October 23, 2017
Last week, the Department of Homeland Security issued a warning about a widespread vulnerability that exists in nearly all wireless networks. Belgian researchers discovered that wireless networks encrypted using the Wi-Fi Protected Access-2 (WPA2) protocol were susceptible to Key Reinstallation AttaCKs (KRACK). The exploit permits an attacker who is physically within range of a wireless network to gain unencrypted access to information transmitted by devices connected to the network without requiring the attacker to first obtain the network’s password.
WPA2 has been broadly prescribed as the standard for securing wireless networks, and it is the encryption standard recommended by the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health Information Technology (ONC). As a result, WPA2 is widely used to secure wireless networks and the Protected Health Information (PHI) contained on wirelessly connected devices. Although the full extent of the KRACK fallout remains to be seen, healthcare providers and other Covered Entities and Business Associates should be aware of the vulnerability and take preventative measures to ensure ongoing compliance with HIPAA and other information privacy and security requirements.
How KRACK Works
WPA2 secures information transmitted between devices connected to a wireless network by using a mutual authentication and session key agreement known as the “4-way handshake.” When a device connects to a wireless network, the four-part authentication procedure generates a fresh encryption key that is used to encrypt and decrypt data transmitted over the wireless connection. An attacker within range of a wireless network can use KRACK to interrupt this authentication process, thereby causing the previous encryption key to be reinstalled; because reinstalling a key also resets the packet counters (nonces) that WPA2’s encryption relies on, the same keystream ends up protecting different data. This can permit the attacker to decrypt the data transmitted over the wireless network or to launch “man-in-the-middle” attacks by intercepting and manipulating messages.
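As an added illustration (not code from this alert or from the researchers’ paper), the following Python toy models how a client handles message 3 of the 4-way handshake: the unpatched client reinstalls the key and resets its nonce counter when the message is replayed, the patched client ignores the replay, and a defender-side check flags the resulting nonce reuse. The Supplicant class, the SHA-256 stand-in for the AES-CCM keystream, and the key and frame values are constructed assumptions.

```python
import hashlib

# Constructed toy model of a WPA2 client ("supplicant"); not real 802.11 code.

class Supplicant:
    def __init__(self, patched: bool):
        self.patched = patched     # True: ignore a retransmitted message 3 once the key is installed
        self.ptk = None            # pairwise transient key negotiated in the handshake
        self.installed = False
        self.packet_number = 0     # per-key counter used as the encryption nonce

    def receive_msg3(self, ptk: bytes) -> bool:
        """Install the session key; returns True if (re)installation happened."""
        if self.patched and self.installed and ptk == self.ptk:
            return False           # patched behaviour: key already in use, leave the counter alone
        self.ptk = ptk
        self.installed = True
        self.packet_number = 0     # installing a key resets the nonce counter (the core of KRACK)
        return True

    def encrypt(self, plaintext: bytes):
        """Encrypt one frame; returns (nonce, ciphertext)."""
        self.packet_number += 1
        # SHA-256 of key||nonce stands in for the AES-CCM keystream block (assumption)
        keystream = hashlib.sha256(self.ptk + self.packet_number.to_bytes(8, "big")).digest()
        return self.packet_number, bytes(p ^ k for p, k in zip(plaintext, keystream))


def frames_after_replayed_msg3(patched: bool):
    """Handshake completes, one frame is sent, message 3 is replayed, another frame is sent."""
    client = Supplicant(patched)
    ptk = b"\x11" * 16                        # constructed key value
    client.receive_msg3(ptk)
    frames = [client.encrypt(b"first frame")]
    client.receive_msg3(ptk)                  # replayed message 3, the event KRACK forces
    frames.append(client.encrypt(b"other frame"))
    return frames


def detect_nonce_reuse(frames) -> bool:
    """Monitoring check: two frames under one key with the same nonce means keystream reuse."""
    nonces = [nonce for nonce, _ in frames]
    return len(nonces) != len(set(nonces))
```

Running `detect_nonce_reuse(frames_after_replayed_msg3(False))` reports reuse for the unpatched client, while the patched client keeps counting from where it left off.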
What Covered Entities and Business Associates Should Do
Although the vulnerability is widespread, its initial risk may be limited for a few reasons:
Regardless of these limitations, healthcare providers and other Covered Entities and Business Associates should consider the following best practices in response to the KRACK vulnerability announcement:
The long-term impacts of WPA2’s vulnerability to KRACKs are not yet known. Exposure of similar weaknesses in the previous wireless security protocol, Wired Equivalent Privacy (WEP), ultimately spurred the creation of WPA2 and resulted in regulatory agencies deeming continued usage of WEP ineffective for security compliance. Currently, however, no alternatives (other than additional layers of encryption and vigilance) are available. Accordingly, to remain HIPAA compliant, Covered Entities and Business Associates should continue using WPA2 and evaluate whether other reasonable internal security measures should be deployed.
If you have any questions regarding KRACK or your current HIPAA and privacy compliance efforts, Nelson Mullins is ready and able to assist you.
See, e.g., NIST, Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps, p. 17 (May 2017); NIST, SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (February 2007); ONC, Frequently Asked Questions: What is a “secure Wi-Fi network”?, available at: https://www.healthit.gov/providers-professionals/faqs/what-secure-wi-fi-network (accessed October 20, 2017).
Vanhoef, Key Reinstallation Attacks, pp. 1-2.
Romain Dillet, Microsoft already published a KRACK fix, Apple and Google are working on it, TechCrunch (October 17, 2017), available at: https://techcrunch.com/2017/10/17/microsoft-already-published-a-krack-fix-apple-and-google-are-working-on-it/
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.