How To Protect A Wireless Lan From A Rogue Access Point



Similar documents
Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

Ensuring HIPAA Compliance in Healthcare

Ensuring HIPAA Compliance in Healthcare

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

Deploying a Secure Wireless VoIP Solution in Healthcare

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Closing Wireless Loopholes for PCI Compliance and Security

How To Secure Wireless Networks

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Best Practices for Securing Your Enterprise Wireless Network

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Design Guide for Pervasive Wireless Networks

Best Practices for Outdoor Wireless Security

PCI Wireless Compliance with AirTight WIPS

WLAN Security Why Your Firewall, VPN, and IEEE i Aren t Enough to Protect Your Network

WHITE PAPER. Best Practices for Wireless Network Security and Sarbanes-Oxley Compliance

Industrial Communication. Securing Industrial Wireless

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

The following chart provides the breakdown of exam as to the weight of each section of the exam.

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Wi-Fi in Healthcare:

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Understanding WiFi Security Vulnerabilities and Solutions. Dr. Hemant Chaskar Director of Technology AirTight Networks

WHITE PAPER. Ensuring Compliance with DoD Wireless Policies

Chapter 2 Wireless Networking Basics

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

The next generation of knowledge and expertise Wireless Security Basics

HIPAA Compliance and Wireless Networks

Link Layer and Network Layer Security for Wireless Networks

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Potential Security Vulnerabilities of a Wireless Network. Implementation in a Military Healthcare Environment. Jason Meyer. East Carolina University

Security in Wireless Local Area Network

Developing Network Security Strategies

Top 10 Security Checklist for SOHO Wireless LANs

Chapter 2 Configuring Your Wireless Network and Security Settings

United States Trustee Program s Wireless LAN Security Checklist

Top 10 Security Checklist for SOHO Wireless LANs

WIRELESS NETWORK SECURITY

WIRELESS NETWORKING SECURITY

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

chap18.wireless Network Security

MUNICIPAL WIRELESS NETWORK

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

White Paper. Understanding the Layers of Wireless LAN Security & Management

Security Awareness. Wireless Network Security

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

CS 356 Lecture 29 Wireless Security. Spring 2013

Wireless Network Standard and Guidelines

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Technical Brief. Wireless Intrusion Protection

Wi-Fi Protected Access: Strong, standards-based, interoperable security for today s Wi-Fi networks Wi-Fi Alliance April 29, 2003

Wireless Intrusion Detection Systems (WIDS)

Network Security Best Practices

How To Secure A Wireless Network With A Wireless Device (Mb8000)

Wireless Technology Seminar

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Information Supplement: PCI DSS Wireless Guidelines

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Wi-Fi, Health Care, and HIPAA

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Payment Card Industry Self-Assessment Questionnaire

Wireless Security with Cyberoam

Deploying the ShoreTel IP Telephony Solution with a Meru Networks Wireless LAN

Wireless Security for Mobile Computers

Wi-Fi Client Device Security & HIPAA Compliance

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Running Head: WIRELESS NETWORKING FOR SMALL BUSINESSES. Wireless Networking for Small Businesses. Russell Morgan. East Carolina University

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Observer Analyzer Provides In-Depth Management

WHITE PAPER. Wireless Security: Ensuring Compliance with HIPAA, PCI, GLBA, SOX, DoD & Enterprise Policy

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Wi-Fi Client Device Security and Compliance with PCI DSS

Policy Title: HIPAA Access Control

PCI DSS 3.1 and the Impact on Wi-Fi Security

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

1.1 Demonstrate how to recognize, perform, and prevent the following types of attacks, and discuss their impact on the organization:

Transcription:

