Dan Meacham, security information officer for Baylor Health Care System, answers readers' questions about wireless security.

The HIPAA security rule gives you some flexibility on how you interpret and implement reasonable controls to protect the data. However, there is another side to the wireless HIPAA question, and that would be protecting the data at rest on the wireless device. Our organization considers wireless technology a business and productivity enhancement, as well as a significant exposure. To this end, Baylor has integrated additional controls to help ensure the secure transmission and authorized access to the wireless infrastructure.

Q: Have you seen wireless local area networks as targets of attacks?

A: Absolutely. Two words: war chalking. It’s also possible that someone could create a denial-of-service attack by disrupting your WLAN…but then, someone would probably notice that. In the past two years, we have seen an increase of media awareness with retail and corporate wireless networks that were left open. The key threat or exploit of a WLAN is access to resources and information. Competitors may have access to data or better yet, someone may use your network to make a phone call. I remember reading about a team on the West Coast that bought an IP telephone service, registered the number as an East Coast number and placed calls to its security teams using open WLANs across the state. The scary part of the story was that the security teams had no idea as to where the calls were coming from (most of the time, it was from a car).

Q: How are you incorporating wireless technology in the hospital setting?

A: Our organization has integrated several pilots and production wireless capabilities with multilayered security controls. For example, BlackBerry devices require a password to unlock them, strong encryption, and have a feature that allows us to remotely destroy the data if they are lost or stolen.
Our Voicera deployment runs wireless voice over IP on a virtual LAN. And the WLAN has several additional security protocols running on top of the standard device capabilities. Apart from the standard forms and agreements, our team communicates and educates security awareness to the user; as these devices are distributed, the deployment team reviews the user’s responsibilities and accountability.

Q: Do you allow “nonowned” wireless devices to authenticate to your network?

A: No, we do not allow nonowned wireless devices to authenticate to our network. At times, we have allowed contractors to physically connect to a trusted network segment after their systems have been certified or reviewed by our field support team, and after we verify that the systems meet our security standards. If a system does not meet our standards, temporary licenses are issued to install our standard security software. In all cases, a confidentiality agreement and a “Rules of Behavior” must be signed. Furthermore, there is an employee who is accountable for the actions of the contractors.