Femtocells in healthcare: Look at HIPAA risks before you leap

Using femtocells to backhaul 3G smartphone traffic over your Internet connection in weak-signal zones is enticing. The devices need to be secured against HIPAA risks first, though.

It's not uncommon to hear hospital employees complain about poor signal reception on personal and work-issued mobile devices in some areas of a hospital. IT can add Wi-Fi access points, but Wi-Fi does not meet every voice and data need of every smart device. Some organizations install 3G repeaters or access points to extend the reach of the cell phone towers and provide coverage in areas that were previously blind spots.

Another type of network extender, called a femtocell (think "mini cell tower"), backhauls 3G traffic over an Internet connection to the cellular provider's network. These devices can be plugged into any Internet-connected private or public network and provide cellular coverage to phones with no configuration on the phone: a handset in range attaches automatically, just as it would to a macro cell tower, so the user sees nothing. Smartphones typically connect to a femtocell within about 15 feet and stay connected within a 40-foot radius.

Femtocells are supported by three of the four U.S. cellular carriers and are popular with rural consumers and small businesses where 3G signals are weak. Their growth potential is in business settings, and organizations across the globe, regardless of location, are driving a significant increase in femtocell adoption.


Small physician offices and medical groups might be tempted to deploy a series of femtocells to solve signal problems in their buildings, but the devices carry security risks that could lead to data breaches reportable under HIPAA. To limit that risk, femtocells must be maintained like any other network device: their traffic controlled and monitored, and their firmware kept up to date.

Black Hat's dramatic femtocell hack

Femtocell devices offer real value to smartphone users in both residential and business environments because they provide seamless coverage in blind spots and higher data speeds. They're cost-effective and easy to set up, but they also represent a substantial security risk. At the recent Black Hat 2013 information security conference, it became clear that vulnerabilities in these devices are a serious problem for IT.

During a demonstration at the conference, researchers from security consulting firm iSEC Partners exploited a vulnerability in a Verizon femtocell to take control of the device itself. Because nearby Verizon smartphones attached to the compromised femtocell automatically, without their owners' knowledge, the researchers were able to do the following:

  • Record full conversations of calls made by any device attached to the femtocell.
  • Read the phone's Web traffic, including passwords, URLs and data exchanged, wherever it was sent in the clear (the air-link encryption ends at the femtocell, so anything the application does not encrypt end to end, as HTTPS does, is readable there).
  • Read all Short Message Service text messages exchanged.
  • Capture images shared or sent via the smartphone.

Advice for healthcare femtocell applications

The iSEC Partners demonstration showed the danger femtocells can pose to their users. Verizon patched the particular vulnerability shown at Black Hat, but the iSEC researchers cautioned that other femtocells may have similar vulnerabilities that could be exploited in the future, jeopardizing the privacy and security of every smartphone user in range.

Healthcare-deployed femtocells should be owned by data security staff who track vendor security patches and ensure the firmware stays current. In most cases these devices can receive automatic updates; confirm that the feature is enabled rather than assuming it. Most femtocells also offer an access list of approved subscriber numbers, which can keep non-employees from using the device. Note what that list does and does not do: it controls who may use your femtocell, but it offers no protection against a rogue femtocell that an attacker controls.

Rogue femtocells are a far larger concern. One could be brought in by an intruder, or a hospital-owned device could be tampered with by an intruder. Because a femtocell can be plugged into any network port and phones attach to it automatically, a rogue device could become a HIPAA disaster if it captures hospital user and patient information. Before a healthcare provider deploys femtocells, it should be able to detect every femtocell operating within its premises, verify that staff smartphones attach only to approved devices and not to a compromised one, and place the approved devices on their own network segment whose outbound traffic is restricted to the carrier's gateway, so that a femtocell cannot reach the hospital's internal systems and any unexpected traffic from it stands out.
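The monitoring described above (controlling a femtocell's traffic, and spotting a rogue one) can be reduced to a small set of firewall-log checks. The following is an added example written for this page, not code from the article's author or from any femtocell vendor. It assumes a hypothetical inventory: the approved femtocells sit on their own VLAN (10.50.1.0/24), the carrier's IPsec security gateway is 203.0.113.10, and the firewall writes one key=value line per flow. A femtocell's legitimate backhaul is an IPsec tunnel (IKE on UDP/500 or UDP/4500 plus ESP) to that gateway, so anything else leaving the femtocell segment, anything entering it from a non-carrier host, and any unmanaged host opening an IPsec tunnel is flagged. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical inventory (assumed for this example, not from the article).
# Approved femtocells live on their own VLAN; the only thing they should talk
# to is the carrier's IPsec security gateway (a documentation-range address).
APPROVED_FEMTOCELLS = {"10.50.1.10", "10.50.1.11"}
CARRIER_GATEWAYS = {"203.0.113.10"}
# IKE (UDP/500), IKE NAT traversal (UDP/4500) and ESP are what a femtocell's
# backhaul tunnel looks like on the wire.
IPSEC_PORTS = {500, 4500}

# Assumed firewall log format, one flow per line (constructed for the example):
#   <timestamp> action=<allow|deny> src=<ip> dst=<ip> proto=<udp|tcp|esp> [dport=<n>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?"
)


@dataclass
class Flow:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dport = m.group("dport")
    return Flow(m.group("ts"), m.group("action"), m.group("src"), m.group("dst"),
                m.group("proto").lower(), int(dport) if dport else None)


def looks_like_ipsec(f: Flow) -> bool:
    """True for IKE or ESP, i.e. the shape of a femtocell-to-carrier tunnel."""
    return f.proto == "esp" or (f.proto == "udp" and f.dport in IPSEC_PORTS)


def classify(f: Flow) -> Optional[str]:
    """Return a finding for a suspicious flow, or None if the flow is expected."""
    if f.src in APPROVED_FEMTOCELLS:
        # Approved femtocell: only the IPsec backhaul to the carrier is expected.
        if f.dst in CARRIER_GATEWAYS and looks_like_ipsec(f):
            return None
        return (f"{f.ts} unexpected egress from femtocell {f.src} to {f.dst} "
                f"({f.proto}/{f.dport})")
    if f.dst in APPROVED_FEMTOCELLS:
        # Nothing but the carrier should be talking to a femtocell.
        if f.src in CARRIER_GATEWAYS:
            return None
        return f"{f.ts} inbound to femtocell {f.dst} from non-carrier host {f.src}"
    if looks_like_ipsec(f):
        # An IPsec tunnel from a host that is not in the femtocell inventory is a
        # lead for a rogue femtocell. Known VPN clients will also match; exclude
        # their concentrators from this check when tuning it.
        return f"{f.ts} possible rogue femtocell: {f.src} opening IPsec to {f.dst}"
    return None


def audit(lines: Iterable[str]) -> List[str]:
    """Run every parseable line through classify() and collect the findings."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue  # unparseable line; a real deployment would count these
        finding = classify(flow)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: two normal backhaul flows, a femtocell reaching an
# internal file server, an internal host probing a femtocell, an unmanaged host
# building an IPsec tunnel, ordinary HTTPS from a PC, and one garbage line.
CONSTRUCTED_LOG = [
    "2013-08-12T10:01:02Z action=allow src=10.50.1.10 dst=203.0.113.10 proto=udp dport=4500",
    "2013-08-12T10:01:05Z action=allow src=10.50.1.10 dst=203.0.113.10 proto=esp",
    "2013-08-12T10:02:11Z action=allow src=10.50.1.11 dst=10.10.5.20 proto=tcp dport=445",
    "2013-08-12T10:03:40Z action=allow src=10.10.7.33 dst=10.50.1.10 proto=tcp dport=22",
    "2013-08-12T10:05:09Z action=allow src=10.20.3.77 dst=198.51.100.5 proto=udp dport=500",
    "2013-08-12T10:05:10Z action=allow src=10.20.3.77 dst=198.51.100.5 proto=esp",
    "2013-08-12T10:06:00Z action=allow src=10.20.3.78 dst=93.184.216.34 proto=tcp dport=443",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_LOG):
        print(finding)
```

Run against the constructed log, the script reports four findings: the femtocell at 10.50.1.11 reaching an internal SMB server, an internal host connecting to a femtocell on port 22, and two flows from 10.20.3.77 that look like an unmanaged device building a carrier tunnel. The first two findings are the kind of thing a segment-level egress and ingress policy should simply block; the third is a lead to walk the floor and find the device.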

Reda Chouffani is vice president of development with Biz Technology Solutions Inc., which provides software design, development and deployment services for the health care industry.

This was first published in August 2013