: Understanding Security to Ensure Compliance with HIPAA Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician s assistants and other caregivers, wireless LANs bring the ability to access the latest patient charts, medical records and clinical decision support data at all times, anywhere in the healthcare organization. And as caregivers travel among different facilities, wireless allows for easy connectivity at each site. Early adopters in healthcare recognized these benefits and deployed the first wireless LAN solutions in the late 1990 s. However, with wireless LANs comes a new security risk. Unlike wired networks where physical access is required, wireless LANs transmit signals into the air space, and can extend beyond the physical perimeter of rooms and buildings. The standards which wireless LANs are based on, IEEE 802.11, does not mandate over-the-air security and authentication of users. Unless specifically configured for security, most wireless LAN equipment is an open network, or able to be attached to by any wireless LAN client. This obviously could lead to serious security risks if unauthorized personnel were to gain access to the healthcare network. While security vulnerabilities endanger the integrity of any corporate network, the risks are magnified in healthcare due to HIPAA legislative requirements. HIPPA, or the Healthcare Information Portability and Accountability Act, is a law passed in 1996 by the US government that aims to simplify the processing and distribution of medical information, improve the portability of health insurance, give patients access to medical information and protect patient data that is stored, transmitted or accessed across networks. The HIPAA scope is large and many resources are available to help healthcare organizations with understanding its wide ranging implications. The applicable section for wireless LANs is Security and Electronic Signature Standards - Section 4. Technical Security Mechanisms to Guard Against Unauthorized Data that is Transmitted over a Communications Network. 1 Specifically, this section of the HIPAA guidelines requires: 1 The complete HIPAA standard can be found at http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf AP4-0805 1

HIPAA Standards Access Controls Audit Controls Integrity Person or Entity Authentication Transmission Security Sections a 1 b c 1 d e 1 Implementation Specifications = Required, = Addressable Unique User Identification Emergency Access Procedure Automatic Logoff Encryption and Decryption Mechanism to authenticate Electronic Protected Health Information Integrity Controls Encryption Recommendations for Wireless LAN Capabilities to Meet HIPAA Standards To meet HIPAA guidelines, the Meru Wireless LAN System delivers the following security features: WPA Encryption and Authentication WEP-based security has been proven to be easily cracked and therefore is insufficient to meet today s enterprise security requirements. It also doesn t provide for authentication between the client and the network. To solve this problem, the Wi-Fi Alliance created WPA, an industry standard for strong over-the-air encryption (TKIP) coupled with mutual authentication between the client and the network based on IEEE 802.1x. The Meru Wireless LAN System is Wi-Fi Alliance Certified TM for WPA. In addition, Meru also allows creation of Access Control Lists based on MAC addresses to provide an additional layer of security. Proven Interoperability with a WPA-compliant RADIUS Server RADIUS servers such as Cisco ACS, Funk Software Odyssey and Meetinghouse AEGIS provide the backend authorization capabilities for users trying to access the wireless network. RADIUS servers provide mutual authentication to defeat rogue servers. When used with EAP-PEAP or EAP-TTLS, a secure channel is established through which the end user s identify and password-based credentials are passed during authentication. This provides security against dictionary attacks while leveraging AP4-0805 2 AP4-0805 <2> Copyright 2005 Meru Networks

standard user name and password infrastructure. Authentication and dynamic per-session keys can be generated at any interval to encrypt the wireless connection, minimizing the weaknesses of WEP and protecting against man-in-the-middle or hijacking-session attacks. RADIUS servers also should support RADIUS Accounting which provides IT managers with an audit trail for network access. Information regarding the date, time and credentials is stored at log-in and log-out. Multiple unsuccessful log-in attempts may also be logged. The Meru Wireless LAN System is fully compatible with a wide range of popular RADIUS servers. Support for Multiple VLANs with Independent Security Settings Many different types of users may need to access the healthcare wireless LAN network. Doctors, nurses and other caregivers need access to patient records, charts and test results. Other staff such as dieticians and medical billing staff don t need access to sensitive patient data. Virtual LANS (VLANS) allow each authorized wireless LAN user to gain access to only the network resources they need to see. In addition, healthcare institutions often use barcode scanners for inventory, supply or patient tracking. These types of devices often do not support today s more advanced WPA security, but the less secure WEP encryption. They too can be segregated on a specific VLAN which only allows access to the specific database or application they are associated with. This, along with frequent encryption key changes and MAC address control lists, mitigates potential security risks. The Meru Wireless LAN System supports up to 64 independent VLANs (based on SSID) with different security settings per access point. Each SSID can be mapped to a specific VLAN port, providing enhanced security by restricting network resources based on user type and application. Addressing Security Management, Configuration and Incident Reporting Procedures Beyond protecting the wireless LAN itself against vulnerabilities by using WPA for strong encryption and authentication, the HIPAA standard also requires that certain administrative and procedural controls be in place to protect the security and integrity of the data. Because wireless has become so ubiquitous, new risks to the institution are inherent due to wireless client mis-association, ad hoc networks and mis-configured access points. In this area, the HIPAA standard requires that: HIPAA Standards Security Management Security Incident Procedures Sections 164.308(a) (1) 164.308 (a)(6) Implementation Specifications = Required, = Addressable Risk Analysis Risk Management Response and Reporting AP4-0805 3 AP4-0805 <3> Copyright 2005 Meru Networks

