Unwinding wireless security Does wireless networking have a way to go before it is HIPAA compliant?


	Enter your search termsSubmit search formWeb ChiroEco.com

Issue 10 - August 2003

Unwinding wireless security
Does wireless networking have a way to go before it is HIPAA compliant?
By Rick Lehtinen and D. Henry Leavitt

I went to my doctor early this summer for a checkup. When he was finished with his exam, he started clicking a stylus against a Compaq iPaq. I noticed a radio pack and an antenna on the back of his unit, so I asked “What are you doing about security for that thing?”

His answer was startling: “Security?” This MD’s ignorance unfortunately represents the state of the knowledge of many healthcare practitioners today. Wireless is the new toy. But with wireless comes a responsibility for intense patient-record security, courtesy of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA created strong requirements for those who keep and transmit private patient records. A cavalier attitude such as my MD demonstrated can have big consequences. The penalties for violating patients’ rights under HIPAA can run from $100 per person (per incident) for careless disclosure to $250,000 and 10 years in prison for intentional disclosure of healthcare information penalties.

Clearly, decisions about the deployment of wireless technologies must take into account the implications of HIPAA security rules, which were issued in final form in February 2003. Any electronic transmission of protected health information (PHI) comes under HIPAA auspices, and the watchwords are privacy and security. Practitioners must be sure that electronic communications are encrypted, and that electronic devices are secure — that is, protected from loss, theft or unauthorized use. That is where today’s wireless, for all its convenience, may present problems.

Problems with wireless computing
Standards for wireless communications systems such as the handheld my doctor used are put forth by industry organizations such as the Institute of Electrical and Electronics Engineers (IEEE). The IEEE 802.11 family of equipment operates in the unlicensed portions of the 2.4 GHz and 5 GHz radio bands, and the system is nicknamed Wireless Fidelity or Wi-Fi.

Wi-Fi comes complete with a security algorithm called Wired Equivalent Privacy (WEP). Unfortunately, WEP can be decoded fairly easily by a skilled hacker. This makes Wi-Fi unsecure and exposes the practitioner to possible HIPAA violations.

A case of network vulnerability

I didn’t think anyone would operate a wireless network without protecting it with at least WEP, but I found out that isn’t the case. One of my “techie” friends sat on a hillside overlooking town and counted the number of networks he could attack with his laptop and a wireless adapter. It was more than a dozen.

Another friend actually logged onto the network of one of his neighbors, created a “share” on his neighbor’s printer and then printed out a page saying,

“I hacked into your wireless network. Call me to fix this security problem.”The neighbor called.

This is the type of situation that many doctors face. Are you protected?
— Rick Lehtinen

Recent changes in the Wi-Fi standards are good things for practitioners looking to implement wireless local area networks (WLANS) in their offices. The first really practical Wi-Fi standard — IEEE 802.11b — arrived a few years ago. This system operates on the 2.4 GHz band, and allows communications speeds of up to 11 Megabits per second (Mbps).

Most wired networks in offices operate at 10 Mbps, so 802.11b is as fast as the existing equipment. However, when security encryption (even an inadequate version such as WEP) is added, throughput speed slows considerably.

A newer wireless standard is IEEE 802.11a (yes, the suffix letters are out of sequence). This version of Wi-Fi operates in the 5 GHz band and has a superior transmission system that can move data much faster — up to 54 Mbps under optimal conditions. Even with security added, these units are fast. The drawback of this system: The 5 GHz frequency has a shorter range and the gear costs a little bit more.

What is …?
Here are a few definitions that may help you muddle through HIPAA security compliancy issues:

Secure. Secure hardware means that devices are protected from loss, theft or unauthorized use. Secure software means that a hacker or attacker cannot break into it and steal data.

Encryption. A method of protecting information by scrambling codes.

Local area network. This is a group of computers that are linked to communicate with each other and share information and resources, such as printers. A LAN can be “wired” — linked literally by wire — or wireless.

Security protocols. These are software and hardware computer systems that protect devices from information theft. The most common security protocol in older wireless networks is WEP (Wired Equivalent Privacy). WPA (Wi-Fi Protected Access, similar to Microsoft’s Simple Secure Network, SSN) is a newer security protocol and is less vulnerable to hacking. TKIP (Temporal Key Integrity Protocol) and AES (Advanced Encryption Standard) are protocols that will provide the most secure wireless networking environment and will be available in about one year.

In June 2003, wireless Nirvana may have been approached. The 802.11g standard was finally ratified. This standard puts the superior 802.11a transmission scheme onto the friendlier 802.11b frequencies. The result: Even after security processing is applied, the channel is as fast or faster than most wired networks. And a wireless network can be easily extended to include a wireless component (such as a handheld) while taking advantage of some of your existing equipment.

But how to solve the security issues associated with weak WEP? For now, there is WPA, which stands for Wi-Fi Protected Access. This is technology similar to what Microsoft calls Simple Secure Networking (SSN), built into the Windows XP operating system.

Installation is not complicated but will require a software upgrade and possibly a fee. Installation would best be left to an experienced technician. If you have a complete Cisco installation, you could also use a technology called LEAP. Both are strong encryption systems.

Hold Your Money?
If you do not yet have a wireless networking system, you might want to consider postponing your purchase a little longer. Coming soon is the 802.11i standard, which is designed to provide excellent wireless security.

What should you ask a consultant?

If you already have a wireless network in your practice, to assure HIPAA compliance, find out how secure you are now. This may require having a consultant do a thorough wireless survey, to find out how far your transmissions extend.

When you hire a wireless networking consultant, ask:

1“Does my transmitted information go beyond my office walls?” Wireless networking thieves have become common enough to create serious security concerns. And although many thieves may only want to take advantage of your wireless network, some may want to capture data about your patients. If information goes beyond your practice walls, a hacker can get into it and you may even be breaking HIPAA rules.

2 “Do I need to use directional antennae to improve HIPAA security?” Directional antennae can help curb information leakage. Your audit will tell you if antennae will help.

3 “Is my system security enabled?” If your system has WEP security, find out if you can upgrade it now — to WPA standards, and later to higher standards.

4 “What is the most cost-effective upgrade path to move my wireless network into the 802.11g and 802.11i standards systems?” Your consultant should be able to advise you on these software/hardware requirements.

If you are considering purchasing a wireless networking system now and do not want to wait for the most secure protocols (due in about one year), ask the questions listed above. Don’t be tempted to install an inexpensive do-it-yourself system from a local electronics store — unless you are comfortable it meets all HIPAA requirements.

This upcoming standard defines new encryption key protocols such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES). This is as strong an encryption scheme as can be found anywhere. Unfortunately, this new system will probably require new hardware and won’t be available for about a year.

A wireless office offers convenience and ease, but waiting for the new protocols may be a good decision, if you do not yet have wireless networking. The best reason to wait is because WEP (the most commonly used protocol) is too easy to hack. If a person parked in front of your building can eavesdrop electronically, confidential patient records are not protected health information.

Another reason to wait is to see if there is a need to purchase new equipment to accommodate the 802.11i security standard.

This is not to say that you should avoid wireless altogether. Current wireless can be used to transmit information that does not fall under HIPAA protection. And manufacturers have made certain that it is usually easy to add a wireless element to your existing office local area network.

However, for now, unless you address the security issue by avoiding the WEP included with most hardware, make sure that you do not use wireless to make any electronic transactions involving PHI.

Rick Lehtinen is a computer security consultant to the ChiroCode Institute.

D. Henry Leavitt is president/CEO of ChiroCode Institute, www.chirocode.com or 602-944-9877.

How are we doing?