April 2003 Bulletin

By Ian J. Alexander, MD

The adoption of technology that connects computing devices by wireless local area networks (WLANs) has absolutely exploded in the past 12 months. This phenomenon has come about for a number of reasons. These include drastic reductions in the cost of wireless networking equipment, acceptance of industry standards that enable interoperability of devices from different manufacturers, the advent of multiple-computer homes with a single high-speed access line and, in businesses, the efficiencies realized with truly mobile computing.

However, the convenience of WLANs comes with risk. Wireless networks are more susceptible to unauthorized access than the customary wired network. It is not only prudent–but also mandatory under HIPAA–that you understand the risks and take the simple measures necessary to secure your office’s information system.

WLANs utilize radio signals to transmit data between computing devices, whether a mainframe server computer, a desktop personal computer (PC) or a computer that slips into your pocket. The risk comes in the ability of individuals outside your organization to intercept these radio signals and connect their computer(s) into your network, possibly putting your data, in particular patient information, at risk. These intruders are aided significantly by your failure to take relatively simple countermeasures.

If you are considering a WLAN in your office, you or your information technology (IT) support staff should review the following:

1. Every WLAN system comes with built-in protection called WEP (wired equivalent privacy). Out of the box, this system is disabled and needs to be turned on. Once the WLAN is activated, replace the manufacturer’s default password with one of your own. To gain added protection, frequently change the system’s key (password). The most secure systems have what is called a dynamic key that changes the code automatically every five minutes but these systems are considerably more expensive.
2. Your wireless system– if 802.11–will have a service set identifier (SSID), which makes it easier for the wireless unit to locate the access point (antenna on your network). If the SSID advertisement is turned off it will effectively close the wireless network to hackers. Your technical support person will likely have to help with this.
3. Turn off the dynamic host control protocol (DHCP) on all wireless access points. DHCP automatically hands out an Internet address to a requesting computer regardless of identity. Manually setting up Internet provider (IP) addresses on each wireless device is a safer practice.
4. Move access points away from the periphery of your office space, particularly windows and doors.
5. If your system supports medium access control (MAC), use it. This will effectively block hackers with radios not enabled for your system with the unique MAC.
6. Use good general network security practices with password protection to limit sharing of files and folders with sensitive information.
7. For maximum security, ask your IT professional about setting up a virtual private network (VPN) to pass through your wireless network.

Given the mobile nature of our work as orthopaedic surgeons, trying to document care on desktop PCs–with a keyboard and mouse–significantly detracts from the productivity gains possible with IT. The mobility and ease of use possible with handheld, touch-screen computing devices with wireless connectivity will be a major factor in overcoming the reluctance of orthopaedists to take advantage of information technology in their daily care of patients. Critical in making this transition to increase efficiency will be assurances that the confidentiality of patient information is not being compromised by the use of wireless networks.

Taking simple protective measures to secure WLANs is not rocket science–just common sense. Most instances of unauthorized access to wireless networks are due to the failure of users to take time to enable security mechanisms built into virtually all commercially available products.

Further information on the basic operation of wireless LANs and WLAN security can be found on the Web site of the Wireless LAN Association at www.wlana.org.

Ian J. Alexander, MD, is an orthopaedic surgeon and president of Aristar Inc., a company that specializes in developing medical applications for mobile computing devices that utilize wireless connectivity. He can be reached at (330) 668-2267 or at ija@aristar.com.

Computer Link welcomes suggestions about future topics for the column and questions about the use of computers in orthopaedic practice. Send your suggestions to the Bulletin at AAOS, 6300 N. River Rd., Rosemont, Ill. 60018.