Security fears nix cancer center wireless plan
- 30 August, 2001 08:21
The MD Anderson Cancer Center in Houston last week abruptly put on hold an 18-month effort to provide wireless LAN access to 11,000 users on its five-building campus, citing security concerns.
Ernest Teves, research and development director at the facility, said research has shown "it is so easy to crack" the Wired Equivalent Protocol (WEP), the built-in security of industry-standard 802.11b wireless LANs. Speaking here at a Delphi Group wireless conference yesterday, Teves said that as a result of that research -- some of which was conducted by a student at Rice University, located just five minutes from the center -- he decided to put the ambitious wireless LAN project on hold.
Teves said he doesn't believe WEP will meet the stringent security requirements of the federal Health Insurance Portability and Accountability Act (HIPAA). He said he has asked Cisco Systems Inc. in San Jose, which has already performed an extensive site survey of the MD Anderson campus, to help beef up security.
Additional security measures, Teves said, could throttle down real throughput on the wireless LAN from 7M bit/sec to 4M bit/sec. If that's true, Teves said, the wireless LAN installation could be stalled until manufacturers release products that provide 54M bit/sec raw throughput in the 2.4-GHz frequency band, an industry standard known as 802.11g.
John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said security concerns about wireless LANs and WEP are justified because of the vulnerability of the over-the-air interface.
"Our basic advice to clients is to treat wireless like the Internet, not like a LAN. Encrypt the data you send over it. Firewall your connection to it. Essentially, run a [virtual private network] or [Secure Sockets Layer] over all connections over WLANs until second-generation standards are stable," which will probably be in the first quarter of 2003, he said.
C. Brian Grimm, a spokesman for the Wireless Ethernet Compatibility Alliance (WECA) in Mountain View, Calif., said that since HIPAA requires end-to-end security, running a VPN would satisfy any concerns a health care provider would have about WEP.
Phil Belanger, marketing director for WECA, said the industry group also recommends additional security measures, such as a VPN.