Medical clinic using WEP...

--chris-- Member Posts: 1,518
I drove my in-law to his cardiologist today. While in the parking lot I noticed that the clinic's Wi-Fi uses WEP for its security.

#1: Is this a HIPAA violation?

#2: Should the clinic be notified?

Comments

  • YFZblu Member Posts: 1,462
    Woof. Can't speak to the HIPAA piece, but I would definitely let them know, especially considering your family has information stored with them.
  • DevilWAH Member Posts: 2,997
    Depends what they use the Wi-Fi for.

    While not good practice, if they are offering free Wi-Fi to guests with internet-only access then does it really matter? They will have a disclaimer to say that while using it they don't guarantee security; you do this even if running the heaviest security to protect yourself.

    On the other hand, if they are transferring medical documents over it as their business wireless then yes, I would not be happy with them putting my data over it. Maybe they have a non-broadcasting SSID they use for internal traffic, which is why you only see the less secure WEP one?

    I run all 3 for various networks (some old kit does not support WPA and is not security sensitive, and guest networks are open for the login stage).

    A politely worded email seeking assurance that your data is secure might be a way forward, along the lines of: "I noticed when in your surgery that your wireless used a now legacy and non-secure encryption policy (WEP); please could you confirm to me that no medical data is transmitted over this network, as there is a high risk of it getting compromised", and see what they say.

    This allows them to answer the question in full before you start accusing them of breaking HIPAA or other acts. I am all for doing some fact finding before going in guns blazing, giving people the chance to answer concerns.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • SteveFT Users Awaiting Email Confirmation Posts: 149
    A WEP network might as well be open. At least people understand the dangers of an open network and will (hopefully) take precautions. Also, whether it is WEP or open, the average person will not be able to get any data. However, someone with any idea of what they are doing will just as easily crack WEP as pull data from an open network.
  • WafflesAndRootbeer Member Posts: 555
    You were in the parking lot of what I assume is a medical office complex area so the network might in fact belong to someone else like a cafe, which is not uncommon in medical office areas.
  • Trifidw Member Posts: 281
    They may be using medical equipment that only supports WEP.
  • W Stewart Member Posts: 794
    What medical equipment supports WEP? As long as you can't access any internal systems from the Wi-Fi and it's only for guest use then it's not a big deal.
  • Trifidw Member Posts: 281
    W Stewart wrote: »
    What medical equipment supports Wi-Fi, let alone only WEP?

    The high cost of medical equipment usually means its life is stretched out as far as possible and it is not replaced just because 'a better standard' is released where there is no improvement to healthcare.

    I don't think it is hugely plausible to use WEP for guest Wi-Fi; it would take ages telling people/entering the code.

    Mmm...
  • devils_haircut Member Posts: 284
    Working in a healthcare setting for a MAJOR national healthcare network, you would be surprised at the stuff they get by with, like patient records on thumb drives, ridiculously outdated software, etc. Security doesn't seem to be a factor. I had several machines I recently replaced running a medical imaging program that required all users to have ADMIN RIGHTS in order for the software to work correctly. I checked with my superiors to make sure they weren't kidding....and they weren't.
  • DevilWAH Member Posts: 2,997
    W Stewart wrote: »
    What medical equipment supports WEP? As long as you can't access any internal systems from the Wi-Fi and it's only for guest use then it's not a big deal.

    Loads of equipment supports Wi-Fi, and surprisingly a lot only supports WEP. If you are paying £50k+ for a bit of kit or a system such as a wireless tracking system, then you might stick with it for a long time due to the costs involved. We have to run WEP for our information screens (no WPA support); yes, we could spend £40k to upgrade them, but there is not a strong business case.

    WEP/WPA are not uncommon for guest access. A password advertised on the reception desk is no different to using a password-protected captive portal.
  • --chris-- Member Posts: 1,518
    Like usual, I learned a few new things from TE. I'll follow DevilWAH's advice and put together a kindly worded, non-confrontational email asking for assurance. I know someone mentioned it could be a cafe/cafeteria's Wi-Fi; it's not that kind of clinic. It's a large building, but it's 100% offices and patient rooms. Also, the AP names were the clinic's initials with a number at the end (like ABC1, ABC2, ABC3). Also, if medical equipment uses WEP, wouldn't that be a fundamental issue with HIPAA? It's the foundation of what HIPAA is meant to protect, so if it's being sent over the weakest form of security possible it seems like that would be a big problem.
  • veritas_libertas Member Posts: 5,746
    I'd be careful. Mentioning vulnerabilities can cause you to be under suspicion (they might think you are a hacker).
  • DevilWAH Member Posts: 2,997
    --chris-- wrote: »
    Also, if medical equipment uses WEP, wouldn't that be a fundamental issue with HIPAA? It's the foundation of what HIPAA is meant to protect, so if it's being sent over the weakest form of security possible it seems like that would be a big problem.

    Again, it depends; it's not always possible to conform 100%. If you can demonstrate the risk is small and acceptable compared to the cost then you may get it signed off. Like I mentioned with our display screens: they run BBC news feeds and display institute information for visitors to the site. Yes, there is the security issue that they could get hacked, but a hacker would not gain any information that is not publicly available. Security is like anything else; it only needs to meet the requirements specified by the business (which, if it's adhering to HIPAA, means it must meet this too). The question is not whether they should be using WEP or not, but whether someone experienced in security has reviewed the issues with WEP and signed it off as acceptable and passing criteria.
  • --chris-- Member Posts: 1,518
    I'd be careful. Mentioning vulnerabilities can cause you to be under suspicion (they might think you are a hacker).

    Interesting point. Like that poor kid in Australia?

    Like most things, risk/reward. I'll take the chance to get an answer.

    @DevilWAH, thanks for the clarification. I'll be sure to approach it in that manner.
  • antielvis Member Posts: 285
    I'd be careful. Mentioning vulnerabilities can cause you to be under suspicion (they might think you are hacker).

    +10.

    Now, if you are a professional in the tech field, you might casually mention you noticed they were using WEP. Give them a link or something a layman could read & understand. Then leave it at that. Do hope they'll contact their IT consultant & have it investigated. If they don't, well there is only 1 thing to do. Don't go there.
  • SteveLord Member Posts: 1,717
    Or you find out you really don't know anything about their setup, made a big deal about nothing and just look silly. That's if your "concern" doesn't drop off a digital cliff.

    I've had a "seasoned security expert" email me out of the blue to question a vendor's web app because it had an executable in the URL. He wrote this really long email about how it was a recipe for disaster. A security colleague thought it was baloney and the developer of the app explained everything/made sense of it.
    WGU B.S.IT - 9/1/2015 >>> ???
  • W Stewart Member Posts: 794
    DevilWAH wrote: »
    Loads of equipment supports Wi-Fi, and surprisingly a lot only supports WEP. If you are paying £50k+ for a bit of kit or a system such as a wireless tracking system, then you might stick with it for a long time due to the costs involved. We have to run WEP for our information screens (no WPA support); yes, we could spend £40k to upgrade them, but there is not a strong business case.

    WEP/WPA are not uncommon for guest access. A password advertised on the reception desk is no different to using a password-protected captive portal.


    Wow, I would think hospitals could at least afford updated technology with the prices they charge for their equipment.
  • deth1k Member Posts: 312
    W Stewart wrote: »
    Wow, I would think hospitals could at least afford updated technology with the prices they charge for their equipment.

    Health Care in UK is "free" - i.e comes from your TAX so budgets are tight and very limited.
  • DevilWAH Member Posts: 2,997
    W Stewart wrote: »
    Wow, I would think hospitals could at least afford updated technology with the prices they charge for their equipment.

    You have to think, many of the more advanced devices might only sell a few hundred of a model. Considering the amount they might have put into developing the solution, they have to charge a lot to get their money back. Hospitals want to be at the leading edge, so they are not going to purchase last year's model just to get a better network connection. For their MRI scanner they want high resolution and speed, not a faster network connection (unless this has a direct impact on their work). So if one year I spend £1.2 million on an MRI scanner, then I might keep it for 5-6 years until I can afford another £1.2 million for a new flash model. At the same time, if the old one still works for 90% of cases then I will not throw it in the bin, but continue to use it till it's no longer feasible. A hospital will tell you it would like full IC and diagnostic facilities at every bed, but money will not allow it; however, if they have older equipment that still could benefit a patient, they're not going to stop using it just because it does not support the latest wireless security.
  • DevilWAH Member Posts: 2,997
    deth1k wrote: »
    Health Care in UK is "free" - i.e comes from your TAX so budgets are tight and very limited.

    To be fair, there is also private care available if you want to pay for it. But wherever you are, when it comes to medical equipment no facility has a never-ending budget.
  • deth1k Member Posts: 312
    DevilWAH wrote: »
    To be fair, there is also private care available if you want to pay for it. But wherever you are, when it comes to medical equipment no facility has a never-ending budget.

    I'm aware ;) Those aren't much different to NHS in terms of splashing cash on kit.
  • Trifidw Member Posts: 281
    deth1k wrote: »
    Health Care in UK is "free" - i.e comes from your TAX so budgets are tight and very limited.

    Just because it is free for the patient doesn't mean it is free, every tax payer contributes to the NHS and it is very effective for the amount it costs the average person and this is partly a result of maximising the life of equipment. As DevilWAH has said specialist medical equipment has a limited market and as a result the unit cost is very high. And don't forget just like the US system, patients = customers = money and hospitals compete to be the choice for their patients and put in bids to run clinics in the community.
  • ptilsen Member Posts: 2,835
    If the device connects to their production network at all, even if not used for sensitive data, I'm pretty sure it's a HIPAA violation and it's definitely a PCI violation (most medical providers do take credit cards) if they use card readers or store card data anywhere on their network. I'm pretty sure it would have to be an isolated network for a specific purpose that didn't expose any of their credentials or systems used for medical or payment card data to not be a violation of HIPAA or PCI, respectively. Admittedly, it has been a while since I've needed to know the details of HIPAA requirements.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • ptilsen Member Posts: 2,835
    Also, while I agree that WEP-only devices can be an issue, I have to say that in my experience it is very, very rare. If it were 2008, I would think that was probably the reason. Even then, devices not supporting WPA2 were uncommon, but it was still an issue that came up. Now, they're very, very rare. It would take a very expensive piece of medical equipment with a long shelf life to justify keeping a WEP network. WPA2 has been around for almost ten years now. Even in that industry, I have to imagine the vast majority of production devices support WPA2.
  • DevilWAH Member Posts: 2,997
    ptilsen wrote: »
    Also, while I agree that WEP-only devices can be an issue, I have to say that in my experience it is very, very rare. If it were 2008, I would think that was probably the reason. Even then, devices not supporting WPA2 were uncommon, but it was still an issue that came up. Now, they're very, very rare. It would take a very expensive piece of medical equipment with a long shelf life to justify keeping a WEP network. WPA2 has been around for almost ten years now. Even in that industry, I have to imagine the vast majority of production devices support WPA2.

    You would be surprised. I have seen lab equipment costing £100K's that only supports telnet for remote access, and even some that have burnt-in back door passwords for support. It has got better in the last 5 years, but still 99.9% of development is spent on the function the device is designed for. Security is put on as an afterthought, and often by people who have no idea what they are doing. Many companies producing this equipment might only have 10 or 12 employees (garden shed set-ups) with not a single security engineer among them. The headquarters of these companies are nothing like Cisco or Microsoft, just a group of nerds building to order; if the customer is not pushing for security, then they don't bother spending time on it.

    Don't get me wrong, these guys are amazing in what they do. But we still have to run Windows 2000 and XP because of equipment that you simply can't get drivers for that are any more up to date. Indeed, some of these devices were built after Windows 7 was released but still developed for XP. Likewise we run Access 2000 and Excel 5 because the software shipped with the devices requires it. We even have 2 x Windows 98 in our institute because of the equipment they are connected to!!
  • datacomboss Member Posts: 304
    Guys, it's HIPAA.:D

    It is a possible violation. No excuse using WEP. All of our clinics use WPA2.

    What's a HIPAA violation and what is not is sometimes not as clear as you might think. The Health and Human Services Office for Civil Rights is responsible for HIPAA rules enforcement, but yet won't publish clear guidelines on what policies and technologies covered entities should have in place. Instead they defer to NIST, which published 800-66, which leaves some things open for interpretation. Maybe not for a seasoned professional, but a lot of these clinics use little mom-and-pop "IT consultants" that don't know a damn thing. The most frustrating part of my job is convincing a physician that his $500K EMR or $15MM A/R should be on the white box "servers" that his billing system ran on for so long.
    "If I were to say, 'God, why me?' about the bad things, then I should have said, 'God, why me?' about the good things that happened in my life."

    Arthur Ashe

  • TeKniques Member Posts: 1,262
    The HIPAA security rule does not specify which (or any) wireless security standard that should be used. The rule however, specifically focuses on a set of goals and standards to protect EPHI through confidentiality, integrity, and availability. In other words, the organizations policies and procedures should outline wireless security with proper standards.

    In my experience most small to medium sized medical clinics that are not owned/operated by a larger parent rarely know what HIPAA really entails. All they basically know is that it deals with patient privacy ... you toss out things like "security rule" or "privacy rule" and you get a deer in the headlights look your way.
  • --chris-- Member Posts: 1,518
    Well, a great thread so far. I didn't expect this much response from the community. I have held off from sending the email because it seems every few days a new response/rationale pops up in this thread. I'll keep waiting. I do want to find out what the WEP is used for, however, so I will eventually contact them.

    @antielvis, the "or don't go there" isn't an option. This is the best doctor/practice for what my in-law needs, the best in the state. He used the "local guys" before and it almost killed him (not figuratively), so now he only goes to the best.

    @ptilsen, since I am still learning almost everything, that was the assumption I made (that if the WEP is connected in any aspect of the billing/medical side of the network it's a problem), but I wasn't sure if that is the case.

    The problem with not inquiring about this is that if other people who visit the office knew of the potential risk that exists they would want to know what's going on as well. Just because they don't see the problem doesn't mean they won't want to know. This isn't a crusade, or a "hey, I learned this is bad, let me tell you why" kind of thing. If I saw a pile of medical record boxes in the front office sitting on the counter visit after visit (not knowing if they are full or empty) I would want to know what's going on with that.
  • datacomboss Member Posts: 304
    @TeKniques, that is my point exactly. Many of the larger clinics and hospitals don't know either. Doctors love making money, but are allergic to spending money.

  • DevilWAH Member Posts: 2,997
    @TeKniques, that is my point exactly. Many of the larger clinics and hospitals don't know either. Doctors love making money, but are allergic to spending money.

    I have been looking at job listings in hospitals, and along with the technical roles I get the surgeon and nurse jobs. I can say that many senior doctors and surgeons at some of the top hospitals make less than senior IT staff. And you see the hours are not the 40 hours advertised for IT jobs but 40 basic, with you expected to work 60+.

    Personally, I would much rather my heart surgeon concentrates on his surgery than spends much time worrying about the hospital network. What I see from this thread is people giving suggestions why they might be using WEP, from my point of legacy equipment, through they don't want to spend the money to upgrade, to they simply don't realise there is an issue, as they are doctors, not IT security engineers. The fact is there are 1000's of reasons why it might be, and what data the particular network protected by WEP actually carries. What we all agree on is that WEP is not a secure standard and should only be used in exceptional cases where a thorough risk analysis and security audit has been carried out. The only way to confirm any of this is to ask, and the best way to do so is in a polite and straightforward way.

    No one is going to end up in trouble if they don't point fingers before knowing the facts, or go into lengthy detail about how you can crack WEP. The fact is that it's almost 100% guaranteed that the first person to read the email will be a non-technical person (secretary). So make it something the average non-IT person can make sense of, and make it very clear what you are asking.

    Dear Sir,

    I noticed when I was in your clinic "name goes here" last week that you run your wireless network with a logon method that is no longer recommended due to some security issues. Please could you assure me that none of my personal/medical data is ever sent over this network or any networks attached to it.

    Kind Regards / Thank you for your time / ....

    And leave it up to them to decide how they want to proceed; don't threaten them that they are breaking any HIPAA or PCI rules, or explain how with a smartphone and a few apps you can bypass it. Or, even worse, crack it and then tell them you have done it. If they come back and tell you that it's a stand-alone network with no sensitive data, then that's the end of the story. If they come back telling you your data is on that network, then that's the time to either request they remove your data, or, if you wish, you could at that point explain a bit more about your background and suggest they could talk to their IT support company about changing to a more secure standard.

    As for HIPAA and PCI, they will get audited frequently for this kind of thing and that should pick it up, but even if not, it's something to worry about further down the line. The first thing is to request information from a personal point of view: "Could my data be compromised by you running WEP on your network?" That is a valid question for an IT or non-IT person to ask the clinic, and it clears up all the "it might be this" or "it might be that" that this thread is filled with. All valid points, but the only people who can give a straight answer are the clinic, and you have the right to ask them a question over a concern you have about them storing your personal data.
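Several posts above (SteveFT's "a WEP network might as well be open" and DevilWAH's point that WEP belongs only where a risk review has signed it off) come down to the same practical step for whoever runs the clinic's WLAN: take an inventory of what each SSID actually advertises before arguing about policy. The script below is an added example written for this page, not code posted by anyone in the thread. It grades networks from the terse output of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`; the scan lines in `SAMPLE_SCAN` are constructed to mirror the thread (clinic-initial APs on WEP, an open guest SSID, a staff SSID on WPA2-Enterprise, a neighbouring cafe in WPA1/WPA2 mixed mode) and are not real survey data. It only reports what an access point advertises; it cannot tell you what traffic the SSID carries, which is exactly the question DevilWAH says only the clinic can answer.

```python
"""Grade the link-layer protection of Wi-Fi networks from nmcli terse output.

Input is one network per line from `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`:
fields separated by ':' and any ':' inside a field (the BSSID) escaped as '\\:'.
Anything graded 'open', 'legacy-wep' or 'legacy-wpa1' should carry nothing the
operator would not pin to the reception notice board.
"""
from dataclasses import dataclass

# Weakest suite first. The empty key is what nmcli prints for an open network.
_RANK = {"": 0, "WEP": 1, "WPA1": 2, "WPA2": 3, "WPA3": 4}
_GRADE = {0: "open", 1: "legacy-wep", 2: "legacy-wpa1", 3: "ok", 4: "ok"}

# Constructed sample scan for the example; not real survey data.
SAMPLE_SCAN = """\
ABC1:AA\\:BB\\:CC\\:DD\\:EE\\:01:WEP
ABC2:AA\\:BB\\:CC\\:DD\\:EE\\:02:WEP
ABC-Guest:AA\\:BB\\:CC\\:DD\\:EE\\:10:
ABC-Staff:AA\\:BB\\:CC\\:DD\\:EE\\:20:WPA2 802.1X
Cafe:11\\:22\\:33\\:44\\:55\\:66:WPA1 WPA2
"""


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    security: tuple  # tokens of the SECURITY field, e.g. ("WPA2", "802.1X")


def split_terse(line):
    """Split an nmcli terse line on unescaped ':' and drop the escape characters."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == ":":                         # unescaped ':' is the field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def parse_scan(text):
    """Turn scan output into Network records; blank lines are skipped."""
    nets = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ssid, bssid, sec = split_terse(raw)[:3]
        nets.append(Network(ssid, bssid, tuple(sec.split())))
    return nets


def weakest_suite(net):
    """A mixed-mode AP ("WPA1 WPA2") negotiates the best suite a client supports
    but still accepts the weakest it advertises, so the grade is based on that.
    Tokens like "802.1X" describe key management, not the cipher suite, and are
    ignored; a network with no recognised suite token is treated as open."""
    suites = [t for t in net.security if t in _RANK]
    return min(suites, key=_RANK.__getitem__) if suites else ""


def audit(text):
    """Map each SSID to its grade, keeping the worst grade seen across every
    BSSID that advertises that SSID (a roaming WLAN reuses one SSID on many APs)."""
    worst = {}
    for net in parse_scan(text):
        rank = _RANK[weakest_suite(net)]
        worst[net.ssid] = min(rank, worst.get(net.ssid, max(_RANK.values())))
    return {ssid: _GRADE[r] for ssid, r in worst.items()}


def flagged(text):
    """(ssid, grade) pairs that need a documented risk sign-off, weakest first."""
    grade_rank = {g: r for r, g in _GRADE.items() if g != "ok"}
    return sorted(((s, g) for s, g in audit(text).items() if g != "ok"),
                  key=lambda sg: (grade_rank[sg[1]], sg[0]))


if __name__ == "__main__":
    for ssid, grade in flagged(SAMPLE_SCAN):
        print(f"{grade:12} {ssid}")
```

Feed it real output by piping `nmcli -t -f SSID,BSSID,SECURITY dev wifi list` into `audit()`. On the constructed sample it flags `ABC-Guest` as open, `ABC1` and `ABC2` as legacy WEP and `Cafe` as legacy WPA1 (mixed mode is graded on the weakest suite offered), and leaves `ABC-Staff` alone. A flagged SSID is not automatically a finding; per the thread, the next question is what that SSID is plugged into.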
  • Cyberhooligan Registered Users Posts: 10
    Are you saying clinics are using equipment manufactured mostly by 5-10 staff-size companies?