organizations are enhancing their wireless network infrastructure and ensuring security is adequately addressed.

Enterasys, a global provider of wireless network infrastructure and security solutions, conducted a study in February 2013 on the current state of wireless networks in healthcare. They surveyed leading healthcare organizations on topics such as how they plan to support biomedical devices and BYOD while keeping their WLANs secure. Some of the survey results revealed:

30 percent of hospitals currently do not offer Wi-Fi to patients and guests

32 percent of hospitals are not using technology to enforce their BYOD policies

63 percent of respondents replied that their Wi-Fi is very important or critical to the success of achieving government regulations such as the "meaningful use" EHR Incentive Program

71 percent of hospitals have biomedical devices accessing the clinical Wi-Fi

82 percent of hospitals are allowing mobile EHR access on physician-owned devices

78 percent of hospitals are allowing some physicians to utilize personally owned devices at the point of care

This survey illustrates the wide-ranging use and prevalence of WLANs in healthcare today. WLANs are being increasingly entrusted with carrying mission-critical applications such as database access, voice over Internet protocol (VoIP), e-mail and Internet access. Securing a WLAN is no easy task given the mobility and diversity of organizational needs and demands in healthcare. Additionally, a variety of threats must be addressed in order to provide the expected availability as well as security for any WLAN.

Common Threats to WLANs


WLANs are an easily intercepted medium that does not require a physical connection to establish a network. Signals can leak outside an organization through walls, floors, and ceilings. A WLAN signal can be intercepted with a low probability of detection from either several miles away or right next door. WLAN exploits or compromises do require physical proximity to the target network. As a result, they are less likely to occur and less susceptible to attack than threats delivered over the Internet. However, WLANs are still vulnerable to several means of attack. Reasons for compromise include continued use of legacy equipment, weak authentication protocols, unencrypted public and private WLANs, configuration errors and personal devices. The following illustrates some of the common threats affecting WLANs in healthcare:

Denial of Service (DoS): Any instance that prevents authorized users from performing their duties may be considered a DoS event. The 802.11 WLAN transmission standards are a shared medium so they are susceptible to DoS attacks. DoS events can occur within any component of the IT infrastructure. WLAN DoS attacks are easy to launch from outside the facility by using freely available tools at the target (i.e., Slowloris, Sockstress, High Orbit Ion Cannon (HOIC) and Low Orbit Ion Cannon (LOIC)). For example, a common DoS attack sends many simultaneous requests to a website asking to generate a report. The database server supporting the website queries can reach 100 percent utilization making it inaccessible to user activity and resulting in a DoS.

WLAN Scanning and Monitoring: Attackers use a variety of freely available tools to scan and discover the existence of WLANs and their service set identifiers (SSIDs) such as Kismet or NetStumbler (PC-based) and KisMAC or MacStumbler (Mac-based). Once a WLAN is discovered, the attacker can look for rogue APs, connect to ones that will accept an ad hoc connection, eavesdrop on wireless traffic, or try to circumvent authentication procedures. If successful, then the attacker can further probe servers and databases that are connected to the wired network. Data sent over WLANs can be captured by attackers within proximity of the target network.

Rogue or Unauthorized APs: Rogue or unauthorized APs represent a threat to healthcare organizations by creating an open entry point to the network that bypasses existing security measures. This can include laptops, mobile devices, wireless bar code scanners and printers acting as APs. Attackers can use any insecure AP as a path to penetrate the network's security. WLAN APs are inexpensive and easy to install. This may be accomplished by simply plugging an AP into an Ethernet port on the wired network. Unauthorized WLAN APs can be connected to a network unwittingly or with malicious intent without the knowledge of the IT department. Since rogue APs are typically deployed by employees looking for quick wireless access, they are usually installed without standard security controls and can easily be misconfigured. Even healthcare organizations that do not allow the use of WLANs must secure themselves against insertion of rogue APs and the use of ad hoc wireless networking by workstations and other devices.

Misconfigured APs: The latest 802.11 standards offer a variety of relatively complex configuration options and variable client capabilities. Prioritization and segmentation can further complicate the configuration process. APs can be left with factory default settings or improperly configured, which allows attackers easy access to the WLAN. Most APs allow restrictions on which devices can connect to it based on filtering of media access control (MAC) addresses of authorized devices. MAC address filtering can provide some control over which devices can connect to your network. Attackers can copy MAC addresses from the WLAN and change the MAC address on their laptop to match the valid MAC address. There are still legacy products that use Temporal Key Integrity Protocol (TKIP) and Wired Equivalent Privacy (WEP). TKIP is vulnerable to message integrity check (MIC) attacks. The weaknesses of the WEP protocol have been widely documented. Although vendors offer patches to address these vulnerabilities once discovered, driver updates are not typically distributed automatically along with operating system (OS) updates.

Endpoint Attacks: Numerous exploits have been published to take advantage of vulnerable Wi-Fi drivers. Automated tools such as Metasploit can be used to launch endpoint attacks with minimal effort. For example, vulnerabilities can result when patches are not applied in a timely manner. Patches are usually issued by vendors once vulnerabilities are discovered. Wi-Fi driver patches are not typically distributed automatically with operating system updates that would require a manual application.

WLAN Malware: The number of mobile malware threats is on the rise and cybercriminals are finding more ways to infect mobile devices. Healthcare organizations are at a higher likelihood to encounter malware infestations on biomedical devices due to outdated operating systems and vendor resistance to upgrade or reconfigure. Most wireless-enabled biomedical devices and supporting systems have inadequate security and are difficult to patch. An August 2012 report was presented to the US Food and Drug Administration (FDA) by the US Government Accountability Office (GAO) entitled "FDA Should Expand Its Consideration of Information Security for Certain Types of Devices." This report highlighted the vulnerabilities in biomedical devices such as heart defibrillators and insulin pumps and how they could be maliciously manipulated.

Wireless Security Recommendations


The best defense against any threat is to be proactive in your security efforts. The following are basic wireless security recommendations for ensuring your WLAN is adequately protected:

Implement WLAN Policies and Educate Workforce: Every healthcare WLAN needs a policy to provide direction on addressing and managing its security. WLAN policies should begin with the basics of forbidding unauthorized APs that can circumvent security as well as the unauthorized reconfiguration or alteration of APs and other WLAN technologies. The policy should also limit WLAN traffic to operate on set channels and connection speeds. By establishing a set channel for each AP, all traffic on the other channels can be more easily identified as suspicious. Workforce education is important and staff should be advised to only connect to provisioned WLANs when conducting business. Also, educate the workforce to use virtual private network (VPN) technology such as Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL) when connecting to a public WLAN to conduct business. Deploying a wireless infrastructure means developing, managing, and executing a scalable wireless security policy with an appropriately educated workforce.

Conduct Wireless Security Assessments: WLANs are just like wired networks in that they need to be assessed to proactively detect weaknesses and vulnerabilities. The same shareware used by attackers (Kismet, NetStumbler and MacStumbler) can be leveraged to assess the airwaves for rogue/unauthorized APs and vulnerabilities. Commercially sold scanners are available for purchase as well. The wireless security assessment typically includes an inventory of wireless technologies, as well as nearby wireless connections. A review of existing wireless policies and an assessment to determine if they are being followed, should also be conducted. Upon completion of the assessment, a comprehensive report should document vulnerabilities and recommend prioritized remedial actions.

Implement Configuration Management and Patch Management: Keep current on patches, configurations and policy enforcement as well as checking to ensure all wireless APs are secure and up-to-date with the latest patches and configurations. This includes following the guidance outlined in this Practice Brief.

Restrict All Access Points and Devices: Ideally, healthcare organizations should limit access to the WLAN based on physical proximity. In a wired network, individual ports may be enabled or disabled to control connectivity to the LAN. With WLANs, the radio frequency (RF) signal propagates to areas that might not initially be considered, such as a parking lot or reception area. The ability to manage connectivity by user location can improve security by ensuring that connections outside clearly defined areas are not permitted. Locking down Ethernet ports on the wired network will prevent rogue or unauthorized APs and devices from arbitrarily connecting. Organizations should deploy enterprise-class APs that offer advanced security and management capabilities. Change all default passwords and features. The SSIDs should be changed to names that are meaningless to outsiders. An SSID of "cardiology department" provides additional information for an attacker. Healthcare organizations should also configure APs to disable the broadcast mode where it constantly broadcasts its SSID in search of devices with which to connect. By turning this default feature off, devices must know the SSID in order to connect. If possible, install APs out of sight from visitors, patients, and the general public, such as hiding them on the other side of dropdown ceiling tiles. This conceals the existence of a WLAN from casual inspection and will also make the location of the AP more difficult to determine.

Ensure Proper Authentication: Establishing a user's identity is the first step to controlling access to specific network resources. Authentication methods should be deployed with VPNs and RADIUS servers. VPNs can employ strong authentication and encryption mechanisms between the APs and the network. RADIUS servers can be used to manage authentication, accounting, and access to network resources. While VPNs can be a secure solution for WLANs, one-way authentication VPNs are still vulnerable to exploitation. Mutual authentication wireless VPNs offer stronger authentication controls.

Deploy Intrusion Detection and Protection Systems (IDS/IPS): While healthcare organizations may have already deployed intrusion-detection systems for their wired networks, only a WLAN-specific IDS/IPS can protect a wireless network from attacks in the airwaves before the traffic reaches the wired network. The discovery of rogue/unauthorized APs and wireless vulnerabilities can be more effectively accomplished with 24/7 monitoring of the WLAN. This can best be accomplished through IDS/IPS. Continuous monitoring can identify when and where the rogue/unauthorized APs first appeared, who it connected to, how much data was exchanged and the direction of traffic in real time.

Enable Strong Encryption: Healthcare organizations that implement WLANs must ensure that they enable adequate encryption controls to prevent unauthorized access to data. WPA2 is the most secure encryption method available for wireless networks. WPA2 support is mandatory in all Wi-Fi certified devices and is widely available. WEP was the original wireless encryption protocol but it is unsecure and should never be used. In fact, the use of WEP was prohibited as of June 30, 2010 by the Payment Card Industry Data Security Standard (PCI DSS). WPA replaced WEP with a stronger encryption technology called Temporal Key Integrity Protocol (TKIP) with Message Integrity Check (MIC). WPA should not be used either. WPA2 provides the strongest encryption available using the Advanced Encryption Standard (AES), dynamic key exchange and strong authentication based on 802.1X. Healthcare organizations should also deploy a VPN using Internet Protocol security (IPsec) or Secure Sockets Layer (SSL) for users when they conduct business on a public or untrusted network.

Implement Network Segmentation: The addition of guest access and employee-owned devices is driving healthcare organizations to use multiple SSIDs to segment WLAN traffic. As with guest access, segregating BYOD traffic is one technique used to protect the organizational infrastructure. Segmenting the network also provides flexibility in content filtering and traffic monitoring to detect inappropriate access or malware, selective policy enforcement by device class, and selective endpoint monitoring. Offering guest access enables an Internet connection while isolating the visitor from the organization's sensitive information. The WLAN implementation should support multiple SSIDs to allow traffic segregation. At the minimum, there should be two SSIDs: one for traffic from organization-managed devices and one for unmanaged guest devices. Additional SSIDs could be added to support employee-owned or physician-owned devices. Biomedical devices should also be on a separate WLAN. Contractors could be treated as employees and allowed access to the organization-owned network, placed in the employee-owned equipment network, or given a separate SSID for their own use.

Deploy Network Access Control (NAC): NAC is a proactive, end-user networking solution for wired and WLAN connections that identifies potential security gaps or problems on a device before it accesses the network. NAC enforces security policies on the WLAN so that only authorized and safe users and devices are allowed access to appropriate resources. With BYOD challenges, NAC can profile personally owned devices and apply controls that are consistent with existing policy. NAC's ability to detect what type of device is connecting to the network and apply limited access capability when required is a core component of managing risk.

Protect Wireless Medical Devices: In August 2013, the FDA published a guide on the use of wireless devices in healthcare settings. The document, "Radio Frequency Wireless Technology in Medical Devices—Guidance for Industry and Food and Drug Administration Staff," contains recommendations aimed at wireless biomedical devices. As malicious intent or unintentional interferences become more prevalent and publicized with biomedical devices, manufacturers are being challenged to respond and take action. Unfortunately, the majority of biomedical device manufacturers do not typically have the internal skill necessary to address existing or emerging security issues. As a result, they struggle to build security into their hardware, software, and firmware platforms. Biomedical device manufacturers should review the GAO and FDA reports and become involved with workgroups developing security guidelines. They should also leverage existing or acquire security knowledge necessary to develop and adapt more robust security protections. Healthcare organizations should work with these biomedical device manufacturers' product development, risk, regulatory, and validation teams on existing security issues to determine viable options.
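Several of the recommendations above (an inventory of APs, a set channel per AP, no WEP or WPA/TKIP, SSIDs that are meaningless to outsiders) can be checked mechanically against the results of a wireless assessment. The Python sketch below is an added example and is not part of the practice brief; the record fields, the sample inventory and survey, the list of revealing SSID words, and the priority ranking are all assumptions constructed for illustration.

```python
"""Audit a wireless survey against the authorized-AP inventory (added example)."""
from dataclasses import dataclass

# Encryption labels the brief rules out: open networks, WEP, and WPA (TKIP).
WEAK_ENCRYPTION = {"OPEN", "WEP", "WPA"}

# Assumed word list: SSID fragments that tell an outsider what the WLAN serves.
REVEALING_WORDS = ("cardiology", "radiology", "oncology", "pharmacy", "billing")

# Assumed ranking for the "prioritized remedial actions" report (1 = fix first).
PRIORITY = {
    "unauthorized-ap-using-org-ssid": 1,
    "weak-encryption": 1,
    "config-drift": 2,
    "revealing-ssid": 3,
    "unlisted-nearby-ap": 4,
}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # MAC address of the AP radio
    ssid: str
    channel: int     # the set channel assigned by policy (inventory) or seen (survey)
    encryption: str  # "OPEN", "WEP", "WPA" or "WPA2"


def normalize(bssid: str) -> str:
    """Scanners differ in case and separator; compare one canonical form."""
    return bssid.strip().lower().replace("-", ":")


def audit(observed, inventory):
    """Return (priority, bssid, finding) tuples, most urgent first."""
    authorized = {normalize(ap.bssid): ap for ap in inventory}
    org_ssids = {ap.ssid.lower() for ap in inventory}
    findings = []

    def flag(bssid, kind):
        findings.append((PRIORITY[kind], bssid, kind))

    for ap in observed:
        bssid = normalize(ap.bssid)
        known = authorized.get(bssid)
        if known is None:
            # Not in the inventory. An unlisted radio advertising one of the
            # organization's SSIDs is treated as unauthorized; anything else is
            # recorded as a nearby connection. A survey alone cannot show
            # whether an unlisted AP is plugged into the wired network, so both
            # kinds still need a wired-side check.
            if ap.ssid.lower() in org_ssids:
                flag(bssid, "unauthorized-ap-using-org-ssid")
            else:
                flag(bssid, "unlisted-nearby-ap")
            continue
        # Authorized AP: compare against its documented configuration.
        if (ap.ssid, ap.channel) != (known.ssid, known.channel):
            flag(bssid, "config-drift")
        if ap.encryption.upper() in WEAK_ENCRYPTION:
            flag(bssid, "weak-encryption")
        if any(word in ap.ssid.lower() for word in REVEALING_WORDS):
            flag(bssid, "revealing-ssid")
    return sorted(findings)


# Constructed sample data (locally administered MAC addresses, invented SSIDs).
INVENTORY = [
    AccessPoint("02:00:00:00:00:01", "hx-corp-17", 1, "WPA2"),
    AccessPoint("02:00:00:00:00:02", "hx-corp-17", 6, "WPA2"),
    AccessPoint("02:00:00:00:00:03", "hx-guest-42", 11, "WPA2"),
]

SURVEY = [
    AccessPoint("02:00:00:00:00:01", "hx-corp-17", 1, "WPA2"),            # as documented
    AccessPoint("02-00-00-00-00-02", "hx-corp-17", 11, "WPA2"),           # off its set channel
    AccessPoint("02:00:00:00:00:03", "Cardiology Department", 11, "WEP"),  # reconfigured
    AccessPoint("02:00:00:00:00:AA", "hx-corp-17", 6, "OPEN"),            # not in inventory
    AccessPoint("02:00:00:00:00:BB", "CoffeeShop", 3, "WPA2"),            # neighbouring WLAN
]

if __name__ == "__main__":
    for priority, bssid, finding in audit(SURVEY, INVENTORY):
        print(f"P{priority}  {bssid}  {finding}")
```

The survey records would normally come from the export of whichever scanner performed the assessment, mapped onto the four fields used here.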

Summary

The state of securing wireless technologies has significantly improved over the years. Healthcare WLANs can be effectively hardened against intrusion and misuse. However, end-to-end security still cannot be assumed. Simply enabling encryption will not make applications running over WLANs "secure." Technologies, products and threats will continue to emerge and evolve. Healthcare organizations will need to keep abreast of new threats, analyze their risk, and take appropriate action.

The best approach to take towards wireless security is to be constantly vigilant. Ensure the security used on a WLAN stays current as the standards, technologies, and threat environment changes. Whatever approach is chosen, it should be scalable, dynamic, and address the organization's specific business and environmental needs. Aspects of organizational mission, operations, service level, budget allotment, as well as risk tolerance are all part of the balance in effectively securing wireless technology.

Appendix A: Securing Wireless Technology for Healthcare Glossary

Definitions

802.11 Standard: an evolving family of specifications for wireless LANs, developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and carrier sense multiple access with collision avoidance (CSMA/CA) for path sharing.

802.1X Standard: designed to enhance the security of wireless local area networks (WLANs) that follow the 802.11 standard. 802.1X provides an authentication framework for WLANs allowing a user to be authenticated by a central authority.

A ccess P oin t (A P): a s ta tio n t h at t r a n sm its a n d r e ceiv es d ata ( s o m etim es r e fe rr e d t o a s a t r a n sc eiv er). A n a cce ss p oin t

co nnects u se rs t o o th er u se rs w ith in t h e n etw ork a n d a ls o c an s e rv e a s t h e p oin t o f i n te rc o nnectio n b etw ee n t h e W LA N a n d a

f ix ed w ir e n etw ork . T he n um ber o f a ccess p oin ts a W LA N n eed s i s d ete rm in ed b y t h e n um ber o f u se rs a n d t h e s iz e o f t h e

n etw ork .

In te rn et P ro to co l S ecu rit y ( I P Sec): a s e t o f p ro to co ls f o r s e cu rin g I n te rn et c o m munic atio ns a n d i s c o m monly u se d i n

c o nju nctio n w ith v ir tu al p riv ate n etw ork s ( V PN s).

M ed ia A ccess C on tr o l ( M AC) A ddre ss F il t e rin g: T his i s a d ata b ase o f a u th oriz ed c lie n t d ev ic e s b y M AC a d dre ss, r e sid en t

on t h e a ccess p oin t. O nly c lie n t M AC a d dre sse s s p ecif ie d i n t h is a ccess l is t a re a llo w ed t o a sso cia te , t h e f in al o pera tio n o f t h e

au th en tic atio n p ro cess w hen a w ir e le ss n etw ork u se r a tte m pts t o a ccess t h e w ir e le ss n etw ork . F or l a rg e d ep lo ym en ts ,

m an ag em en t o f M AC a d dre sse s c an b eco m e t e d io us b ecau se M AC a d dre sse s n eed t o b e r e g is te re d o n e a ch a c cess p oin t.

M essa ge I n te g rit y C heck ( M IC ): m eth od t h at e n su re s t h e c o nte n ts o f a m essa g e h as n ot b een i n ap pro pria te ly a lte re d .

R ad io F re q uen cy ( R F): a lte rn atin g c u rre n t ( A C) h av in g c h ara cte ris tic s s u ch t h at, i f t h e c u rre n t i s i n put t o a n a n te n na, a n

ele ctr o m ag netic ( E M ) f ie ld i s g en era te d s u ita b le f o r w ir e le ss b ro ad castin g a n d/o r c o m munic atio ns.

R ADIU S: S hort f o r R em ote A uth en tic atio n D ia l- In U se r S erv ic e, a n a u th en tic atio n a n d a cco untin g s y ste m .

Secu re S ock ets L ayer ( S SL ): a s e cu rity p ro to co l t o e n ab le w eb site s t o s e cu re ly c o m munic ate s e n sitiv e i n fo rm atio n i n a n

e n cry pte d f o rm at.

S erv ic e S et I d en tif ie r ( S SID ): is t h e n etw ork n am e t h at i d en tif ie s a p artic u la r W i- F i a ccess p oin t o r r o ute r.

T em pora l K ey I n te g rit y P ro to co l ( T K IP ): is a s e cu rity p ro to co l f o r W PA . T K IP p ro vid es p er- p ack et k ey m ix in g, a

m essa g e i n te g rity c h eck a n d a r e -k ey in g m ech an is m .

Vir tu al P riv ate N etw ork ( V PN ): 1 ) a n e n cry pte d t u nnel t h ro ughout t h e I n te rn et t h at e n ab le s s e cu re t r a n sm is sio n o f d ata ;

2 ) a n etw ork t h at u se s a p ublic t e le co m munic atio n i n fr a str u ctu re , s u ch a s t h e I n te rn et, t o p ro vid e r e m ote o ff ic es o r i n div id ual

u se rs w ith s e cu re a ccess t o t h eir o rg an iz atio n's n etw ork . A V PN e n su re s p riv acy t h ro ugh s e c u rity p ro ced ure s a n d t u nnelin g

p ro to co ls . D ata i s e n cry pte d a t t h e s e n din g e n d a n d d ecry pte d a t t h e r e ceiv in g e n d.

V oic e O ver I n te rn et P ro to co l ( V oIP ): a p ro to co l f o r t r a n sm ittin g v oic e c o m munic atio ns o ver t h e I n te rn et.

Wired Equivalent Privacy (WEP): A form of encryption used to authenticate the sender and receiver of messages over networks, particularly when the Internet is involved in the data transmission; should provide authentication (both sender and recipient are known to each other), data security (safe from interception), and data nonrepudiation (data that were sent have arrived unchanged).

Wireless Fidelity (Wi-Fi): a term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired network. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.

Wireless Local Area Network (WLAN): 1) a wireless local area network that uses radio waves as the carrier; 2) a local area network (LAN) that users access through a wireless connection. 802.11 standards specify WLAN technologies.

Wi-Fi Protected Access (WPA): a security protocol designed to improve the authentication and encryption features of Wired Equivalent Privacy (WEP). WPA provides stronger encryption than WEP through the use of Temporal Key Integrity Protocol (TKIP).

Notes

1. AHIMA. Pocket Glossary of Health Information Management and Technology, third edition. Chicago, IL: AHIMA, 2012, 356.

2. AHIMA. Pocket Glossary of Health Information Management and Technology, third edition. Chicago, IL: AHIMA, 2012, 359.


3. AHIMA. Pocket Glossary of Health Information Management and Technology, third edition. Chicago, IL: AHIMA, 2012, 359.

Notes

1. Rousseau-Vesta, Tamera. "The State of Wireless Networking in Healthcare." Enterasys Secure Networks. February 28, 2013. http://blogs.enterasys.com/the-state-of-wireless-networking-in-healthcare-a-global-healthcare-study/

2. US Government Accountability Office. "Medical Devices. FDA Should Expand Its Consideration of Information Security for Certain Types of Devices." August 2012. http://www.gao.gov/assets/650/647767.pdf

3. PCI Security Standards Council. "Information Supplement: PCI DSS Wireless Guidelines." August 2011. https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Wireless_Guidelines.pdf

4. US Food and Drug Administration. "Radio Frequency Wireless Technology in Medical Devices—Guidance for Industry and Food and Drug Administration Staff." August 13, 2013. http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077210.htm

5. National Institute of Standards and Technology. "Guidelines for Securing Wireless Local Area Networks (WLANs)." http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf

Prepared by (2013)

Brian Evans, CISSP, CISM, CISA, CGEIT

Assisted by (2013)

William Miaoulis, CISA, CISM

Tom Walsh, CISSP

Acknowledgments (2013)

Becky Buegel, RHIA, CHP, CHC

Marlisa Coloso, RHIA, CCS

Jane DeSpiegelaere-Wegner, MBA, RHIA, CCS, FAHIMA

Kathy Downing, MA, RHIA, CHPS, PMP

Elisa R. Gorton, RHIA, CHPS, MAHSM

Lesley Kadlec, MA, RHIA

Kelly McLendon, RHIA, CHPS

Diane Reed, RHIT, CCS-P

Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA

Prepared by (Original)

John Retterer

Brian W. Casto, BSEE, CET

Acknowledgments (Original)

Ian Alexander, MD

Beth Hjort, RHIA, CHP

Deborah Kohn, MPH, RHIA, CHE, CPHIMS

Michael Mathews, PhD, CCIE, CISM, CISSP, MCSE 2K, RHCE, SCNA/SCSA

Dale Miller, CISSP, CHP

Don Mon, PhD

Harry Rhodes, MBA, RHIA, CHPS


Article citation:

AHIMA Practice Brief. "Securing Wireless Technology for Healthcare (2013 update)" (Updated November 2013)

Copyright © 2017 by The American Health Information Management Association. All Rights Reserved.
