WiFi – Why Not? How an ASC Can Guard Against WiFi Attacks
The introduction of Wi-Fi unchained computing devices from desks, providing the power of software and the internet in a portable format. Among many other scenarios, handheld tablets can be an integral part of patient care by leveraging electronic charting, and doctors in distant locations can examine symptoms and communicate with patients remotely.
If done correctly, Wi-Fi increases access to specialized knowledge and care. However, Wi-Fi creates new risks that any ASC would be wise to understand and mitigate where possible. Physical access is no longer required to snoop on an organization's network: Wi-Fi allows prying into a network from the parking lot (if the stories are to be believed, with a range-extending Pringles-can antenna).
We can summarize the risks by understanding the following terminology, listed from most likely to least likely:
- Packet Sniffing – Wi-Fi traffic can be captured by anyone within radio range, so your network can be snooped on from the physical perimeter of your office or from your waiting room.
- Rogue Access Point – Wi-Fi access points added to your network without permission (they can be plugged into an unprotected ethernet port).
- Jamming – Stops your Wi-Fi network from functioning; a denial-of-service (DoS) attack.
- Evil Twinning – Creates a Wi-Fi network to look like it belongs to your ASC in an attempt to get your employees to connect to it by mistake and expose sensitive information.
- Man-in-the-Middle (MITM) Wi-Fi Attacks – Can be used by Rogue APs/Evil twins to intercept traffic and steal information like credentials and security tokens that can then be used to steal and sell patient data.
- MAC Spoofing – Copying the network address of an authorized device and impersonating it.
- Warshipping – Most likely for larger organizations, a rogue AP is left inside your ASC, probing for weaknesses in your Wi-Fi network’s defenses.
- Wardriving – Malicious actors survey an area for unprotected Wi-Fi networks to attack indiscriminately.
- Initialization Vector (IV) Attack – Malicious actors capture the initialization vectors that older protocols such as WEP attach to each encrypted frame, use them to recover the encryption key, and then decrypt the data flowing in and out of the Wi-Fi access point.
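Several of the items above (rogue access points, evil twins, MAC spoofing) show up on the air as networks that do not match what the ASC actually installed. The following script is an added example, not code from the original post: it assumes the ASC keeps an inventory of its authorized access points (SSID, expected BSSIDs and protocol) and feeds the function whatever its Wi-Fi scanning tool reports. The inventory, the -50 dBm "probably inside the building" threshold and the scan records are all constructed for illustration.

```python
"""Flag evil twins, look-alike names and likely rogue access points in a
Wi-Fi scan.

Added example (not code from the original post). It assumes the ASC keeps
an inventory of its authorized access points (SSID -> expected BSSIDs and
protocol) and feeds this function whatever its scanning tool reports. The
inventory and scan records below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed inventory: what *our* radios should look like on the air.
AUTHORIZED_APS = {
    "ASC-Clinical": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "security": "WPA2"},
    "ASC-Guest": {"bssids": {"aa:bb:cc:00:00:11"}, "security": "WPA2"},
}

# Signal level above which an unknown AP is probably inside the building
# rather than next door (an assumption used for triage, not a hard rule).
INSIDE_SIGNAL_DBM = -50


@dataclass(frozen=True)
class SeenNetwork:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA3", "WPA2", "WPA", "WEP", "OPEN"
    signal_dbm: int


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'ASC_Clinical' matches 'ASC-Clinical'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify_scan(seen, authorized=AUTHORIZED_APS):
    """Return (finding, ssid, bssid) tuples in scan order."""
    findings = []
    lookalikes = {normalize(s) for s in authorized}
    for net in seen:
        bssid = net.bssid.lower()
        expected = authorized.get(net.ssid)
        if expected is not None:
            if bssid not in expected["bssids"]:
                # Our network name broadcast by a radio we do not own.
                findings.append(("EVIL_TWIN", net.ssid, bssid))
            elif net.security != expected["security"]:
                # Our BSSID with the wrong protocol: either a spoofed MAC
                # or someone changed the access point's settings.
                findings.append(("PROTOCOL_MISMATCH", net.ssid, bssid))
        elif normalize(net.ssid) in lookalikes:
            # Not our name, but close enough to fool a hurried employee.
            findings.append(("LOOKALIKE_SSID", net.ssid, bssid))
        elif net.signal_dbm > INSIDE_SIGNAL_DBM:
            # Strong signal from a name we do not recognise: walk the
            # building and find it (a rogue AP on a spare ethernet port?).
            findings.append(("STRONG_UNKNOWN_AP", net.ssid, bssid))
    return findings


# Constructed scan results, not a capture from a real site.
SAMPLE_SCAN = [
    SeenNetwork("ASC-Clinical", "AA:BB:CC:00:00:01", "WPA2", -48),   # ours, fine
    SeenNetwork("ASC-Clinical", "de:ad:be:ef:00:01", "WPA2", -40),   # evil twin
    SeenNetwork("ASC_Clinical", "de:ad:be:ef:00:02", "OPEN", -45),   # look-alike name
    SeenNetwork("ASC-Guest", "aa:bb:cc:00:00:11", "WEP", -52),       # our BSSID, wrong protocol
    SeenNetwork("CoffeeShop", "11:22:33:44:55:66", "WPA2", -75),     # distant neighbor, ignored
    SeenNetwork("Printer-Setup", "22:33:44:55:66:77", "OPEN", -38),  # strong unknown AP
]

if __name__ == "__main__":
    for finding, ssid, bssid in classify_scan(SAMPLE_SCAN):
        print(f"{finding:18} {ssid!r} {bssid}")
```

Running a scan like this on a schedule and diffing the findings against the previous run is a cheap way for a small site to notice a new "ASC-Clinical" radio it never installed; the signal threshold only prioritises what to walk the building for, it does not prove the device is inside.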
Rather than concerning ourselves with the technical details of how these attacks are performed, an ASC should focus on understanding the risk and then taking steps to secure its Wi-Fi network. In addition to providing patient care, protecting your patient data is a legal requirement. Simply put, as we have previously discussed, the costs of a patient data breach can be significant.
What steps can my ASC take to protect my Wi-Fi network?
Not all of these options are easy to implement or available on every Wi-Fi access point. When procuring a new device or configuring an existing one, ask the vendor about its security capabilities.
1. Use wired connections wherever possible (desktop/laptop computers, printers, patient monitors, etc.).
2. Have separate Wi-Fi networks for approved and unapproved devices (a guest network). Most modern Wi-Fi access points or routers have a guest network capability. It will have its own SSID and passphrase and isolate guest traffic both from the internal network and from other devices on the guest network.
3. Physically secure your Wi-Fi access points by locking them away so they are visible only to authorized staff, especially if step 5 (changing the default admin password) has not been performed.
4. Assume your Wi-Fi network is vulnerable and ensure all communication is encrypted. For example, train employees to connect to websites or services only over HTTPS.
5. Change the default admin password for all Wi-Fi access points and devices. These are frequently printed on the access point if it came from an ISP (Internet Service Provider) or are freely available online. Ensure the password is long (more than 16 characters), complex and random, containing a mixture of lower case, UPPER case, numbers, and symbols. Reputable password managers can help generate and securely store these passwords.
6. Change the default SSID (Wi-Fi network name). Broadcasting of this name can be disabled, so you are not telling the neighborhood the name of your network.
7. Enable only the strongest Wi-Fi protection protocols. WPA2 or WPA3 is much more secure than older protocols like WEP or WPA.
8. Use a long passphrase to authorize access to the internal network, and do not put the passphrase on post-it notes or print it on a wall for all to see.
9. For the internal Wi-Fi network, only allow approved devices to connect. Employees' personal smartphones are not generally approved for managing patient care; therefore, they should be restricted to the guest network or the cellular network. It only takes one malicious app (of which there are many in Google Play and the Apple App Store) to put your patient records at risk.
10. For larger ASC environments, consider additional security measures. Implementing these may require dedicated IT personnel or a Managed Service Provider (MSP).
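Most of the configuration steps above can be checked mechanically once the access point's settings are exported. The script below is an added example, not from the original post or any access-point vendor: because vendors expose settings differently, it models the handful of settings the checklist cares about as a plain dict. The factory-default name patterns, both sample configurations, and the 16-character minimum for the network passphrase (the post only says "long") are assumptions made for illustration.

```python
"""Audit an access point's settings against the Wi-Fi hardening checklist.

Added example, not from the original post or any access-point vendor.
The configuration is modelled as a plain dict with the fields the
checklist covers; the factory-default name patterns, both sample
configurations and the 16-character passphrase minimum are constructed
assumptions for illustration.
"""
import string

ACCEPTED_PROTOCOLS = {"WPA2", "WPA3", "WPA2/WPA3"}
# Constructed examples of SSID fragments that give away the vendor or ISP.
FACTORY_SSID_PATTERNS = ("linksys", "netgear", "dlink", "tp-link")
ADMIN_PASSWORD_MIN = 17   # "> 16 characters" in the checklist
PASSPHRASE_MIN = 16       # assumption: the checklist only says "long"


def is_strong_secret(secret: str, min_len: int) -> bool:
    """Long enough and mixing lower case, UPPER case, digits and symbols."""
    has_class = [
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(c in string.punctuation for c in secret),
    ]
    return len(secret) >= min_len and all(has_class)


def audit_ap(cfg: dict) -> list:
    """Return the checklist items the configuration fails, in checklist order."""
    failures = []
    # Step 2: a guest network that isolates guests from the internal LAN.
    if not cfg["guest_network"] or not cfg.get("guest_isolation", False):
        failures.append("no-isolated-guest-network")
    # Step 5: admin password changed from the factory value and strong.
    if (cfg["admin_password"] == cfg["factory_admin_password"]
            or not is_strong_secret(cfg["admin_password"], ADMIN_PASSWORD_MIN)):
        failures.append("weak-or-default-admin-password")
    # Step 6: SSID no longer the factory name or a vendor/ISP giveaway.
    ssid = cfg["ssid"].lower()
    if ssid == cfg["factory_ssid"].lower() or any(p in ssid for p in FACTORY_SSID_PATTERNS):
        failures.append("default-ssid")
    # Step 7: WPA2/WPA3 only.
    if cfg["security"] not in ACCEPTED_PROTOCOLS:
        failures.append("weak-protocol")
    # Step 8: long network passphrase.
    if len(cfg["passphrase"]) < PASSPHRASE_MIN:
        failures.append("short-passphrase")
    # Step 9: internal network restricted to approved devices. A MAC-based
    # allowlist is only a speed bump (see MAC spoofing above) but still
    # keeps casual personal phones off the clinical network.
    if not cfg.get("device_allowlist", False):
        failures.append("internal-clients-unrestricted")
    return failures


# Constructed configurations, not exported from a real device.
ISP_DEFAULT = {
    "ssid": "NETGEAR47", "factory_ssid": "NETGEAR47",
    "security": "WPA", "passphrase": "sunshine1",
    "admin_password": "password", "factory_admin_password": "password",
    "guest_network": False, "guest_isolation": False,
    "device_allowlist": False,
}
HARDENED = {
    "ssid": "ASC-Clinical", "factory_ssid": "NETGEAR47",
    "security": "WPA3", "passphrase": "correct-battery-staple-lantern-owl",
    "admin_password": "mT9#vQ2!pL7&zR4@wK1^", "factory_admin_password": "password",
    "guest_network": True, "guest_isolation": True,
    "device_allowlist": True,
}

if __name__ == "__main__":
    for name, cfg in (("ISP default", ISP_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {audit_ap(cfg) or 'passes all checks'}")
```

Steps 1, 3, 4 and 10 (cabling, physical security, HTTPS training, extra measures) are procedural and cannot be read out of a device's settings, which is why the audit stops at the items an access point's configuration can actually answer.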
Though not always convenient, the combination of these steps can help put the minds of ASC staff at ease, so they can concentrate on their primary mission, focusing on the patient.