iOS changes will address HIPAA risk
June 16, 2014 in Medical Technology
Imagine if almost everyone walking into your hospital – patients, doctors, visitors, salespeople – was carrying an active homing beacon, which broadcast, unencrypted, their presence and repeatedly updated exact location to anyone who chose to listen.
[See also: Where will HIT security be in 3 years?]
That’s where things stand today, courtesy of the mobile MAC address signal (it stands for media access control), a unique ID coming from every smartphone, tablet and wearable device.
But not for long, given upcoming changes to how Apple products will handle MAC address broadcasts – a move almost certain to be copied by Google’s Android.
Apple’s iOS 8 change, focusing initially on how MAC addressing interacts with Wi-Fi scans, will shift to using “randomly, locally administered” MAC addresses. The result, according to Apple: “The MAC address used for Wi-Fi scans may not always be the device’s real – universal – address.” (That description is on page 18 of an Apple PDF, available here.)
As a practical matter, using this kind of a randomized bogus address approach will make tracking people via mobile devices impossible or, at best, impractical, depending on the level of randomization used and how often – if ever – the true MAC address is broadcast.
It will still be months before Apple releases this new version of its mobile OS publicly (it’s now solely with developers), weeks and maybe months before most consumers will upgrade and longer still before others – especially Google’s Android – mimic the move.
That means that, for now, this security privacy risk is still a very real threat.
The risk is twofold. First, there is the potential for a renegade member of the hospital’s staff to track people. Second, there exists the possibility that hospital visitors could wirelessly track other hospital visitors.
With the first scenario, this is not as much of a concern for tracking doctors and other hospital staff, as they could just as easily be tracked the instant they log into the hospital’s local area network, so the MAC address broadcast is not necessary. With visiting cyberthieves or stalkers, anyone with a mobile device is a potentially tracked victim.