Originally Published MEM Spring 2005

WIRELESS

Connectivity options for new and legacy equipment include a choice of wireless technologies with HIPAA compatibility.

Harold Yin, Shahin Hatamian, and John Halloran

Promoting the general use of electronic health records (EHRs) has been an information technology (IT) focus and healthcare industry objective for close to 20 years. However, regulations, a lack of standards, privacy issues, and some providers' aversion to implementing new technology have so far hampered full deployment of EHR systems. These obstacles notwithstanding, enthusiasm surrounding EHR systems has been increasing in recent years. Factors contributing to this include greater use of the Internet as the communication medium for medical data and the proliferation of mobile handheld devices.

Lately, most IT managers, software developers, and system integrators have focused on how best to connect caregivers and patients with timely and critical information stored in various central data repositories. An area that has been much overlooked, however, is the initial process of gathering information such as vital statistics from a hospital bedside monitor or test results from laboratory equipment and then integrating the acquired data into those databases. That remains, for the most part, a manual process. One key problem with connecting this equipment to the hospital's IT network has been the lack of a direct network interface for medical devices. Another significant issue in this regard has been the absence of standard communication protocols within industry.

The problem of standard absence is being addressed by several standards-developing organizations (SDOs) such as Health Level 7 (HL7).¹ Several SDOs accredited by the American National Standards Institute operate in the healthcare arena. Most of them produce standards for a particular healthcare domain, such as pharmacy, medical devices, imaging, or insurance transactions. For example, HL7's domain is clinical and administrative data.

To fulfill the need for physical network interfaces on medical devices, wireless connectivity options are now available for applications including bedside monitoring, laboratory automation, and mobile medicine. Of the several wireless technology choices, 802.11x standards–based protocols appear to offer distinct advantages for medical applications as this article discusses. Solutions for connecting both legacy medical devices and new equipment are becoming more obtainable.

Emerging Areas of Wireless Connectivity

Several important healthcare applications already leverage device connectivity to achieve cost savings and enhance the quality of delivered care.

Patient Bedside Monitoring. Medical devices on a network that monitor patient vital signs at the bedside have begun demonstrating the benefits of connectivity.

Traditionally, medical monitoring equipment has consisted largely of stand-alone devices that display information locally via printout or screen. Obtaining and recording physiology information for patients has commonly been a labor- and paper-intensive process involving frequent nurse visits to the bedside to observe key monitor data and transcribe them as paper records, with the potential for human error that entails.

But centralized data-collection systems, along with networking infrastructure, have become more prevalent. So, the possibility of having patient information taken automatically, directly from a medical device, and carried by a network into a linked database has become a reality. This technology eliminates errors in data collection. It allows patients to be remotely monitored in real time from a nursing station or by a physician. Alarm conditions can be preset to ensure rapid response.

Wireless technologies have made the capital investments necessary for implementing such applications more cost-effective. Without the need for cabling, it is easier to connect medical monitoring devices to the network. Also, new wireless security solutions have been introduced that meet Health Insurance Portability and Accountability Act (HIPAA) privacy standards.

Laboratory Automation. A second connectivity application that has emerged over the past several years is lab instrument automation. Today, many hospitals and other healthcare facilities operate multiple laboratories equipped with devices used to perform numerous patient tests in hematology and other areas. Many of these instruments were stand-alone units historically, with an operator performing tests and then recording results manually. Perhaps the test apparatus would be connected to a dedicated computer, often a personal computer, that would provide the network connection for sharing data.

The ability to connect laboratory instruments to a common network, and to automate the collection of test results and their transfer into a single common database application with linkages to other healthcare applications, brings enormous benefits. First, the need to have expensive terminals or computers at each instrument station can be minimized, even eliminated. Second, because lab results can be called up more quickly and from remote locations, patients can receive better care. Third, potential sources of human error are reduced. And finally, administrative processes are simpler and more efficient as a result of the easy integration of lab results into patient records.

Mobile Medicine. Wireless connectivity is also realizing its potential in mobile medicine. Medical care often must be administered in the field by practitioners such as emergency medical technicians and nurses. Additionally, even within healthcare facilities, one medical instrument or device can be used for more than one patient when it is made portable. A common way to do this is to place the instruments on a cart that can be wheeled from one patient to another.

Many medical devices used in mobile scenarios are small and, for true portability, sometimes battery operated. Connecting these devices to a network for the purposes of data collection and information transmission can be highly beneficial. And since mobility makes cabling cumbersome, if not impossible, wireless technologies fit these applications perfectly.

