U.S. officials recommend better RFID security

New report details best practices for retailers, manufacturers, hospitals, federal agencies
By Jon Brodkin, Network World, 04/30/2007

Organizations that use RFID devices should systematically evaluate potential security and privacy risks posed by the technology, U.S. government officials say in a new report detailing best practices for retailers, manufacturers, hospitals and federal agencies.

RFID raises unique security concerns because, unlike a desktop computer or most devices overseen by a company’s network security crew, a single RFID tag may be handled by multiple organizations.

“When you go into RFID, the chain of custody is different,” says Tom Karygiannis, lead author of a 154-page report released by the Department of Commerce’s National Institute of Standards and Technology (NIST). “We’re talking about a global supply chain. You’re working with suppliers, manufacturers, retailers; different organizations may have possession of the merchandise that has the RFID on it throughout the life cycle. This raises new privacy and security risks.”

The publication, titled “Guidelines for Securing Radio Frequency Identification (RFID) Systems,” includes recommendations such as the following:

* Use firewalls that separate RFID databases from an organization’s other databases and IT systems.

* Encrypt radio signals when feasible.

* Authenticate approved users of RFID systems.

* Shield RFID tags or tag reading areas with metal screens or films to prevent unauthorized access.

* Use audit procedures, logging and time stamping to help detect security breaches.

* Implement procedures for tag disposal and recycling that permanently disable or destroy sensitive data.

The report was mandated by Congress under the Federal Information Security Management Act of 2002. In addition to usage in the retail industry, RFID devices are matching hospital patients to lab test results and helping track dangerous materials, raising concerns about eavesdropping or unauthorized use.

The federal report includes hypothetical case studies, including one in which a government agency oversees supply chain management of hazardous materials that are handled by a number of organizations during transport. The risks involving RFID are numerous: adversaries could identify and target vehicles containing hazardous materials; eavesdrop on tag transactions to learn the characteristics of the materials; damage or disable a tag, making it easier to steal; or alter sensor or manifest data stored on the tag to undermine business processes.
