Paper Florencio Cano - Patient data security in a wireless and mobile world

Patient data security in the wireless and mobile world

Florencio Cano Gabarda, Pilar González de Prados
SEINHE

Abstract— The arrival and explosion in the use of mobile devices (smartphones, tablets) and wireless networks imply a new security paradigm for networks, with a lot of new threats.

I. INTRODUCTION

Patients and their families, doctors, nurses and all the people in a hospital now want access to the Internet or need access to the hospital information systems over the local network.

Health personnel can do their work better by using these new technologies, but the security implemented in the last years is usually not enough to allow the use of these technologies in a critical environment where personal and health data, patient data, is processed and stored.

Data is not the only critical asset. Multiple medical devices are now controlled and accessed over the network. Their security is now critical in order not to jeopardize patient safety. This is not going to stop here. The trend is towards increasing interconnection between medical devices and networks, so security is going to be a hot topic in the next years.

Now, with "bring your own device" (BYOD) policies established de facto in hospitals, security controls should be reviewed and the security plan should be adapted.

According to [ ], by 2015 there will be almost 15 billion network-connected devices, including smartphones, notebooks, tablets and other smart machines, more than two for every person on the planet.

In this paper we are going to review, from a bird's eye view, the classic controls that used to be mandatory in a wired environment, applying the old concepts to the new wireless and mobile environment: perimeter security, network segmentation, traffic isolation, network equipment security, access controls and wireless security. With a proper design with security in mind, the risks associated with these technologies can be drastically reduced.

We are going to see how these controls cover the Spanish personal data privacy law (LOPD) and what other controls would be needed.

II. PERIMETER SECURITY

What is the perimeter? The network perimeter is the fortified boundary of the network, including border routers, firewalls, intrusion detection systems, software front ends, virtual private network devices and demilitarized zones. The perimeter was constituted by the most important assets that should be protected, because they used to be the gate to sensitive information.

Mobile computing started with the use of notebooks and personal digital assistants. Today, smartphones and tablet personal computers flood the market. IDC expects, as we can see in [ ], that vendors will ship a total of 472 million smartphones and 62.5 million tablets in 2011.

Mobile devices represent a new set of threats for which networks and personnel are neither trained nor prepared.

Fig. 1 Mobile devices threats

For example, poorly managed mobile devices loaded with sensitive information, such as confidential emails or patient data, can fall into the wrong hands. The loss of highly sensitive information and the potential associated media scandal is a huge problem in itself, but the impact might be greater because failing to protect personal data can be construed as a violation of the Spanish personal data privacy law, called LOPD.

Desktop systems, servers and devices that exist inside the perimeter are under the security controls at the network level, such as antimalware systems and firewalls, but mobile systems should protect themselves. Additionally, administrators should implement controls to protect the network and other systems from infection by these uncontrolled mobile devices.

Perimeter security is very important, but in healthcare environments, where lots of different people need access to the network, internal security is critical.

III. RISK ASSESSMENT

The first step in order to identify proper, efficient security measures to be implemented in a healthcare environment should be to perform a risk assessment.

A risk assessment allows the organization to identify, in an objective and repeatable way, the most critical risks to the organization's information assets.

There exist lots of different risk assessment methodologies and approaches. One that is widely used in Spain is called Magerit. It is widely used due to its recommended use in public administrations [ ].

With this methodology, first the information assets that are important in the organization are identified. Then it is evaluated how important each asset is and how much confidentiality, integrity and availability is needed.

Then, threats over each asset are identified and the probability that each threat occurs over the asset is evaluated.

The next step is to identify vulnerabilities in each asset that can be exploited by an identified threat to impact the asset.

With all these values a risk level is calculated that allows the organization to sort the risks by criticality and to implement the most important security measures first.

The methodology could be a lot more complex, but the important fact is that in order to choose the right security measures it is important to have a plan based on a previous analysis of the risks.
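As an added illustration (not part of the paper, and a simplification rather than the Magerit method itself), the steps just described can be carried through in code: assets valued on confidentiality, integrity and availability, threats with a probability and a degradation per dimension, vulnerabilities with an exploitability, and a risk level per (asset, threat, vulnerability) that is sorted by criticality. All assets, threats and figures are constructed for a small hospital network.

```python
from dataclasses import dataclass

# Added example (not part of the paper): a simplified pass through the risk
# assessment steps described above. Asset values, threats, probabilities and
# degradation figures below are constructed for illustration.


@dataclass
class Asset:
    name: str
    confidentiality: int   # 1 (low) .. 5 (critical): need for confidentiality
    integrity: int         # 1 .. 5: need for integrity
    availability: int      # 1 .. 5: need for availability


@dataclass
class Threat:
    name: str
    probability: float     # 0.0 .. 1.0, estimated likelihood of occurrence
    degradation: dict      # dimension -> fraction of value lost if it occurs


@dataclass
class Vulnerability:
    asset: str             # Asset.name this weakness belongs to
    threat: str            # Threat.name that can exploit it
    description: str
    exploitability: float  # 0.0 .. 1.0, how easily the threat can use it


def impact(asset: Asset, threat: Threat) -> float:
    """Worst-case loss: the most damaged of C, I, A weighted by the asset value."""
    return max(getattr(asset, dim) * deg for dim, deg in threat.degradation.items())


def risk_register(assets, threats, vulns):
    """One row per (asset, threat, vulnerability), sorted by descending risk level.

    risk = impact * threat probability * exploitability of the vulnerability
    """
    asset_by_name = {a.name: a for a in assets}
    threat_by_name = {t.name: t for t in threats}
    rows = []
    for v in vulns:
        a, t = asset_by_name[v.asset], threat_by_name[v.threat]
        level = round(impact(a, t) * t.probability * v.exploitability, 2)
        rows.append({"asset": a.name, "threat": t.name,
                     "vulnerability": v.description, "risk": level})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


# Constructed sample inventory for a small hospital network.
ASSETS = [
    Asset("Patient record database", confidentiality=5, integrity=5, availability=4),
    Asset("Infusion pump controller", confidentiality=3, integrity=5, availability=5),
    Asset("Guest Wi-Fi", confidentiality=1, integrity=1, availability=2),
]
THREATS = [
    Threat("Theft of mobile device", 0.4, {"confidentiality": 0.8}),
    Threat("Malware from BYOD device", 0.6, {"integrity": 0.7, "availability": 0.5}),
    Threat("Wi-Fi eavesdropping", 0.3, {"confidentiality": 1.0}),
]
VULNS = [
    Vulnerability("Patient record database", "Theft of mobile device",
                  "records cached unencrypted on tablets", 0.9),
    Vulnerability("Infusion pump controller", "Malware from BYOD device",
                  "pumps share a VLAN with staff devices", 0.7),
    Vulnerability("Guest Wi-Fi", "Wi-Fi eavesdropping",
                  "open network without encryption", 1.0),
    Vulnerability("Patient record database", "Wi-Fi eavesdropping",
                  "staff WLAN still uses WEP", 0.8),
]

if __name__ == "__main__":
    # Highest risk first: this is the order in which measures should be implemented.
    for row in risk_register(ASSETS, THREATS, VULNS):
        print(f'{row["risk"]:5.2f}  {row["asset"]:<26} {row["threat"]:<26} {row["vulnerability"]}')
```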
IV. SECURITY MEASURES

Current healthcare organizations that share the characteristics of having sensitive data, such as patient information, and of having lots of mobile devices connected to their networks should implement what is usually called defense in depth [ ]. Defense in depth is the approach to security that holds that multiple layers of security should be implemented, just in case one layer of security fails.

Security in wireless environments with mobile devices that need to be connected to them should implement security measures basically at three levels:

- Security policies
- End-point security measures
- Network security measures

Security at these three levels is reviewed in this paper.

V. SECURITY POLICIES

If the company has not decided what should be protected, it is impossible to implement security measures that allow the organization to work as expected.

First of all, the organization should define who needs to access what information systems, when, how and why. This information is also expected to be documented in the security document requested by the Spanish personal data privacy law (LOPD).

After this definition, the security measures needed should be much clearer.

Related to mobile devices, we can differentiate between these kinds of devices:

- Corporate devices: These are the devices that are assigned to organization personnel. From these devices, internal personnel should have access to almost all the information systems. Authentication and authorization should be required in order to allow one of these devices to connect to the network. It is important to implement continual monitoring over the connected devices after authentication, because these devices can be attacked or infected after it.
- Personal devices: The organization can ban the use of personal devices, but this policy seems a very old and unrealistic approach to security in this mobile world. Another option is to allow these devices to connect to a limited access network from where they have access to the Internet and non-critical resources.
- All the other devices: Lots of visitors will try to connect their devices to the network, wirelessly or not. Each organization should decide if they are going to allow a limited access connection or if they are going to completely refuse the connection.

The security measures over the mobile devices shouldn't be chosen depending only on the user. It is possible to establish policies based on some security attributes verified in the devices before allowing access to the network. This is called network access control.

VI. END-POINT SECURITY MEASURES

Almost all people like iGadgets and Droids. However, the control that system and network administrators used to have over the systems that were connected to the network has disappeared.

In systems and devices that are owned by the organization, security can be enforced depending on the company security policies: for example, vulnerability updates, antivirus, security measures against mobile code, etc. However, usually the organization has no control over mobile devices owned by users.

Network Access Control (NAC) solutions have two main objectives:

1. Allow access to devices classified as trusted.
2. Identify malicious actions performed by any mobile device and segregate it from the network.

The second point is very important but sometimes ignored. Any mobile device could be compromised after authentication. We should implement security measures in order to monitor all the interactions of the mobile device with the network. The connection of any device depends on the evaluation of a series of security attributes that are continuously evaluated in each mobile device. This is called risk-based authentication.

NAC solutions use two strategies when determining what to do with a malicious device. These strategies are scan/block and scan/quarantine.

The scan/block approach dictates that when a device is classified as high risk the connection is cut. Probably the user is informed about the connection termination and about what he or she should do to recover access rights.

The scan/quarantine approach allows the high-risk devices to connect to the Internet or some local resources in order to fix the security problems on the device, but access to critical resources is not allowed until these corrections are implemented.
VII. NETWORK SECURITY MEASURES

When business requirements dictate that unknown users using unknown devices should be able to connect to our internal network, the risks to information security are very important and real, and security measures should be applied.

A. WIRELESS SECURITY

Thanks to smartphones, tablets and all the mobile devices, doctors and medical personnel can have ubiquitous access to patient data and to the patients themselves. Wireless networking allows devices to be nearer to the point of care than old devices with wired connections.

VII.A.1 CLASSIFICATION

- Wireless Wide Area Networks (WWAN): Allow the connection of mobile devices to the Internet. The most famous WWAN technology is called 3G and is used mainly by smartphones and tablets.
- Wireless Metropolitan Area Networks (WMAN): They cover an area larger than a WLAN and have similar characteristics.
- Wireless Local Area Networks (WLAN): They have similar characteristics to local area networks, but they allow mobile devices to connect to them without wires.
- Personal Area Networks (PAN): Allow devices such as keyboards and printers to connect to the systems without wires.

Fig. 2 Wireless technologies classification

This is one classification, but there exist lots of different classifications depending on different wireless technology attributes. In this paper we have put the focus on WLANs because they are the networks most widely used in local environments such as hospitals.

VII.A.2 WLAN SECURITY VULNERABILITIES

WLAN technologies share almost all the vulnerabilities of LAN networks. Additionally, WLAN technologies have their own set of threats. These threats are usually related to the fact that the wireless information travels through the air, where it is difficult to control. Any malicious attacker with enough power can try to connect to a WLAN, or could try to sniff the connection or interrupt it.

Wireless technologies have been the target of legitimate researchers and crackers that were trying to access sensitive information in protected WLANs. For example, in September 2002, a group of users started a movement to gather as much information as possible about open WLANs in Europe and America. They posted the coordinates of these networks on a public web site after the research.

The security research over these technologies has favored the appearance of tools that allow bypassing some security measures implemented in common WLAN protocols. For example, there exist tools for the identification of access points (Netstumbler, Wellenreiter, THC-RUT), tools to capture network identifiers and MAC addresses (Kismet), tools to capture data traffic (Ethereal) and tools to recover the security password independently of its complexity (WEPCrack, AirSnort).

VII.A.3 WLAN SECURITY MEASURES

First of all, it is necessary to protect the information over the wireless network with an appropriate encryption algorithm. WEP can be cracked in less than 30 minutes no matter the complexity of the password. We can use WPA2, against which nowadays the only viable attack is a brute force attack.

Default passwords are a recurring vulnerability that attackers will try to exploit. Change the default passwords of all the organization's network devices (routers and Wi-Fi connections) and make them a combination of digits, characters and symbols. If there exists a business need to have an access without password or with an easy one, remember to restrict and segregate this network from the critical assets.

Change the default System ID (SSID) when possible. This string identifies the organization's wireless connections. Knowing the SSID is not a critical vulnerability, but it is useful information for hackers. You can also directly hide the connection's SSID. The wireless routers can be configured to stop publicly broadcasting their SSIDs. Only users that know the SSID can try to connect to the network. If your organization does not need the SSID to be announced, just configure your access points this way.

B. NETWORK SEGMENTATION

The most powerful security control to be implemented in order to protect patient data is a good network design based on segmentation. By segregating networks with different access permissions, we are limiting users to access only the systems and data that they are allowed to.

Segmentation is an IT strategic decision that should be considered properly after a risk assessment and after the definition of security policies. We have to identify who needs to access what information, why and from where. This information will guide the network engineer in designing a network that enforces security.

Too much segmentation will reduce the network efficiency, but too little segmentation is negligent.

In healthcare environments, like a hospital, we have critical medical devices that should have, if possible, their own network separated physically from the rest. If that is not possible, we should use the appropriate technology to implement the segregation by using firewalls, VLANs, VPNs, etc.

The use of mobile devices mandates separating the network in at least these three segments:

- Corporate network: It is for users that have been authenticated and whose devices comply with the security policy of the organization for mobile devices.
- Non-complying authenticated users: Users that have been authenticated in the network but whose devices do not comply with the organization's security policy. This segment could have access to local resources to allow the user to solve the problems with their device.
- Guest access: Segment for visitors that only have access to the Internet but not to local resources.
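The device kinds of section V, the NAC scan/block and scan/quarantine strategies of section VI and the three segments just listed fit together as one policy engine. The following is an added example, not the paper's or any NAC product's code: the posture attributes, the minimum compliance policy, the segment and resource names are all hypothetical, and the per-segment resource table applies the default-deny principle the paper recommends for firewalls.

```python
from dataclasses import dataclass
from enum import Enum

# Added example (not part of the paper): a small NAC policy engine that maps
# the device kinds and the scan/block vs scan/quarantine strategies onto the
# three network segments. Attribute names and the minimum policy are
# hypothetical; real NAC products express them differently.


class Segment(Enum):
    CORPORATE = "corporate"        # authenticated user, compliant device
    REMEDIATION = "remediation"    # authenticated user, non-compliant device
    GUEST = "guest"                # visitors: Internet only
    BLOCKED = "blocked"            # connection cut (scan/block outcome)


@dataclass
class DevicePosture:
    user_authenticated: bool       # network login succeeded
    corporate_owned: bool          # managed device vs. personal (BYOD)
    os_patched: bool
    antivirus_running: bool
    storage_encrypted: bool
    malicious_activity: bool = False   # raised later by IDS/monitoring


def is_compliant(p: DevicePosture) -> bool:
    """Hypothetical minimum mobile policy: managed, patched, AV on, encrypted."""
    return (p.corporate_owned and p.os_patched
            and p.antivirus_running and p.storage_encrypted)


def admit(p: DevicePosture, strategy: str = "quarantine") -> Segment:
    """Admission decision at connection time."""
    if not p.user_authenticated:
        return Segment.GUEST                  # "all the other devices"
    if is_compliant(p):
        return Segment.CORPORATE
    # authenticated but non-compliant: quarantine to fix, or cut the connection
    return Segment.REMEDIATION if strategy == "quarantine" else Segment.BLOCKED


def reevaluate(p: DevicePosture, strategy: str = "quarantine") -> Segment:
    """Continuous evaluation after admission (risk-based authentication):
    a device flagged as malicious is segregated whatever its earlier posture."""
    if p.malicious_activity:
        return Segment.BLOCKED if strategy == "block" else Segment.REMEDIATION
    return admit(p, strategy)


# Which resources each segment may reach. Anything not listed is denied
# (the default-deny policy the paper recommends for firewalls).
ALLOWED = {
    Segment.CORPORATE: {"internet", "hospital-information-system", "remediation-server"},
    Segment.REMEDIATION: {"internet", "remediation-server"},
    Segment.GUEST: {"internet"},
    Segment.BLOCKED: set(),
}


def permitted(segment: Segment, resource: str) -> bool:
    """Default deny: only explicitly listed (segment, resource) pairs pass."""
    return resource in ALLOWED.get(segment, set())


if __name__ == "__main__":
    nurse_tablet = DevicePosture(True, True, True, True, True)
    personal_phone = DevicePosture(True, False, True, False, False)
    visitor = DevicePosture(False, False, False, False, False)
    for name, p in [("nurse tablet", nurse_tablet), ("personal phone", personal_phone),
                    ("visitor", visitor)]:
        print(f"{name:<15} quarantine -> {admit(p).value:<12} block -> {admit(p, 'block').value}")
    nurse_tablet.malicious_activity = True
    print("nurse tablet after IDS alert ->", reevaluate(nurse_tablet, "block").value)
```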
VII.B.1 VIRTUAL LOCAL AREA NETWORKS

A VLAN (virtual local area network) is composed of a group of devices (servers, PCs, etc.) that behave as if they were in the same broadcast domain regardless of their physical location.

A VLAN has the same properties as a LAN, but allows you to group network devices even if they are not connected to the same switch.

As a downside, two VLANs on the same wiring have to share bandwidth. Two VLANs of one gigabit each, sharing a one gigabit connection, can see their performance diminished and can become congested.

As VLAN technology is the main way to segregate networks, it is going to be explained in depth in this paper.

VII.B.1.1 SECURITY

Mixing traffic from different work groups involves new threats to information security. Therefore, always try to separate the different groups. Classically, this separation has been carried out physically:

Fig. 3 Subnetworks physical separation

However, separating devices physically means more network infrastructure, and it is not always possible. You can get the same effect by creating a VLAN.

A VLAN separates devices according to their MAC address at level 2 of the OSI model. This produces the same effect as separating devices physically; however, the switch is responsible for the separation.

Fig. 4 VLAN network segregation

It is therefore a good practice to separate different types of traffic on different VLANs, for example, real-time data traffic, video surveillance, VoIP traffic, SCADA, etc.

VII.B.1.2 VLAN TECHNOLOGIES

VLAN technology is defined in the 1998 IEEE 802.1Q standard. At the protocol level, 4 bytes are added at the end of the Ethernet header to use VLANs.

Fig. 5 VLAN header

These 4 bytes contain three bits to assign the priority of the packet and 12 bits to specify the ID of the VLAN.

Quality of Service (QoS), as defined in the IEEE 802.1p standard, uses these three bits to implement 8 different traffic priorities. Typically, the highest priority is used for security and routing information.

VII.B.1.3 CONFIGURING A VLAN

To configure a VLAN, the switch ports that support VLANs should be configured as edge ports or trunk ports. Edge ports are used for connecting endpoint devices that belong to a specific VLAN. Trunk ports of each switch are interconnected between them, forming a sort of backbone where all the VLAN traffic that these switches manage goes.

When a switch receives an Ethernet packet through an edge port, if the packet has a tag (already belongs to a VLAN), the packet is discarded. If the packet has no tag, the switch tags it with the ID of the VLAN of that port. The packets are not tagged at the endpoint devices; the switches tag packets according to the port through which they arrive.

Depending on the manufacturer, you can implement other features related to VLANs, for example, filters on ports.

VII.B.1.4 SECURITY THREATS IN VLANS

Although VLANs are used as a security measure, the protocol was not designed with security in mind.

VLAN hopping is a term that groups a set of methods that are used to send traffic to a VLAN port that normally should not accept such traffic.

In addition, an attacker can bypass the segregation of VLANs if he or she knows the MAC address of the device the attacker wants to send traffic to. The target machine's MAC address is introduced through a static address entry in the ARP cache of the attacker's device. This would allow the intruder to communicate directly with the device although they were in separate VLANs.

Another VLAN hopping method is connecting a device to a trunk port of a switch and sending through it forged traffic using the VLAN ID of a VLAN that should not be accessible to that device. The traffic that goes through a trunk port does not get its VLAN tags altered, and so it has potential access to all VLANs. To avoid this attack, trunking should be disabled on all those ports that will not use or need it.

In general, VLAN technology provides adequate separation when the physical environment is reliable. If the environment is not reliable, we can make use of other technologies, such as virtual private networks.
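The 4-byte 802.1Q tag (TPID 0x8100, then 3 priority bits, 1 bit and a 12-bit VLAN ID, inserted after the source MAC), the edge-port rules of VII.B.1.3 and the trunk hardening of VII.B.1.4 can be exercised together. This is an added example, not code from the paper: port names, the sample MAC addresses and the allowed-VID list on the trunk are constructed, and restricting a trunk to an explicit VID list goes one step beyond the text's advice to disable unneeded trunking.

```python
import struct

# Added example (not part of the paper): build and parse the 4-byte 802.1Q tag
# described above, then apply the edge/trunk port rules to incoming frames.
# Port names, the sample MAC addresses and the allowed-VID list are constructed.

TPID_8021Q = 0x8100            # Tag Protocol Identifier that announces a tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (dst, src, tag, ethertype, payload); tag is None for untagged frames,
    otherwise a dict with pcp (3-bit priority), dei (1 bit) and vid (12-bit VLAN ID)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("tagged frame truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    return dst, src, tag, inner_type, frame[18:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI after the source MAC of an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if parse_frame(frame)[2] is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


class SwitchPort:
    """mode is 'edge' (one VLAN, untagged hosts), 'trunk' (tagged, limited to
    allowed_vids) or 'disabled' (trunking off and no access VLAN: accept nothing)."""

    def __init__(self, name, mode, vid=None, allowed_vids=()):
        self.name, self.mode, self.vid = name, mode, vid
        self.allowed_vids = frozenset(allowed_vids)


def ingress(port: SwitchPort, frame: bytes):
    """Frame as it enters the switching fabric (always tagged), or None if dropped."""
    tag = parse_frame(frame)[2]
    if port.mode == "edge":
        if tag is not None:
            return None                      # tagged frame on an edge port: ruled out
        return add_tag(frame, port.vid)      # tag with the port's VLAN
    if port.mode == "trunk":
        if tag is None or tag["vid"] not in port.allowed_vids:
            return None                      # untagged, or a VID this trunk must not carry
        return frame
    return None                              # unused port: trunking disabled


# Constructed sample: broadcast frame, locally administered source MAC,
# IPv4 ethertype and a dummy 46-byte payload.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                   + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 45)

if __name__ == "__main__":
    edge = SwitchPort("Gi0/1", "edge", vid=20)
    trunk = SwitchPort("Gi0/24", "trunk", allowed_vids={10, 20})
    tagged = ingress(edge, SAMPLE_UNTAGGED)
    print("edge tags untagged frame with VID", parse_frame(tagged)[2]["vid"])
    print("edge drops pre-tagged frame:", ingress(edge, tagged) is None)
    print("trunk forwards VID 20:", ingress(trunk, tagged) is tagged)
    print("trunk drops forged VID 99:", ingress(trunk, add_tag(SAMPLE_UNTAGGED, 99)) is None)
```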
VII.B.2 FIREWALLS

Firewalls are network devices that enforce the access control of data traffic between different networks. In other words, firewalls enforce the segregation of networks, separating different traffic with different risks.

Firewalls allow implementing separation rules depending on different attributes of the traffic, such as source, destination, etc.

It is necessary to deploy a firewall between networks with different security requirements.

The most important policy to implement when using firewalls is denying all the traffic that is not explicitly allowed.

C. VIRTUAL PRIVATE NETWORKS

Virtual private networks add one more level of security in our corporate environment. A great percentage of the common protocols used send information in clear text, which means that anyone connected to the network and with proper knowledge can see all the data being communicated. Encrypting data over the network prevents attackers from tapping the network and sniffing the data, and helps healthcare organizations to comply with strict privacy laws.

If the organization is going to use public networks to transfer patient data or any other personal data, it is required to encrypt this data. VPNs are a good solution to accomplish this.
D. DATA LOSS PREVENTION

Can data loss prevention technologies help our organization to protect sensitive data from mobile devices? Sure. An authenticated device can download sensitive information from the internal network. It is important to control this transfer of data by monitoring it when possible.

Data loss prevention (DLP) technologies allow network administrators to monitor the transfer, storage and use of defined types of data, such as patient data. Data could be shown on the screen, it can be printed, it can be stored on USB storage devices or it can be sent by email or in many other ways. DLP allows the identification of communications where some data pattern is shown. For example, DLP can alert a system administrator when an email from an internal system is sent to an external system and it has more than 10 national ID numbers attached.

DLP technology can identify any type of data pattern that we define, so we can monitor our sensitive data.

Organization data exists in these three different states:

- Data at Rest: Data stored in storage space, such as files in the filesystem, databases or any other storage center.
- Data at the Endpoint: Data that resides in network endpoints such as USB devices, external drives, laptops, smartphones, archived tapes or any other highly mobile storage device.
- Data in Motion: When the data is being transferred from the internal network to the Internet, for example by email, P2P, instant messaging or any other kind of communication.

If we want to apply data loss prevention to mobile devices, we have to look at security at the endpoint.

The main security measures we find for security at the endpoint, when the endpoints are mobile devices like smartphones and tablets, are:

- Encrypted sandbox where all organization data is stored
- Antivirus
- Remote deletion
- GPS localization
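The DLP rule given above (alert when an internal sender mails more than 10 national ID numbers to an external system) can be written out for Spanish DNI numbers. This is an added example, not the paper's or any DLP product's code: the domain names, addresses and mail contents are constructed, and validating the DNI check letter (number mod 23 against the public letter table) is added here to keep random 8-digit numbers from triggering the rule.

```python
import re
from dataclasses import dataclass, field

# Added example (not part of the paper): the DLP rule described above, alerting
# when an internal sender mails more than 10 Spanish national ID numbers (DNI)
# to an external recipient. Domain names, addresses and the mail contents are
# constructed; the DNI check-letter rule is the public one (number mod 23).

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
DNI_RE = re.compile(r"\b(\d{8})[ -]?([A-Za-z])\b")


def valid_dni(number: str, letter: str) -> bool:
    """A DNI is valid when its letter equals DNI_LETTERS[number % 23]."""
    return DNI_LETTERS[int(number) % 23] == letter.upper()


def find_dnis(text: str) -> list:
    """Return the validated DNIs in text; the check letter filters out false positives."""
    return [num + let.upper() for num, let in DNI_RE.findall(text) if valid_dni(num, let)]


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> decoded text


def inspect_mail(mail: OutboundMail, internal_domain: str, threshold: int = 10):
    """Return an alert dict when an internal sender sends more than `threshold`
    distinct DNIs to at least one external recipient, otherwise None."""
    suffix = "@" + internal_domain.lower()
    if not mail.sender.lower().endswith(suffix):
        return None                                   # rule covers internal senders only
    external = [r for r in mail.recipients if not r.lower().endswith(suffix)]
    if not external:
        return None                                   # internal mail: allowed by this rule
    found = set(find_dnis(mail.body))
    for content in mail.attachments.values():         # attachments count too
        found.update(find_dnis(content))
    if len(found) <= threshold:
        return None
    return {"sender": mail.sender, "external_recipients": external,
            "dni_count": len(found), "rule": "patient-ids-to-external"}


def make_dni(n: int) -> str:
    """Constructed but well-formed DNI for sample data."""
    return f"{n:08d}{DNI_LETTERS[n % 23]}"


# Constructed sample: an export of 11 patient IDs plus one mistyped ID in the body.
SAMPLE_EXPORT = "dni;name\n" + "\n".join(f"{make_dni(10000000 + i)};patient {i}"
                                         for i in range(11))
LEAK = OutboundMail("nurse@hospital.example", ["contact@external.example"],
                    "Attached the list. Also check 12345678A (typo).",
                    {"patients.csv": SAMPLE_EXPORT})
INTERNAL = OutboundMail("nurse@hospital.example", ["doctor@hospital.example"],
                        "", {"patients.csv": SAMPLE_EXPORT})

if __name__ == "__main__":
    print(inspect_mail(LEAK, "hospital.example"))        # alert with dni_count 11
    print(inspect_mail(INTERNAL, "hospital.example"))    # None
```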
E. INTRUSION DETECTION

Intrusion detection functionality is embedded in NAC solutions, as it is necessary to detect malicious activity from already authenticated devices in order to ban them from the network. We are not implementing a good security solution if we only set security measures in the perimeter and not inside the network, after authentication.

F. HONEYPOTS

A honeypot makes identifying malicious activity very simple. Any traffic that comes to a honeypot and tries to interact with it is malicious, because honeypots are systems that are not deployed to be used by legitimate users. They are false systems, usually with low security measures, to draw the attention of potential attackers.

Deploying a honeypot in the corporate network segment allows discovering malicious devices that have overcome authentication.

VIII. DATA PRIVACY LAWS

In Spain, the Organic Law on Personal Data Protection mandates protecting personal data with strict security measures. The use of wireless technology and "bring your own device" policies may violate some of these controls if security measures are not implemented properly.

Patient data is defined as high level data, and this law requires the strictest measures for this kind of data.

Article 91 of Royal Decree 1720/2007, which develops the LOPD law, establishes that users should only have access to the information that they are allowed to access. This requirement enforces the segregation of networks that we have talked about in this paper.

Another requirement, in article 92, says: "The extraction of media and documents containing personal data, including those covered and/or attached to an e-mail, outside of the premises under the control of the organization must be authorized by the organization explicitly or they should be duly authorized in the security document". This requirement asks for the use of data loss prevention mechanisms implemented in networks where mobile devices are connected, in order to discover this transfer of data outside the organization.

This article also says: "When the documentation is moved from one location to another, the organization shall take the necessary security measures to prevent theft, loss or unauthorized access to information during transport". Encryption mechanisms and tools are needed to prevent access to patient data if any device that stores it is stolen. As described previously, endpoint security solutions implement controls such as remote deletion and GPS localization that could be used after an incident of this type.

Article 93 says: "The organization is responsible for establishing a mechanism for uniquely identifying any user who tries to access the information system and it is responsible for the verification that he/she is authorized". Any device or system that does not require a unique username and password to access patient data is not allowed by this law. NAC systems should verify this point when allowing mobile devices to connect to the network or to resources that store personally identifiable information.

Also in article 93 it is said that "When the authentication mechanism is based on the existence of passwords there should exist a procedure for the allocation, distribution and storage to ensure their confidentiality and integrity". How can the organization assure the confidentiality and integrity of passwords when using mobile devices not owned by the company? It is needed that each user is authenticated in the network using a username and a password, independently of the mobile device that they are using.

These are some LOPD requirements that, if not implemented, may represent high fines for offenders. Any new technology that affects personally identifiable information, and patient data especially, should be planned with care and with the existing legislation in mind.

IX. CONCLUSIONS

We have reviewed lots of security measures that can be implemented in order to protect the critical assets, such as patient data, in a healthcare environment.

First of all, as required by the Spanish personal data privacy law (LOPD), the organization should define roles for the personnel to access patient data: who can access what data, how and why.

The key to choosing the most efficient and effective measures is to perform a risk assessment that will show us which are the most important risks to be controlled.

Then it is important to elaborate a corporate mobile policy that defines how the organization and the personnel should act when accessing organizational information.

Based on the risk assessment and on the study of the business necessities, engineers should choose the controls that should be implemented.

This way, the new threats that healthcare organizations face due to this new mobile world will be controlled.

X. REFERENCES

Cisco Systems' annual Visual Networking Index Forecast
http://www.idc.com/getdoc.jsp?containerId=prUS22871611
http://administracionelectronica.gob.es/?_nfpb=true&_pageLabel=PAE_PG_CTT_General&langPae=es&iniciativa=184
http://www.informationweek.com/whitepaper/Business_and_Careers/wp901652?articleID=901652
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
http://mobileenterprise.edgl.com/white-papers/Data-Loss-Prevention-Whitepaper--When-Mobile-Device-Management-Alone-Isn-t-Enough-76435
Managing mobile security: How are we doing? By Alan Goode, Managing Director, Goode Intelligence
http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
http://en.wikipedia.org/wiki/Data_loss_prevention_software
http://www.infoworld.com/d/security-central/intrusion-detection-honeypots-simplify-network-security-165?page=0,0
http://noticias.juridicas.com/base_datos/Admin/rd1720-2007.html