To address these issues, the Meru Wireless LAN System provides the following capabilities: Defense Against Rogue Access Points With the ready availability of inexpensive consumer-grade access points, a new threat has emerged to enterprise security. Employees with a desire to have wireless connectivity, may bring access points into the enterprise and plug them into the corporate network, without any security mechanism enabled. Once behind the firewall, anyone within range of the signal can connect and access the network or do malicious hacking. Proactive rogue access point detection ensures that the enterprise is protected from this threat. The Meru Wireless LAN System proactively searches out rogue access points. Through scanning of all 2.4 and 5 GHz channels, the Meru Wireless LAN System can identify unknown and non-authorized access points, alerting IT administrators. Clients attempting to associate with a rogue access point can be automatically blocked, preventing all access to the Enterprise network unless through an authorized access point. Notification of Configuration Changes Mis-configured access points can lead to unauthorized users accessing the network, or private healthcare information being broadcast in the open for others to eavesdrop. The Meru Wireless LAN System integrated with security partners like AirDefense provides the ability to constantly monitor the access points and ensure that all authorized access point security policies remain in place. If the access point configuration changes, immediate notification is provided to the IT administrator and all client connections to the mis-configured access point are prevented. Prevention of Additional Internal Security Violations Beyond rogue access points, the most common threat to the corporate network security is formation of ad hoc networks, or authorized wireless clients connecting to neighboring wired networks. In both cases, this can leave the healthcare institution open to security violations as confidential healthcare information may be accessed on the client device through these insecure and unauthorized connections. The Meru Wireless LAN System integrated with security partners like AirDefense continually monitors the airwaves throughout the enterprise for internal security violations such as these, and automatically prevents them before confidential information can be transmitted. Incident Reporting Procedures Malicious acts are also a possible occurrence in today s environment. Man-in-the-middle attacks, reconnaissance (i.e. use of NetStumbler) or denial of service attacks are all possible threats to the healthcare network. The Meru Wireless LAN System integrated with security partners like AirDefense immediately detects these threats and prevents them. In addition, all security violations whether malicious or not, are logged and reported to the IT administrator via email, pager or cell phone. Response to these events is also tracked to maintain an audit trail of the timeliness of the resolution. AP4-0805 4 AP4-0805 <4> Copyright 2005 Meru Networks

Summary The Meru Wireless LAN System provides a wide range of security options and controls to ensure healthcare institutions are HIPAA-compliant. A wireless LAN network can be implemented with confidence, allowing the institution to reap the enormous benefits of a converged voice and data wireless LAN. Access Controls (Section a1) Unique User Identification: Username and password through WPA-based IEEE 802.1x authentication. Can be supplemented with MAC Address Access Control Lists for additional control. Encryption and Decryption: TKIP. Dynamic re-keying via WPA-capable RADIUS server. Audit Controls (Section b) Via SNMP through WPA-compliant RADIUS server. Integrity (Section c1) TKIP implements a Message Integrity Check to ensure data has not been compromised. Person or Entity Authentication (Section d) Using WPA with 802.1x authentication, each user must enter a unique user name and password to gain access to the network. Transmission Security Integrity Controls: TKIP implements a Message Integrity Check to ensure data has not been compromised. Encryption: TKIP encryption. Dynamic re-keying via WPA-capable RADIUS server. Security Management (Section 164.308a1) Risk Analysis: Continuous monitoring of air waves for security violations including rogue access points, ad hoc stations, improper configurations, accidental associations. Provides a continuous review of security policy and vulnerability assessment of the wireless LAN. Risk Management: Implementation of a 24 x 7 wireless monitoring system mitigates potential risks due to wireless threats. Incident Reporting Procedures (Section 164.308a6) Immediate detection of intruders with alerts to security managers of type of event, time and event resolution. AP4-0805 5 AP4-0805 <5> Copyright 2005 Meru Networks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information