WLAN Network usage standard (12002-EN)

About this standard
This standard is intended for use in healthcare organizations and covers wireless routers, computers, laptops, VoIP devices and information systems.

It was translated into English using Google translation services.

A French version is available at: Norme sur les réseaux sans fils

Introduction

Scope

This standard applies to the use of wireless networks (WiFi) among the stakeholders of an institution's health system. Its use implies that:

  • The availability of local telecommunications services shall be ensured as required by the holder of the information assets.
  • The health community must take account of electromagnetic interference with biomedical equipment, which may affect its functioning and cause medical errors due to erroneous data (integrity).
  • The network is not intended to provide communication services (e.g. Internet access) to beneficiaries of the health network.
  • The potential of wireless networking will be realized only if full confidence in the security of the information transmitted develops and if confidentiality and the right to privacy are guaranteed.

It is important to look to the future to ensure the profitability and sustainability of the investments made in the secure management of information:

  • The standard focuses on the IEEE 802.11 standard.
  • Solutions are integrated and designed for a larger scale, in collaboration with those responsible for the security of information assets.
  • They form part of a unified and coherent vision of information management.

The principles and rules covering the governance, architecture and security aspects associated with the standard are specified here.

Simulation

The content of this document is the result of a series of workshops held at the University of Sherbrooke as part of the health informatics standards program. The workshops simulate an international standards committee in which several countries participate in the adoption of a consensus-based standard.

Contributors

  • Marc-André Léger, Chair of the standardization committee
  • Hélène Blouin, Secretary of the standardization committee
  • Elmehdi Aït Nouri, Head of the USA delegation
  • Richard Beaupré, Head of the Danish delegation
  • Ali Dufour, Head of the Canadian delegation
  • Julie Gagnon, Head of the Belgian delegation
  • Adel Ghlamallah, Head of the Argentine delegation
  • France Lauzier, Delegate of Belgium, Editor of the standard
  • Laurent Séguin, Head of the French delegation

Guidelines

The standard prescribes the establishment of a local governance committee to define the roles and responsibilities of the actors, the actions to be taken and the repertoire of alternative procedures for the security of information assets.
The committee shall be responsible for determining and documenting, with justification, all exceptions that depart from the present framework.
In addition, the committee shall be responsible for the following:

  • Awareness and training: a training plan specific to the administration and governance of the WiFi network must be developed.
  • Agencies must conduct checks and audits, periodically and as needed, to ensure compliance with the measures, practices and procedures relating to the security of information assets.
  • Agencies must produce periodic assessments of threats and of the measures in place and planned.
  • Threats that are not countered must be identified, and new security measures must then be planned.

Management mechanisms must be provided for the following:

  • incidents / accidents;
  • escalation levels;
  • operational framework;
  • contingency plan;
  • access and use policies;
  • security component;
  • architecture component;
  • establishment of the calculation rules inherent in assigning a criticality rating that categorizes the network's quality of service.

Architecture

Guidelines

The WiFi network must ensure coverage of the health facility by installing the required number of antennas and access points.
Signal power and quality must be maintained throughout the institution so that the quality of service is the same regardless of the location of the equipment and computers.
The bandwidth of the wireless network must be dictated by several factors, such as the types of applications (e.g. imaging applications versus prescribing applications), the institution's needs, costs and reliability. These criteria must be defined in each institution's governance principles.
Reliability must be ensured through redundancy, to a degree that depends on the criticality of the application (see Governance).

Rules

The WiFi network of the health facilities covered by this standard must allow access by the following devices: computers, smartphones (PDA, iPhone), tablets and all medical devices with WiFi capability.
To connect to the health facility's WiFi network, the equipment mentioned in the preceding paragraph must at least be compatible with the IEEE 802.11 standard. It is preferable that these devices also comply with IEC 60601-1-2.
Transparency and roaming (itinérance): the mechanism that determines when to roam is not specified by the IEEE 802.11 standard but is left to the vendor's implementation. The concern with roaming remains the risk of information loss, which runs counter to this standard's philosophy regarding the integrity of medical data. For this reason, this standard recommends not using roaming.

Security

Guidelines

Access points, antennas and other components of the institution's wireless network must be located within the site, out of sight and physically secured.
Establish procedures to protect the integrity of transmitted patient health information (3DES, MD5), under the governance principles.
Use an AAA protocol for access.
Enable the institution's security service to exercise tight control over all parameters that influence the security environment of the establishment.
Provide the institution's access control infrastructure based on identification (person, IP address, identification server, workstation or process) and authorization (access privileges, filtering of permitted communications, configuration of systems and software).
Make it possible to trace the origin, time, nature and course of security events, whether they relate to security administration, systems administration or application usage.
Facilitate security monitoring by optimizing access points and automating detection.
Enable business continuity in the event of adverse events by providing high system availability and contributing to the early resumption of functions and business processes.
Enable the institution to detect and prove beyond doubt fraud and errors, whether internal or external, and to build the necessary legal evidence.

Rules

Users must have a unique identifier.
Applications connecting to the network must include measures for automatic disconnection after a period of inactivity.
The certificates used for cryptographic exchanges must be changed every X months (X being established by the governance committee).
The passwords of user accounts using the network must be changed every X days (X being established by the governance committee).
Each user authentication must be strong, that is, it must use a username, a password and a physical medium such as a magnetic card or a biometric reader.
An access control list based on MAC addresses (MAC filtering) must be used.
Portable devices must ensure that clinical information is volatile and leaves no residual trace (remanence).
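The rules above, as an added compliance check (example code written for this page, not part of the standard): it audits a constructed inventory of access points and user accounts against the unique identifier, inactivity disconnection, certificate and password rotation, strong authentication and MAC filtering rules. The record schema, the X values (12 months, 90 days), the audit date and the sample data are assumptions; the MAC access list is checked for hygiene (well-formed, no duplicates) only, since MAC addresses are not an authenticating credential.

```python
import re
from datetime import date
# The standard leaves X to the governance committee; these values are assumptions.
MAX_CERT_AGE_DAYS = 365      # "changed every X months": assumed 12 months
MAX_PASSWORD_AGE_DAYS = 90   # "changed every X days": assumed 90 days
REFERENCE_DATE = date(2024, 3, 1)   # constructed audit date
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])([0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(mac):  # canonical lower-case colon form, or None if not a MAC address
    return mac.replace("-", ":").lower() if MAC_RE.match(mac) else None

def check_access_point(ap, today):
    """Certificate age, inactivity timeout and MAC access-list rules for one AP record."""
    name, issues = ap["name"], []
    cert_age = (today - ap["cert_issued"]).days
    if cert_age > MAX_CERT_AGE_DAYS:
        issues.append(f"{name}: certificate {cert_age} days old (limit {MAX_CERT_AGE_DAYS})")
    if ap["idle_timeout_s"] <= 0:
        issues.append(f"{name}: no automatic disconnection after inactivity")
    if not ap["mac_filter_enabled"]:
        issues.append(f"{name}: MAC address access list disabled")
    seen = set()
    for raw in ap["mac_allowlist"]:
        mac = normalize_mac(raw)
        if mac is None:
            issues.append(f"{name}: malformed MAC in access list {raw!r}")
        elif mac in seen:
            issues.append(f"{name}: duplicate MAC in access list {mac}")
        seen.add(mac)
    return issues

def check_users(users, today):
    """Unique identifier, password age and strong-authentication rules for user records."""
    issues, seen_ids = [], set()
    for u in users:
        if not u["id"] or u["id"] in seen_ids:
            issues.append(f"user {u['id']!r}: identifier missing or not unique")
        seen_ids.add(u["id"])
        if (today - u["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"user {u['id']}: password older than {MAX_PASSWORD_AGE_DAYS} days")
        if not u["physical_factor"]:
            issues.append(f"user {u['id']}: no physical factor (card or biometric) enrolled")
    return issues

def audit(aps, users, today):  # run every rule; an empty list means compliant
    return [i for ap in aps for i in check_access_point(ap, today)] + check_users(users, today)

# Constructed sample inventory (not real data): one access point and two user records.
SAMPLE_APS = [{"name": "ap-icu-1", "cert_issued": date(2022, 1, 1), "idle_timeout_s": 0,
               "mac_filter_enabled": True, "mac_allowlist": ["00:11:22:33:44:55", "00-11-22-33-44-55", "bad"]}]
SAMPLE_USERS = [{"id": "nurse01", "physical_factor": "badge", "password_changed": date(2023, 10, 1)},
                {"id": "nurse01", "physical_factor": None, "password_changed": date(2024, 2, 1)}]
```

Running `audit(SAMPLE_APS, SAMPLE_USERS, REFERENCE_DATE)` on the sample reports seven violations: an expired certificate, a missing inactivity timeout, a duplicate and a malformed MAC entry, a stale password, a duplicated identifier and a missing physical factor.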

Glossary

MAC address: a MAC (Media Access Control) address is a physical identifier stored in a network adapter or similar network interface and used to assign a globally unique address at the link layer (layer 2 of the OSI model). It is the lower part of that layer (the Media Access Control sub-layer) that inserts and processes these addresses in transmitted frames.

Governance: information technology governance (IT governance) is a mechanism for regulating and optimizing the management of an organization's information systems.

Roaming (itinérance): as defined by the standards for GSM or CDMA mobile networks (ETSI, 3GPP, 3GPP2), roaming (itinérance in French) describes the ability to make or receive calls regardless of location.

AAA protocol: in computer security, AAA is a protocol that performs three functions: authentication, authorization and accounting (or auditing, i.e. traceability).

WiFi: WiFi (or Wi-Fi) is a technology for wirelessly connecting multiple devices (PC, router, Internet box, etc.) within a computer network. It is governed by the IEEE 802.11 group of standards (ISO/IEC 8802-11).

WLAN: a wireless network is a computer or digital network that connects different stations or systems using radio waves. It may be connected to a telecommunications network to provide interconnections between nodes.


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial 3.0 License