Sidewinder on Radio Frequency Identification (RFID)

 Sidewinder

Radio Frequency Identification (RFID) has had supply-chain professionals salivating for some time – and now healthcare analysts are spotting clever applications for this technology. But what exactly is RFID? And what are its security applications? In the latest of his regular columns, Davey Winder investigates…

Most pundits agree that Radio Frequency Identification (RFID) is an exciting technology for the NHS. They think it has the potential to allow trusts to manage information streams in core business functions, such as asset and patient tracking.

Tim Young, director at Netezza, argues that in the future, trusts’ success “will strongly rely on how quickly and easily they can harness [this] data to make intelligent decisions.” But he also warns that the huge volume of data RFID can create could turn it “into something of a Frankenstein monster.” And, needless to say, there are a few security issues to consider as well. 

 

RFID in a nutshell

First things first, though. What is RFID? Simply put, it is an asset tracking technology that relies on remotely storing and retrieving data that is held on tags via radio waves. The tags can be attached to or incorporated into products, containers, animals or people and then used to identify them. Think of it as bar coding with brains.

There are two main types of RFID, and they’re called passive and active. “Active tags are powered and transmit a radio signal to a receiver,” explains Craig Backham, business development manager at Intermec, a company manufacturing RFID equipment. “Passive tags have no power, but utilize the energy from the reader signal. As such, active tags have a much greater reading distance than passive ones; but, conversely, they are more expensive and difficult to maintain.”

 

What can the NHS do with RFID?

Antti Korhonen, president and CEO of healthcare solutions specialist Ekahau, has no doubt that RFID has the potential to increase safety and security in the NHS.

“Personnel serving in high-crime areas can wear personal alarm devices that can be activated when they feel threatened,” he says. “The alarm not only dispatches help, but reports the location of the staffer for immediate assistance. RFID-tagged medication cabinets and carts can also be tracked and monitored to prevent unauthorized dispensing of their contents.”

Patient tracking should not be underestimated, either. As Leon Champken, a mobility solutions specialist at Alfred McAlpine IT Services, says: “In special care baby units, passive tags can be deployed that work with exciters very similar to those in a library - sounding an alarm if a baby is moved past a certain point without authorisation.”

 

Keeping track of security issues

It is very easy, then, to fall into the trap of seeing RFID as something of a security panacea; but this is not a mistake the savvy IT manager should make. There are plenty of potential potholes to trip you up if you are not careful. Andy Green, CISSP security solutions specialist at Alfred McAlpine, lists all the best practice questions that you should be asking: 

  • Can the RFID system be used as an entry point to the network, bypassing more traditional perimeter security?
  • Is the radio signal encrypted and, if so, using what algorithm? 
  • Are the tags tamper-proof, so that if they are stolen they can’t be reverse engineered and the encryption keys and/or algorithm determined? 
  • What is the range of the tag? That will determine who else can pick up the signal.
  • Can spurious data be inserted into the data stream to compromise the integrity of the system?

Once the system is tracking assets or patients, where is the data stored? At this point all the traditional database security issues arise, such as access control, authentication, Data Protection Act implications, hard disk encryption, physical security, and so on.

How is the traffic from the readers sent to the database? Can it be eavesdropped via a man-in-the-middle attack?

If the system crashed – for example as the result of a denial of service attack - what would be the implications?

RFID makes some patient data electronic, making it easier to share. Therefore a security policy needs to be defined and, possibly, a data classification system created, to make sure that only those with the appropriate privilege level can access sensitive data.

Costs and benefits

The IT manager has to carefully balance the advantages and deficits of any new technology. These include the capital cost for both purchase and implementation, the total life cycle cost and staff training. RFID has much to recommend it, especially in the NHS where resource management is a big part of daily life.

But forget about the security implications and RFID can quickly come to stand for a Really Foolish IT Decision… (that’s enough acronyms - Ed)



About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.

