Paper Florencio Cano - Patient data security in a wireless and mobile world

Patient data security in the wireless and mobile world

Florencio Cano Gabarda, Pilar González de Prados
SEINHE
fcano@seinhe.com
pgonzalez@seinhe.com

Abstract— The arrival and explosion in the use of mobile devices (smartphones, tablets) and wireless networks imply a new security paradigm for networks, with many new threats.

I. INTRODUCTION

Patients and their families, doctors, nurses and all the people in a hospital now want access to the Internet or need access to the hospital information systems over the local network.

Health personnel can do their work better by using these new technologies, but the security implemented in recent years is usually not enough to allow the use of these technologies in a critical environment where personal and health data, patient data, is processed and stored. Data is not the only critical asset. Multiple medical devices are now controlled and accessed over the network. Their security is now critical in order not to jeopardize patient safety. This is not going to stop here. The trend is towards increasing interconnection between medical devices and networks, so security is going to be a hot topic in the coming years.

Now that "bring your own device" (BYOD) policies are established de facto in hospitals, security controls should be reviewed and the security plan should be adapted. According to [1], by 2015 there will be almost 15 billion network-connected devices, including smartphones, notebooks, tablets and other smart machines, more than two for every person on the planet.

In this paper we review, from a bird's eye view, the classic controls that used to be mandatory in a wired environment, applying the old concepts to the new wireless and mobile environment: perimeter security, network segmentation, traffic isolation, network equipment security, access controls and wireless security. With a proper design that has security in mind, the risks associated with these technologies can be drastically reduced.

We are going to see how these controls cover the Spanish personal data privacy law (LOPD) and what other controls would be needed.

II. PERIMETER SECURITY

What is the perimeter? The network perimeter is the fortified boundary of the network, including border routers, firewalls, intrusion detection systems, software front ends, virtual private network devices and demilitarized zones. The perimeter was constituted by the most important assets that should be protected, because they used to be the gate to sensitive information.

Mobile computing started with the use of notebooks and personal digital assistants. Today, smartphones and tablet personal computers flood the market. IDC expects, as we can see in [2], that vendors will ship a total of 472 million smartphones in 2011 and 62.5 million tablets.

Mobile devices represent a new set of threats against which networks and personnel are neither trained nor prepared.

Fig. 1 Mobile devices threats

For example, poorly managed mobile devices loaded with sensitive information, such as confidential emails or patient data, can fall into the wrong hands.

The loss of highly sensitive information and the potential associated media scandal is a huge problem in itself, but the impact might be greater because failing to protect personal data can be construed as a violation of the Spanish personal data privacy law, called LOPD.

Desktop systems, servers and devices that exist inside the perimeter are covered by security controls at the network level, such as antimalware systems and firewalls, but mobile systems should protect themselves. Additionally, administrators should implement controls to protect the network and other systems from infection by these uncontrolled mobile devices.

Perimeter security is very important, but in healthcare environments where lots of different people need access to the network, internal security is critical.

III. RISK ASSESSMENT

The first step in order to identify proper, efficient security measures to be implemented in a healthcare environment should be to perform a risk assessment.

A risk assessment allows the organization to identify, in an objective and repeatable way, the most critical risks to the organization's information assets.
There exist lots of different risk assessment methodologies and approaches. One that is widely used in Spain is called Magerit. It is widely used because its use is recommended in public administrations [3].

With this methodology, first the information assets that are important in the organization are identified. Then it is evaluated how important each asset is and how much confidentiality, integrity and availability it needs.

Then, threats to each asset are identified and the probability that each threat occurs against the asset is evaluated.

The next step is to identify vulnerabilities in each asset that can be exploited by an identified threat to impact the asset.

With all these values a risk level is calculated that allows the organization to sort the risks by criticality and to implement the most important security measures first.

The methodology could be a lot more complex, but the important fact is that in order to choose the right security measures it is important to have a plan based on a previous analysis of the risks.

IV. SECURITY MEASURES

Today's healthcare organizations, which share the characteristics of having sensitive data such as patient information and having lots of mobile devices connected to their networks, should implement what is usually called defense in depth [4]. Defense in depth is the approach to security that holds that multiple layers of security should be implemented, just in case one layer of security fails.

Security in wireless environments with mobile devices that need to be connected to them should implement security measures basically at three levels:
- Security policies
- End-point security measures
- Network security measures

Security at these three levels is reviewed in this paper.

V. SECURITY POLICIES

If the company has not decided what should be protected, it is impossible to implement security measures that allow the organization to work as expected.

First of all, the organization should define who needs to access what information systems, when, how and why. This information is also expected to be documented in the security document required by the Spanish personal data privacy law (LOPD).

After this definition, the security measures needed should be much clearer.

Related to mobile devices we can differentiate between these kinds of devices:

Corporate devices: These are the devices that are assigned to organization personnel. From these devices internal personnel should have access to almost all the information systems. Authentication and authorization should be required in order to allow one of these devices to connect to the network. It is important to implement continual monitoring of the connected devices after authentication, because these devices can be attacked or infected afterwards.

Personal devices: The organization can ban the use of personal devices, but this policy seems a very old and unrealistic approach to security in this mobile world. Another option is to allow these devices to connect to a limited-access network from where they have access to the Internet and non-critical resources.

All the other devices: Lots of visitors will try to connect their devices to the network, wirelessly or not. Each organization should decide whether they are going to allow a limited-access connection or whether they are going to refuse the connection completely.

The security measures over the mobile devices shouldn't be chosen only depending on the user. It is possible to establish policies based on some security attributes verified in the devices before allowing access to the network. This is called network access control.

VI. END-POINT SECURITY MEASURES

Almost all people like iGadgets and Droids. However, the control that system and network administrators used to have over the systems that were connected to the network has disappeared.

In systems and devices that are owned by the organization, security can be enforced according to the company security policies: for example, vulnerability updates, antivirus, security measures against mobile code, etc. However, usually the organization has no control over mobile devices owned by users.

Network Access Control (NAC) solutions have two main objectives:
1. Allow access to devices classified as trusted
2. Identify malicious actions performed by any mobile device and segregate it from the network

The second point is very important but sometimes ignored. Any mobile device could be compromised after authentication. We should implement security measures in order to monitor all the interactions of the mobile device with the network. The connection of any device depends on the evaluation of a series of security attributes that are continuously evaluated in each mobile device. This is called risk-based authentication.

NAC solutions use two strategies when determining what to do with a malicious device. These strategies are scan/block and scan/quarantine.

The scan/block approach dictates that when the security scan classifies a device as high risk, the connection is cut. Probably the user is informed about the connection termination and about what he or she should do to recover access rights.

The scan/quarantine approach allows the high-risk devices to connect to the Internet or some local resources in order to fix the security problems on the device, but access to
critical resources is not allowed until these corrections are implemented.

VII. NETWORK SECURITY MEASURES

When business requirements dictate that unknown users using unknown devices should be able to connect to our internal network, the risks to information security are very important and real, and security measures should be applied.

A. WIRELESS SECURITY

Thanks to smartphones, tablets and all the mobile devices, doctors and medical personnel can have ubiquitous access to patient data and to the patients themselves. Wireless networking allows devices to be nearer to the point of care than old devices with wired connections.

VII.A.1 CLASSIFICATION

Wireless Wide Area Networks (WWAN): Allow the connection of mobile devices to the Internet. The most famous WWAN technology is called 3G and is used mainly by smartphones and tablets.

Wireless Metropolitan Area Networks (WMAN): They cover an area larger than a WLAN and have similar characteristics.

Wireless Local Area Networks (WLAN): They have similar characteristics to local area networks, but they allow mobile devices to connect to them without wires.

Personal Area Networks (PAN): Allow devices such as keyboards and printers to connect to the systems without wires.

Fig. 2 Wireless technologies classification

This is one classification, but there exist lots of different classifications depending on different wireless technology attributes. In this paper we have put the focus on WLANs because they are the networks most widely used in local environments such as hospitals.

VII.A.2 WLAN SECURITY VULNERABILITIES

WLAN technologies share almost all the vulnerabilities of LAN networks. Additionally, WLAN technologies have their own set of threats. These threats are usually related to the fact that the wireless information travels through the air, where it is difficult to control. Any malicious attacker with enough power can try to connect to a WLAN, or could try to sniff the connection or interrupt it.

Wireless technologies have been the target of legitimate researchers and crackers trying to access sensitive information in protected WLANs.

For example, in September 2002, a group of users started a movement to gather as much information as possible about open WLANs in Europe and America. They posted the coordinates of these networks on a public web site after the research.

The security research on these technologies has favored the appearance of tools that allow some security measures implemented in common WLAN protocols to be bypassed.

For example, there exist tools for the identification of access points (Netstumbler, Wellenreiter, THC-RUT), tools to capture network identifiers and MAC addresses (Kismet), tools to capture data traffic (Ethereal) and tools to recover the security password regardless of its complexity (WEPCrack, AirSnort).

VII.A.3 WLAN SECURITY MEASURES

First of all it is necessary to protect the information over the wireless network with an appropriate encryption algorithm. WEP can be cracked in less than 30 minutes no matter the complexity of the password. We can use WPA2, against which nowadays the only viable attack is a brute force attack.

Default passwords are a recurring vulnerability that attackers will try to exploit. Change the default passwords of all the organization's network devices (routers and Wi-Fi access points) and make them a combination of digits, letters and symbols. If there is a business need to have an access without a password or with an easy one, remember to restrict and segregate this network from the critical assets.

Change the default network name (SSID) when possible. This string identifies the organization's wireless connections. Knowing the SSID is not a critical vulnerability, but it is useful information for hackers.

You can also hide the connection's SSID directly. The wireless routers can be configured to stop publicly broadcasting their SSIDs. Only users that know the SSID can try to connect to the network. If your organization does not need the SSID to be announced, just configure your access points this way.

B. NETWORK SEGMENTATION

The most powerful security control to be implemented in order to protect patient data is a good network design based on segmentation. By segregating networks with different access permissions we limit users to accessing only the systems and data that they are allowed to.
Segmentation is an IT strategic decision that should be considered properly after a risk assessment and after the definition of security policies. We have to identify who needs to access what information, why and from where. This information will guide the network engineer in designing a network that enforces security.

Too much segmentation will reduce the network efficiency, but too little segmentation is negligent.

In healthcare environments, like a hospital, we have critical medical devices that should have, if possible, their own network physically separated from the rest. If that is not possible we should use the appropriate technology to implement the segregation by using firewalls, VLANs, VPNs, etc.

The use of mobile devices mandates separating the network into at least these three segments:

Corporate network: It is for users that have been authenticated and whose devices comply with the security policy of the organization for mobile devices.

Non-complying authenticated users: Users that have been authenticated in the network but whose devices do not comply with the organization's security policy. This segment could have access to local resources to allow the user to solve the problems with their device.

Guest access: Segment for visitors that only have access to the Internet but not to local resources.

VII.B.1 VIRTUAL LOCAL AREA NETWORKS

A VLAN (virtual local area network) is composed of a group of devices (servers, PCs, etc.) that behave as if they were in the same broadcast domain regardless of their physical location.

A VLAN has the same properties as a LAN but allows you to group network devices even if they are not connected to the same switch.

As a downside, two VLANs on the same wiring have to share bandwidth. Two VLANs of one gigabit each, sharing a one gigabit connection, can see their performance diminished and can become congested.

As VLAN technology is the main way to segregate networks, it is going to be explained in depth in this paper.

VII.B.1.1 SECURITY

Mixing traffic from different work groups involves new threats to information security. Therefore, always try to separate the different groups. Classically, this separation has been carried out physically:

Fig. 3 Subnetworks physical separation

However, separating devices physically means more network infrastructure and it is not always possible.

You can get the same effect by creating a VLAN.

A VLAN separates devices according to their MAC address at level 2 of the OSI model. This produces the same effect as separating devices physically; however, the switch is responsible for the separation.

Fig. 4 VLAN network segregation
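As an added example (not code from the paper), the following Python model shows how the switch keeps VLANs apart at layer 2: it encodes and decodes the 4-byte 802.1Q tag (the 0x8100 TPID followed by 3 priority bits, the DEI bit and the 12-bit VLAN ID), assigns untagged frames arriving on an edge port to that port's VLAN, discards tagged frames arriving on an edge port, and delivers frames only to ports of the same VLAN or to trunks. The port names, VLAN IDs and MAC addresses are constructed for the demonstration; the trunk case shows why a port that does not need trunking should not be left as a trunk.

```python
"""Toy model of 802.1Q VLAN separation in a switch (added example, not from the paper).
The tag layout is the real one (TPID 0x8100, then PCP:3 | DEI:1 | VID:12); the switch,
ports, MAC addresses and frames are simplified, constructed models."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID = 0x8100            # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid: int, priority: int = 0, dei: int = 0) -> bytes:
    """Encode the 4-byte 802.1Q tag: TPID + TCI (3 priority bits, DEI, 12-bit VID)."""
    if not 0 <= vid <= 0xFFF or not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("VID must fit in 12 bits, priority in 3 bits, DEI in 1 bit")
    tci = (priority << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID, tci)


def parse_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (priority, vid) if a tag follows the two MAC addresses, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None
    return (tci >> 13) & 0x7, tci & 0xFFF


def make_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Minimal Ethernet frame: dst MAC, src MAC, optional tag, EtherType, payload."""
    tag = build_tag(vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


@dataclass
class Port:
    name: str
    mode: str            # "edge" (one VLAN, untagged endpoints) or "trunk" (tagged uplink)
    vid: int = 1         # VLAN an edge port belongs to


@dataclass
class Switch:
    ports: Dict[str, Port]

    def receive(self, port_name: str, frame: bytes) -> List[str]:
        """Apply the ingress rules described in the paper; return the egress port names."""
        port = self.ports[port_name]
        tag = parse_tag(frame)
        if port.mode == "edge":
            if tag is not None:
                return []                     # tagged frame on an edge port is ruled out
            vid = port.vid                    # untagged frame takes the port's VLAN
        else:
            if tag is None:
                return []                     # untagged on a trunk: ignored in this model
            vid = tag[1]                      # a trunk honours whatever tag arrives
        return [p.name for p in self.ports.values()
                if p.name != port_name and (p.mode == "trunk" or p.vid == vid)]


def demo() -> Dict[str, List[str]]:
    """One switch, three hospital segments: medical devices (10), staff (20), guests (30)."""
    sw = Switch(ports={
        "g1": Port("g1", "edge", vid=10),     # infusion pump
        "g2": Port("g2", "edge", vid=10),     # patient monitor
        "g3": Port("g3", "edge", vid=20),     # staff laptop
        "g4": Port("g4", "edge", vid=30),     # visitor's tablet
        "g24": Port("g24", "trunk"),          # uplink carrying all VLANs
    })
    pump, tablet = bytes.fromhex("02005e100001"), bytes.fromhex("02005e100004")  # constructed
    plain = make_frame(pump, tablet, b"hello")
    forged = make_frame(pump, tablet, b"hello", vid=10)   # tag claiming the medical VLAN
    return {
        "guest_untagged": sw.receive("g4", plain),     # only the trunk: no other VLAN 30 port
        "guest_forged_tag": sw.receive("g4", forged),  # dropped: tagged frame on an edge port
        "trunk_tagged": sw.receive("g24", forged),     # honoured on the trunk: reaches g1, g2
    }
```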
It is therefore a good practice to separate different types of traffic on different VLANs, for example, real-time data traffic, video surveillance, VoIP traffic, SCADA, etc.

VII.B.1.2 VLAN TECHNOLOGIES

VLAN technology is defined in the "1998 IEEE 802.1Q standard".

At the protocol level, 4 bytes are added to the Ethernet header to use VLANs.

Fig. 5 VLAN header

These 4 bytes contain three bits to assign the priority of the frame and 12 bits to specify the ID of the VLAN.

Quality of Service (QoS), as defined in the "IEEE 802.1p standard", uses these three bits to implement 8 different traffic priorities. Typically, the highest priority is used for security and routing information.

VII.B.1.3 CONFIGURING A VLAN

To configure a VLAN, the switch ports that support VLANs should be configured as edge ports or trunk ports. Edge ports are used for connecting endpoint devices that belong to a specific VLAN. The trunk ports of each switch are interconnected between them, forming a sort of backbone where all the VLAN traffic that these switches manage goes.

When a switch receives an Ethernet frame through an edge port, if the frame has a tag (already belongs to a VLAN), the frame is ruled out. If the frame has no tag, the switch tags it with the ID of the VLAN of that port. The frames are not tagged at the endpoint devices; the switches tag frames according to the port through which they arrive.

Depending on the manufacturer, you can implement other features related to VLANs, for example, filters on ports.

VII.B.1.4 SECURITY THREATS IN VLANS

Although VLANs are used as a security measure, the protocol was not designed with security in mind.

VLAN hopping is a term that groups a set of methods that are used to send traffic to a VLAN port that normally should not accept such traffic.

In addition, an attacker can bypass the segregation of VLANs if he or she knows the MAC address of the device to which the attacker wants to send traffic. The target machine's MAC address is introduced through a static address entry in the local ARP cache of the attacker's device. This would allow the intruder to communicate directly with the device although they were in separate VLANs.

Another VLAN hopping method is connecting a device to a trunk port of a switch and sending forged traffic with it, using the VLAN ID of a VLAN that should not be accessible to that device. The traffic that goes through a trunk port does not have its VLAN tags altered and therefore has potential access to all VLANs. To avoid this attack, trunking should be disabled on all those ports that will not use or need it.

In general, VLAN technology provides adequate separation when the physical environment is reliable. If the environment is not reliable we can make use of other technologies, such as virtual private networks.

VII.B.2 FIREWALLS

Firewalls are network devices that enforce the access control of data traffic between different networks. In other words, firewalls enforce the segregation of networks, separating different traffic with different risks.

Firewalls allow implementing separation rules depending on different attributes of the traffic, such as source, destination, etc.

It is necessary to deploy a firewall between networks with different security requirements.

The most important policy to implement when using firewalls is denying all the traffic that is not explicitly allowed.

C. VIRTUAL PRIVATE NETWORKS

Virtual private networks add one more level of security in our corporate environment. A great percentage of the common protocols used send information in clear text, which means that anyone connected to the network with the proper knowledge can see all the data being communicated. Encrypting data over the network prevents attackers from tapping the network and sniffing the data, and helps healthcare organizations to comply with strict privacy laws.

If the organization is going to use public networks to transfer patient data or any other personal data, it is required to encrypt this data. VPNs are a good solution to accomplish this.

D. DATA LOSS PREVENTION

Can data loss prevention technologies help our organization to protect sensitive data from mobile devices? Sure. An authenticated device can download sensitive information from the internal network. It is important to control this transfer of data by monitoring it when possible.
Data loss prevention (DLP) technologies allow network administrators to monitor the transfer, storage and use of defined types of data, such as patient data. Data could be shown on the screen, it can be printed, it can be stored on USB storage devices or it can be sent by email or in many other ways. DLP allows the identification of communications where some data pattern appears. For example, DLP can alert a system administrator when an email from an internal system is sent to an external system and it has more than 10 national ID numbers attached.

DLP technology can identify any type of data pattern that we define, so we can monitor our sensitive data.

Organization data exists in these three different states:

Data at Rest: Data stored in storage space, such as files in the filesystem, databases or any other storage center.

Data at the Endpoint: Data that resides in network endpoints such as USB devices, external drives, laptops, smartphones, archived tapes or any other highly mobile storage device.

Data in Motion: When the data is being transferred from the internal network to the Internet, for example by email, P2P, instant messaging or any other kind of communication.

If we want to apply data loss prevention to mobile devices we have to look at security at the endpoint.

The main security measures we find for security at the endpoint, when the endpoints are mobile devices like smartphones and tablets, are:
- Encrypted sandbox where all organization data is stored
- Antivirus
- Remote deletion
- GPS localization

E. INTRUSION DETECTION

Intrusion detection functionality is embedded in NAC solutions, as it is necessary to detect malicious activity from already authenticated devices in order to ban them from the network. We are not implementing a good security solution if we only set security measures in the perimeter and not inside the network, after authentication.

F. HONEYPOTS

A honeypot makes identifying malicious activity very simple. Any traffic that comes to a honeypot and tries to interact with it is malicious, because honeypots are systems that are not deployed to be used by legitimate users. They are false systems, usually with low security measures to draw the attention of potential attackers.

Deploying a honeypot in the corporate network segment allows discovering malicious devices that have overcome authentication.

VIII. DATA PRIVACY LAWS

In Spain, the Organic Law on Personal Data Protection mandates protecting personal data with strict security measures. The use of wireless technology and "bring your own device" policies may violate some of these controls if security measures are not implemented properly.

Patient data is defined as high-level data and this law requires the strictest measures for this kind of data.

Article 91 of the 1720/2007 Royal Decree that develops the LOPD law establishes that users should only have access to the information that they are allowed to access. This requirement enforces the segregation of networks that we have talked about in this paper.

Another requirement in article 92 says: "The extraction of media and documents containing personal data, including those covered and/or attached to an e-mail, outside of the premises under the control of the organization must be authorized by the organization explicitly or they should be duly authorized in the security document". This requirement asks for the use of data loss prevention mechanisms implemented in networks where mobile devices are connected, in order to discover this transfer of data outside the organization.

This article also says: "When the documentation is moved from one location to another, the organization shall take the necessary security measures to prevent theft, loss or unauthorized access to information during transport". Encryption mechanisms and tools are needed to prevent access to patient data if any device that stores it is stolen. As described previously, endpoint security solutions implement controls such as remote deletion and GPS localization that could be used after an incident of this type.

Article 93 says: "The organization is responsible for establishing a mechanism for uniquely identifying any user who tries to access the information system and it is responsible for the verification that he/she is authorized". Any device or system that does not require a unique username and password to access patient data is not allowed by this law. NAC systems should verify this point when allowing mobile devices to connect to the network or to resources that store personally identifiable information.

Also in article 93 it is said that "When the authentication mechanism is based on the existence of passwords there should exist a procedure for the allocation, distribution and storage to ensure their confidentiality and integrity". How can the organization assure the confidentiality and integrity of passwords when using mobile devices not owned by the company? It is necessary that each user is authenticated in the network using a username and a password, independently of the mobile device that they are using.

These are some LOPD requirements that, if not implemented, may represent high fines for offenders. Any new technology that affects personally identifiable information, and patient data especially, should be planned with care and with the existing legislation in mind.
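As an added example (not the paper's code), the following Python script implements the DLP check described in section D and called for by article 92: it counts the national ID numbers in an outgoing message and raises an alert when more than 10 appear in a message addressed outside the organization. It assumes the IDs are Spanish DNI/NIE, whose control letter lets look-alike numbers be discarded; the domain, recipient handling and sample messages are constructed for the demonstration.

```python
"""DLP check for Spanish national ID numbers (DNI/NIE) in outbound e-mail.
Added example, not code from the paper. It assumes the "national ID numbers" of the DLP
section are Spanish DNI/NIE, whose last letter is a checksum; the domain, threshold and
messages are constructed for the demonstration."""
import re
from email import message_from_string
from typing import Dict, List

INTERNAL_DOMAIN = "hospital.example"           # constructed: the organization's own domain
ALERT_THRESHOLD = 10                           # the paper's example: more than 10 IDs
CHECK_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"       # official DNI/NIE control letters
ID_PATTERN = re.compile(r"\b([XYZ]?)(\d{7,8})[- ]?([A-Z])\b", re.IGNORECASE)
EMAIL_PATTERN = re.compile(r"[\w.+-]+@[\w.-]+")


def is_valid_spanish_id(candidate: str) -> bool:
    """Validate a DNI (8 digits + letter) or NIE (X/Y/Z + 7 digits + letter) checksum."""
    m = ID_PATTERN.fullmatch(candidate.strip().upper())
    if not m:
        return False
    prefix, digits, letter = m.groups()
    if prefix:                                  # NIE: the prefix letter stands for a digit
        digits = {"X": "0", "Y": "1", "Z": "2"}[prefix] + digits
    if len(digits) != 8:
        return False
    return CHECK_LETTERS[int(digits) % 23] == letter


def count_ids(text: str) -> int:
    """Count distinct checksum-valid IDs; 8-digit look-alikes with a wrong letter are ignored."""
    found = set()
    for m in ID_PATTERN.finditer(text):
        token = "".join(m.groups()).upper()     # drop an optional separator before the letter
        if is_valid_spanish_id(token):
            found.add(token)
    return len(found)


def scan_message(raw: str) -> Dict[str, object]:
    """DLP verdict for one RFC 822 message: external recipients, ID count, alert flag."""
    msg = message_from_string(raw)
    headers = " ".join(msg.get(h, "") for h in ("To", "Cc", "Bcc"))
    external: List[str] = [r for r in EMAIL_PATTERN.findall(headers)
                           if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    parts = []
    for part in msg.walk():                     # gather every text part, attachments included
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    n = count_ids("\n".join(parts))
    return {"external_recipients": external, "id_count": n,
            "alert": bool(external) and n > ALERT_THRESHOLD}


def make_dni(number: int) -> str:
    """Constructed sample DNI with the correct control letter."""
    return f"{number:08d}{CHECK_LETTERS[number % 23]}"


def demo() -> Dict[str, Dict[str, object]]:
    """Same patient list sent to an external lab (alert) and to an internal address (no alert)."""
    ids = " ".join(make_dni(10000000 + 7 * i) for i in range(11))   # 11 valid DNIs
    body = (f"Patient list:\n{ids}\n"
            "plus NIE X1234567L (valid) and 12345678A (wrong control letter, not counted).\n")
    external_mail = ("From: nurse@hospital.example\n"
                     "To: results@external-lab.example\n"
                     "Subject: patient list\n"
                     "Content-Type: text/plain; charset=utf-8\n\n" + body)
    internal_mail = external_mail.replace("results@external-lab.example",
                                          "admissions@hospital.example")
    return {"external": scan_message(external_mail), "internal": scan_message(internal_mail)}
```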
IX. CONCLUSIONS

We have reviewed lots of security measures that can be implemented in order to protect the critical assets, such as patient data, in a healthcare environment.

First of all, as required by the Spanish personal data privacy law (LOPD), the organization should define roles for the personnel to access patient data: who, how and why can access what data.

The key to choosing the most efficient and effective measures is to perform a risk assessment that will show us which are the most important risks to be controlled.

Then it is important to elaborate a corporate mobile policy that defines how the organization and the personnel should act when accessing organizational information.

Based on the risk assessment and on the study of the business necessities, engineers should choose the controls that should be implemented.

This way, the new threats that healthcare organizations face due to this new mobile world will be controlled.
X. REFERENCES

[1] Cisco Systems' annual Visual Networking Index Forecast
[2] http://www.idc.com/getdoc.jsp?containerId=prUS22871611
[3] http://administracionelectronica.gob.es/?_nfpb=true&_pageLabel=PAE_PG_CTT_General&langPae=es&iniciativa=184
[4] http://www.informationweek.com/whitepaper/Business_and_Careers/wp901652?articleID=901652
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
http://mobileenterprise.edgl.com/white-papers/Data-Loss-Prevention-Whitepaper--When-Mobile-Device-Management-Alone-Isn-t-Enough-76435
Managing mobile security: How are we doing? By Alan Goode, Managing Director, Goode Intelligence
http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
http://en.wikipedia.org/wiki/Data_loss_prevention_software
http://www.infoworld.com/d/security-central/intrusion-detection-honeypots-simplify-network-security-165?page=0,0
http://noticias.juridicas.com/base_datos/Admin/rd1720-2007.html