New protocols offer hope for wireless security

ORLANDO, FL - While wireless computing may be a godsend for mobile PC users, it's a major headache for those tasked with maintaining security in sensitive computing environments like a PACS network. Fortunately, new security protocols will soon be arriving on the market that should give system administrators some tools for combating unwanted network intrusions.

That's according to Dr. Paul Chang from the University of Pittsburgh Medical Center. Chang spoke on the topic in a SCAR University session at last week's Society for Computer Applications in Radiology (SCAR) meeting.

Chang acknowledged that wireless computing has advantages in a healthcare environment. Doctors are increasingly eschewing desktop computers in favor of tablet PCs or handheld devices that can be taken to bedside for a more personalized approach to patient care. Wireless can also be more convenient in areas where it's difficult to run cable for a wired network connection.

"It's pretty cool stuff -- we all like it, we all use it," Chang said. "The problem is, we all use it, but we have no idea that the vast majority of hospitals … do not do security correctly."

Chang described the most commonly used radiowave wireless technologies, like 802.11a, 802.11b, and 802.11g. These technologies use wireless access points that are physically connected to a hospital's wired network, then broadcast signals that receivers on mobile devices can use to access the network. Future standards that are coming to the market include 802.11i and 802.11n, which will offer better bandwidth, a larger range, and the opportunity for better security.


Data encryption is used to prevent hackers from viewing sensitive data, but older wireless security technologies, such as Wired Equivalent Privacy (WEP), are easily cracked and are little more than a speed bump for a determined hacker. A newer protocol, Wi-Fi Protected Access (WPA), is better but still isn't totally secure, and it takes about an hour to break the Temporal Key Integrity Protocol (TKIP) used as part of WPA, Chang said.

Fortunately, a new generation of WPA, WPA2, is coming as part of the 802.11i standard and will offer "reasonably robust" security, Chang said. WPA2 will drop TKIP in favor of a new protocol, Advanced Encryption Standard (AES), that Chang said is "incredibly secure."

The problem with AES is that it is computationally intensive, which means that the wireless access points currently in use probably won't have the horsepower to support AES. PACS and IT administrators should begin shifting from wireless access points to wireless switches, which are powerful enough to support AES.

PACS and IT administrators should also ensure that their policies are compliant with WPA so they can take advantage of WPA2 when it becomes available, as WPA2 will be backwards compatible with WPA.


One of the biggest oversights in hospital wireless security is the lack of mutual authentication using an external authentication server, Chang said. The problem is that hackers can "spoof" a network connection to get mobile PC users to input sensitive data when they think they're connecting to the network.

The external authentication server is an external master database using a standard like Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial-In User Service (RADIUS) that contains the user name and password for each person who is permitted access to the network.

"I'm amazed at how many people don't understand this," Chang said. "Really sophisticated people, they know how to secure wired or cable, traditional networks, but they turn on WPA authentication and think they're okay, but no. You have to have an external authentication server."

The problem is that there are multiple standards for the Extensible Authentication Protocol (EAP) used in external authentication servers. Network administrators must choose one flavor of EAP for all their mobile devices, and this sometimes forces users to install a new wireless card in computers if the wireless device's existing card doesn't support the EAP that the rest of the facility is using.

Chang also discussed message integrity, or the act of ensuring that network data can't be tampered with. WPA2 will address this issue by including a patch to its Message Integrity Code (MIC) that will be more reliable and address a flaw discovered last month.

As in past presentations, Chang offered other practical suggestions for wireless security:

  • Place your wireless access points in the middle of your service area to make it more difficult for hackers outside the hospital to access your network.
  • Don't put any important services or clients on the wireless network.
  • Consider using a virtual private network (VPN) when using a wireless connection.
  • Install a wireless intrusion detection system to detect attacks quickly.
  • While WEP isn't good enough for hospital security, it's better than nothing for home users.
  • Use static Internet Protocol (IP) addresses rather than Dynamic Host Configuration Protocol (DHCP).
  • Don't broadcast your wireless network's Extended Service Set Identifier (ESSID).
  • Consider using only Media Access Control (MAC) addressing.

Finally, Chang recommended that healthcare facilities not just rely on buying new technology to keep their data secure. Facilities should implement a comprehensive wireless strategy that takes into account user behavior and workflow models to use wireless safely.

"If you do that right, your security should be pretty reasonable," Chang said.

By Brian Casey staff writer
June 6, 2005

Related Reading

Security in the wired or wireless world: users are the weakest link, May 24, 2004

New wireless network options offer benefits, despite security concerns, April 2, 2004

Tablet PC eases image distribution to bedside, March 23, 2004

Security strategies for wireless technology, June 10, 2003

Wireless Internet lines offer speedy alternative for imaging centers, September 3, 2002

Copyright © 2005

Page 1 of 603
Next Page