Setting Up Wi-Fi in a Medical Center: Security
Published on February 4, 2016
Setting up a Wi-Fi network in a hospital can be difficult. However, when the right steps are taken IT managers can bypass a lot of headaches and ensure a more reliable and secure network for wireless medical devices. Check out part 4 of the Setting Up Wi-Fi in a Medical Center series, Security.
WPA2
When transmitting data as sensitive as that found in hospitals, security must be strong. The suggested level of security is Wi-Fi Protected Access II with Advanced Encryption Standard (WPA2-AES). There is no situation in a hospital where Temporal Key Integrity Protocol (TKIP) is acceptable. It is especially vulnerable to Man-in-the-Middle (MITM) attacks and to eavesdroppers using brute force to crack the key.
In addition to WPA2-AES, a hospital IT manager should incorporate Extensible Authentication Protocol (EAP) authentication with certificates. This requires the user to provide credentials before gaining access to the network.
Guest Access and Staff Devices
VLANs are not just used to separate traffic for improved data throughput; they also go hand-in-hand with security. When guests access the hospital network they must be on a separate VLAN away from life-critical devices and sensitive information. At the very minimum, the IT manager should require a guest user to sign a Terms of Use agreement, and records of who is using the network should be kept. Having guests on a separate VLAN keeps them isolated and unable to access the data flowing on the other, more important VLANs throughout the hospital network.
Also, the Bring Your Own Device (BYOD) trend is on the rise in hospitals. If the IT manager chooses to allow BYOD, then the personal devices of staff members should go on another separate VLAN. This allows staff members to check patient records while on the network but also maintains separation from the life-critical devices and records that don’t pertain to their work.
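The encryption rules above (WPA2-AES only, no TKIP, EAP rather than a pre-shared key) and the VLAN rules (one segment per role, guests isolated) can both be checked mechanically against an access point's configuration. The following audit script is an added example and is not material from the original post or from the hostapd project; it parses hostapd's key=value config format (a new BSS starts at each bss= line) and reports violations of those rules. The SSIDs, bridge names, RADIUS address and secrets in the embedded sample are constructed values, and the mapping of SSIDs to VLANs via per-BSS bridge= assignments is one assumed deployment style.

```python
"""Audit a multi-BSS hostapd.conf against the Wi-Fi rules in this post.

Added example, not the post's own material and not hostapd project code: it
parses hostapd's key=value format (a new BSS begins at each `bss=` line) and
flags TKIP, WPA1, pre-shared keys in place of 802.1X/EAP, guest SSIDs without
client isolation, and SSIDs that share a bridge (and therefore a VLAN).
Every SSID, bridge name, RADIUS address and secret below is a constructed
sample value.
"""
from typing import Dict, Iterable, List

Bss = Dict[str, str]

# Constructed sample: the first BSS is a weak legacy setup sharing the staff
# bridge; the other two follow the post (WPA2-AES, EAP, one bridge per role).
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
ssid=hospital-legacy
bridge=br_staff
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=constructed-passphrase
bss=wlan0_1
ssid=hospital-staff
bridge=br_staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=constructed-secret
bss=wlan0_2
ssid=hospital-guest
bridge=br_guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=constructed-secret
"""


def parse_hostapd(text: str) -> List[Bss]:
    """Split hostapd.conf into one dict per BSS; global keys land in the first."""
    sections: List[Bss] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "bss":  # hostapd starts a new BSS at each bss= line
            sections.append({"bss": value})
        else:
            sections[-1][key] = value
    return sections


def audit_encryption(bss: Bss) -> List[str]:
    """Checks for the WPA2-AES and EAP guidance of the post."""
    ssid = bss.get("ssid", "<no ssid>")
    findings: List[str] = []
    # wpa=1 is WPA (TKIP era) and wpa=3 offers both; only wpa=2 limits clients to WPA2.
    if bss.get("wpa") != "2":
        findings.append(f"{ssid}: wpa={bss.get('wpa', 'unset')} allows WPA1 (set wpa=2)")
    # For WPA2 the cipher list is rsn_pairwise; when absent hostapd uses wpa_pairwise.
    ciphers = bss.get("rsn_pairwise", bss.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(f"{ssid}: TKIP enabled as a pairwise cipher")
    if "CCMP" not in ciphers:
        findings.append(f"{ssid}: AES-CCMP not pinned (set rsn_pairwise=CCMP)")
    if "WPA-EAP" not in bss.get("wpa_key_mgmt", "").split() or bss.get("ieee8021x") != "1":
        findings.append(f"{ssid}: no 802.1X/EAP (set wpa_key_mgmt=WPA-EAP and ieee8021x=1)")
    if any(k in bss for k in ("wpa_passphrase", "wpa_psk", "wpa_psk_file")):
        findings.append(f"{ssid}: pre-shared key configured; hospital SSIDs should use EAP")
    return findings


def audit_segmentation(sections: Iterable[Bss], guest_ssids: Iterable[str]) -> List[str]:
    """Checks for the VLAN guidance: one bridge per role, guests isolated."""
    sections = list(sections)
    guests = set(guest_ssids)
    findings: List[str] = []
    by_bridge: Dict[str, List[str]] = {}
    for bss in sections:
        by_bridge.setdefault(bss.get("bridge", "<no bridge>"), []).append(bss.get("ssid", "<no ssid>"))
    for bridge, ssids in by_bridge.items():
        if len(ssids) > 1:
            findings.append(f"bridge {bridge} shared by {', '.join(ssids)}: use one VLAN per role")
    for bss in sections:
        if bss.get("ssid") in guests and bss.get("ap_isolate") != "1":
            findings.append(f"{bss['ssid']}: guest clients can reach each other (set ap_isolate=1)")
    return findings


def audit_config(text: str, guest_ssids: Iterable[str] = ("hospital-guest",)) -> List[str]:
    """Run both audits over a hostapd.conf text and return all findings."""
    sections = parse_hostapd(text)
    findings: List[str] = []
    for bss in sections:
        findings.extend(audit_encryption(bss))
    findings.extend(audit_segmentation(sections, guest_ssids))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_HOSTAPD_CONF):
        print("FINDING:", finding)
```

Run against the sample, the script reports four findings for the legacy SSID (WPA1 allowed, TKIP, PSK key management, a configured passphrase) and one for the shared staff bridge, and nothing for the staff and guest SSIDs. Note that the script can only confirm that 802.1X is turned on; whether the EAP method actually validates certificates is decided on the RADIUS server and the clients, so that part of the post's advice still needs checking there.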
Compliance with HIPAA
In the United States, HIPAA requires that medical information must be encrypted by some method but does not define a specific method. Access control must be put into place so that a user must provide credentials to gain access to particular networks.
The Roles of FIPS and WAPI
IT managers also must ensure they are adhering to any required standards when implementing a Wi-Fi structure in a hospital. For example, Federal Information Processing Standards (FIPS) are created by the United States government and specify the security that can be used for passing information. FIPS identifies the type of encryption, credentials, or authentication required and also requires that the program performing the authentication is using proper encryption. FIPS is required for use in the VA hospitals in the US.
Another standard to keep in mind is WLAN Authentication and Privacy Infrastructure (WAPI). WAPI is a national standard in China required on any devices with Global System for Mobile Communications (GSM). As long as there is no GSM radio in a medical device, WAPI is not required.
Be sure to check out parts 1-3 of this series:
Keep an eye out for part 5, testing, and don't forget to subscribe!