Last week, the Department of Homeland Security issued a warning about a widespread vulnerability that exists in nearly all wireless networks.[1] Belgium researchers discovered that wireless networks encrypted using the Wi-Fi Protected Access-2 (WPA2) protocol were susceptible to Key Reinstallation AttaCKs (KRACK).[2] The exploit permits an attacker who is physically within range of a wireless network to gain unencrypted access to information transmitted by devices connected to the network without requiring the attacker to first obtain the network’s password.

WPA2 has been broadly prescribed as the standard for securing wireless networks, and it is the encryption standard recommended by the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health Information Technology (ONC).[3] As a result, WPA2 is widely used to secure wireless networks and the Protected Health Information (PHI) contained on wirelessly-connected devices. Although the full extent of the KRACK fallout remains to be seen, healthcare providers and other Covered Entities and Business Associates should be aware of the vulnerability and take preventative measures to ensure ongoing compliance with HIPAA and other information privacy and security requirements.

How KRACK Works

WPA2 secures information transmitted between devices connected to a wireless network by using a mutual authentication and session key agreement, known as the “4-way handshake.”[4] When a device connects to a wireless network, the four-part authentication procedure generates a fresh encryption key that is used to encrypt and decrypt data transmitted over the wireless connection. An attacker within range of a wireless network can use KRACK to interrupt this authentication process, thereby causing the previous encryption key to be reinstalled. This can permit the attacker to decrypt the data transmitted over the wireless network or to launch “man-in-the-middle” attacks by intercepting and manipulating messages.[5]

What Covered Entities and Business Associates Should Do

Although the vulnerability is widespread, its initial risk may be limited for a few reasons:

  1. Carrying out this attack requires an attacker to be physically present within range of the target Wi-Fi network, rather than operating remotely. Local attacks, such as KRACK, are more likely to target government agencies and larger healthcare providers or insurers, as most sophisticated hackers are unlikely to spend the time and effort traveling to smaller providers who maintain fewer records.
  2. Major hardware and software vendors are quickly addressing the vulnerability through updates to operating systems. Specifically, Microsoft and Apple have already deployed updates that patch the KRACK vulnerability.[6] Google has promised to release a patch for Android devices in the coming weeks.[7]
  3. Additional encryption layers are not compromised by KRACK, so information that is transmitted through Virtual Private Networks (VPNs) or through secure websites that use HTTPS (instead of HTTP) remains encrypted. In such cases, attackers using KRACK can only see such data in its encrypted form.

Regardless of these limitations, healthcare providers and other Covered Entities and Business Associates should consider the following best practices in response to the KRACK vulnerability announcement:

  1. As required under HIPAA, Covered Entities and Business Associates should conduct a risk analysis (although many remain slow to undertake this step). A review of the current risk analysis should be undertaken to determine whether additional security measures should be implemented, such as using a VPN to further encrypt data transmitted over wireless networks. This precaution may be particularly important for larger providers and those using medical equipment or devices containing PHI that are connected to wireless networks (since updates to such devices may be released slowly, if at all, and more difficult to install).
  2. All Covered Entities and Business Associates should ensure that their operating systems are updated and that a process for routinely checking and applying updates is in place. Medical devices and equipment that transmit PHI through wireless networks should be identified and, where feasible, additional security measures should be implemented to protect the data they contain.
  3. Covered Entities and Business Associates should take this opportunity to reeducate workforce members on policies addressing wireless network (private and public) and mobile device usage, and those who maintain a BYOD (Bring Your Own Device) policy should take steps to confirm that such devices are updated and remain secure.

The long-term impacts of WPA2’s vulnerability to KRACKs are not yet known. Exposure of similar weaknesses in the previous wireless security protocol, Wired Equivalent Privacy (WEP), ultimately spurred the creation of WAP2 and resulted in regulatory agencies deeming continued usage of WEP ineffective for security compliance. Currently, however, no alternatives (other than additional layers of encryption and vigilance) are available. Accordingly, to remain HIPAA compliant, Covered Entities and Business Associates should continue using WPA2 and evaluate whether other reasonable internal security measures should be deployed.