On our journey to better RFID security, we’ve learned what the major threats are and the potential effects they can have. To get our organizations to a better place, we need to look at one overarching step we all need to take, the risk assessment, and five key processes that will change as a result of it. This gives us a good first step: knowing what we have, and using that knowledge to drive change in those five areas. This matters because we need to have these core processes in place to support the organizational change that RFID can bring.
The risk assessment is the first and most important key step to take and is something that needs to be ongoing. We need to understand what the issues are, and need to have a prioritized plan to address them. The best way to do so is to assess them using a comprehensive standard security framework such as NIST or HITRUST with quantitative scoring, not just low, medium, or high. Make sure the framework addresses technical, physical and logical controls.
One oft-overlooked benefit is that the assessment is also a tool for getting to know the entire team participating in the RFID initiative. Letting your stakeholders tell their story and discuss the decisions that led to the way things are will only help you. You will have more interviews, because they will point you to other people to contact, but you will get the whole picture and be able to understand the business drivers behind the initiative. You are only as good as your relationships.
The underlying driver for this approach is that new and disruptive technologies require a team effort to assess and address security issues. These are issues that have not been dealt with before, and because of that, you need to pre-assess the environment so you don’t accidentally damage the business with an unacceptable risk.
1. Asset management
The first key process is asset management – know what you have. We cannot secure RFID systems until we know what devices we have that can read or write RFID tags, and what devices or systems will store or process this data. It’s important to know their capabilities and to be able to log and audit their transactions. We need to know what we have in order to protect it, because unmanaged devices or systems can lead to data corruption or a multitude of other issues.
2. Systems management
The second process is systems management. We need to manage the entire ecosystem supporting the initiatives. Every security framework and standard has this as a base. We need to make sure that we manage these systems to keep them current and as up to date as possible in a supported state. One of the major security issues we have seen is that a lot of data acquisition equipment isn’t kept current or supported. It’s treated like hardware. This means that a lot of equipment sold into this market does not run current software. Unprotected hardware and/or supporting networks can lead to multiple security and integrity issues.
We need to map out the data flows from devices and tags all the way to the ultimate systems of record that will store and transact the collected information. We need to focus on storing the minimum necessary information at each step, and not associate tags directly with patient information in these systems. The benefit of this process step is that we can link RFID-based asset tracking to a system of record to keep inventory locations current more accurately, not only for inventory but potentially for other assets across the enterprise.
3. Systems design
The third one we will discuss is systems design. Systems handling RFID data need to follow several important objectives. First, they need to segment off data collection traffic from the rest of the network. Much like the approach that many vendors now take with medical devices, this allows us to understand the data flows and inspect them with more stringent rules and tools defining and enforcing the appropriate network paths. Data also needs to be protected at rest and in transit using encryption. You also need to validate and verify data inputs and data collection through auditing and reporting. More importantly, you need to retain data for only as long as you need it and not more.
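The input validation, minimum-necessary storage and retention points above, and the earlier point about not tying tags to patient records, can be shown together in code. The following is an added example, not code from the original article or from any vendor it mentions; the event field names, the 96-bit EPC (24 hex characters) format, the 90-day retention window and the sample events are all this example's own assumptions.

```python
"""Added example (not from the original article): ingesting RFID reader events
with input validation, minimum-necessary storage and a retention limit.
All field names, formats and sample data below are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: tags are EPC-96, i.e. exactly 24 hex characters. Anything else
# is rejected before it reaches storage rather than stored "just in case".
EPC_RE = re.compile(r"^[0-9A-Fa-f]{24}$")
# Reader identifiers come from our own asset inventory: short, no whitespace.
READER_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Assumed retention policy for raw read events.
RETENTION = timedelta(days=90)
# Fixed "current time" so the demo below is deterministic (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def validate_event(raw: dict) -> Optional[dict]:
    """Return a minimal, validated event, or None if the event is rejected.

    Only epc, reader_id and seen_at are kept. A reader that sends extra fields
    (e.g. a patient name it should never have had) has them silently dropped,
    so the read-event store never holds patient data.
    """
    epc = raw.get("epc", "")
    reader = raw.get("reader_id", "")
    ts = raw.get("seen_at", "")
    if not EPC_RE.match(epc) or not READER_RE.match(reader):
        return None
    try:
        seen = datetime.fromisoformat(ts)
    except (TypeError, ValueError):
        return None
    if seen.tzinfo is None:
        return None  # require an unambiguous, timezone-aware timestamp
    return {"epc": epc.upper(), "reader_id": reader, "seen_at": seen}


def ingest(raw_events):
    """Validate a batch; return (accepted_events, rejected_count)."""
    accepted, rejected = [], 0
    for raw in raw_events:
        event = validate_event(raw)
        if event is None:
            rejected += 1
            continue
        accepted.append(event)
    return accepted, rejected


def purge_expired(events, now=NOW):
    """Keep only events younger than the retention window."""
    cutoff = now - RETENTION
    return [e for e in events if e["seen_at"] >= cutoff]


# Constructed sample reader output: two good events (one carrying a field it
# must not carry), a truncated EPC, a naive timestamp and a bad reader id.
SAMPLE_EVENTS = [
    {"epc": "3034257BF7194E4000001A85", "reader_id": "dock-3",
     "seen_at": "2024-03-01T10:00:00+00:00", "patient_name": "EXAMPLE ONLY"},
    {"epc": "3034257bf7194e4000001a86", "reader_id": "ward-7-door",
     "seen_at": "2024-05-20T08:30:00+00:00"},
    {"epc": "3034257BF7194E40", "reader_id": "dock-3",
     "seen_at": "2024-05-20T08:30:00+00:00"},
    {"epc": "3034257BF7194E4000001A87", "reader_id": "dock-3",
     "seen_at": "2024-05-20T08:30:00"},
    {"epc": "3034257BF7194E4000001A88", "reader_id": "dock 3",
     "seen_at": "2024-05-20T08:30:00+00:00"},
]


def run_demo():
    """Run the sample batch through ingest and purge; return the results."""
    accepted, rejected = ingest(SAMPLE_EVENTS)
    retained = purge_expired(accepted)
    return accepted, rejected, retained


if __name__ == "__main__":
    acc, rej, kept = run_demo()
    print(f"accepted={len(acc)} rejected={rej} retained_after_purge={len(kept)}")
```

The point of the design is that the read-event store carries only a tag identifier, a reader identifier and a time; resolving a tag to an asset, let alone to a patient, happens in the separate system of record, so a compromise of the collection tier exposes no patient data and the retention purge can run on a simple timestamp.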
Design also has to focus on strict enforcement of minimum necessary data on the tags or cards. If they are used for logins, protect the login with a PIN or secondary authentication mechanism, and keep that system separate from the patient data (e.g. a separate directory service). Do not store authentication data with patient records!
If you use these cards for transactional or smartcard logins, you need a plan to manage certificates: keep a Certificate Revocation List for terminated staff members or logins, deploy and provision certificates quickly, and manage them efficiently. There are multiple vendors who can help you do this.
4. Encryption key management
Encryption key management is overlooked, and if there is a potential compromise, you need to be able to manage and rotate keys at scale. Also, as part of basic information security, we have to be able to ensure the confidentiality, integrity, and availability of data that we create, receive, maintain, or transmit. If the keys used to manage, protect, or identify data sources are not managed correctly, the entire integrity of the system is suspect. If you do not have encryption key management at scale, you will not be able to securely manage large RFID deployments.
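One concrete shape of "rotate keys at scale" is to store a key identifier alongside every protected record, so that every record can be re-protected under a new key and the old key retired once nothing depends on it. The following is an added example, not code from the original article or from any product it mentions: it integrity-protects RFID read records with a keyed HMAC from the Python standard library, carries the key id with each record, and shows rotation, re-keying and retirement. The in-memory key store and record layout are this example's own assumptions; in production the secrets would live in an HSM or key management service.

```python
"""Added example (not from the original article): versioned keys with rotation
and retirement for integrity-protected RFID records. The in-memory KeyStore
and the record layout are constructed assumptions for illustration only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyStore:
    """Assumed stand-in for a KMS: key_id -> [secret, active_flag]."""
    keys: dict = field(default_factory=dict)
    current: str = ""

    def rotate(self) -> str:
        """Generate a new key, make it current, return its id."""
        new_id = f"k{len(self.keys) + 1:03d}"
        self.keys[new_id] = [secrets.token_bytes(32), True]
        self.current = new_id
        return new_id

    def retire(self, key_id: str) -> None:
        """Retired keys can no longer verify anything (forces re-keying)."""
        self.keys[key_id][1] = False


def _mac(secret: bytes, key_id: str, payload: bytes) -> str:
    # The key id is bound into the MAC so a record cannot be relabelled
    # as belonging to a different key version.
    return hmac.new(secret, key_id.encode() + b"|" + payload,
                    hashlib.sha256).hexdigest()


def protect(store: KeyStore, payload: bytes) -> dict:
    """Tag a record under the current key; the record remembers which key."""
    kid = store.current
    return {"kid": kid, "payload": payload,
            "mac": _mac(store.keys[kid][0], kid, payload)}


def verify(store: KeyStore, record: dict) -> bool:
    """True only if the record's key is known, still active, and the MAC matches."""
    entry = store.keys.get(record["kid"])
    if entry is None or not entry[1]:
        return False
    expected = _mac(entry[0], record["kid"], record["payload"])
    return hmac.compare_digest(expected, record["mac"])


def rekey_all(store: KeyStore, records):
    """Verify each record under its old key and re-protect it under the
    current key. Returns (new_records, failed_count); records that do not
    verify are not carried forward, which surfaces tampering during rotation."""
    new_records, failed = [], 0
    for rec in records:
        if not verify(store, rec):
            failed += 1
            continue
        new_records.append(protect(store, rec["payload"]))
    return new_records, failed


def run_demo() -> dict:
    """Walk through rotate -> re-key -> retire and report what still verifies."""
    store = KeyStore()
    old_kid = store.rotate()                                   # k001 current
    # Constructed records: tag id plus reader location, no patient data.
    originals = [protect(store, p) for p in (
        b"EPC=3034257BF7194E4000001A85;loc=dock-3",
        b"EPC=3034257BF7194E4000001A86;loc=ward-7-door",
    )]
    store.rotate()                                             # k002 current
    rekeyed, failed = rekey_all(store, originals)              # old key still valid here
    store.retire(old_kid)                                      # now k001 is dead
    tampered = dict(rekeyed[0])
    tampered["payload"] = rekeyed[0]["payload"].replace(b"dock-3", b"dock-4")
    return {
        "rekey_failures": failed,
        "rekeyed_all_verify": all(verify(store, r) for r in rekeyed),
        "old_record_verifies": verify(store, originals[0]),   # retired key
        "tampered_verifies": verify(store, tampered),
        "key_ids_in_use": {r["kid"] for r in rekeyed},
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because each record names its key, a fleet-wide rotation is a bulk job over records rather than a guess about which key protected what, and retiring the old key afterwards turns any record that was missed into a verification failure you can find, instead of one that silently keeps working under a possibly compromised key.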
For systems design, your vendor contracts and statements of work need to answer the question of the division of labor for maintaining the systems, and who will be doing what tasks, with clear delineations of responsibilities and actions. They also need to cover keeping systems current and updated, and mitigating their risk to an acceptable level.
5. Vulnerability management
Vulnerability management, the fourth process, needs to be broken out on its own. The reason is that a number of data acquisition devices are not supported with security patches or updates, specifically the ones that run Windows CE or older versions of Android. You need to know where to get the patches from, and that you will get them for the lifecycle of the product. Vendors such as Zebra have programs through which you can get them as part of the support agreement, and they are guaranteed. This also needs to be part of an operational plan in which these devices and systems get patched on at least a monthly basis.
Ransomware has brought one other item to light: downtime procedures. The media has been full of stories of affected health systems and hospitals having to resort to them during these attacks. When you base your processes on electronic systems, it’s important to have these so you can continue to operate in case of a computer systems failure. If your hospital is accredited by the Joint Commission, then you are required to have them.
6. Physical security
Finally, and most importantly, we need to address physical security. With RFID, this becomes very important. Brian Krebs, on the website Krebs on Security, addresses a similar issue with gas pumps in a June 18 article, How to Avoid Card Skimmers at the Pump. In this article, he discusses how the San Antonio Police Department has found more than 100 credit card skimming devices in fuel pumps in 2018 so far. In virtually all of the cases, the skimmers were installed in older model fuel pumps that did not have good physical security. Newer pumps with better physical security were not nearly as affected.
For RFID, this is no different. We need to have enclosures around stationary scanning devices to reasonably protect against signal interception. We need to physically lock down and protect readers and other fixed devices. In the case of the gas pumps in San Antonio, a master key can open most of the older pumps, which is a contributing factor to the skimmers being installed. We need to be more vigilant and make sure that we reasonably protect RFID scanning devices at all levels.
This extends to having a good physical security program. You need one that protects against outsiders scanning from outside the facility, and that has surveillance, guards, cameras, and environmental design to deter potential interception.
At the end of this, we need to continually assess and address the risks we find, and more importantly, follow up and keep current. The processes discussed here will only work if they are continually executed and monitored, not just done once.
In the final article in this series, we’ll address the six steps to a reasonably secure RFID implementation, and the expected benefits.
Mitchell Parker is Executive Director of Information Security and Compliance for Indiana University Health.