A couple of weeks ago, my nephew had a seizure. He's ok. We did all of the right things and got him the help that he needed. He eventually ended up at a local emergency room. While I was there waiting on the test results to get back, I started to take note of the technology the hospital was using. The biggest observation that I made is that they use Electronic Medical Records (EMR) -- no paper charts. Each observation room had its own computer and there were wireless mobile stations a few feet down the hall. So that led me to ask, "How compliant are they with HIPAA Standards in this wireless environment?"
Yesterday, I was at a local grocery store. I only picked up a handful of items, so I decided to use the self-checkout aisle. Unfortunately, my terminal froze on one of the items I was trying to buy. I politely put my hand up to get the attention of the attendant, thinking that she was going to come over and do something to my terminal to get me going again. She didn't come to me. What she did instead was pull out the stylus on her hand-held wireless computer, make a few taps and voilà... I was up and running again. So that led me to ask, "How compliant are they with PCI Standards in this wireless environment?"
Now, in two different scenarios, I've asked two questions. Both are the same question and focus on a single technology: wireless networks. The only difference is that I inserted a different standard. One primarily focuses on protecting Electronic Personal Health Information -- HIPAA -- and the other primarily focuses on protecting credit card information -- PCI. The installation of a wireless network introduces a new set of issues that have to be addressed in order to be compliant with these standards.
What are some of these issues?
There is no physical medium by which your data is passed. With the data traveling through the air, how do you contain access to it?
Not all of the traditional means of securing a wired network work on a wireless network.
Attackers can reach a wireless network without going through an Internet connection or firewall, and they can remain anonymous while doing so.
So what are "some" security measures that could be put in place to address these issues and have a secure wireless network?
Make sure your data is encrypted if you handle sensitive information, and/or that your wireless connection is encrypted. Even if someone is observing your signal, they won't be able to understand what they're viewing.
Make sure there is a method in place to authenticate each user as well as a method to authenticate the wireless network you're using. This is called mutual authentication.
Use a Virtual Private Network or a VPN whenever possible. If you have a wireless network connected to your wired network, you should be using a VPN.
Implement a Location-Based Wireless Security System. A Location-Based Wireless LAN security system gives you the ability to precisely determine the physical location of all wireless devices in and around your RF environment. It continuously monitors your environment 24/7 and applies security protection mechanisms in real time to address issues such as policy violations, rogue devices, vulnerabilities and threats.
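As an added example in the spirit of the fourth measure (this is not code from the original post), the check below compares observed access points against an inventory of authorized BSSIDs and flags evil twins, unknown devices that appear to be inside the facility, and encryption-policy violations on managed APs. The BSSIDs, SSIDs, scan records and the -50 dBm "inside the building" threshold are all constructed, assumed values.

```python
"""Flag rogue access points and policy violations in Wi-Fi scan results."""
from dataclasses import dataclass

# Constructed inventory: authorized BSSID -> SSID it is supposed to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CLINIC-STAFF",
    "00:11:22:33:44:02": "CLINIC-STAFF",
    "00:11:22:33:44:03": "CLINIC-GUEST",
}
# SSIDs the organization owns; any other BSSID using them is an evil twin.
MANAGED_SSIDS = {"CLINIC-STAFF", "CLINIC-GUEST"}
# Security modes that meet policy for a network carrying regulated data
# (mutual authentication via 802.1X/EAP, not a shared key).
ACCEPTABLE_SECURITY = {"WPA2-EAP", "WPA3-EAP"}
# Assumed threshold: a signal stronger than this is probably inside the building.
INSIDE_RSSI_DBM = -50


@dataclass
class Observation:
    bssid: str
    ssid: str
    security: str  # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-EAP"
    rssi: int      # received signal strength in dBm


def classify(obs):
    """Return the findings for one observed beacon; an empty list means compliant."""
    findings = []
    bssid = obs.bssid.lower()          # normalize so inventory lookups are case-insensitive
    if bssid in AUTHORIZED:
        if AUTHORIZED[bssid] != obs.ssid:
            findings.append("managed AP advertising unexpected SSID")
        if obs.security not in ACCEPTABLE_SECURITY:
            findings.append(f"policy violation: {obs.security} on managed AP")
    elif obs.ssid in MANAGED_SSIDS:
        findings.append("evil twin: unknown BSSID using a managed SSID")
    elif obs.rssi > INSIDE_RSSI_DBM:
        findings.append("possible rogue AP: strong unknown signal inside facility")
    return findings                    # weak unknown signals are treated as neighbors


def scan_report(observations):
    """Map each non-compliant BSSID (lower-cased) to its findings."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report[obs.bssid.lower()] = findings
    return report


# Constructed scan results standing in for one sweep of a location-based sensor.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CLINIC-STAFF", "WPA2-EAP", -45),
    Observation("00:11:22:33:44:02", "CLINIC-STAFF", "WPA2-PSK", -50),
    Observation("DE:AD:BE:EF:00:01", "CLINIC-STAFF", "OPEN", -40),
    Observation("de:ad:be:ef:00:02", "CoffeeShop", "WPA2-PSK", -85),
    Observation("de:ad:be:ef:00:03", "Linksys", "OPEN", -38),
]

if __name__ == "__main__":
    for bssid, findings in scan_report(SAMPLE_SCAN).items():
        print(bssid, findings)
```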
Wireless networks are here to stay and should have at least the four security measures mentioned above in place. Wireless networks offer mobility, convenience and a constant connection to the network, and they are something that every business (even those with a "No Wi-Fi Policy") is going to have to address, especially those that are subject to standards like HIPAA, PCI, SOX, DOD Directive 8100.2 and GLBA, just to name a few.