For devices placed on mobile carts, a wireless connection enables data to be transmitted easily. Similarly, small handheld devices can also transmit critical data to portable computers so that the results of patient tests or monitoring can be integrated and analyzed quickly.

In either case, patient care is improved, while administrative costs associated with data collection can be expected to be lower through simplification.

Selecting the Right Technology

Fifteen years ago, the wireless industry was embroiled in a battle of the digital cellular standards. Code-division multiple access (CDMA), time-division multiple access (TDMA), and the global system for mobile communications (GSM) all achieved virtually the same results through different radio technologies. At the end of their struggle, there were no winners among either vendors or consumers.

The lessons of that time have not been lost on the industry players today as the focus shifts from wide-area networks (WANs) to local-area networks (LANs) and personal-area networks (PANs). While the characteristics of the various wireless networking technologies overlap somewhat, each was designed with different particular applications in mind (see Table I).

Wireless LAN (WLAN) technology has been the most popular wireless technology mainly because it is scalable, has a longer range than other options (usually 150–200 ft in a typical healthcare environment), and is compatible with standard networking applications. WLAN technology was fragmented early on and matured into two competing standards. HomeRF and 802.11 were both based on spread-spectrum technology on the unlicensed 2.4-GHz frequency and originally had a throughput of about 2 megabits per second (Mbps).

Both standards answered demands for high data-throughput levels, but 802.11, developed by the Institute of Electrical and Electronics Engineers (IEEE), eventually won out because it was backed by the large networking vendors and by Wi-Fi (another name for the 802.11b standard), which ensured interoperability between products.² The 802.11b standard quickly gained momentum in home and enterprise applications because of its faster data rate of 11 Mbps.

During the same period, IEEE and the high-technology industry have been improving various aspects of the technology, including increasing the data rates even more, to 54 Mbps, and adding more security capabilities. The 802.11g standard offers backward-compatibility with 802.11b, as it operates on the same frequency band of 2.4 GHz. But 802.11a, the other 54-Mbps standard now available, operates in the 5-GHz band. Products based on this standard are thus unable to interoperate with 2.4-GHz-band devices; however, they offer the advantage of not interfering with them.

A pioneer in short-range connectivity, Bluetooth wireless technology was designed to accommodate PAN applications. It covers a distance of 10 m typically and operates in the 2.4-GHz unlicensed band at a speed of 1 Mbps. Typical uses for Bluetooth continue to involve short-distance point-to-point connectivity, such as voice and personal printing applications.

ZigBee is a new standard that is currently in the early adoption stage, designed for very-low-power and low-bandwidth applications, such as a network of sensors. It is based on the IEEE 802.15.4 mesh network topology. Each node in the network can act as an end point, a network administrator node (that is, the main access point), or a bridge over which other nodes can communicate to the network administrator node. ZigBee can cover areas up to a 100-m radius and offer speeds to around 100 Kbps, but these capabilities are mutually exclusive. In other words, the data rate drops as the coverage area grows larger. ZigBee can operate in three different frequency bands—2.4 GHz globally, 950 MHz in the Americas, and 868 MHz in Europe—and is suitable principally for applications such as building automation, lighting, and home security.

Ultrawideband (UWB), as implied by its name, operates on wideband channels as wide as 1 GHz or more, with center frequencies in the range of 3.1–10.6 GHz. Because the transmission signals are spread over a wide channel bandwidth, UWB is much less susceptible to interference while operating at very high speeds than are other technologies. The operating range is around 10 m. Transmission speed can go as high as 480 Mbps, equivalent to a USB 2.0 high-speed universal serial bus connection. Indeed, the first applications for UWB will involve computer peripheral and multimedia connectivity.

Unfortunately, UWB ratification and deployment has been hampered for several years by a division among the industry players over which multiple-access methods should be used. A group led by Intel and Texas Instruments believes that multiband orthogonal frequency-division multiplexing should be used, while another camp led by Motorola (through its Freescale spin-off) is touting direct-sequence CDMA. A few products using both techniques are now in their demonstration stages. They are slated for market release sometime in 2005.

HIPAA-Compliant Security Solutions

One of the key concerns regarding wireless standards has been the matter of security. This is especially the case with the medical applications, which require not only a high degree of reliability but also compliance with privacy requirements such as the HIPAA mandate.³ The 802.11x standards can answer these concerns satisfactorily through a variety of security protocols.

