A survey of Wi-Fi networks around NHS Trust hospitals in the UK has found that fewer than one in five secure data connections using encryption.
Worse still, over half have not changed the manufacturer’s default access point settings, potentially making them easy targets for hackers.
According to consultancy Orthus, which chose 40 Trusts at random, 68 percent allowed open and unfettered Internet access, 93 percent of which were available at a distance of 50 metres from the hospital entrance. That means someone sniffing traffic could access unencrypted data from a car park.
Fifty-three percent of the access points were still on the manufacturer’s default settings (i.e. using a vendor’s published AP password and username); only 18 percent were using encryption, leaving 82 percent with no encryption at all.
Fourteen percent applied no encryption but did block full Internet access, a move that could mean these access points were set up to service local-only connections.
The lack of encryption is the headline issue because it means that anyone using Internet tools could monitor sensitive traffic, observers noted. In some cases the lack of security might be explained by hospitals offering Wi-Fi to the public, but even then such connections still pose a risk.
One likely explanation for the hospital setup could be that computers inside the hospital lack support for encryption standards such as WPA and WPA2, which forces IT to use WEP or nothing at all.
The report's authors criticised the decisions around Wi-Fi taken by most trusts. They concluded: “Network administrators clearly have not come to understand the liability associated with allowing Internet access to unauthorised users.”