Wireless Compliance

Locking down wireless LANs (WLANs) is hard enough for network managers, but regulatory compliance makes wireless security a dicey issue for CIOs.

That’s because making enterprise applications and data available to mobile and wireless users is becoming a strategic initiative in an increasing number of enterprises. Such applications range from making e-mail available in real time via BlackBerry devices to more complex applications, such as nurses wheeling wireless laptops into hospital patient rooms to record healthcare data on the spot.

However, wireless and mobile applications also open up a beehive of security concerns that didn’t arise with traditional networks. These concerns could not only compromise enterprise data but also threaten compliance with regulations like HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley and Gramm-Leach-Bliley.

“From a strategic point of view, wireless brings many rewards to an organization,” said Jon Ramsey, vice president of Internet Security Services for SecureWorks, an Atlanta IT security firm. “So a CIO has to understand both the level of reward for wireless and the level of risk and make decisions to mitigate that risk.”

“If CIOs aren’t worried about wireless security, it will never filter its way down,” added Mark Rasch, a senior vice president and chief security counsel for Solutionary, a vendor that provides security consulting and services.

Multiplying Risks

Wireless transmission is inherently less secure than standard wired network transmissions because it involves data flying through the air where it is easier to intercept. As a result, enterprises have been wrestling with WLAN security since the technology first emerged several years ago.

Solid, standardized security solutions, such as equipment that supports the recently approved 802.11i standard, are just now becoming available. But that doesn’t mean that enterprise wireless networks are uniformly secured.

“We’ve seen cases where a doctor will run to the store and install a wireless router in his office just so he can have wireless access,” said Wayne Haber, also a vice president for SecureWorks. “That opens up the hospital’s entire network.” Haber recalled one case in which somebody walked into a hospital and surreptitiously installed a wireless access point and gained access to the network.

Both cases, of course, threaten protected health information (PHI) as specified by HIPAA. Superficially, these sorts of security breaches might seem like an opportunity to apply best practices, but cases such as these suggest that best practices may not be enough.