Mission Critical: Wireless Security

Wireless networks and wireless access devices give healthcare workers the freedom to access mission-critical applications and private patient data from anywhere throughout the hospital enterprise. At the same time, these networks also are used by patients and visiting family members to access the internet. Healthcare facilities must utilize a multitude of security technologies to mitigate any risks and ensure the integrity of their wireless infrastructure.

Wireless technology is mobilizing physicians and nurses at Moore Regional Hospital in Pinehurst, N.C., a 400-bed, acute-care hospital that is the flagship facility for FirstHealth of the Carolinas. Moore Regional serves as the referral center for a 15-county area in North and South Carolina. The FirstHealth system also includes Montgomery Memorial Hospital and Richmond Memorial Hospital, as well as five clinics.

Nearly 300 wireless Cisco Access Points (APs) have been deployed at Moore Regional. The robust wireless infrastructure allows nurses to utilize wireless laptops at the patient’s bedside and do bar-coded medication scanning. Physicians utilize wireless handheld devices such as PDAs to do patient charting and acquire medical histories. The hospital staff also utilizes wireless IP phones for instantaneous communication. “Our staff can take these phones to any of FirstHealth’s three hospitals and remain connected,” says Jon Campbell, director of network services.

In addition, Moore Regional provides its patients and visitors with a guest internet connection that can be accessed via a non-hospital-owned wireless device. “We trunk virtual LANs (VLANs) to each AP which is similar to creating multiple physically separated networks,” explains Campbell. Creating multiple VLANs basically establishes multiple individual network pipes to each AP. These isolated pipes essentially have their own network connection and cannot communicate with one another unless configured to do so, thus allowing physicians, nurses and patients to have wireless access to specified network resources. However, their level of access is based on their roles and credentials within the hospital. “The ability to have these multiple VLANs across the AP is very effective in controlling traffic,” says Campbell.

Overall, FirstHealth’s wireless security design is based on two protocols, Cisco’s EAP-FAST (Flexible Authentication via Secure Tunneling) and the open-standards PEAP (Protected Extensible Authentication Protocol). Both protocols work in combination with Cisco’s Access Control Server (ACS) to provide necessary authentication. In addition, the IT staff uses a Cisco Wireless LAN Solutions Engine (WLSE) to manage all the APs, evaluate who is accessing them and monitor for any rogue wireless devices.

One of the biggest security challenges the hospital confronts is getting different vendors to comply with FirstHealth’s wireless security standards. “Some of the vendors were still trying to use WEP [Wired Equivalent Privacy],” explains Campbell. To tackle this challenge, Campbell says it is imperative to create a security standards document that clarifies exactly what a facility will and will not use. Campbell also emphasizes how important it is not to build a static environment. Organizations should not simply deploy their wireless security and say they are done, says Campbell. The wireless infrastructure constantly needs to be monitored and tweaked.
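The two controls described above, monitoring for rogue devices and holding every device to a written standard that excludes WEP, can be expressed as a single audit over a wireless survey. This is an added example, not FirstHealth's tooling or configuration; the SSID names, BSSIDs, policy table and function names are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical standards document: security modes permitted per SSID.
# EAP-FAST and PEAP are the protocols named in the article; WEP is absent.
STANDARD = {
    "clinical": {"EAP-FAST", "PEAP"},
    "voice": {"EAP-FAST"},
    "guest": {"Open"},  # guest VLAN, isolated from internal resources
}

# Constructed inventory of radios the IT staff actually manages.
MANAGED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    security: str


def audit(observations):
    """Return (bssid, ssid, reason) for each rogue or non-compliant radio."""
    findings = []
    for o in observations:
        allowed = STANDARD.get(o.ssid)
        if allowed is None:
            continue  # a neighbouring network, not one of our SSIDs
        bssid = o.bssid.lower()  # survey tools differ in MAC letter case
        if bssid not in MANAGED_BSSIDS:
            # Our SSID broadcast by a radio we do not manage.
            findings.append((bssid, o.ssid, "rogue: unmanaged radio"))
        elif o.security not in allowed:
            findings.append((bssid, o.ssid,
                             f"non-compliant: {o.security} not permitted"))
    return findings


# Constructed survey data for illustration.
SURVEY = [
    Observation("clinical", "00:11:22:33:44:01", "PEAP"),
    Observation("clinical", "00:11:22:33:44:02", "WEP"),
    Observation("clinical", "66:77:88:99:AA:BB", "PEAP"),
    Observation("guest", "00:11:22:33:44:01", "Open"),
    Observation("CoffeeShop", "de:ad:be:ef:00:01", "Open"),
]

if __name__ == "__main__":
    for finding in audit(SURVEY):
        print(finding)
```

Run on a schedule rather than once, a check like this reflects Campbell's point that the environment must be continually monitored rather than deployed and left alone.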

Providence Health & Services is a network of 27 hospitals and healthcare facilities spanning the states of Alaska, Washington, Montana, Oregon, and California. Seven hospitals in Oregon affiliated with Providence Health have already mobilized their workforce and are now adding a new feature to their network. To create a more favorable and comfortable environment for their patients, visitors and family members, the Oregon hospitals are starting to provide public wireless access to the internet, says Dick Gibson, MD, PhD, chief medical information officer of Providence Health & Services in Oregon.

To do this, the hospitals added a Bluesocket Inc. wireless network, which sits on top of the existing Cisco private Wi-Fi system. “We can use the same APs for the public as we do for internal employees, but without concern that they are going to utilize too much bandwidth or that they are going to impact network security,” says Gibson. The Bluesocket technology acts as a wireless network gateway, ensuring visitors utilizing wireless devices do not threaten the integrity or security of the wireless network.

Patients and visitors use the internet to check email or surf the web, but healthcare employees utilize the network to acquire and send private patient information. Therefore, the internal network has been secured by WPA (Wi-Fi Protected Access) and Microsoft Active Directory. The internal network is entirely segregated from the external network by the Bluesocket technology, mitigating security challenges. Acting like a very intelligent firewall appliance, the Bluesocket technology also governs the amount of bandwidth utilized by each visitor on the network, Gibson says.

“Every technology has its benefits and its risks, and Wi-Fi networks are no different,” Gibson says. “With the effective authentication and encryption methods currently available, we believe the risk to security and confidentiality is low. We need to be vigilant and continually update our technology to stay ahead of security risks.”