The Risk of Guest Wireless

Almost every place you go these days offers free wireless internet.  This is very prevalent in retail outlets, for example.  There are numerous marketing benefits to offering this service to clients.  If Macy's wants to know how long my wife spends in dresses vs how long she spends in perfume, they know.  The wireless offer is actually a cheap marketing tool for the organization.  Starbucks has a different agenda for offering it, and the same goes for Panera and McDonald's.

Healthcare is no amateur at offering this service.  The purpose is not to gather marketing data or keep clients there longer; rather, they are offering it for patients and guests while they are stuck there.  This is a simple, low-cost offering that makes a small gesture.  However, in healthcare, guest wireless can be a dangerous offering if not properly configured.  Allow me to explain.

Most guest wireless is either open or secured with a well-known password to allow easy access.  Very few restrictions outside of bandwidth control reside on these networks, as the intent is to be open and accessible.

The risk comes in with internal employees using the guest network to bypass the controls of the internal network, which is most likely locked down.  By bypassing the controls of the internal network they can gain access to content that was restricted, subjecting themselves to an attack from malware.  Once the device reconnects to the internal network the malware gets in.  Boom.  An attacker has access.

Another reason is they want to access something for selfish reasons, such as access to Facebook or downloading of content. If the content is malicious or the device gets attacked, health records can be on it and at risk.

I could list more reasons but the risk is clear.  And so is the solution. Most of the tests we conduct of guest wireless are missing one key component, a denied access list. A denied access list is a list of devices that are not allowed to connect to the network it is applied to.  This list needs to be populated with every internal device on the network. Apply the list to your guest wireless and you can reduce the risk of an internal device using the guest wireless.  Then you force internal patient information to only be accessible from internal or VPN resources.
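One way to populate and check such a list, as an added example that is not from the original post: it normalizes MAC addresses from an internal inventory export into a deny list, then audits a guest WLAN association log for internal devices. The inventory and log formats, hostnames and addresses are constructed assumptions; clients with a locally administered (typically randomized) MAC are reported separately because they cannot be matched to inventory by address.

```python
import re

# Constructed sample: internal inventory export (hostname,MAC) in mixed vendor formats.
INVENTORY = """nurse-ws-01,00:1A:2B:3C:4D:5E
lab-laptop-07,00-1a-2b-3c-4d-5f
rad-tablet-02,001a.2b3c.4d60
bad-row,not-a-mac
"""
# Constructed sample: guest WLAN association log (timestamp, client MAC).
GUEST_LOG = """2024-05-01T09:14:02 00:1a:2b:3c:4d:5f
2024-05-01T09:15:40 a4:83:e7:10:22:33
2024-05-01T09:17:11 da:a1:19:0b:6c:01
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_deny_list(inventory_csv):
    """Map normalized MAC -> hostname; collect hostnames whose MAC failed to parse."""
    deny, rejected = {}, []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition(",")
        mac = normalize_mac(raw)
        if mac:
            deny[mac] = host
        else:
            rejected.append(host)  # fix the inventory row, or the device stays off the list
    return deny, rejected

def audit_guest_log(log, deny):
    """Return (internal devices seen on guest, MACs that cannot be matched to inventory)."""
    hits, unmatched = [], []
    for line in log.splitlines():
        ts, raw = line.split()
        mac = normalize_mac(raw)
        if mac in deny:
            hits.append((ts, mac, deny[mac]))
        elif mac and int(mac[:2], 16) & 0x02:  # locally administered bit: likely randomized
            unmatched.append(mac)
    return hits, unmatched

if __name__ == "__main__":
    deny, rejected = build_deny_list(INVENTORY)
    print(sorted(deny), rejected, audit_guest_log(GUEST_LOG, deny))
```

Any hit in the audit means an inventoried device reached the guest network, so the deny list is either missing that address or not applied to that SSID.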

This simple tip will plug an often open hole.  There is no silver bullet to security.  Take small steps and increase your security slow and steady.