What is the impact of security mechanisms on mobility?


The healthcare industry adheres to another layer of security requirements prescribed by laws addressing privacy and a patient’s clinical information (e.g. HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry)). Protecting electronic health information is an essential business need for hospital administrators. Fortunately, Wi-Fi has strong encryption and authentication capabilities in the form of WPA2 to assist IT managers in implementing security policies.

The basic security principle in IEEE 802.11 is that each time a client connects to an AP, it must complete the authentication process. The two main types of security used are WPA2-Personal and WPA2-Enterprise, and each has a different impact on roaming behavior because WPA2-Enterprise requires more steps in the authentication process. When the Enterprise version of Wi-Fi Protected Access® 2 is used, the authentication required when roaming adds time to the authentication or re-authentication process. For mobile devices, this added time may impact real-time streaming client performance. For important clinical applications like telemetry, where mobility is a part of the clinical usage, the use of a fast roaming algorithm such as 802.11r is recommended. As an example, when high quality of service (QoS) applications such as VoIP are used on a properly implemented Wi-Fi network, the combination of WPA2-Enterprise and fast roaming techniques provides a secure and reliable connection. The Wi-Fi Alliance’s Voice-Enterprise certification incorporates these important capabilities and is a key enabler of a high-performing enterprise WLAN.
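To check which of these options a network actually advertises, the following Python code (an added example, not part of the original page) parses the tagged parameters of a beacon or probe response and reports whether the SSID offers WPA2-Enterprise and 802.11r fast transition. The function names and the two sample frames are constructed for illustration; the element IDs and AKM suite numbers are those defined by IEEE 802.11.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}  # OUI 00-0F-AC

def element(eid, body):
    """Build one information element (used only for the constructed samples)."""
    return bytes([eid, len(body)]) + body

def iter_elements(buf):
    """Yield (element_id, body) for each tagged parameter in a beacon."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element %d" % eid)
        yield eid, body
        pos += 2 + length

def parse_rsn_akms(body):
    """Return the AKM suite names listed in an RSN element (ID 48)."""
    pos = 6  # skip version (2 bytes) and group cipher suite (4 bytes)
    (pairwise_count,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 4 * pairwise_count
    (akm_count,) = struct.unpack_from("<H", body, pos)
    suites = [body[pos + 2 + 4 * i:pos + 6 + 4 * i] for i in range(akm_count)]
    if any(len(s) < 4 for s in suites):
        raise ValueError("truncated AKM list")
    return [AKM_NAMES.get(s[3], "other") if s[:3] == RSN_OUI else "vendor"
            for s in suites]

def roaming_profile(tagged):
    """Summarise the authentication and fast-roaming support a beacon advertises."""
    akms, mdid, ft_over_ds = [], None, None
    for eid, body in iter_elements(tagged):
        if eid == 48:                       # RSN element
            akms = parse_rsn_akms(body)
        elif eid == 54 and len(body) == 3:  # Mobility Domain element (802.11r)
            mdid, ft_over_ds = body[:2].hex(), bool(body[2] & 0x01)
    return {"akms": akms, "mobility_domain": mdid, "ft_over_ds": ft_over_ds,
            "enterprise": any(a.endswith("802.1X") for a in akms),
            "fast_roaming": mdid is not None and any(a.startswith("FT-") for a in akms)}

# Constructed samples: an enterprise SSID with 802.11r and a PSK-only SSID.
RSN = "0100 000fac04 0100 000fac04 %s 0000"
SAMPLE_FT = (element(0, b"clinical")
             + element(48, bytes.fromhex(RSN % "0200 000fac01 000fac03"))
             + element(54, bytes.fromhex("a1b200")))
SAMPLE_PSK = element(0, b"guest") + element(48, bytes.fromhex(RSN % "0100 000fac02"))
```

Calling `roaming_profile(SAMPLE_FT)` reports both the 802.1X and FT-802.1X suites plus the mobility domain, while `roaming_profile(SAMPLE_PSK)` shows a WPA2-Personal network with no fast transition.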


Frequently Asked Questions

What is mobility in a healthcare setting?

Mobility is used to describe continuous network connectivity, providing the user with anytime, anywhere access to social media, clinical, or business application data. When Wi-Fi® client devices and the hospital network to which they connect properly support mobility, a wireless device can access the network while on the move anywhere in the building and sometimes outside of the building (e.g. walkways between buildings). To properly support mobility in hospitals, adherence to best practices in the design, installation, and management of the Wi-Fi network and devices is essential.

What is a mobile Wi-Fi device, and how is it different from a non-mobile Wi-Fi device?

Mobile devices refer to those used by an end user who moves about the hospital or healthcare facility and requires a persistent connection. Examples are patient-worn telemetry devices that continuously monitor the vital signs of an ambulatory patient, or a smart phone that provides a physician attending to a patient instant access to all of the clinical systems required to provide care.

Why does a Wi-Fi client roam from one AP to another?

There are many reasons why a client will roam from one AP to another, the most common being that the client moves from the radio frequency (RF) boundary of one AP to that of another AP. Healthcare environments are often very challenging from an RF planning standpoint due to their physical structure, with long hallways, isolated patient rooms, and shielded radiology areas. These physical challenges can create abrupt transitions between AP coverage areas and inhibit fast and efficient roaming performance. Given the strict performance and availability requirements of medical devices, significant emphasis on establishing a robust and reliable Wi-Fi network is important.

What is off-channel scanning for Wi-Fi client devices?

Off-channel scanning is when a Wi-Fi client device tunes its radio to another channel to look for available APs or scans for APs on a channel to which it is not connected (hence “off-channel”). The client scans the off-channel APs looking for a suitable AP to connect to in case it needs to roam from its current ‘on-channel’ AP.

What is off-channel scanning for Wi-Fi access points (APs)?

An access point (AP) can also perform off-channel scanning. This process is the same as off-channel scanning for Wi-Fi client devices and essentially allows the AP to tune its radio to a different channel for a finite amount of time. Off-channel scanning is typically used as a method to detect sources of interference and rogue or unauthorized ad-hoc Wi-Fi networks. How off-channel scanning operates is highly dependent on the manufacturer's implementation and the configuration of the WLAN.

What is the impact on clients when APs perform off-channel scanning?

When an AP is performing an off-channel scan, the client devices that are connected to it will not be able to send traffic to the network. This can be disruptive to real-time streaming devices that rely on a persistent connection. Care should be taken in the configuration of off-channel scanning.

What are passive and active scanning?

The reason for client scanning is to determine a suitable AP to which the client may need to roam now or in the future. A client can use two scanning methods: active and passive. During an active scan, the client radio transmits a probe request and listens for a probe response from an AP. With a passive scan, the client radio listens on each channel for beacons sent periodically by an AP. A passive scan generally takes more time, since the client must listen and wait for a beacon versus actively probing to find an AP. Another limitation with a passive scan is that if the client does not wait long enough on a channel, then the client may miss an AP beacon.

What is dynamic frequency selection (DFS)?

In many countries, regulatory requirements may limit the number of 5 GHz channels available or place additional restrictions on their use because the spectrum is shared with other technologies and services. For instance, in the US and other countries, some of the Unlicensed National Information Infrastructure (U-NII) bands are used by radar systems. Wi-Fi networks operating in those bands are required to employ a radar detection and avoidance capability. The IEEE 802.11h standard addresses this requirement by adding support for DFS and transmit power control (TPC) on every DFS channel.

How does DFS work?

If a Wi-Fi AP detects a radar system on a channel with DFS enabled, the AP must announce to associated client devices that it is vacating the channel on which the radar is detected and the new channel to which it is moving. The client devices must immediately vacate the channel and are expected to associate to an AP on a different channel.

How does DFS affect mobility?

For the 5 GHz bands that include DFS channels, clients are forbidden from performing active scans and must only use passive scanning. This can increase the time required to identify and select candidate roaming targets. This increase in scanning time may prevent some clients from keeping their connection active while roaming across APs.

When an AP detects radar, it is allotted a period of time to search for available channels. This time period may exceed the application connectivity threshold and cause a client to lose its connection even though the DFS rules were strictly followed.

In some environments, it may be preferable to restrict RF usage to channels in which DFS is not mandated. Consult the country-specific regulations to determine which channels are DFS mandated.