HIPAA, enacted by Congress in 1996, includes regulations for ensuring the privacy and security of patient-related information. It states that a covered healthcare-providing entity must have in place administrative, technical, and physical safeguards adequate to protect the privacy of electronic and nonelectronic health information deemed worthy of protection. HIPAA does not specify a particular technology or method that healthcare organizations must use to ensure the security of patient information, only that data should be encrypted and that access to network resources should be password protected. Further, it makes no mention of extra precautions that should be taken to secure data that are accessed or transferred via the wireless networks and mobile hardware that healthcare professionals are using more and more.

HIPAA's concerns for the security of data sent across the network can be addressed in a variety of ways. In all cases where a password is to be entered, dictionary words should be avoided; a password that is a combination of letters and numbers is recommended wherever possible. Options for achieving data security are the following:

• Network protocol security. Each network protocol has built-in security features for printing and for network communication, which users can reference in the documentation of their operating system.
• Access control. This function allows system managers to create a list of Internet protocol (IP) addresses with authorization to access the server. All other transmission control protocol (TCP)/IP addresses will be blocked from getting data from or sending data to the server.
• Enable/disable of network protocols. These allow the organization to disable network protocols it is not using so that the server cannot be accessed any longer by those protocols.
• Enable/disable of TCP/IP applications. This function lets the network administrator disable TCP/IP applications not being used, such as hypertext transfer protocol (HTTP), simple network management protocol (SNMP), or file transfer protocol (FTP).
• Read password. The administrator may set a password allowing access for the purpose of seeing the status and other settings of the server via remote console, SNMP, HTTP, and other protocols.
• Write password. The administrator may set a password allowing access to configuration settings of the server via remote console, SNMP, HTTP, and other protocols.
• SNMP set community names. The community name is used by a network management application during SNMP set and get operations.

In addition, the device server can have a number of wireless security features.

Security is by far the chief concern of network administrators deploying wireless networks. This is understandable, considering that wireless connectivity extends network access to any place inside an office building within range of a wireless access point—up to 90 m for a standard 802.11b or 802.11g access point. But it also reaches through and beyond the building's exterior walls, inviting access from outside the facility.

Because of HIPAA, wireless security has become even more crucial in medical applications. The Internet-based information center HIPAAdvisory and the interoperability-certifying Wi-Fi Alliance have recognized that the standard 802.11 security features are not secure enough.^4,5 This includes the service set identifier (SSID) and wired equivalent privacy (WEP) as well as open-system and shared-key authentication. These measures were intended only to protect the wireless link between the client machines and the data, and they are susceptible to attack by means of freely available software. The HIPAAdvisory and Wi-Fi Alliance have recommended using 802.1x and Wi-Fi protected access (WPA) or WPA2 to secure wireless networks.

Another important factor to take into account when implementing wireless security is that all devices, including patient monitors and laboratory equipment, must be compatible with the methods used in the enterprise environment for securing such wireless network clients as personal digital assistants and personal computers, because they will communicate as WLAN clients themselves.

Wireless LAN Security Methods

Security measures for WLANs are worth describing in some detail and examining comparatively.

Service Set Identifier. The SSID is a unique identifier that acts as a password to differentiate one WLAN from another. Thus, all access points and all devices attempting to connect to a specific WLAN must use the same SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, because it is essentially a name that identifies a wireless network.

Basic Authentication. Open-system authentication is a very basic form of authentication that consists of a simple authentication request containing the station ID and a response conveying success or failure. Upon success, the requesting and responding stations are considered to be mutually authenticated.

In shared-key authentication, both stations taking part in the authentication process have the same key. The first and fourth frames of shared-key authentication are similar to those found in open-system authentication. The difference appears in the second and third frames, where the authenticating station receives a packet from a transmitting station, encrypts it using the shared key, and sends it back to verify the key matches.

Wired Equivalent Privacy. WEP is a security protocol for WLANs designed to offer the same level of security as that of a wired LAN. WEP aims to provide security by encrypting data so that it is protected as it is transmitted from one end point to another.

In January 2001, however, researchers at the University of California at Berkeley independently released a paper describing problems with WEP.⁶ Since then, utilities that allow WEP key hacking have been made available free on the Internet. This has caused companies to map wireless implementation strategies that include a robust security component. Even still, the largest problem with security on WLANs remains, which is that many implemented systems do not have WEP turned on.

