iOS changes will address HIPAA risk

In the meantime, MAC address broadcasts are still a threat to privacy
By Evan Schuman
10:13 AM

There are many other database interactions, such as security cameras in the mall, hospital and parking lots. These allow a face and clothing to be associated with that MAC address. In a parking lot, they allow license plates to be associated with it as well. Some retail vendors have started aggressively using facial recognition software, both to identify shoplifters who have been banned from a store and to attach names and purchase histories to a shopper who just pays with cash.

Hospitals officially do not have the same business incentives for such an identification program, but a rogue employee or a cyberthief could use the MAC address in a similarly intrusive manner.

With the new randomization that Apple is launching, such potential risks evaporate.

"This is one of the better things Apple is doing with the upcoming version iOS 8," said Daniel Wood, a security penetration tester who specializes in Apple mobile devices. "It will prevent, to an extent, the tracking of users when they are walking in range of wireless access points.

"When you have Wi-Fi turned on with your iPhone/iPad, it is constantly polling the network airwaves for access and broadcasting the device identifier," he added. "As of now, when your phone broadcasts looking for an access point, anyone sniffing would see Daniel's iPhone as a device looking for access."

Another security penetration tester, Godfrey Nolan, said this move will likely impact the people who are most trying to track consumers.

"Moving MAC addresses would stop the marketing people tracking you like they do on the web," said Nolan. "It's also going to make the NSA's job a bit harder."

This kind of randomization will also make healthcare IT's job a bit harder, but only in the beginning. The problem will impact healthcare networks that use MAC addresses for authentication, to allow an initial connection before requiring password or PIN authentication.

"The doctor won't automatically connect if the MAC address is randomized. He will have to sign himself in," said Jeff Mongelli, CEO of Acentec, which sells medical security systems. "The staff that rely on the wireless network aren't going to be happy about it. They are going to have to go through that network logon each time. In a world where doctors complain about how many times they have to click on software, the doctors are going to gripe."

In reality, though, hospital IT staffs will more likely simply switch to a different authentication system for staff, perhaps using tokens or a cookie on the mobile device, said Mongelli.

"Those networks that are relying on MAC will be forced to rely on something else, like an encrypted key, which will be a little more difficult to pick off," he said. "That would be a good thing, from an improving security perspective. From an IT guy's perspective, that's a lot of work. They'll have to reconfigure their firewalls. I think you could make the argument that this will add security, making mobile devices more secure. It will make trying to track people that much more difficult."
