Healthcare
Industry Solutions
Although the pending HIPAA legislation has not yet tackled the issue of wireless LANs, it is prudent to consider what impact may be forthcoming. Due to the unique architectural issues that make them vulnerable to attack, wireless LANs have become the most vulnerable point of intrusion in the entire infrastructure. Especially in densely populated urban settings or in college campus environments where hackers are likely to reside, wireless security must be one of the highest security priorities.
Healthcare data is extremely valuable to a malicious hacker. It contains all of the demographic information necessary to steal a person's identity: name, address, date of birth, social security number and more. It also contains sensitive information that can be harmful if released to the public.
The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS, formerly HCFA) drafted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to provide security guidelines for the handling and exchange of this valuable and sensitive patient data. Although some components of the HIPAA regulations are in effect, the security rules are still in draft form. Nonetheless, many CIOs have begun to prepare for the potential impact that would occur when the HIPAA rules for security (specifically, Security and Electronic Signature) are completed. The current draft outlines administrative and physical safeguards, technical security services and mechanisms, and electronic signature standards for healthcare information that travels over "open" networks. Because wireless networks transmit information through the airwaves, it should be assumed that wireless security would fall under the Security Mechanisms requirements:
"Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communications points."
Motorola helps healthcare organizations address the requirements described in section 142.308 of the HIPAA draft standard, as they relate to wireless LANs, by:
Security Management and Certification
Motorola AirDefense continually monitors the airwaves throughout the enterprise for internal security violations including rogue access points and stations, ad hoc networks, improper configurations and accidental associations. AirDefense provides a continuous review of security policy and vulnerability assessment.
Security Configuration Management
AirDefense monitors access points to provide real-time equipment inventory and verify that additions or changes to the network do not violate configuration policy.
Incident Reporting Procedures
AirDefense immediately detects intruders and alerts security managers of malicious acts, such as NetStumbler scans, spoofed MAC addresses, and “man-in-the-middle” hacking attempts. The alarm can be routed to an email address, pager, or cell phone. Response to the event is logged to track the timeliness and outcome of the event resolution.
AirDefense provides the tools a healthcare organization needs to ensure that the wireless network is secure from unauthorized rogue access points or ad hoc networks, configuration errors or malicious attempts to gain access by exploiting weaknesses in wireless LAN security. AirDefense provides constant enforcement of security policies and immediate notification of violations, along with the information needed to address issues in a timely and effective manner.