Hospital Cures WLAN Insecurity

St. Vincent's inoculates 802.11b with tools, user policies to keep critical data secure, confidential.

After a decade of receiving accolades for their cutting-edge use of information technologies, IT managers at St. Vincent's Hospital, in Birmingham, Ala., weren't about to let concerns over Wi-Fi (802.11b) security dampen their ambitious plans to tie together the institution's five-building campus using a WLAN.

So beginning last year, said Jackie Kennedy, director of health information services at St. Vincent's, the hospital deployed user policies, management tools, and authentication and encryption technologies to keep critical data secure and confidential. "We strive to provide the most economical treatment of a patient using technology while giving the best care," Kennedy said. "As a result, security is a very big challenge and always a priority."

The determination of Kennedy and her team is paying off. The hospital recently rolled out a wireless LAN that eventually will allow staff to do everything from registering incoming patients at remote clinics to using wireless optical scanners to copy patient documents so nurses can access them via tablet computers at patient bedsides. With 338 hospital beds, St. Vincent's handles more than 18,000 discharges and 120,000 outpatients annually. The decision to deploy a secured WLAN will cut the time hospital staff spends on administrative tasks and dramatically increase the amount of time physicians and other caregivers can spend with patients, Kennedy said.

The sort of attention St. Vincent's paid to security is key to the success of enterprise WLAN deployments, experts say. Unfortunately, it's also rare. Gartner Inc., in Stamford, Conn., predicted that 30 percent of enterprises last year would suffer serious exposures from deploying WLANs without implementing proper security. And that exposure will only increase as WLANs proliferate in enterprises, Gartner predicts.

St. Vincent's started down the WLAN path in 2001 when, with the help of BellSouth Corp., of Atlanta, the hospital completed a comprehensive site survey to determine what kind of network would be best for its campus. After rejecting 802.11a WLAN technology, partly out of concern over potential interference with frequencies used by medical equipment, the hospital chose to deploy an 802.11b network. St. Vincent's began the rollout last April, using 167 Aironet 350 wireless access points from Cisco Systems Inc. Although the network is now live, St. Vincent's is still piloting applications and capabilities. Today, 30 physicians have access to the network using iPaq Pocket PC devices from Hewlett-Packard Co. As the hospital adds applications, it will eventually enable the use of a variety of devices on the WLAN, including Tablet PCs.

As a health care institution, St. Vincent's is required to meet Health Insurance Portability and Accountability Act regulations, which require that all electronic records meet a certain level of security. St. Vincent's IT managers began efforts to beef up 802.11b security by examining the default protections built into the products. Kennedy and Eddie Kilgore, a network administrator, went to great lengths to ensure all default settings were changed. As they evaluated the WEP (Wired Equivalent Privacy) encryption protocol used in 802.11b WLANs, they found the protocol insufficient to secure their network.

"While it may have been easier to manage, the ease at which you could break the encryption on WEP just didn't meet our security standards," Kilgore said.

Instead, St. Vincent's is using an arsenal of tools and required user procedures to find and lock down WLANs. All users must authenticate via the MAC (media access control) addresses on their NICs to get through the hospital's firewall and gain access to the wireless network. The authentication is handled by a Remote Authentication Dial-In User Service, or RADIUS, server. Once the user is authenticated, he or she must present a user name and password combination to log on to a Checkpoint Systems Inc. virtual private network to access the wireless network.

Hospital IT officials are also scanning for unauthorized WLAN access. During the hardware rollout, a few employees brought wireless access points into the hospital to launch rogue WLANs, Kilgore said. The hospital IT staff found those access points during normally scheduled network monitoring after each access point was reported on the hospital's Domain Name System, or DNS, server.
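The kind of check that turns up rogue access points in DNS can be sketched as a reconciliation of the zone's A records against the managed access point inventory. This is an added example, not code from the hospital or its vendors; the zone-export format, host names, addresses and subnet are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
AUTHORIZED_APS = {
    "ap-north-01.wlan.example.org": "10.20.0.11",
    "ap-north-02.wlan.example.org": "10.20.0.12",
    "ap-east-01.wlan.example.org": "10.20.0.21",
}
WLAN_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed AP management subnet

ZONE_EXPORT = """\
; constructed zone export
ap-north-01.wlan.example.org.   3600 IN A 10.20.0.11
AP-North-02.wlan.example.org.   3600 IN A 10.20.0.12
ap-east-01.wlan.example.org.    3600 IN A 10.20.0.99
wap54-default.wlan.example.org. 600  IN A 10.20.0.150
printer-3f.corp.example.org.    3600 IN A 10.30.4.8
"""

def parse_a_records(text):
    """Yield (fqdn, ip) per A record; skip comments, blanks and other types."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        try:
            ip = ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # malformed address: ignore the record
        yield fields[0].rstrip(".").lower(), ip

def audit(zone_text, inventory, subnet):
    """Compare DNS registrations with the inventory of managed access points."""
    inv = {name.lower(): ipaddress.ip_address(ip) for name, ip in inventory.items()}
    findings = {"unknown": [], "moved": [], "missing": []}
    seen = set()
    for name, ip in parse_a_records(zone_text):
        if name in inv:
            seen.add(name)
            if ip != inv[name]:  # known name, address differs from inventory
                findings["moved"].append((name, str(ip)))
        elif ip in subnet:       # unmanaged host registered inside the AP subnet
            findings["unknown"].append((name, str(ip)))
    findings["missing"] = sorted(set(inv) - seen)  # managed APs absent from DNS
    return findings

if __name__ == "__main__":
    for kind, items in audit(ZONE_EXPORT, AUTHORIZED_APS, WLAN_SUBNET).items():
        print(kind, items)
```
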

To ensure that additional rogue wireless access points don't pop up on the WLAN, IT managers deployed Mobile Manager Enterprise from Wavelink Corp., of Kirkland, Wash. Mobile Manager Enterprise is used to manage the configuration and implementation of the access points. It also tells IT managers patrolling the WLAN where rogue wireless access points have been placed. The hospital uses intrusion detection tools from Internet Security Systems Inc., of Atlanta, to alert it to hackers sniffing the network.

To protect patient privacy and to secure data—including hospital records and prescription information—Kennedy and her team prohibit data storage on wireless devices. The hospital also enforces stringent rules that do not allow users to cache IDs and passwords on wireless devices and sets network log-ins on all devices to time out after a certain amount of idling. Users must reauthenticate to get back on the network.

Kennedy and Kilgore are now putting together policies that will standardize management of the WLAN. The policies will be used to enforce which physicians and other caregivers receive connectivity to the WLAN and how they are to connect.

So far, said Kennedy, the steps St. Vincent's has taken to make 802.11b technology more secure have paid off. The hospital's WLAN has suffered no breaches. Now, said Kennedy, the WLAN will become the foundation of the final phase of St. Vincent's digital hospital initiative, which will include computerized physician order entry, allowing physicians to instantaneously review vital patient information and electronically place orders for care at any time from anyplace on campus.