Problem: Security – Solution: Secure Socket Layer Encryption

There are 47 patient treatment rooms in the new emergency department of the Beth Israel Deaconess Medical Center in Boston, but there are only three laptops used for patient registration. That is not, however, a problem; it’s a plan.

The three laptops move easily from bed to bed, using a wireless LAN to connect to the network, saving the hospital money and helping to knock a half hour off the time it takes for most patients to check in.

In many businesses, using a wireless LAN is a no-brainer; but in a hospital, it is a major accomplishment. That’s because the wireless LAN standard 802.11b, which dictates the parameters for speed of data, access points and other technical specifications, is famous for its security holes, and hospitals are famous for their need for security. In fact, all U.S. hospitals are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that strictly protects the privacy and confidentiality of patient records.

The technology people at CareGroup Healthcare System, which manages that hospital and five others, were well aware of the security risks when they set out to deploy laptops in Beth Israel Deaconess’s ER. They had done their homework and studied reports, such as the recent warning from Stamford, Conn.-based Gartner that by the end of 2001, 30 percent of enterprises would have serious security exposures stemming directly from wireless LAN deployments.

“WEP [wired equivalent privacy], the standard security protocol for 802.11b, is not very secure,” admits John Halamka, CIO of CareGroup. “So we do three things to make it safe. First of all, we do use WEP, but we do encryption via HTTPs [adding a secure socket with an additional layer of encryption to each address], and then we register the unique address of every network card in the wireless receiver so that if you are walking by this building you can’t intercept our transmissions.”

Phillip Redman, research director at Gartner, agrees that secure socket layer encryption should do the trick. “With Web-based technology, secure socket layer encryption is a very secure way of transferring information,” he says.

At CareGroup, all network users must log in to get on the hospital’s system, and the IS group carefully monitors all traffic to weed out any lurkers.

Because of those measures, Halamka considers his wireless LAN as safe as one can be with the current state of wireless technologies.

Today, when patients are admitted, their information is logged in to a wireless laptop, and a summary of their record is instantly displayed on the ER’s whiteboard, an electronic screen that tracks every patient’s medical status, location, doctor, labs, EKGs and more. The same vital information is also available on all the computers in the ER, where it can help doctors administer the best treatment more quickly and reduce the likelihood of errors based on misinformation.