VANCOUVER - No matter how many layers of digital security are employed by a conscientious RIS/PACS manager on their system, given enough resources, a determined intruder can still hack a protected network. More often than not, this is accomplished through the unwitting accomplice of the network users.
In a pair of presentations at the Society for Computer Applications in Radiology on Saturday, informatics experts Drs. Paul Chang and Thomas Warfel of the department of radiology at the University of Pittsburgh Medical Center in Pittsburgh discussed security issues in both wired and wireless networks.
"We are at the cusp of strong security options for wireless networking that may work in the near future," said Chang, who presented an overview of security for wireless technologies.
Two areas that must be addressed by healthcare informatics managers deploying wireless systems in their institutions are authentication and encryption.
"The question you have to ask yourself when considering the installation of wireless networking is, How good is the authentication and how good is the encryption?" he said.
The three flavors of wireless network protocols -- 802.11b, 802.11a, and 802.11g -- have different strengths and capabilities when it comes to securing network data. The most ubiquitous wireless protocol, 802.11b, has the weakest level of security, Wired Equivalent Privacy (WEP).
"It used to take about an hour or so to crack a net that was protected by WEP. With currently available script attack tools, that's been reduced to about 5 minutes at the hands of a moderately skilled script kiddy," Chang said.
The 802.11a and 802.11g protocols offer Wi-Fi Protected Access (WPA), Extensible Authentication Protocol (EAP), and Temporal Key Integrity Protocol (TKIP) security measures. The EAP is a good security measure; however, its implementation has become vendor-specific, with approximately seven different flavors of EAP currently available, according to Chang.
As such, once an administrator has settled on a particular EAP implementation for their facility, all users will need to be equipped with wireless cards that have drivers specific to the selected EAP variant, regardless of the native-wireless capabilities of their devices. Regardless of the vendor solution chosen, all wireless authentication needs to be bi-directional to prevent the spoofing of the access point as well as the wireless network user, Chang said.
Encryption using TKIP, which changes keys every 10,000 network packets, is good but is not yet enterprise strength. This protocol will be giving way to a stronger encryption algorithm schema, the IEEE 802.11i Long Term Solution Counter-Mode-CBC-MAC Protocol (CCMP), which addresses all known WEP faults and uses the 256-bit Advanced Encryption System (AES) in the near future, according to Chang.
A word for the wireless
Chang offered eight practical suggestions for those deploying wireless network security. First, if an institution is broadcasting using the 802.11b protocol it needs to at least make an attempt at security, by turning on WEP with 128-bit encryption.
"It's not much, but it's better than nothing," he said.
Consider using only static IP addresses for wireless clients, and don’t use Dynamic Host Configuration Protocol (DHCP), as this will make it more difficult for hackers to spoof a valid user, Chang said.
A more robust security schema will employ Media Access Control (MAC) address access for its wireless users, making it extremely difficult for an intruder to use an unknown device to hack the system, he offered.
An area where users can unknowingly provide an open door to the network is by leaving the access point Extended Service Set Identifier (ESSID) on its default setting. By doing so, any other mobile device that also has a default ESSID setting can gain access, Chang said.
Placing wireless access points in the middle of the coverage area may reduce signal leakage at the perimeter of the area, minimizing interference and improving security, he said. Important servers or clients should not be placed on a wireless LAN, and firewall protection should be employed for all systems accessible by wireless users.
Virtual private network (VPN) technology utilized inside a firewall will encapsulate the wireless network to its authorized users, creating a "nested" security schema of multiple layers. Administrators will also want to consider installing a wireless ID intrusion detection system to monitor for hacking attempts on their network, he said.
The wired world
Dr. Thomas Warfel believes a combination of security technology and ongoing user education provides the best defense against intruders. The hard-wired network may not be as easy to break into as is the wireless one; however, there are plenty of people trying, and there are simple steps that can be taken to foil all but the most determined of hackers.
Warfel recommends that strong authentication be used, combining both password and a physical token or a biometric element. For those administrators embracing biometric technology as an unbreakable authenticator, he advised caution.
"The bad news about biometrics is that the signal is captured, digitized, and then transmitted by the computer. As such, that data can be intercepted and decoded, allowing an attacker to use it. With a token, if it's captured or broken by a hacker, it can be easily replaced. Unfortunately, with a hacked biometric, a fingerprint, voiceprint, or retina scan can't be replaced," he noted.
All network-attached devices, such as modalities and workstations, that share the same operating system (OS) need to have patches applied promptly when the OS vendor releases them.
"For example, when Microsoft publishes a patch for a known exploit of its OS, there's a concurrent increase in the number of attacks based on that exploit until distribution of the fix has become widespread. So, the sooner you can apply security patches, the better," Warfel said.
Social engineering, compromising a user to release network access information, is one of the most effective forms of intrusion attack, according to Warfel. Schemes run the gamut from impersonating help-desk personnel and calling users to request their passwords to slipping tools into e-mails that are activated upon opening. Most users have been educated not to give out their password or open suspicious mail or attachments from unknown senders, but all it takes is the lapse of one person to open the system to the outside, he said.
Another variant on a user attack that Warfel described is reverse social engineering. In these instances, a hacker will induce the user to call by shutting down part of a system, such as a network printer, and placing a note with a phone number to call on the device. When the user phones, they will often give up their user ID and password to assist in fixing the problem.
"The combination of human monitoring of system events, a helpline with competent assistance, and education on social-engineering techniques for all computer users --especially people such as clerks and secretaries whose jobs are to help people -- may help reduce the incidence of system compromise and facilitate recovery once compromise has occurred," he said.
By Jonathan S. Batchelor
AuntMinnie.com staff writer
May 24, 2004
Related Reading
New wireless network options offer benefits, despite security concerns, April 2, 2004
Tablet PC eases image distribution to bedside, March 23, 2004
Security strategies for wireless technology, June 10, 2003
Filmless ED can open the door for enterprise-wide PACS, May 9, 2003
Wireless Internet lines offer speedy alternative for imaging centers, September 3, 2002
Copyright © 2004 AuntMinnie.com
