Sidewinder issues a warning about Wi-Fi
Hospitals and other healthcare facilities can be a challenging environment for wireless deployment. Now there is an added security dimension – Russians armed with graphics cards. Davey Winder says constantly changing threats require constant vigilance.
Forget the next big thing; wireless networking is the current big thing as far as many NHS trusts are concerned. It is forming a core component of their IT strategy, transforming clinical care through the introduction of true mobility for patient services.
Take the Royal Brompton and Harefield NHS Trust, for example. It has just announced the implementation of a wireless local area network (WLAN) to provide “paper-light” access to clinical, managerial and administrative records across its two hospitals, 20 miles apart, by 2010.
Mobile Clinical Assistants
There is little doubt that being able to deliver sensitive data, such as x-ray images, patient monitoring information, pathology results and cardiovascular imaging, between departments and to bedsides with resilience and speed is a great advance for modern healthcare.
“A determined hacker can now enter the super-parallel computing world on a budget.”
Staff equipped with Mobile Clinical Assistants can record medical information directly from a patient wristband and send it to a central database wirelessly, improving efficiency and safety.
Graham Everson, director of IT and telecommunications at Royal Brompton and Harefield says: “Wireless technology perfectly supports the core clinical functions of a hospital, and thus forms the bedrock of our IT strategy. Most importantly, it is an enabler – on top of it, you can build layers of device and functionality to make day to day operations more dynamic and flexible, reducing patient risk in the process.”
Security standards
Of course, security standards must be taken into consideration. Everson stresses that they have been at Royal Brompton and Harefield. “We remain fully compliant with Department of Health security standards,” he says.
However, some IT managers are not as clued up on Wi-Fi security; although potential hackers most certainly are. Take the worrying news that has just broken regarding the Russian “password recovery” specialist ElcomSoft.
It has announced a patent pending technology that, on some accounts, could dump Wi-Fi into the same category as the Betamax video recorder, the cassette tape and the DeLorean DMC-12 “Back to the Future” car – all dead ducks in technology terms.
The Russian Factor
What ElcomSoft has managed to achieve is a method of accelerating the brute force cracking of Wi-Fi encryption methods using a PC with a readily obtainable, although admittedly high end, Nvidia graphics card.
“Wireless security, like all security, is not a design-and-forget issue.”
I am not talking about the “already as good as useless” WEP encryption that can be broken by anyone with a will so to do; but the accepted Wi-Fi security standards known as WPA and WPA2 encryption.
ElcomSoft say that their technique utilises the power of the Nvidia GPU along with the PC CPU to break Wi-Fi encryption up to 100 times faster. The point being that a determined hacker can now enter the super-parallel computing world on a budget.
A PC equipped with a reasonably priced GeForce GTX280 graphics card can process hundreds of billions of fixed-point calculations every second. It is possible to stiff two of these cards into a single PC, each with 1GB of onboard memory, and let these work together to quickly crack those encryption passwords.
Is Wi-Fi a dead duck?
So is Wi-Fi a dead duck? Fortunately, the answer is no; even though many security experts are naturally concerned about the potential impact of the ElcomSoft technology.
The emerging view seems to be that you should follow best practice and not rely simply on Wi-Fi encryption to protect data. Instead, those with Wi-Fi need to be looking at implementing virtual private network (VPN) encryption systems alongside, to truly protect their networks. The use of dedicated wireless security systems to perform continual audits of all traffic and devices, together with network access control technology to prevent unauthorised access, is also recommended.
And all this brings us back to one of our ever-present mantras: wireless security, like all security, is not a design-and-forget issue. By introducing VPN clients into the mix, you can create an extra tunnel of encryption; but ill-intentioned modern highwaymen will always be out there, trying to crack the system. There’s no alternative to constant vigilance.
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.