Paper Florencio Cano - Patient data security in a wireless and mobile world


Page 1: Paper Florencio Cano - Patient data security in a wireless and mobile world

Patient data security in the wireless and mobile world

Florencio Cano Gabarda, Pilar González de Prados SEINHE

[email protected] [email protected]

Abstract— The arrival and explosive growth in the use of mobile devices (smartphones, tablets) and wireless networks imply a new security paradigm for networks, with many new threats.

I. INTRODUCTION

Patients and their families, doctors, nurses and all the people in a hospital now want access to the Internet or need access to the hospital information systems over the local network.

Health personnel can do their work better by using these new technologies, but the security implemented in recent years is usually not enough to allow their use in a critical environment where personal and health data (patient data) is processed and stored. Data is not the only critical asset. Multiple medical devices are now controlled and accessed over the network, and their security is now critical in order not to jeopardize patient safety. This is not going to stop here: the trend is towards increasing interconnection between medical devices and networks, so security is going to be a hot topic in the coming years.

Now that "bring your own device" (BYOD) policies are established de facto in hospitals, security controls should be reviewed and the security plan adapted. According to [1], by 2015 there will be almost 15 billion network-connected devices, including smartphones, notebooks, tablets and other smart machines, more than two for every person on the planet.

In this paper we review, from a bird's eye view, the classic controls that used to be mandatory in a wired environment, applying the old concepts to the new wireless and mobile environment: perimeter security, network segmentation, traffic isolation, network equipment security, access controls and wireless security. With a proper design that takes security into account, the risks associated with these technologies can be drastically reduced.

We are going to see how these controls cover the Spanish personal data privacy law (LOPD) and what other controls would be needed.

II. PERIMETER SECURITY

What is the perimeter? The network perimeter is the fortified boundary of the network, including border routers, firewalls, intrusion detection systems, software front ends, virtual private network devices and demilitarized zones. The perimeter was made up of the most important assets to be protected, because they used to be the gate to sensitive information.

Mobile computing started with the use of notebooks and personal digital assistants. Today, smartphones and tablet personal computers flood the market.

IDC expects, as we can see in [2], that vendors will ship a total of 472 million smartphones and 62.5 million tablets in 2011.

Mobile devices represent a new set of threats for which networks and personnel are neither trained nor prepared.

Fig. 1 Mobile device threats

For example, poorly managed mobile devices loaded with sensitive information, such as confidential emails or patient data, can fall into the wrong hands.

The loss of highly sensitive information and the potential associated media scandal is a huge problem in itself, but the impact might be greater because failing to protect personal data can be construed as a violation of the Spanish personal data privacy law, the LOPD.

Desktop systems, servers and devices inside the perimeter are covered by network-level security controls such as antimalware systems and firewalls, but mobile systems must protect themselves. Additionally, administrators should implement controls to protect the network and other systems from infection by these uncontrolled mobile devices.

Perimeter security is very important, but in healthcare environments, where lots of different people need access to the network, internal security is critical.

III. RISK ASSESSMENT

The first step in identifying proper, efficient security measures to implement in a healthcare environment should be to perform a risk assessment.

A risk assessment allows the organization to identify, in an objective and repeatable way, the most critical risks to the organization's information assets.


There are many different risk assessment methodologies and approaches. One that is widely used in Spain is called Magerit; it is widely used because its use is recommended in public administrations [3].

With this methodology, the information assets that are important to the organization are identified first. Then it is evaluated how important each asset is and how much confidentiality, integrity and availability it requires.

Then, the threats to each asset are identified and the probability that each threat materializes against the asset is evaluated.

The next step is to identify vulnerabilities in each asset that can be exploited by an identified threat to impact the asset.

With all these values a risk level is calculated that allows the organization to sort the risks by criticality and implement the most important security measures first.

The methodology can be much more complex, but the important point is that, in order to choose the right security measures, it is important to have a plan based on a prior analysis of the risks.
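The following is an added example, not code from the paper or from the Magerit methodology itself: a minimal risk ranking that carries the steps just described (asset valuation per dimension, threats with a probability, degradation when a vulnerability lets a threat materialize, and sorting by risk) through on constructed data. The asset names, threats and numbers are assumptions chosen for illustration.

```python
"""Added example (not from the paper): a minimal Magerit-style risk ranking.

It follows the steps the paper lists: value each asset per security
dimension, attach threats with a probability, estimate the degradation a
threat causes when a vulnerability lets it materialize, and sort the
resulting risks so the most critical ones are treated first.
Asset names, threats and numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

DIMENSIONS = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass
class Asset:
    name: str
    value: Dict[str, int]  # dimension -> importance, 0..10


@dataclass
class Threat:
    name: str
    probability: float             # estimated likelihood per year, 0..1
    degradation: Dict[str, float]  # dimension -> fraction of value lost, 0..1


@dataclass
class Finding:
    asset: str
    threat: str
    impact: float
    risk: float


def impact(asset: Asset, threat: Threat) -> float:
    # Impact is the worst loss across dimensions: asset value x degradation.
    return max(asset.value.get(d, 0) * threat.degradation.get(d, 0.0) for d in DIMENSIONS)


def risk(asset: Asset, threat: Threat) -> float:
    # Risk = impact x probability, the quantity used to order the findings.
    return impact(asset, threat) * threat.probability


def rank_risks(assets: List[Asset], exposure: Dict[str, List[Threat]]) -> List[Finding]:
    """exposure maps an asset name to the threats it is vulnerable to
    (the vulnerability identification step has already been done)."""
    findings = [
        Finding(a.name, t.name, impact(a, t), risk(a, t))
        for a in assets
        for t in exposure.get(a.name, [])
    ]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed sample data for a small hospital network.
PATIENT_DB = Asset("patient_records_db", {"C": 10, "I": 9, "A": 8})
INFUSION_PUMP = Asset("infusion_pump_controller", {"C": 3, "I": 10, "A": 10})
GUEST_PORTAL = Asset("guest_wifi_portal", {"C": 2, "I": 3, "A": 4})

LOST_DEVICE = Threat("lost mobile device with cached records", 0.5, {"C": 0.6})
BYOD_MALWARE = Threat("malware spreading from a BYOD device", 0.3, {"I": 0.5, "A": 0.7})
WIFI_SNIFFING = Threat("sniffing of clear-text wireless traffic", 0.2, {"C": 0.8})

EXPOSURE = {
    "patient_records_db": [LOST_DEVICE, BYOD_MALWARE, WIFI_SNIFFING],
    "infusion_pump_controller": [BYOD_MALWARE],
    "guest_wifi_portal": [WIFI_SNIFFING],
}


def sample_ranking() -> List[Finding]:
    return rank_risks([PATIENT_DB, INFUSION_PUMP, GUEST_PORTAL], EXPOSURE)


if __name__ == "__main__":
    for f in sample_ranking():
        print(f"{f.risk:5.2f}  impact={f.impact:4.1f}  {f.asset:26s} {f.threat}")
```

With these constructed values the lost-device threat against the patient database ranks first, and the malware threat against the infusion pump controller second, even though the latter has a lower probability: its availability impact on a life-critical device dominates. This is the property the paper wants from the assessment, that measures are chosen by risk rather than by intuition.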

IV. SECURITY MEASURES

Today's healthcare organizations, which share the characteristics of holding sensitive data such as patient information and having lots of mobile devices connected to their networks, should implement what is usually called defense in depth [4]. Defense in depth is the approach to security that holds that multiple layers of security should be implemented in case one layer fails.

Security in wireless environments with mobile devices that need to connect to them should be implemented basically at three levels:

- Security policies
- End-point security measures
- Network security measures

Security in these three levels is reviewed in this paper.

V. SECURITY POLICIES

If the company has not decided what should be protected, it is impossible to implement security measures that allow the organization to work as expected.

First of all, the organization should define who needs to access which information systems, when, how and why. This information is also expected to be documented in the security document required by the Spanish personal data privacy law (LOPD).

After this definition, the security measures needed should be much clearer.

Regarding mobile devices, we can differentiate between these kinds of devices:

- Corporate devices: These are the devices assigned to organization personnel. From these devices, internal personnel should have access to almost all the information systems. Authentication and authorization should be required before one of these devices is allowed to connect to the network. It is important to implement continuous monitoring of the connected devices after authentication, because they can be attacked or infected afterwards.
- Personal devices: The organization can ban the use of personal devices, but this policy seems a very old and unrealistic approach to security in this mobile world. Another option is to allow these devices to connect to a limited-access network from which they have access to the Internet and non-critical resources.
- All other devices: Many visitors will try to connect their devices to the network, wirelessly or not. Each organization should decide whether it is going to allow a limited-access connection or refuse the connection completely.

The security measures applied to mobile devices shouldn't be chosen only depending on the user. It is possible to establish policies based on some security attributes verified on the device before allowing access to the network. This is called network access control.

VI. END-POINT SECURITY MEASURES

Almost everybody likes iGadgets and Droids. However, the control that system and network administrators used to have over the systems connected to the network has disappeared.

In systems and devices owned by the organization, security can be enforced according to the company security policies: for example, vulnerability updates, antivirus, security measures against mobile code, etc. However, the organization usually has no control over mobile devices owned by users.

Network Access Control (NAC) solutions have two main objectives:

1. Allow access to devices classified as trusted.
2. Identify malicious actions performed by any mobile device and segregate it from the network.

The second point is very important but sometimes ignored.

Any mobile device could be compromised after authentication. We should implement security measures to monitor all the interactions of the mobile device with the network. The connection of any device depends on the evaluation of a series of security attributes that are continuously evaluated on each mobile device. This is called risk-based authentication.

NAC solutions use two strategies when determining what to do with a malicious device: scan/block and scan/quarantine.

The scan/block approach dictates that when a device is classified as high risk the connection is cut. The user is usually informed about the connection termination and about what he or she should do to recover access rights.

The scan/quarantine approach allows high-risk devices to connect to the Internet or to some local resources in order to fix the security problems on the device, but access to critical resources is not allowed until these corrections are implemented.

VII. NETWORK SECURITY MEASURES

When business requirements dictate that unknown users using unknown devices should be able to connect to our internal network, the risks to information security are very significant and real, and security measures must be applied.

A. WIRELESS SECURITY

Thanks to smartphones, tablets and all the mobile devices, doctors and medical personnel can have ubiquitous access to patient data and to the patients themselves. Wireless networking allows devices to be nearer to the point of care than old devices with wired connections.

VII.A.1 CLASSIFICATION

- Wireless Wide Area Networks (WWAN): Allow the connection of mobile devices to the Internet. The best-known WWAN technology is called 3G and is used mainly by smartphones and tablets.
- Wireless Metropolitan Area Networks (WMAN): They cover an area larger than a WLAN and have similar characteristics.
- Wireless Local Area Networks (WLAN): They have similar characteristics to local area networks, but they allow mobile devices to connect to them without wires.
- Personal Area Networks (PAN): Allow devices such as keyboards and printers to connect to the systems without wires.

Fig. 2 Wireless technologies classification

This is one classification, but there exist many different classifications depending on different attributes of wireless technologies. In this paper we focus on WLANs because they are the networks most widely used in local environments such as hospitals.

VII.A.2 WLAN SECURITY VULNERABILITIES

WLAN technologies share almost all the vulnerabilities of LAN networks. Additionally, WLAN technologies have their own set of threats. These threats are usually related to the fact that wireless information travels through the air, where it is difficult to control. Any malicious attacker with enough power can try to connect to a WLAN, sniff the connection or interrupt it.

Wireless technologies have been the target of legitimate researchers and of crackers trying to access sensitive information in protected WLANs.

For example, in September 2002, a group of users started a movement to gather as much information as possible about open WLANs in Europe and America. They posted the coordinates of these networks on a public website after the research.

Security research on these technologies has favored the appearance of tools that allow some of the security measures implemented in common WLAN protocols to be bypassed.

For example, there are tools for the identification of access points (Netstumbler, Wellenreiter, THC-RUT), tools to capture network identifiers and MAC addresses (Kismet), tools to capture data traffic (Ethereal) and tools to recover the security password regardless of its complexity (WEPCrack, AirSnort).

VII.A.3 WLAN SECURITY MEASURES

First of all, it is necessary to protect the information on the wireless network with an appropriate encryption algorithm. WEP can be cracked in less than 30 minutes regardless of the complexity of the password. We can use WPA2, against which nowadays the only viable attack is a brute-force attack.

Default passwords are a recurring vulnerability that attackers will try to exploit. Change the default passwords of all the organization's network devices (routers and Wi-Fi connections) and make them a combination of digits, letters and symbols. If there is a business need for access without a password or with an easy one, remember to restrict this network and segregate it from the critical assets.

Change the default SSID (Service Set Identifier) when possible. This string identifies the organization's wireless networks. Knowing the SSID is not a critical vulnerability, but it is useful information for attackers.

You can also hide the SSID of the networks directly. Wireless routers can be configured to stop publicly broadcasting their SSIDs; only users who know the SSID can then try to connect to the network. If your organization does not need the SSID to be announced, configure your access points this way.

B. NETWORK SEGMENTATION

The most powerful security control that can be implemented to protect patient data is a good network design based on segmentation. By segregating networks with different access permissions, we limit users to accessing only the systems and data they are allowed to.


Segmentation is an IT strategic decision that should be considered properly after a risk assessment and after the definition of security policies. We have to identify who needs access to what information, why and from where. This information will guide the network engineer in designing a network that enforces security.

Too much segmentation reduces network efficiency, but too little segmentation is negligent.

In healthcare environments, like a hospital, we have critical medical devices that should have, if possible, their own network, physically separated from the rest. If that is not possible, we should use the appropriate technology to implement the segregation, using firewalls, VLANs, VPNs, etc.

The use of mobile devices mandates separating the network into at least these three segments:

- Corporate network: For users that have been authenticated and whose devices comply with the organization's security policy for mobile devices.
- Non-complying authenticated users: Users that have been authenticated in the network but whose devices do not comply with the organization's security policy. This segment could have access to local resources that allow the user to solve the problems with their device.
- Guest access: Segment for visitors that only have access to the Internet, not to local resources.
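As an added example (not code from the paper or from any NAC product), the following decision logic ties together the NAC behaviour of section VI (scan/block versus scan/quarantine, continuous re-evaluation after authentication) and the three segments just listed. The posture attributes, the anomaly score produced by monitoring and the high-risk threshold are constructed assumptions; a real NAC solution exposes its own attribute set.

```python
"""Added example (not from the paper): a NAC decision that places a
mobile device in one of the three segments the paper describes and
re-evaluates that placement continuously. The posture attributes, the
anomaly score and the threshold are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Segment(Enum):
    CORPORATE = "corporate"  # authenticated user, device complies with the policy
    LIMITED = "limited"      # authenticated user, non-compliant device: remediation only
    GUEST = "guest"          # not authenticated: Internet only
    BLOCKED = "blocked"      # scan/block strategy: connection cut


@dataclass
class Posture:
    device_id: str
    authenticated: bool
    os_patched: bool
    antivirus_running: bool
    storage_encrypted: bool
    anomaly_score: int = 0  # 0..100, produced by monitoring after admission


HIGH_RISK_SCORE = 70  # assumed threshold for classifying a device as high risk


def complies(p: Posture) -> bool:
    # Minimal compliance check against an assumed mobile device policy.
    return p.os_patched and p.antivirus_running and p.storage_encrypted


def decide(p: Posture, strategy: str = "quarantine") -> Segment:
    """strategy is one of the two NAC strategies the paper names:
    'block' (scan/block) or 'quarantine' (scan/quarantine)."""
    if strategy not in ("block", "quarantine"):
        raise ValueError("unknown strategy")
    if not p.authenticated:
        return Segment.GUEST
    if p.anomaly_score >= HIGH_RISK_SCORE:
        # Compromised after authentication: cut it off or confine it to remediation.
        return Segment.BLOCKED if strategy == "block" else Segment.LIMITED
    return Segment.CORPORATE if complies(p) else Segment.LIMITED


def reevaluate(snapshots: List[Posture], strategy: str = "quarantine") -> List[Segment]:
    """Continuous monitoring: the placement is recomputed for every
    posture snapshot, so a device admitted earlier is moved out as soon
    as its attributes or its behaviour change."""
    return [decide(s, strategy) for s in snapshots]


# Constructed snapshots of one tablet over time.
TABLET_TIMELINE = [
    Posture("tablet-42", True, True, True, True, anomaly_score=5),    # admitted
    Posture("tablet-42", True, True, True, True, anomaly_score=20),   # still fine
    Posture("tablet-42", True, True, False, True, anomaly_score=20),  # antivirus stopped
    Posture("tablet-42", True, True, False, True, anomaly_score=85),  # now behaving badly
]

if __name__ == "__main__":
    for snap, seg in zip(TABLET_TIMELINE, reevaluate(TABLET_TIMELINE)):
        print(snap.anomaly_score, complies(snap), seg.value)
```

The point the paper makes about the second NAC objective is visible in the timeline: the device is admitted to the corporate segment, then demoted when its antivirus stops, and finally quarantined (or, under the scan/block strategy, cut off) when monitoring flags it, without any new authentication event.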

VII.B.1 VIRTUAL LOCAL AREA NETWORKS

A VLAN (virtual local area network) is composed of a group of devices (servers, PCs, etc.) that behave as if they were in the same broadcast domain regardless of their physical location.

A VLAN has the same properties as a LAN but allows you to group network devices even if they are not connected to the same switch.

As a downside, two VLANs on the same wiring have to share bandwidth. Two VLANs of one gigabit each, sharing a one-gigabit connection, can see their performance diminished and can become congested.

As VLAN technology is the main way to segregate networks, it is explained in depth in this paper.

VII.B.1.1 SECURITY

Mixing traffic from different work groups involves new threats to information security. Therefore, always try to separate the different groups. Classically, this separation has been carried out physically:

Fig. 3 Physical separation of subnetworks

However, separating devices physically means more network infrastructure, and it is not always possible. You can get the same effect by creating a VLAN.

A VLAN separates devices according to their MAC address at layer 2 of the OSI model. This produces the same effect as separating devices physically; however, the switch is responsible for the separation.

Fig. 4 VLAN network segregation


It is therefore good practice to separate different types of traffic on different VLANs, for example real-time data traffic, video surveillance, VoIP traffic, SCADA, etc.

VII.B.1.2 VLAN TECHNOLOGIES

VLAN technology is defined in the 1998 IEEE 802.1Q standard. At the protocol level, 4 bytes are added at the end of the Ethernet header to use VLANs.

Fig. 5 VLAN header

These 4 bytes contain three bits to assign the priority of the frame and 12 bits to specify the ID of the VLAN. Quality of Service (QoS), as defined in the IEEE 802.1p standard, uses these three bits to implement 8 different traffic priorities. Typically, the highest priority is used for security and routing information.

VII.B.1.3 CONFIGURING A VLAN

To configure a VLAN, the switch ports that support VLANs should be configured as edge ports or trunk ports. Edge ports are used to connect endpoint devices that belong to a specific VLAN. The trunk ports of each switch are interconnected, forming a sort of backbone where all the VLAN traffic managed by these switches goes.

When a switch receives an Ethernet packet through an edge port, if the packet has a tag (it already belongs to a VLAN), the packet is discarded. If the packet has no tag, the switch tags it with the ID of the VLAN of that port. Packets are not tagged at the endpoint devices; the switches tag packets according to the port through which they arrive.

Depending on the manufacturer, you can implement other VLAN-related features, for example filters on ports.

VII.B.1.4 SECURITY THREATS IN VLANS

Although VLANs are used as a security measure, the protocol was not designed with security in mind. VLAN hopping is a term that groups a set of methods used to send traffic to a VLAN port that normally should not accept such traffic.

In addition, an attacker can bypass the segregation of VLANs if he or she knows the MAC address of the device to which they want to send traffic. The target machine's MAC address is introduced through a static entry in the ARP cache of the attacker's device. This would allow the intruder to communicate directly with the device even though they are in separate VLANs.

Another VLAN hopping method is connecting a device to a trunk port of a switch and sending forged traffic with the VLAN ID of a VLAN that should not be accessible to that device. Traffic that goes through a trunk port does not have its VLAN tags altered and therefore has potential access to all VLANs. To avoid this attack, trunking should be disabled on all ports that will not use or need it.

In general, VLAN technology provides adequate separation when the physical environment is trustworthy. If the environment is not trustworthy, we can make use of other technologies, such as virtual private networks.

VII.B.2 FIREWALLS

Firewalls are network devices that enforce access control over data traffic between different networks. In other words, firewalls enforce the segregation of networks, separating traffic with different risks.

Firewalls allow implementing separation rules depending on different attributes of the traffic, such as source, destination, etc.

It is necessary to deploy a firewall between networks with different security requirements.

The most important policy to implement when using firewalls is to deny all traffic that is not explicitly allowed.
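The following added example (not code from the paper or from any firewall product) shows the default-deny policy between the segments described in the segmentation section: a first-match rule evaluator where anything not explicitly allowed is denied, and where the order of rules matters. Segment address ranges, hosts and services are constructed assumptions.

```python
"""Added example (not from the paper): a first-match rule evaluator with
the default-deny policy the paper recommends, applied between the network
segments it describes. Segment address ranges, services and hosts are
constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # the default-deny policy


# Constructed segments: the three the paper asks for, plus the physically
# separated medical device network and a server network.
CORPORATE = "10.10.0.0/16"
LIMITED = "10.20.0.0/16"
GUEST = "10.30.0.0/16"
MEDICAL = "10.40.0.0/16"
EHR_FRONTEND = "10.50.0.10/32"   # patient record web front end (assumed host)
UPDATE_SERVER = "10.50.0.20/32"  # remediation / update server (assumed host)
INTERNAL = "10.0.0.0/8"

RULES = [
    Rule("allow", CORPORATE, EHR_FRONTEND, "tcp", 443),  # corporate -> EHR over HTTPS
    Rule("allow", LIMITED, UPDATE_SERVER, "tcp", 443),   # non-compliant devices -> remediation only
    Rule("deny", GUEST, INTERNAL),                       # guests never reach internal ranges...
    Rule("allow", GUEST, "0.0.0.0/0"),                   # ...but do get the Internet
    # Nothing mentions MEDICAL as a destination, so only the default deny applies to it.
]

if __name__ == "__main__":
    for pkt in (Packet("10.10.1.5", "10.50.0.10", "tcp", 443),
                Packet("10.10.1.5", "10.40.0.7", "tcp", 502),
                Packet("10.30.9.9", "10.50.0.10", "tcp", 443),
                Packet("10.30.9.9", "203.0.113.5", "tcp", 443)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Note that the guest deny rule must precede the guest allow-anything rule; swapping the two would let guests reach internal hosts, which is why the test below checks both orders. The medical device network needs no rule at all to be protected: the absence of an allow rule is the protection.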

C. VIRTUAL PRIVATE NETWORKS

Virtual private networks add one more level of security to our corporate environment. A large percentage of common protocols send information in clear text, which means that anyone connected to the network with the proper knowledge can see all the data being communicated. Encrypting data over the network prevents attackers from tapping the network and sniffing the data, and helps healthcare organizations comply with strict privacy laws.

If the organization is going to use public networks to transfer patient data or any other personal data, it is required to encrypt this data. VPNs are a good solution to accomplish this.

D. DATA LOSS PREVENTION

Can data loss prevention technologies help our organization protect sensitive data from mobile devices? Sure. An authenticated device can download sensitive information from the internal network. It is important to control this transfer of data by monitoring it when possible.


Data loss prevention (DLP) technologies allow network administrators to monitor the transfer, storage and use of defined types of data, such as patient data. Data can be shown on the screen, printed, stored on USB storage devices, sent by email or moved in many other ways. DLP allows the identification of communications in which some data pattern appears. For example, DLP can alert a system administrator when an email from an internal system is sent to an external system with more than 10 national ID numbers attached.

DLP technology can identify any type of data pattern that we define, so we can monitor our sensitive data.

Organization data exists in these three different states:

- Data at rest: Data stored in storage space, such as files in the filesystem, databases or any other storage center.
- Data at the endpoint: Data that resides in network endpoints such as USB devices, external drives, laptops, smartphones, archived tapes or any other highly mobile storage device.
- Data in motion: Data being transferred from the internal network to the Internet, for example by email, P2P, instant messaging or any other kind of communication.

If we want to apply data loss prevention to mobile devices, we have to look at security at the endpoint. The main security measures we find for endpoint security when the endpoints are mobile devices like smartphones and tablets are:

- Encrypted sandbox where all organization data is stored
- Antivirus
- Remote deletion
- GPS localization

E. INTRUSION DETECTION

Intrusion detection functionality is embedded in NAC solutions, as it is necessary to detect malicious activity from already authenticated devices in order to ban them from the network. We are not implementing a good security solution if we only set security measures at the perimeter and not inside the network, after authentication.

F. HONEYPOTS

A honeypot makes identifying malicious activity very simple. Any traffic that reaches a honeypot and tries to interact with it is malicious, because honeypots are systems that are not deployed to be used by legitimate users. They are decoy systems, usually with weak security measures to draw the attention of potential attackers.

Deploying a honeypot in the corporate network segment allows discovering malicious devices that have gotten past authentication.

VIII. DATA PRIVACY LAWS

In Spain, the Organic Law on Personal Data Protection mandates protecting personal data with strict security measures. The use of wireless technology and "bring your own device" policies may violate some of these controls if security measures are not implemented properly.

Patient data is defined as high-level data, and this law requires the strictest measures for this kind of data.

Article 91 of Royal Decree 1720/2007, which develops the LOPD law, establishes that users should only have access to the information they are allowed to access. This requirement enforces the segregation of networks we have discussed in this paper.

Another requirement, in article 92, says: "The extraction of media and documents containing personal data, including those covered and/or attached to an e-mail, outside of the premises under the control of the organization must be authorized by the organization explicitly or they should be duly authorized in the security document". This requirement calls for the use of data loss prevention mechanisms in networks where mobile devices are connected, in order to discover this transfer of data outside the organization.

This article also says: "When the documentation is moved from one location to another, the organization shall take the necessary security measures to prevent theft, loss or unauthorized access to information during transport". Encryption mechanisms and tools are needed to prevent access to patient data if any device that stores it is stolen. As described previously, endpoint security solutions implement controls such as remote deletion and GPS localization that could be used after an incident of this type.

Article 93 says: "The organization is responsible for establishing a mechanism for uniquely identifying any user who tries to access the information system and it is responsible for the verification that he/she is authorized". Any device or system that does not require a unique username and password to access patient data is not allowed by this law. NAC systems should verify this point when allowing mobile devices to connect to the network or to resources that store personally identifiable information.

Article 93 also says that "When the authentication mechanism is based on the existence of passwords there should exist a procedure for the allocation, distribution and storage to ensure their confidentiality and integrity". How can the organization ensure the confidentiality and integrity of passwords when using mobile devices not owned by the company? Each user needs to be authenticated on the network using a username and a password, independently of the mobile device they are using.

These are some LOPD requirements that, if not implemented, may mean high fines for offenders. Any new technology that affects personally identifiable information, and patient data especially, should be planned with care and with the existing legislation in mind.


IX. CONCLUSIONS

We have reviewed many security measures that can be implemented to protect critical assets, such as patient data, in a healthcare environment.

First of all, as required by the Spanish personal data privacy law (LOPD), the organization has to define roles for personnel to access patient data: who can access what data, how and why.

The key to choosing the most efficient and effective measures is to perform a risk assessment that will show us which are the most important risks to be controlled.

Then it is important to elaborate a corporate mobile policy that defines how the organization and its personnel should act when accessing organizational information.

Based on the risk assessment and on the study of the business needs, engineers should choose the controls to be implemented.

This way, the new threats that healthcare organizations face due to this new mobile world will be controlled.

X. REFERENCES

[1] Cisco Systems' annual Visual Networking Index Forecast
[2] http://www.idc.com/getdoc.jsp?containerId=prUS22871611
[3] http://administracionelectronica.gob.es/?_nfpb=true&_pageLabel=PAE_PG_CTT_General&langPae=es&iniciativa=184
[4] http://www.informationweek.com/whitepaper/Business_and_Careers/wp901652?articleID=901652

Further reading:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
http://mobileenterprise.edgl.com/white-papers/Data-Loss-Prevention-Whitepaper--When-Mobile-Device-Management-Alone-Isn-t-Enough-76435
Managing mobile security: How are we doing? By Alan Goode, Managing Director, Goode Intelligence
http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
http://en.wikipedia.org/wiki/Data_loss_prevention_software
http://www.infoworld.com/d/security-central/intrusion-detection-honeypots-simplify-network-security-165?page=0,0
http://noticias.juridicas.com/base_datos/Admin/rd1720-2007.html