New protocols offer hope for wireless security

Brian Casey
Jun 5, 2005

ORLANDO, FL - While wireless computing may be a godsend for mobile PC users, it's a major headache for those tasked with maintaining security in sensitive computing environments like a PACS network. Fortunately, new security protocols will soon be arriving on the market that should give system administrators some tools for combating unwanted network intrusions.

That's according to Dr. Paul Chang from the University of Pittsburgh Medical Center. Chang spoke on the topic in a SCAR University session at last week's Society for Computer Applications in Radiology (SCAR) meeting.

Chang acknowledged that wireless computing has advantages in a healthcare environment. Doctors are increasingly eschewing desktop computers in favor of tablet PCs or handheld devices that can be taken to bedside for a more personalized approach to patient care. Wireless can also be more convenient in areas where it's difficult to run cable for a wired network connection.

"It's pretty cool stuff -- we all like it, we all use it," Chang said. "The problem is, we all use it, but we have no idea that the vast majority of hospitals … do not do security correctly."

Chang described the most commonly used radiowave wireless technologies, like 802.11a, 802.11b, and 802.11g. These technologies use wireless access points that are physically connected to a hospital's wired network, then broadcast signals that receivers on mobile devices can use to access the network. Future standards that are coming to the market include 802.11i and 802.11n, which will offer better bandwidth, a larger range, and the opportunity for better security.

Encryption

Data encryption is used to prevent hackers from viewing sensitive data, but older wireless security technologies, such as Wired Equivalent Privacy (WEP), are easily cracked and are little more than a speed bump for a determined hacker. A newer protocol, Wi-Fi Protected Access (WPA), is better but still isn't totally secure, and it takes about an hour to break the Temporal Key Integrity Protocol (TKIP) used as part of WPA, Chang said.

Fortunately, a new generation of WPA, WPA2, is coming as part of the 802.11i standard and will offer "reasonably robust" security, Chang said. WPA2 will drop TKIP in favor of a new protocol, Advanced Encryption Standard (AES), that Chang said is "incredibly secure."

The problem with AES is that it is computationally intensive, which means that the wireless access points currently in use probably won't have the horsepower to support AES. PACS and IT administrators should begin shifting from wireless access points to wireless switches, which are powerful enough to support AES.

PACS and IT administrators should also ensure that their policies are compliant with WPA so they can take advantage of WPA2 when it becomes available, as WPA2 will be backwards compatible with WPA.

Authentication

One of the biggest oversights in hospital wireless security is the lack of mutual authentication using an external authentication server, Chang said. The problem is that hackers can "spoof" a network connection to get mobile PC users to input sensitive data when they think they're connecting to the network.

The external authentication server is an external master database using a standard like Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial-In User Service (RADIUS) that contains the user name and password for each person who is permitted access to the network.

"I'm amazed at how many people don't understand this," Chang said. "Really sophisticated people, they know how to secure wired or cable, traditional networks, but they turn on WPA authentication and think they're okay, but no. You have to have an external authentication server."

The problem is that there are multiple standards for the Extensible Authentication Protocol (EAP) used in external authentication servers. Network administrators must choose one flavor of EAP for all their mobile devices, and this sometimes forces users to install a new wireless card in computers if the wireless device's existing card doesn't support the EAP that the rest of the facility is using.

Chang also discussed message integrity, or the act of ensuring that network data can't be tampered with. WPA2 will address this issue by including a patch to its Message Integrity Code (MIC) that will be more reliable and address a flaw discovered last month.

As in past presentations, Chang offered other practical suggestions for wireless security:

  • Place your wireless access points in the middle of your service area to make it more difficult for hackers outside the hospital to access your network.
  • Don't put any important services or clients on the wireless network.
  • Consider using a virtual private network (VPN) when using a wireless connection.
  • Install a wireless intrusion detection system to detect attacks quickly.
  • While WEP isn't good enough for hospital security, it's better than nothing for home users.
  • Use static Internet Protocol (IP) addresses rather than Dynamic Host Configuration Protocol (DHCP).
  • Don't broadcast your wireless network's Extended Service Set Identifier (ESSID).
  • Consider using only Media Access Control (MAC) addressing.

Finally, Chang recommended that healthcare facilities not just rely on buying new technology to keep their data secure. Facilities should implement a comprehensive wireless strategy that takes into account user behavior and workflow models to use wireless safely.

"If you do that right, your security should be pretty reasonable," Chang said.

By Brian Casey
AuntMinnie.com staff writer
June 6, 2005

Related Reading

Security in the wired or wireless world: users are the weakest link, May 24, 2004

New wireless network options offer benefits, despite security concerns, April 2, 2004

Tablet PC eases image distribution to bedside, March 23, 2004

Security strategies for wireless technology, June 10, 2003

Wireless Internet lines offer speedy alternative for imaging centers, September 3, 2002

Copyright © 2005 AuntMinnie.com

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
2005 04 12 16 47 18 706
IS
SNOMED CT: Electronic health records enhance radiology patient safety
Merge
IS
Merge eFilm
Ris
IS
Clinical specialization, connectivity keep RIS vital
Witt
IS
Witt Biomedical
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page