Addressing Public Wi-Fi Security Risks

A Strategy for Mitigating Wireless Risks

By , November 30, 2010.
Addressing Public Wi-Fi Security Risks

W

See Also: POS Security Essentials: How to Prevent Payment Card Breaches

hen Southwest Washington Medical Center in Vancouver, Wash., introduced free wireless Internet access for patients and guests, it used a "defense-in-depth" strategy to address security issues, says Christopher Paidhrin, IT security compliance officer.

"Wi-Fi represents a low barrier for a knowledgeable attacker who wants to directly access a local area network," he says. "Wi-Fi can be a launch pad for targeted attacks. And most local network security controls are designed to address on-the-wire activity."

In an interview (transcript below), Paidhrin warns other healthcare organizations that "a poorly configured Wi-Fi security posture is an invitation to attack and abuse."

In describing the hospital's wireless risk management strategy, the security officer:

  • Describes the hospital's use of web proxy filtering to monitor traffic for appropriate use;
  • Explains why the organization gives Wi-Fi users a detailed agreement to set expectations, "which goes a long way toward avoiding conflicts with our patients and visitors;"
  • Outlines how the hospital uses advanced switching and routing equipment to segment public and private traffic over its high-speed fiber cable network backbone;
  • Pinpoints other security technologies that are part of the "defense-in-depth" strategy.

Before joining the 340-bed hospital, Paidhrin worked for many years in IT and business operations in higher education, the private sector and entrepreneurial environments, where he held numerous director-level positions.

HOWARD ANDERSON: First, tell us a bit about your hospital

CHRISTOPHER PAIDHRIN: We have 340 beds and we are licensed to increase that number by at least another 80 in the next year. We have internally about 60 physicians, and we are expecting that to increase to 100 in 2011. We participate in a regional network of providers who are not our employees; that number includes 3,600 medical staff and at least another 600 external physicians. Inside the hospital we have 3,200 employees.

Free Wi-Fi

ANDERSON: We want to talk to you today about the security issues involved in offering Wi-Fi services to patients and visitors. Why did you decide to offer it?

PAIDHRIN: To meet a growing request for free and public access for our patients, visitors and guests. So with a modest infrastructure investment and continuing expense, we decided that the value to our customers, patients, visitors and guests was very high, and it was important to them to remain connected either to their e-mail or to their family and friends while they were visiting us or staying here at Southwest.

Wireless Security Risks

ANDERSON: What did you perceive to be the key security risks involved in offering this service, and how did you go about addressing those?

PAIDHRIN: Wi-Fi represents a low barrier for a knowledgeable attacker who wants to directly access a local network. Whatever the attacker's motivation or objective, the wireless method represents the most exposed access path to any network. So unless you have an unmanaged live data port that you could plug right into your network, the wireless network represents the greatest risk. So when they are using Wi-Fi to attack us, it's like a launch pad for targeted attacks, and most local network security controls are designed to address on-the-wire activity. A poorly configured Wi-Fi security posture is an invitation to attack, so we address this with several barriers and protections between our public and our private wireless network.

Monitoring Wireless Use

ANDERSON: Describe your use of web-proxy filtering, how it works and what it accomplishes.

PAIDHRIN: Southwest uses three systems to filter Internet usage. We use a Microsoft ISA server farm -- Internet security acceleration servers. It's a cluster for two purposes, to firewall and to proxy our public Wi-Fi. More simply, the ISA servers screen packets at the circuit level and application level, and that operates like a firewall. Then it also filters for content and appropriate use, and that is the proxy filtering portion. So we set up rules on these ISA servers to limit the kinds of traffic, where it is coming from and going to, and then monitor levels of use as well, and anything that falls outside of our acceptable standards gets flagged and alerts go out. So we're very pleased with our ability to monitor and secure our public Wi-Fi.

Wireless Use Agreement

ANDERSON: Describe why you wrote a detailed web use agreement for individuals to sign before they use your Wi-Fi network.

Follow Howard Anderson on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Industry News: BAE Systems Launches New Service

Leading this week's industry news roundup, BAE Systems launches a corporate security analysis...

Latest Tweets and Mentions

ARTICLE Industry News: BAE Systems Launches New Service

Leading this week's industry news roundup, BAE Systems launches a corporate security analysis...

The ISMG Network