Information Security News mailing list archives

Security fears force cancer center to shelve wireless plan


From: InfoSec News <isn () c4i org>
Date: Thu, 30 Aug 2001 00:43:05 -0500 (CDT)

http://www.computerworld.com/storyba/0,4125,NAV47_STO63396,00.html

By BOB BREWIN 
August 29, 2001

ASPEN, COL. -- The MD Anderson Cancer Center in Houston last week
abruptly put an 18-month effort to provide wireless LAN access to
11,000 users on its five-building campus on hold due to security
concerns.
 
Ernest Teves, research and development director at the facility, said
research has shown "it is so easy to crack" the built-in security of
industry-standard 802.11b wireless LANs, the Wired Equivalent Protocol
(WEP). Speaking here at a Delphi Group wireless conference yesterday,
Teves said that as a result of that research -- some of which was
conducted by a student at Rice University, located just five minutes
from the center -- he decided to put the ambitious wireless LAN
project on hold.

Teves said he doesn't believe WEP will meet the stringent security
requirements of the federal Health Insurance Portability and
Accountability Act (HIPAA). He said he has asked Cisco Systems Inc. in
San Jose, which has already performed an extensive site survey of the
MD Anderson campus, to help beef up security.

Additional security measures, Teves said, could throttle down real
throughput on the wireless LAN from 7M bit/sec to 4M bit/sec. If
that's true, Teves said, the wireless LAN installation could be
stalled until manufacturers release products that provide 54M bit/sec
raw throughput in the 2.4-GHz frequency band, an industry standard
known as 802.11g.

John Pescatore, an analyst at Gartner Inc. in Stamford, Conn., said
security concerns about wireless LANs and WEP are justified because of
the vulnerability of the over-the-air interface.

"Our basic advice to clients is to treat wireless like the Internet,
not like a LAN. Encrypt the data you send over it. Firewall your
connection to it. Essentially, run a [virtual private network] or
[Secure Sockets Layer] over all connections over WLANs until
second-generation standards are stable," which will probably be in the
first quarter of 2003, he said.

C. Brian Grimm, a spokesman for the Wireless Ethernet Compatibility
Alliance (WECA) in Mountain View, Calif., said that since HIPAA
requires end-to-end security, running a VPN would satisfy any concerns
a health care provider would have about WEP.

Phil Belanger, marketing director for WECA, said the industry group
also recommends additional security measures, such as a VPN.



-
ISN is currently hosted by Attrition.org
