In transmitting and storing critical patient data, wireless devices are integral to the response time (and often the resulting quality of care) offered by our healthcare systems. At the same time, government acts such as the Health Insurance Portability and Accountability Act (HIPAA) (1) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (2) have increasingly prodded healthcare providers to adopt more and more technology in order to comply fully with their respective requirements.
For example, wireless networks transport a great deal of patient medical data. To comply with HIPAA, that traffic must be encrypted (3), and in modern-day terms that means implementing Wi-Fi Protected Access 2 (WPA2), which has supplanted Wired Equivalent Privacy (WEP), an encryption scheme that has proven to be susceptible to hacking. Yet when regulation permeates healthcare settings, security often becomes an afterthought.
Consider: wireless is overwhelmingly how devices are connected in healthcare delivery. This includes everything from Wi-Fi-enabled insulin pumps, glucose monitors and RFID (Radio Frequency Identification) patient-tracking tags to Electronic Health Records (EHR) and payment systems — all core to healthcare delivery but typically distributed across many different hospitals, often with very limited IT security staff.
Per its accepted definition (4), Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care. And it’s PHI that hospitals risk whenever they transmit it over a wireless network.
The best evidence clearly demonstrates that hackers are doing their best to overcome whatever security measures healthcare organizations put in place to prevent patient data from escaping through their walls.
For example, a report published by IDC Health Insights (5) reveals that all of the nearly 100 healthcare IT executives surveyed in its study had experienced a cyber attack in the past year, with 40% of those reporting being attacked more than 10 times; a quarter of those attacks were described as successful, and one in four of the attacks impacted normal business operations.
A separate IDC report (6) found that healthcare organizations “are at a greater risk of a cyber attack than ever before, in part because electronic health information is more widely available today, than in the nearly 20 years since HIPAA passed in 1996.”
None of this is, of course, unexpected. Traditionally, hospitals have committed fewer capital dollars to infrastructure and IT resources, including security technologies and services. As a result, they move to the top of the hacker’s food chain faster than other industries because they’re simply more vulnerable to successful cyber attacks. PHI is also highly attractive to cyber thieves, who can use it to commit medical fraud or offer it for sale on the black market. The possibilities, unfortunately, are nearly limitless when it comes to threats that place a patient’s PHI at risk.
In most if not all medical practices today, mobile devices are ubiquitous: providers, nurses, administrators and others deliver patient care armed with everything from smartphones and tablets to laptops and other devices.
With so many hospitals relying on wireless devices, the security vulnerabilities are myriad. They include patients’ families’ (and other visitors’) ability to access Wi-Fi on their personal devices; the aforementioned Internet-connected (IoT) medical devices; and personal devices owned by hospital staff (BYOD, or Bring Your Own Device), which should be allowed to access patient data on a hospital’s network only in limited situations and, of course, only when they’re properly encrypted to prevent unauthorized access. (7) As a result, the threat from mobile devices rapidly metastasizes throughout the institution.
While we’ve only scratched the surface of the implications of securing wireless networks in healthcare institutions, it’s clear that government regulations like HIPAA and HITECH, which provide guidance on handling Protected Health Information (PHI), must be taken into account when designing and maintaining compliant wireless networks.
There are also monetary implications. Fines for non-compliance with HIPAA can be severe (8), ranging from a minimum of $100 per violation to as much as $50,000 per violation in the harshest tier, never mind a precipitous loss of reputation and, ultimately, a smaller pool of patients who choose to seek healthcare services from the offending institution.
Watch Wireless Security expert Larry Pesce dive deep into
Larry Pesce is the Director of Research at InGuardians, leading its research efforts and concentrating especially on IoT. His history with hardware hacking began with the family TV when he was a kid, rebuilding it after it caught on fire. Both times.
His core specialties include hardware and wireless hacking, architectural review, and traditional pentesting, often in the financial, energy and healthcare industries.
Larry holds GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking.