Davis Wright Tremaine LLP

Advisory Bulletin

WIRELESS SECURITY STANDARDS

Reproduced with permission from BNA's Electronic Commerce & Law Report, Vol. 8, No. 20, pp. 507-512 (May 21, 2003). Copyright 2003 by The Bureau of National Affairs, Inc. (800-372-1033)

To take advantage of the cost savings and convenience that portable devices offer, many hospitals and other health care entities have equipped doctors, nurses and other staff with wireless-enabled laptops, personal digital assistants and other wireless devices. Unfortunately, the network security features used in the most common wireless network products, those based on 802.11b standards, do not meet HIPAA's stringent security requirements.

No Rest for the Wary

By Randy Gainer, Michael van Eckhardt, and Rebecca L. Williams
[May 2003]

This article analyzes recent developments in wireless technologies as they affect the health care industry. It is not legal advice, and is not intended, nor should it be used, as a substitute for legal advice.

With the April 14 Health Insurance Portability and Accountability Act privacy compliance deadline behind us, some of us may be thinking, at least subconsciously, that we can take just a bit of a break on data security and confidentiality issues. Although the final HIPAA security rules call for technical safeguards including access control, data integrity, authentication, audit controls and encryption, we will not have to comply with those requirements until April 2005. So we can take a breather, right? Sadly, the answer is "no."

The push of technology is inexorable. After taking a well-deserved breather, you likely returned to pages of e-mail messages wanting long lists of new things. Likely to be very high on the request list is wireless networking, also known as "WiFi."1

There is much encouragement from the big players in technology and telecommunications. Intel's recent announcement about its Centrino mobile chipset included a strong emphasis on the 802.11 wireless local area network (WLAN) standard for enterprises.

And the formation of Cometa by Intel Corp., International Business Machines Corp., and AT&T Corp., among others, will drive the deployment of public hot spots throughout the United States: hot spots that will be available for use by health care professionals who are traveling or who just want Internet access while they are out for a cup of coffee.

Almost every day in the health care press, we read about new, potential and actual, practical uses for wireless devices in health care administration, practice management, and clinical care. Wireless networks are being deployed to allow physicians and nurses to access patient records from central databases while on rounds, to add observations to the databases, and to check on medications.2 One hospital CIO estimated such systems help reduce costly medical errors by 50 percent.3 Some providers are expanding wireless operations into administrative tasks such as patient check-out and billing.4

Indeed, most facilities are already using at least some forms of wireless information technology. In the recent annual HIMSS survey of CIOs, 72 percent of all respondents reported that their facilities were using some form of wireless information system.5 The Gartner Group recently estimated that approximately one-third of U.S. hospitals have WLANs installed in at least one department. And the demand for wireless networks is growing. According to the HIMSS survey, "wireless networks continue to be the technology that most respondents said their facilities would like to implement in the next two years."

The growing presence of wireless networks in health care information management presents tremendous challenges to health care IT managers. One of the fundamental axioms of IT is that there is a tradeoff between access and security: easier access translates to greater security risks.6 True to this axiom, the ease of access that wireless networks offer is matched by the security challenges those networks present.

To plan appropriately for wireless network design and deployment, hospitals and other health care entities need to become familiar with HIPAA requirements. We will attempt in this article to briefly outline some recent developments in wireless network security and summarize some of the applicable HIPAA security requirements. We also will identify a couple of specific uses of wireless technology that are likely to pose special challenges to covered health care entities, their IT managers and other executives.

HIPAA Statutory Requirements

HIPAA security requirements pertinent to WLANs are stated in the HIPAA statute,7 in the privacy rules for which compliance is now required (except for small health plans),8 and in the security rules9 that most covered entities must comply with by April 21, 2005 (which small health plans must comply with by April 21, 2006). Under the HIPAA statute:10

[A covered entity] who maintains or transmits health information11 shall maintain reasonable and appropriate administrative, technical, and physical safeguards-

(A) To ensure the integrity and confidentiality of the information;

(B) To protect against reasonably anticipated-

(i) Threats or hazards to the security or integrity of the information; and

(ii) Unauthorized uses or disclosures of the information; and

(C) Otherwise to ensure compliance with this part by the officers and employees of such person.

Covered entities include health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with health claims, enrollment and disenrollment in health plans, eligibility for health plans, health care payments and remittance advice, health care premium payments, first reports of injury, health claim status, and referral certification and authorization.12

Statutory penalties for violating the HIPAA statute range from $100 per person per incident for run-of-the-mill improper disclosures of medical information to $250,000 and 10 years in prison for intentional violations.13 Statutory penalties may be the least of a covered entity's worries, however, if lax security allows health information to be stolen. When thieves broke into the offices of Department of Defense contractor TriWest Healthcare Alliance and stole hard drives with medical information of 562,000 Army personnel,14 within weeks a class-action lawsuit was filed against TriWest on behalf of the individuals whose data were stolen.15 Similar class-action claims against health care entities that fail to take adequate safeguards to ensure the security of WLANs could result in multi-million dollar judgments.

The requirement that covered entities "ensure" the integrity and confidentiality of medical information against any reasonably anticipated threat or hazard creates a very high legal and practical standard.16 Congress chose to require those who handle health information to essentially guarantee that reasonable security policies are followed.17 As the Department of Health and Human Services stated in its analysis of comments regarding the HIPAA security rules, "we believe the Congress' intent in the use of the word 'ensure' in section 1173(d) of the Act was to set an exceptionally high goal for the protection of electronic protected health information."18 The additional attention that both government and private sector entities have focused on information security following the attacks of Sept. 11, 2001, and following well-publicized incidents of identity thefts made possible by the theft of electronic consumer data,19 has raised the bar even higher regarding what is reasonable and appropriate to protect confidential information of all kinds.

HIPAA Regulatory Requirements

The HIPAA privacy rules were issued in final form in October 2002. They became effective April 14. The "mini-security rule" in the privacy rules states:

Standard: Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Implementation Specification: Safeguards.

(i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or recorded use or disclosure.20

This "mini-security rule" applies to protected health information that is both electronic and non-electronic. Any court asked to determine the meaning of "appropriate safeguards" in the mini-security rule may well refer to the principles and requirements of the security rules to determine what safeguards an entity should have implemented.

The new final security rules apply to protected health information in electronic form only. The rules were substantially revised from the draft rules published by HHS in August 1998.21 The core principles of the security rules require covered entities to:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the security rules].

(4) Ensure compliance with the [security rules] by its workforce.22

As described above, references to "ensure" and "any" in the rules make the security standards of care a challenge to meet. The rules also offer flexibility:

(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in [the security rules].

(2) In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity.

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.23

While these general rules allow covered entities to take a flexible approach, flexibility does not mean laxity. For example, although a covered entity should consider the costs of security measures,24 the size, complexity and capabilities of the entity must also be considered,25 which means that large entities may be given no leeway for failing to deploy expensive security technology.

The more detailed standards of the security rules are grouped under three headings: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.26 Additionally, the security rules identify safeguards that are "required" and those that are "addressable." If HHS views the safeguard as essential, it is labeled "required." "Addressable" does not mean, however, that an entity need not consider the safeguard. Rather, it means that HHS believes that there may be many ways to implement the safeguard. An entity will have to justify any decision to do nothing regarding a safeguard described as "addressable" in the rules.

Security Rules Affect Implementation

Several of the security safeguards are particularly pertinent to WLANs. Among the physical safeguards required, covered entities must implement policies and procedures to safeguard equipment from unauthorized physical access, tampering and theft.27 Although this is an "addressable" requirement, covered entities must take into account the "probability and criticality of potential risks." This suggests that special attention should be paid to the danger inherent in the theft of a wireless device that may provide a thief unauthorized access to protected health information.28 WLAN security features must make it difficult for a thief to access protected health information by using a laptop or PDA stolen from an authorized user. At a minimum, users must authenticate themselves using passwords before they use portable devices, the portable device must be authenticated to a server before access is granted to the WLAN,29 and the cryptographic keys used by portable devices to access the WLAN must be frequently changed. Ideally, if an authorized user loses a portable device that has protected health information on it or if a thief steals such a device, a network administrator should be able to remotely destroy the information. Until such remote destruction of data moves from "Mission Impossible" fiction to become commercially available on laptops and PDAs,30 IT administrators and privacy officers need to plan how they will minimize access to protected health information on lost and stolen portable wireless devices.

Two administrative safeguards that the security rules require31 covered entities to implement should prevent covered entities from deploying insecure WLANs. The rules require entities to conduct an assessment of potential risks and vulnerabilities and to implement security measures sufficient to reduce risks and vulnerabilities.32 The latter rule requires regular reviews to determine whether an entity's risk management efforts are adequate.

If a hospital or other covered entity assesses the security risks inherent in transmitting protected health information over wireless networks, it will learn that well-known technical deficiencies in the security features of 802.11b technology33 make the technology inadequate, unless it is enhanced, to satisfy the technical safeguards described in the security rules. Required technical safeguards that are not met by standard 802.11b wireless network security features include the requirement to implement unique user identification, encryption and decryption, person and entity authentication, and transmission security.34 The main reason that these requirements cannot be satisfied by deploying only 802.11b technology is that the encryption protocol used in 802.11b products, "Wired Equivalent Privacy" (WEP), is fundamentally flawed.

WLANs use radio waves to transmit data. WLAN radio waves extend up to 300 feet beyond the walls of the buildings where access points are deployed.35 That means that hackers, also known as "war drivers" in this context, can scan for radio waves from a WLAN to hijack the radio signals.36 That hackers can access WLAN data will not be a major security risk if the data transmitted across such WLANs are adequately encrypted. Unfortunately, WEP: (1) uses a static cryptographic key rather than keys that are frequently changed; (2) typically uses 40-bit keys rather than more secure, longer key lengths; (3) passes a part of the key string in clear text, which weakens the key; and (4) provides no cryptographic integrity protection.37 Problems with WEP cannot be corrected by using a longer key.38

The deficiencies in WEP have been widely publicized. Recent comments include:

One of the most popular wireless technologies, Wi-Fi (also known as 802.11), already has known serious security flaws. The most prominent involves [WEP] authentication, which is easily broken. WEP uses fixed keys that are easy to attain via commonly available software such as Netstumbler.39

Like most hospital CIOs, [Dr. John] Halamka [Associate Dean of the Harvard Medical School and CIO of CareGroup Health care System] is especially troubled by the shortcomings of the most popular [WLAN] standard's core security component, [WEP]. "It's a nasty and useless protocol," he says. "Anyone can download a program from the Internet and break it in about an hour. So if one person, one time, figures out your encryption key, he'll have access to your whole company forever."40

"I don't think WEP is sufficient security because people have managed to hack the protocol and hackers are out there trying to embarrass the medical community," says Jon Bogen [Managing Principal of HealthCIO Inc.].41

[D]uring 2001, serious, easily exploitable weaknesses in WEP were discovered by cryptographers and publicly revealed. Therefore, WEP should not be relied on as the basis [for] complying with the draft HIPAA security standards requirement to encrypt WLAN connections supporting protected health information… .42

Because the deficiencies in WEP are serious and well-known, a covered entity risks being deemed to not be in compliance with the requirements stated in the HIPAA statute, the mini-security rule in the privacy rules, or the security rules, by relying on WEP alone to protect the confidentiality and integrity of data transmitted over wireless networks. The possibility that hackers could compromise protected health information and the criticality of such a compromise suggests that the security offered by WEP must be supplemented by other measures.43

There are several ways that WLANs are being deployed to make them more secure. Microsoft has secured its multi-campus wireless network, which has more than 3600 access points and more than 30,000 "clients" (laptops, pocket PCs, etc.), using technology based on the IEEE's 802.1x specifications.44 802.1x uses Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) to block communications over the WLAN until an authentication server verifies that the portable device (or "client") may access the network.45 The EAP authentication session is protected by a TLS tunnel. Microsoft's 802.1x EAP/TLS network authenticates both client devices and individual users using public key certificates managed in-house by the company.46 128-bit WEP keys are used and they are changed for each wireless session or after a set time period. Microsoft engineers chose the 802.1x approach because it provides relatively high security by automated authentication procedures running in the background, which allows users to have secure access without having to master cumbersome log-in steps.47 Microsoft plans to upgrade to the 802.11i technology when it is available. 802.11i will use a stronger encryption scheme, Advanced Encryption Standard (AES).48

Enterasys Networks of Portsmouth, N.H., deploys 802.1x networks for commercial customers and others who require more security than 802.11b provides.49 Like Microsoft, Enterasys provides dynamic exchanges of 128-bit WEP keys to overcome the static-key weakness of WEP. Enterasys will upgrade customers' networks to use the WiFi Protected Access (WPA) protocol when it becomes available, presumably later this year.

WPA was promulgated by the WiFi Alliance to improve the encryption protocol used in WEP.50 WPA uses a Temporal Key Integrity Protocol (TKIP) to rapidly replace cryptographic keys and includes Message Integrity Check (MIC) to prevent data forgery.51 Unfortunately, one must replace or upgrade WEP-based Access Point firmware and client device operating system drivers to use WPA or, though the network will still work, it will do so by "down-shifting" to using WEP.52

Another method vendors are using to protect data transmitted over 802.11 networks is to encrypt the transmitted data with a more robust cryptographic tool before the data are encrypted by WEP, then decrypting the data when they are received after transmission. This approach is often described as creating a Virtual Private Network (VPN) "tunnel" to protect the transmitted data.53 The cryptographic tools used in WLAN VPNs include Internet Protocol Security (IPSec). Use of a VPN prevents someone from accessing the transmitted data in clear text even if a WEP key is deciphered. Some potential drawbacks of using a VPN to enhance WLAN security may include, however, the need to install additional gateway hardware, problems with dropped service if a wireless "client" roams between access points, and costs to deploy VPN-enabled "clients."54

In addition to the need to supplement the security offered by WEP, there are other issues that are likely to crop up in a number of different health care settings. As you can see from the summary of the security rules that you've just read, the issues discussed here barely scratch the surface of the security challenges that wireless networks will present to health care entities.

Rogue Access Points

The lure of wireless networking is strong, which sometimes leads to undue security risks. For example, many physicians are technically very knowledgeable and have been eager to implement some of their knowledge of wireless systems. Some have even gone so far as to install their own wireless access points in their facility without the knowledge or cooperation of the facility's administration or IT department.55

These "rogue" wireless access points pose a significant security risk and network management challenge. Such rogue access points need to be identified prior to implementation of any system-wide wireless network. In part, this is to avoid obvious interference problems.

These rogue hot spots also pose a security challenge. The rogue spot may offer convenient access, but it is unlikely that the rogue operator is providing anything more than WEP for security, if that. The rogue hot spot may offer an easy way for an intruder to gain access to protected health information throughout the entity's wireless network.
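The audit below turns the criteria this bulletin sets out (no WEP-only links, no static or 40-bit keys, 802.1x authentication of devices and users, per-session key rotation, and no access points outside the IT department's inventory) into a check that a covered entity's IT staff could run over a site-survey export. It is an added example, not code from the bulletin or its authors; the inventory, BSSIDs, SSIDs, and CSV columns are constructed for illustration.

```python
"""Audit observed wireless access points against an authorized inventory
and the security expectations described in the bulletin.
Added example; every value below is constructed, not real survey data."""
import csv
import io
from dataclasses import dataclass

# Constructed inventory of access points the IT department deployed
# (BSSID -> SSID). A real inventory would come from the WLAN controller.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "MED-WLAN",
    "00:11:22:33:44:02": "MED-WLAN",
}

# Constructed site-survey export. Columns are assumptions for this example:
# encryption is none/WEP/WPA, dot1x and key_rotation are yes/no.
SCAN_CSV = """\
bssid,ssid,encryption,key_bits,dot1x,key_rotation
00:11:22:33:44:01,MED-WLAN,WEP,128,yes,yes
00:11:22:33:44:02,MED-WLAN,WEP,40,no,no
00:11:22:33:44:99,drlinksys,WEP,40,no,no
00:11:22:33:44:98,MED-WLAN,none,0,no,no
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str  # "high", "medium" or "low"
    issue: str


def parse_scan(text):
    """Parse the survey export into one dict per observed access point."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["key_bits"] = int(row["key_bits"])
        row["dot1x"] = row["dot1x"].strip().lower() == "yes"
        row["key_rotation"] = row["key_rotation"].strip().lower() == "yes"
        rows.append(row)
    return rows


def audit_ap(ap, inventory):
    """Apply the bulletin's criteria to a single access point."""
    bssid, ssid = ap["bssid"], ap["ssid"]
    findings = []

    def add(severity, issue):
        findings.append(Finding(bssid, ssid, severity, issue))

    # Rogue access points: anything not deployed by the IT department.
    # A rogue that broadcasts the authorized SSID is called out separately
    # because staff devices may join it without noticing.
    if bssid not in inventory:
        if ssid in inventory.values():
            add("high", "rogue access point broadcasting an authorized SSID")
        else:
            add("high", "rogue access point; not in IT inventory")
    elif inventory[bssid] != ssid:
        add("medium", "SSID differs from inventory (expected %r)" % inventory[bssid])

    # Link encryption: the four WEP deficiencies and the 802.1x mitigation.
    enc = ap["encryption"].strip().upper()
    if enc == "NONE":
        add("high", "no link encryption; transmission security requirement unmet")
    elif enc == "WEP":
        if not ap["dot1x"]:
            add("high", "WEP without 802.1x: no device/user authentication, shared key")
        if not ap["key_rotation"]:
            add("high", "WEP keys not rotated per session (static-key weakness)")
        if ap["key_bits"] < 128:
            add("medium", "%d-bit WEP key" % ap["key_bits"])
        # Even rotated 128-bit WEP lacks a cryptographic integrity check.
        add("medium", "WEP has no cryptographic integrity protection; "
                      "add a VPN (IPSec) or upgrade to WPA/802.11i")
    elif enc != "WPA":
        add("low", "unrecognized encryption setting %r; verify manually" % ap["encryption"])
    return findings


def audit_scan(text, inventory=AUTHORIZED_APS):
    """Run audit_ap over every access point in a survey export."""
    findings = []
    for ap in parse_scan(text):
        findings.extend(audit_ap(ap, inventory))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' when there are no findings."""
    rank = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=rank.get, default="none")


if __name__ == "__main__":
    for f in audit_scan(SCAN_CSV):
        print(f"[{f.severity:6}] {f.bssid}  {f.ssid:10} {f.issue}")
```

In the constructed data the first access point mirrors the 802.1x deployment with rotated 128-bit WEP keys described above and draws only the integrity finding, while the two unlisted BSSIDs are flagged as rogue.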

Remote Wireless Access Points

Some hospital systems and other facilities allow medical staff and workforce members to obtain remote access to certain data, which might include protected health information, on the facility's system. This can allow, for example, physicians to review charts or other patient information while at home or on the road. The convenience and productivity gains are obvious.

The convenience and low cost of wireless networks is leading many to use wireless networks at home for remote access. Use of a home wireless network to access a health care entity's information system poses significant security risks, however. The dispersion of signal from a home wireless access point adds to the already complex task of managing the security of a data network; as noted above, signals from wireless access points can travel for 300 feet or more outside the walls of the building in which the access point is located.

Any decision to allow remote access to health care data should take into account the possibility that some users may use wireless networks and should take appropriate security precautions to protect information traveling across wireless networks. Although a VPN can be inconvenient and costly to implement on a health care campus itself, deployment of a VPN may be advisable if users of the system are to obtain access to the system from outside the campus.

Decisions made now about wireless networking in a health care environment need to weigh the HIPAA security rules that will go into effect in 2005, as well as the currently effective privacy rules. Failure to take these rules into account when designing and implementing a wireless network could result in costly network changes down the line, along with increased risks of HIPAA violations.

Should You Wait?

Covered health care entities need to consider whether they should postpone deploying an initial WLAN or upgrading an insecure, WEP-based WLAN until planned changes in wireless network standards are adopted and have been implemented in commercial products. The IEEE has announced that it plans to adopt 802.11g specifications this summer56 and it is working on the specifications for 802.11i.57 802.11g networks will allow for data to be delivered at faster speeds (54 Mbps versus 11 Mbps over 802.11b networks).58 Some 802.11g products that have been released before the standard has been finalized, however, have had inadequate security features59 and some 802.11g products have proven not to be compatible with 802.11b equipment.60 Presumably 802.11g products developed after the 802.11g standard is released will not suffer from interoperability problems. 802.11g networks will also be more secure than 802.11b networks if they are deployed using WPA rather than WEP.

Wireless networks based on the planned 802.11i standard should be still more secure. Such networks will allow users to use stronger AES encryption instead of WEP or WPA. Unfortunately, AES currently requires a dedicated encryption/decryption chip in wireless network access points.61 Some writers suggest that IT administrators may want to wait for 802.11i equipment before they deploy or upgrade their WLANs to avoid having to upgrade more than once, although they acknowledge that such equipment may not be available for a year or more.62

When covered entities' administrators decide whether to deploy or upgrade a WLAN, they should be sure to document the risk analysis that was the basis for their decision. In conducting that risk analysis, covered entities should carefully consider the position of the Department of Defense, which restricted the use of wireless devices in September 2002 because of "the exploitable vulnerabilities inherent in current wireless products and technologies and the interdependencies of Defense and Pentagon networks …."63

Whether you decide to enhance your 802.11b WLAN or wait for 802.11g or 802.11i products, HIPAA does not offer covered entities a "safe harbor" for compliance with its security rules. As technology changes constantly, those rules require covered entity managers and their lawyers to constantly evaluate the impact of those changes on the security of their networks.


For further information, please contact:

Randy Gainer, Seattle, (206) 628-7660, randygainer@dwt.com
Rebecca L. Williams, Seattle, (206) 628-7769, beckywilliams@dwt.com

Copyright©2003 by The Bureau of National Affairs, Inc., Washington D.C.


FOOTNOTES

1 "WiFi" is short for "Wireless Fidelity," a term promulgated by the WiFi Alliance. See http://www.weca.net/OpenSection/index.asp.

2 Heather Green, WiFi Means Business, Business Week, April 28, 2003, 86, 91.

3 Id., citing statements by John D. Halamka, CIO of CareGroup Hospitals Inc.

4 Wireless health driven by HIPAA, Info World, April 5, 2002.

5 The Healthcare Information and Management Systems Society (HIMSS) survey of CIOs reported that 76 percent of CIOs said that their facilities wanted to adopt wireless technology (up from 54 percent in 2002 and 50 percent in 2001). For more information about HIMSS and the survey, see http://www.himss.org/2003survey/ASP/healthcarecio_home.asp.

6 When asked about what would be the important technologies in 2005, 55 percent of vendors in the HIMSS survey said that wireless information appliances would play a large role, followed by 51 percent who said data security technology. Health care information technology vendors say that data security is the most important technology for their clients, according to the survey. Forty-nine percent of vendors said data security technology is top priority for their clients, the survey found.

7 Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, codified at 42 U.S.C. §1320d.

8 45 C.F.R. parts 160 and 164 (2003).

9 Volume 68 Federal Register No. 34, 8334, 8381 (Feb. 20, 2003).

10 42 U.S.C. §1320d-2(d)(2).

11 "Health information," as that term is used in 42 U.S.C. §1320d-2(d)(2), is defined by §1320d(4) to mean information in any form that is created or received by a health care provider, plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, that relates to the physical or mental health of an individual, the condition of an individual, the provision of health care to an individual, or any payment for the provision of health care to an individual.

12 42 U.S.C. §1320d-1(a)(3) refers to transactions identified in §1320d-2(a)(1). The above described transactions are those listed in the latter subsection.

13 42 U.S.C. §1320d-6(b).

14 David Ho, Ex-Hacker Warns of Dangers of Cybercrime, Orlando Sentinel, A7, April 4, 2003.

15 Dennis Wagner, Lawsuit Accuses Triwest Health Care of Negligence, The Arizona Republic, B5, Jan. 30, 2003.

16 See Richard D. Marks, Implementing HIPAA, 5 Electronic Commerce & Law Report, No. 18, 468, 472 (2000).

17 Id.

18 Volume 68 Federal Register No. 34, 8334, 8346 (Feb. 20, 2003).

19 See, e.g., Busboy Busted For Cyberfraud, New York Post, March 20, 2001 (describing hacker's use of computers in public library with Internet access to commit credit card fraud against 200 wealthy Americans).

20 45 C.F.R. §154.530(c) (2003).

21 See DWT Analysis & Comments on HHS's HIPAA Security Rules (February 2003), at http://www.dwt.com/practc/hc_ecom/bulletins/02-03_HIPAASecRules.htm (DWT Analysis).

22 45 C.F.R. §164.306(a).

23 45 C.F.R. §164.306(b).

24 45 C.F.R. §164.306(b)(2)(iii).

25 45 C.F.R. §164.306(b)(2)(i).

26 The safeguards are reviewed and described in the DWT Analysis.

27 45 C.F.R. §164.310(a)(2)(ii).

28 Of course, covered entities must also satisfy the four required physical safeguards stated in Section 164.310.

29 See Marianne Swanson, Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-26, p. A-43 (2001), and Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, pp. 11, 19, 20, 34 (2001). NIST is a standards-setting organization of the U.S. Department of Commerce. HHS's comments regarding the security rules cite various NIST publications four times. See 68 Federal Register No. 34, 8334, 8346, 8350, 8352, 8355 (Feb. 20, 2003). HHS's repeated reference to NIST publications in the security rule comments suggests that NIST publications provide useful background information to assist in understanding and applying the rules.

30 Remote destruction of data is reportedly available through Good Technology Corporation's Goodlink 1.5 Corporate Messaging System, which provides wireless e-mail services. See Richard V. Dragan, Goodlink Challenges the RIM Blackberry, PC Magazine (March 11, 2003), available at http://www.pcmag.com/article2/0,4149,890802,00.asp. Remote destruction of data on laptops and PDAs may soon be available as well.

31 The "required" and "addressable" safeguards are summarized in Appendix A to subpart C of part 164 of the C.F.R.s. There are 11 required administrative safeguards, four required physical safeguards, and four required technical safeguards. Some of the "addressable" safeguards listed in the Appendix are particularly important for securing WLANs.

32 45 C.F.R. §164.308(a)(1)(ii)(A) and (B).

33 "802.11" refers to a group of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network technology. "802.11b" is a 1999 extension of the 802.11 specifications.

34 Those requirements are described in 45 C.F.R. §164.312(a)(1), (d), and (e)(1), respectively.

35 Chris O'Farrell, CTO, NETSEC, remarks at RSA Security Conference, April 15, 2003, "Walk-About Wireless Hacking-Are You a Victim?"

36 Id.; see also, Kevin P. Cronin and Ronald N. Weikers, Data Security and Privacy Law: Combating Cyberthreats, §2.14, n.2.30 (West 2003) ("A common problem with wireless networks is the prevalence of loose access points, which can easily be hijacked by a war driving hacker scanning for such opportunities with his own wireless network device.") available at 2003 WL DATASPL §2.14.

37 See Tom Karygiannis and Les Owens, Wireless Network Security, NIST Special Publication 800-48 (Nov. 2002 draft), 3-10. While NIST's Wireless Security publication is still in draft form and may therefore be less compelling than final NIST publications, it may be issued in final form soon. Even in draft form, the publication may provide baseline standards for judges and plaintiffs' lawyers looking for such standards.

38 Id. at 3-11. According to John Biccum, Senior Information Security Analyst, Microsoft Corp., 128-bit WEP keys can be broken with downloadable software tools in less than two hours. Remarks and PowerPoint slides provided at RSA Security Conference, April 15, 2003, "Securing Your Wireless Network with 802.1x." See also Jesse R. Walker, Unsafe at Any Key Size: An Analysis of the WEP Encapsulation, Intel Corporation, Oct. 27, 2000, quoted in HIPAA Security for Wireless Networks, NetMotion Wireless White Paper, Nov. 1, 2002 (at http://www.netmotion.com) ("[s]ignificant deficiencies in the WEP data encapsulation render its data privacy claims meaningless, regardless of the key size").

39 Christa L. Coleman, Will Wireless Throw Health Care for a Loop? (Jan. 7, 2003) (emphasis added) (at http://mobilebusinessadvisor.com/articles.msf/dp/A08AC69A2BC557E788256C8600621C15).

40 Alan Joch, Wireless Watchdogs (July 2002) (emphasis added) (at http://www.healthcare-informatics.com/issues/2002/07_02/wireless.htm).

41 Wireless Security and Management in Health Care Organizations (Dec. 2, 2002) (emphasis added) (at http://www.bluesocket.com).

42 J. Klein, HIPAA and the Encryption of Public Health Information (Aug. 6, 2002) Gardner Inc. (emphasis added) (at http://nedarc.med.utah.edu/HIPAA/108890.pdf).

43 Covered entities should assure that their officials do not rely on ill-advised statements by wireless advocates. See, e.g., Adam Stone, Will HIPAA Allow Wireless? (December 2, 2002) (at http://www.80211-planet.com/columns/article.php/1550241) ("[T]o satisfy HIPAA, one need only 'do the good-faith-effort thing ….' '[T]urn on WEP, even if you know that in the big picture it does not do a whole lot of good …. You may not have all the bells and whistles, but HIPAA probably will not require all those.'"). Such statements, made before the final security rules were issued, are wrong.

44 Biccum, supra, note 38. For a description of 802.1x standards, see http://www.ieee802.org/1/pages/802.1x.html.

45 Lisa Phifer, Air Safety, Information Security, April 2003, 48, 58.

46 Biccum, supra note 38.

47 Id.

48 Id.; Phifer, supra note 45 at 61.

49 Conversation with JP Gorsky, Director, Wireless Product Line of Enterasys, April 15, 2003. Davis Wright Tremaine provides legal services for Enterasys.

50 See http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf. WPA uses the same encryption algorithm used in WEP but increases the initialization vector to 48 bits and uses 802.1x server-based authentication features. Steven J. Vaughn-Nichols, Making the WPA Update, 802.11 planet.com (May 5, 2003) (at http://www.80211-plant.com/tutorials/article.php/2201281).
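As an added illustration of the point in note 50 (this example is not part of the original bulletin or its sources): with a stream cipher, reusing an initialization vector under the same key reuses keystream, so the size of the IV space bounds how many frames a key can safely protect. The 24-bit WEP IV size, the frame rate and the sequential-counter model are assumptions of this example, not figures from the note.

```python
"""Compare the IV space of WEP (24-bit IV, assumed here) with WPA's 48-bit IV
from note 50.  Two views: how long a sequential IV counter lasts at a given
frame rate, and how quickly randomly chosen IVs are likely to collide
(birthday bound).  Constructed example; no traffic is generated or decoded."""
import math

WEP_IV_BITS = 24   # original 802.11 WEP (assumption stated in the lead-in)
WPA_IV_BITS = 48   # WPA/TKIP, per note 50


def iv_space(bits: int) -> int:
    """Number of distinct IV values available under one key."""
    return 1 << bits


def seconds_to_exhaust(bits: int, frames_per_second: float) -> float:
    """Time until a sequential IV counter wraps at the given frame rate."""
    return iv_space(bits) / frames_per_second


def collision_probability(bits: int, frames: int) -> float:
    """Probability that at least one IV repeats among `frames` randomly chosen
    IVs, using the birthday approximation 1 - exp(-n(n-1)/(2N)) so that
    the 2**48 case does not overflow."""
    n_space = iv_space(bits)
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n_space))


def frames_for_half_chance(bits: int) -> int:
    """Frame count after which a random-IV repeat is about 50% likely:
    n ~= sqrt(2 * ln 2 * N)."""
    return math.ceil(math.sqrt(2.0 * math.log(2.0) * iv_space(bits)))


if __name__ == "__main__":
    # Assumed busy access point: 5,000 frames per second, every one encrypted.
    rate = 5000.0
    for label, bits in (("WEP", WEP_IV_BITS), ("WPA", WPA_IV_BITS)):
        print(f"{label}: {bits}-bit IV, {iv_space(bits):,} values")
        print(f"  sequential counter wraps after "
              f"{seconds_to_exhaust(bits, rate) / 3600:.2f} hours at {rate:.0f} fps")
        print(f"  random IV: 50% chance of a repeat after "
              f"{frames_for_half_chance(bits):,} frames")
        print(f"  random IV: P(repeat) within 1 second of traffic = "
              f"{collision_probability(bits, int(rate)):.2e}")
```

At the assumed rate a 24-bit counter wraps in under an hour and random 24-bit IVs repeat within a second or two, while the 48-bit space pushes both figures far beyond the life of a session key; note that the IV size is only one of WEP's problems, as note 38 explains.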

51 Id.; see also Phifer, supra note 45 at 61.

52 Vaughn-Nichols, supra note 50. ("A security chain is only as strong as its weakest link, so if you're trying to mix old WEP hardware with WPA, you're likely to end up with a false sense of security followed by a criminal hacker in your network.")

53 See, e.g., Karygiannis & Owens, supra note 37 at 3-23 to 3-24; and Phifer, supra note 45 at 61-62. Several commercial vendors apparently deploy VPNs to enhance WLAN security, including Air Network Solutions of Potomac Falls, Va.; Ecutel Inc., of Alexandria, Va.; V-1 Corp. of Germantown, Md.; BlueSocket Inc. of Burlington, Mass.; NetMotion Wireless Inc. of Seattle; and WaveLink of Kirkland, Wash. See generally Joch, supra note 40 at 3-6.

54 Phifer, supra note 45 at 61.

55 A rogue access point is deployed when "[A] user plugs an off-the-shelf access point into a wired network port, thus broadcasting corporate network access to anyone with an 802.11-based device, authorized or unauthorized. This is a common security breach that takes place every day." Michael Maggio, Does Intel's Centrino Portend WLAN Security Concerns? Technology Reports (April 2, 2003) (at http://technologyreports.net/wirelessreport/?articleID=1644).

56 Richard Shim, WiFi Group Gives Time Frame for Approval, CNET News.com (Feb. 25, 2003).

57 Vaughn-Nichols, supra note 50.

58 Joe Wilcox and Richard Shim, Microsoft's Wi-Fi Ups and Downs, CNET News.com (March 28, 2003) (at http://news.com.com/2100-1039-994518.html).

59 Jay Wrolstad, New Battle for WLAN Security, http://www.WirelessNewsFactor.com (May 8, 2003).

60 Vaughn-Nichols, supra note 50; Wilcox and Shim, supra note 58.

61 Vaughn-Nichols, supra note 50; John Leyden, WLAN Security is Still Work in Progress, The Register (Nov. 29, 2002).

62 Vaughn-Nichols, supra note 50.

63 Ellen Messmer, Pentagon prohibits wireless, citing security reasons, NetworkWorldFusion (Sept. 27, 2002), at http://www.nwfusion.com/news/2002/0927pgon.html. The Sept. 25, 2002, Memorandum from the Office of the Secretary of Defense that announced the policy and a copy of the policy itself are available at http://www.defenselink.mil/c3i/org/cio/doc/it-wireless-policy-092502.pdf.
