Wireless Data Protection and Encryption
The "open air" nature of wireless radio signals poses challenges for securing
wireless computer networks. Wireless radio signals broadcast through the air and
are naturally easier to intercept. Signals from most wireless LANs pass through
exterior walls and into nearby streets or parking lots. Strong encryption and
wireless security are absolutely necessary to protect patient data.
Compulink requires the following safeguards for implementing wireless security:
1. Change default administrator passwords and usernames (if allowed)
At the core of your wireless network
is the access point or router. Hackers can discover the initial default
settings of your device via the Internet. Change the administrator password
immediately after installing the access point or router.
2. Turn on WPA encryption and implement a VPN
Encryption is a means of protecting transmitted data from being read by anyone
but the intended recipient. WEP is not a secure protocol and has proven to have
many flaws. Only implement wireless equipment that supports the Wi-Fi Protected
Access (WPA) encryption technology or stronger. Wireless LAN users access the
network just as remote dial-in or Internet users would. Access points and
routers without VPN capabilities are viewed as a security risk. A hacker with an
IEEE 802.11b network interface card who is within transmission range can connect
to and access the wireless network. Place the access point behind the firewall,
and require wireless clients to authenticate to the VPN or firewall using
third-party software or hardware. Using L2TP VPN tunneling with IPSec encryption
and authentication (see the Encryption page for more details) adds another layer
of encryption to secure the data. Hackers can easily gain access to data
traversing unsecured access points, but data secured by a firewall and VPN is
harder to decrypt, which adds another layer of protection for patient data.
3. Change the default network name
Known as the Service Set Identifier (SSID),
the name of the wireless local area network (WLAN) must be the same for all your
network’s wireless devices for them to communicate with each other.
Manufacturers of access points and routers normally ship their products with the
same SSID set. While knowing just the SSID does not enable anyone to break into
your network, a default SSID is a sign of a poorly configured network, which
is easy prey for hackers. When configuring your WLAN, change the default
SSID as soon as possible.
4. Activate address filtering
Every piece of wireless hardware
possesses a unique identifier called a Media Access Control (MAC) address.
Access points and routers keep track of the MAC addresses of all wireless
devices that connect to them. Your device should be configured to allow only MAC
addresses that have been registered with the wireless access point or router.
You can usually locate the MAC address of your network card on the device
itself.
5. Disable SSID broadcast
In wireless networking, the access
point or router typically broadcasts the Service Set Identifier (SSID) over the
air at regular intervals. This feature of Wi-Fi network protocols is intended to
allow clients to dynamically discover and roam between WLANs. After the
implementation of your WLAN, this feature is unnecessary and makes your network
more accessible to hackers.
6. Assign static Internet Protocol addresses to devices
Potential attackers of your network can easily obtain valid Internet Protocol
(IP) addresses from your network's Dynamic Host Configuration Protocol (DHCP)
server. To remedy this, disable DHCP on the router or access point and set a
fixed IP address range.
7. Refrain from using the default IP subnet
Many routers and access points use
the default IP subnet (e.g. 192.168.1.1 and 192.168.0.1). Change the IP subnet
on your device during initial installation.
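As an added example (not Compulink's own tooling), the seven safeguards above can be checked against an exported access point configuration with a short Python script. The configuration field names, the lists of default passwords and SSIDs, and both sample configurations are assumptions constructed for illustration.

```python
import ipaddress

# Illustrative values (assumptions): extend with the defaults of your own hardware.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
# The two default router addresses named in safeguard 7, as /24 subnets.
DEFAULT_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]
ACCEPTED_ENCRYPTION = {"WPA", "WPA2", "WPA3"}  # WEP and open networks are rejected

def audit_access_point(cfg):
    """Return {safeguard_number: finding} for each safeguard the config fails."""
    findings = {}
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        findings[1] = "administrator password is still a default"
    if cfg["encryption"].upper() not in ACCEPTED_ENCRYPTION:
        findings[2] = f"encryption {cfg['encryption']!r} is weaker than WPA"
    elif not cfg["vpn_required"]:
        findings[2] = "wireless clients can reach the LAN without the VPN"
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings[3] = "SSID is a manufacturer default"
    if not (cfg["mac_filter_enabled"] and cfg["allowed_macs"]):
        findings[4] = "MAC address filtering is off or has no registered devices"
    if cfg["ssid_broadcast"]:
        findings[5] = "SSID broadcast is enabled"
    if cfg["dhcp_enabled"]:
        findings[6] = "DHCP is handing out addresses"
    lan_ip = ipaddress.ip_address(cfg["lan_ip"])
    if any(lan_ip in net for net in DEFAULT_SUBNETS):
        findings[7] = f"LAN address {lan_ip} is in a default subnet"
    return findings

# Constructed sample configurations (not taken from any real device).
FACTORY_FRESH = {
    "admin_password": "admin", "encryption": "WEP", "vpn_required": False,
    "ssid": "linksys", "mac_filter_enabled": False, "allowed_macs": [],
    "ssid_broadcast": True, "dhcp_enabled": True, "lan_ip": "192.168.1.1",
}
HARDENED = {
    "admin_password": "k7#Long-Unique-Passphrase", "encryption": "WPA2",
    "vpn_required": True, "ssid": "clinic-floor2",
    "mac_filter_enabled": True, "allowed_macs": ["00:11:22:33:44:55"],
    "ssid_broadcast": False, "dhcp_enabled": False, "lan_ip": "10.37.12.1",
}

if __name__ == "__main__":
    for name, cfg in (("factory-fresh", FACTORY_FRESH), ("hardened", HARDENED)):
        print(name, audit_access_point(cfg) or "PASS")
```

Each finding is keyed by the safeguard number it violates, so the output maps directly back to the list above.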