Wireless security solutions for healthcare


HIPAA Compliance and Wireless

Healthcare systems are increasingly adopting wireless to give physicians mobile access to patient data and to improve the quality of service to their patients. But along with its efficiencies, wireless also introduces significant security vulnerabilities. The Health Information Portability and Accountability Act (HIPAA) defines rules for handling Protected Health Information (PHI) to ensure network and data security and to protect patient privacy. However, none of the HIPAA rules explicitly address wireless security threats and the risks that follow from them. To help health institutes secure their wireless networks and be HIPAA compliant, here are some guidelines that interpret HIPAA regulations in the context of wireless security. Under each section, the wireless vulnerabilities that pose a threat are identified.

HIPAA Section 164.312(a)(1) – Access control

This section advises on having systems in place so that only authorized users are granted access to electronic protected health information (EPHI).

Wireless vulnerabilities that lead to violation of this HIPAA rule

Organizations should avoid wireless malpractices that give a false sense of security while providing only weak access control.

MAC spoofing:
MAC-filtering-based access control at the access point is unfortunately in common use. MAC addresses of authorized users can be easily spoofed and used to obtain unauthorized access.

Disabling SSID broadcast at the AP:
Disabling SSID broadcast does not secure a network, as the SSID can still be discovered by outsiders passively sniffing wireless traffic. In fact, your authorized wireless clients probing for the hidden SSID can fall victim to a honeypot attack.

WEP authorized APs:
It is well known that the Wired Equivalent Privacy (WEP) encryption is broken. Yet, many enterprises still rely on WEP as an access control method. A WEP key can be cracked in minutes and an unauthorized user with your key can enter your private network.

The following vulnerabilities can occur from using out of the box settings on APs.

Open authorized APs:
Installing authorized APs without any security is a severe violation of WLAN best practices. An open AP compromises the security of the entire network, opening it to even inadvertent, unauthorized usage.

Authorized APs with vulnerable SSID:
An authorized AP with a commonly used (e.g., factory-default) SSID is more likely to attract attention from hackers or inadvertently from outsiders with their devices usually probing for these SSIDs.

Other severe vulnerabilities that can compromise your access control are as follows.

Ad-hoc networks:
An authorized client directly connecting to unauthorized clients is a major security threat. Authorized clients in ad-hoc connection mode are likely infected with viral SSIDs and can inadvertently compromise the security of the entire network by accepting direct connections. Unauthorized users can enter the network through such connections. Ad-hoc connections even between authorized clients should be discouraged, as these connections can bypass your security policies (e.g., firewall, content filters).

Misbehaving clients:
Authorized clients that associate with an external or threat-posing AP (e.g., a rogue AP) are likely bypassing your security controls (e.g., firewalls and content filters). Such misbehaving clients can lead to reduced productivity, liability for illegal content flowing through the network, or leakage of sensitive data.

Honeypots:
External APs with Authorized SSIDs are called Honeypots or Evil Twins. Honeypots can lure authorized clients into an inadvertent association, which is a major security threat. Clients may unwittingly provide confidential information (e.g., password); the honeypot can launch a man-in-the-middle attack and insert itself into authorized communication or it can scan the client for vulnerabilities.

Rogue APs:
Rogue APs are unauthorized APs that are likely to be connected to your private network in violation of security policies. Outsiders can enter your private network using these Rogue APs as wireless backdoors.
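The access-control categories above can be checked mechanically against an inventory of authorized devices. The following is an added example, not part of the original page or of any vendor product: the inventory, the scan records, the `on_wire` flag (assumed to come from a wired-side check) and the list of factory-default SSIDs are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (assumption, not from the page).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
AUTHORIZED_SSIDS = {"ward-clinical", "linksys"}
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01"}
DEFAULT_SSIDS = {"linksys", "netgear", "default"}  # illustrative factory defaults

@dataclass
class Observation:
    bssid: str
    ssid: str
    encryption: str          # "open", "wep" or "wpa2"
    on_wire: bool = False    # hypothetical: device also seen on the wired LAN
    adhoc: bool = False      # network is in ad-hoc (peer-to-peer) mode
    clients: tuple = ()      # client MACs seen associated or peered

def classify(obs):
    """Return the page's vulnerability categories that apply to one observation."""
    findings = []
    ours = [c for c in obs.clients if c in AUTHORIZED_CLIENTS]
    if obs.adhoc:
        return ["ad-hoc network"] if ours else []
    if obs.bssid in AUTHORIZED_BSSIDS:
        if obs.encryption == "open":
            findings.append("open authorized AP")
        elif obs.encryption == "wep":
            findings.append("WEP authorized AP")
        if obs.ssid.lower() in DEFAULT_SSIDS:
            findings.append("vulnerable SSID")
        return findings
    if obs.on_wire:
        findings.append("rogue AP")          # unauthorized AP on the private network
    elif obs.ssid in AUTHORIZED_SSIDS:
        findings.append("honeypot")          # external AP advertising our SSID
    if ours:
        findings.append("misbehaving client")
    return findings

SCAN = [  # constructed scan results
    Observation("00:11:22:33:44:01", "ward-clinical", "wpa2"),
    Observation("00:11:22:33:44:02", "linksys", "wep"),
    Observation("de:ad:be:ef:00:01", "ward-clinical", "open", clients=("aa:bb:cc:00:00:01",)),
    Observation("de:ad:be:ef:00:02", "guest-cafe", "wpa2", on_wire=True),
    Observation("02:00:00:00:00:09", "hpsetup", "open", adhoc=True, clients=("aa:bb:cc:00:00:01",)),
]

def audit(scan=SCAN):
    return {o.bssid: classify(o) for o in scan if classify(o)}
```

Because MAC addresses can be spoofed, a BSSID that matches the inventory is a starting point for the check, not proof that the device is the authorized one.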


HIPAA Section 164.312(e) – Transmission Security

EPHI transmitted over a wireless network should remain private. This is particularly important for wireless transmission of EPHI due to the inherent shared nature of the wireless medium.

Wireless vulnerabilities that lead to violation of this HIPAA rule

The following vulnerabilities can expose EPHI during transmission over wireless and leak sensitive patient information to outsiders.

Open authorized APs:
Installing authorized APs without any security is a severe violation of WLAN best practices. An open AP compromises the security of the entire network, opening it to even inadvertent, unauthorized usage. Unless higher-layer security methods such as a VPN are used, any communication over an open wireless link is in the air, up for grabs.

WEP authorized APs:
A WEP key can be broken in minutes and an unauthorized user with your WEP key can eavesdrop on your over-the-air wireless transmission.

HIPAA Section 164.312(c)(1) – Integrity

EPHI should not be improperly modified or destroyed in storage or during transmission.

Wireless vulnerabilities that lead to violation of this HIPAA rule

With no or weak encryption, a malicious unauthorized user can easily inject false traffic over the wireless link and launch man-in-the-middle attacks.

Open authorized APs:
Installing authorized APs without any security is a severe violation of WLAN best practices. An open AP compromises the security of the entire network, opening it to even inadvertent, unauthorized usage. A malicious unauthorized user can easily inject false traffic over the wireless link and launch man-in-the-middle attacks.

WEP authorized APs:
A WEP key can be broken in minutes and an unauthorized user with your WEP key can eavesdrop on your over-the-air wireless transmission. A hacker can use the WEP key to inject false data into the network.

MAC spoofing:
By spoofing the MAC address of an authorized device, an unauthorized user can compromise the integrity of wireless transmission of EPHI.

Denial-of-Service (DoS) attack:
A denial-of-service (DoS) attack can selectively deny wireless connectivity to specific devices or can disrupt the entire wireless LAN. A WiFi DoS attack usually involves an unauthorized device spoofing itself as authorized and sending management messages (e.g., disassociation, deauthentication) with the fake identity, in turn disconnecting authorized devices or disallowing access to the network.

HIPAA Section 164.312(b) – Audit Controls

Health institutes are advised to have IT and procedural mechanisms in place that examine and record activities related to EPHI access, so that in case of a security incident there is an audit trail that can aid forensics.

Be equipped with a proactive wireless vulnerability management (WVM) system that monitors your wireless airspace 24x7 and logs any wireless security incidents.

HIPAA Section 164.308(a)(6) – Response and Reporting

This section requires formal documentation and response procedures to be set up to handle wireless security incidents promptly.

A good WVM solution can also serve as a wireless intrusion prevention system (WIPS) to automatically respond to any wireless security breach or anomalous activity. Make sure your WVM system can automatically generate HIPAA wireless compliance audit reports on demand. Periodic generation and archival of these reports can establish that your organization has a formal documentation and rapid response program to handle incidents related to patient health data leakage through wireless.