802.1x. There are many security specifications for authenticating wireless networks. The most popular are 802.1x, 802.11i (or WPA2), and WPA. These methods are all recommended by HIPAA because they combine authentication with the encryption function and will dynamically rotate security keys in order to prevent hacking.

The 802.1x specification takes advantage of an existing protocol known as the extensible authentication protocol (EAP). This authentication for WLANs has three main components: the supplicant (or client); the authenticator (usually the access point); and the authentication server (usually a remote authentication dial-in user service [RADIUS]), which requires that a user or device be authenticated against a central authority. EAP supports many authentication methods, including Message Digest 5 (MD5), lightweight extensible authentication protocol (LEAP), transport layer security (TLS), tunneled transport layer security (TTLS), and protected extensible authentication protocol (PEAP), all of which have advantages and disadvantages depending on the network on which each is to be implemented.

802.11i. The 802.11 specification (also WPA2) takes 802.1x as its base and adds several features for wireless networks. The most notable addition is the inclusion of a key distribution framework called the temporal key integrity protocol (TKIP), which should replace the static, manually configured WEP key. Also, 802.11i allows the use of the advanced encryption standard (AES) algorithm. This specification has recently been ratified by IEEE.

Wi-Fi Protected Access. WPA is a subset of 802.11i. It features improved encryption via TKIP, along with 802.1x as the framework for user authentication and encryption key distribution to provide enterprise-grade security for Wi-Fi users. WPA is backed by, and is adopted by, many WLAN manufacturers.

Implementation Options

Wireless connection of medical devices to a network can be accomplished quickly and cost-effectively, thanks to off-the-shelf solutions now on the market.

Regarding medical devices already deployed in the field, wireless networking adapters are available that can be connected readily to the legacy device's communications interface, typically a serial port, converting the data into a protocol that can be transmitted over a wireless—as well as a wired—network. Purchasable software for running on a server or a workstation takes these data and converts them back to the native application message format (HL7 or some other format) so that the wireless connection is seamless and transparent to the user. The adapters can allow legacy devices, which often cost tens of thousands of dollars, to be upgraded for wireless connectivity easily at a fraction of the cost of a replacement unit. Also, these adapters are likely to incorporate all the security features required for HIPAA compliance.

Medical device manufacturers can integrate wireless connectivity into a piece of medical equipment through wireless smart modules that have all the messaging, networking, and security protocols built in. These modules typically have a serial interface that allows them to connect to the medical device internally. By leveraging a module with all the security middleware built in, a device manufacturer does not have to expend the time and resources to develop those communication protocols—nor have the expertise to do so. Existing devices can therefore easily be upgraded with wireless connectivity, allowing the technology to be brought to market quickly and very cost-effectively.

Finally, wireless solutions for portable battery-operated equipment can employ low-power-consumption techniques to conserve battery power. Serial wireless network adapters and modules are available that include power-management features critical to maximizing the uptime of portable or mobile medical devices. Bluetooth wireless technology may be viable for these applications, given its lower power profile and, in most cases, smaller package than 802.11x technologies. Bluetooth can be secured by means of pairing, which uses a key shared between devices in the link and encrypts the data.

Conclusion

Wireless technologies have matured to the point that they provide a viable means for cost-effectively enabling a number of important medical applications while offering the security necessary to meet HIPAA standards. Options now available to healthcare providers, system integrators, and device manufacturers allow them to equip medical devices with wireless connectivity simply and quickly, as well as cost-effectively.

References

• Health Level 7 (HL7), Ann Arbor, MI, [on-line] available from Internet: www.hl7.org/.
• IEEE 802.11, Institute of Electrical and Electronics Engineers, [on-line] available from Internet: grouper.ieee.org/groups/802/11/.
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996.
• "Wireless Networks" [on-line] (June 2, 2003); available from Internet: www.hipaadvisory.com.
• The Wi-Fi Alliance Web site can be found on-line at www.wi-fi.org.
• Nikita Borisov, Ian Goldberg, and David Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11" [on-line] available from Internet: www.isaac.cs.berkeley.edu/isaac/mobicom.pdf.

Harold Yin is executive vice president and general manager at Troy Group Inc. (Santa Ana, CA). He can be reached at hyin@troygroup.com. Shahin Hatamian is director of product management and John Halloran is senior product manager at Troy Group Inc.

Copyright ©2005 Medical Electronics Manufacturing