Wireless Security Targets Compliance & Convenience

Kurt Induni, network services manager, oversees the Network Operations Center at Ochsner Health System in New Orleans.

Healthcare providers are mobile and steadily becoming even more so. Use of wireless devices is growing, from personal handhelds to medical devices that link to wireless networks. An industry study published by The FocalPoint Group estimates an impressive growth rate of the wireless technology market in healthcare, from $1.8 billion in 2005 to more than $7 billion in 2010. Ensuring secure access and efficient management is essential.

Unique needs

The healthcare industry presents IT professionals with unique dilemmas. “We serve hundreds of masters who have very different ways of doing business,” says Kurt Induni, network services manager of Ochsner Health System in New Orleans. As manager of an enterprise information systems shop, Induni set the standard of security to protect information and protect access to information.

Not only are there wide-ranging wireless needs in healthcare, the industry has “really had to come of age with security,” he says. “It’s probably a high priority on every network manager’s list.” Securing a wireless network sometimes is easier than a wired network. Induni can more easily police the wireless network through back-end management, while the wired network is still policed by users through their identification and passwords.

Ochsner went wireless in 1996 with an emergency department pilot project to do bedside registration for patients who came in without a friend or family member. With a 500-bed hospital and 600-physician clinic in one complex, “our wireless needs quickly grew from that point forward,” says Induni. The problem with keeping up, however, was that each of more than 500 autonomous access points required manual configuration, monitoring and upgrading. “That made any kind of dynamic changes to the wireless network very tedious and a long process.”

In fact, the wireless network “stayed as static as we could possibly keep it, mainly because of resources.” Two years ago, Induni implemented solutions from Cisco (formerly Airespace): the Cisco WiSM (Wireless Service Module) housed in Cisco 6509 Switches, Cisco WCS (Wireless Control System) to provide the centralized management and the Cisco 2700 location appliance to provide graphical location capability. Currently, Ochsner has 570 Cisco 1200 access points. This allows Induni to protect the overall security of the enterprise network, make dynamic changes to the entire enterprise and provide wireless services that before were very resource intensive. For example, he recently got a call to update 38 personal digital assistants (PDAs). To do so, he simply built a private network just for those devices. Since converting to a controller, updating the entire network takes “a matter of minutes.”

You can only do so much

Cook Children’s Health Care System in Chicago has seen growth in both personal and medical devices that use wireless networking, says Ross Jones, manager of telecom/networking, information services. When the organization installed wireless networking almost five years ago, Jones brought in NEC — already his network vendor. “We currently have several different wireless networks and we tend to segregate the traffic by the type of network that they’re on,” he says. That includes charting in the HIS, voice traffic, clinical monitoring and business operations.

You can only do so much to secure wireless networks, Jones points out. “When we were building the network here, we realized we were going to be going out over the air. If someone really knows what they’re doing, they can intercept what’s going through the air.” To prevent that, Jones has made certain activities unavailable via wireless in different parts of the building. And just because information is intercepted, that doesn’t mean it can be read. Understand where your signals are going, he says. Don’t broadcast your service set identifiers — part of the way that a computer finds the network that it should be using. “Some people say it’s such a weak thing that it really doesn’t matter. It doesn’t keep the bad guys away, but if someone is trolling for a network, they’ll find somebody else before you and there’s value in that.”

Jones has configured his system so that wireless devices don’t connect to just any network, only his. “We don’t want laptops straying off.” Many personal wireless devices, such as laptops, come with their own security built in. However, that may be the only product that supports that type of security. “We haven’t found that to give us the flexibility we need,” Jones says. “We have found, especially in light of the new mix of devices, that standards-based security measures are better [as opposed to proprietary systems].” In some cases, he has separate networks with separate security models. It’s important, he says, to remember the capabilities of handheld devices, such as data access anytime anywhere and portability, and accommodate them.

Jones also uses firewalls between his wireless and wired networks. “We can filter traffic to very specific services on any given network,” he says. The different efforts “together bring us into a fairly comprehensive security stance for this technology.”

Lessons learned

With the rapid increase in use of mobile devices and wireless networks, many facilities are learning as they go. “I think the biggest lesson we learned is that the wireless network needs to be treated differently from a users’ understanding,” says Induni. Wireless devices provide the user with mobility, but that mobility comes at the cost of performance. Users won’t experience delays if they are on a single access point, but the more users on a wireless network, the more the bandwidth must be shared. As a result, performance steadily degrades. “Sometimes people don’t understand that,” he says. “People are spoiled by wired networks. They come to expect wired speeds on a wireless network. Wireless is for mobility, not for performance.”

Any facility that doesn’t currently have a wireless presence should find a partner that can help bridge the experience gap, says Jones. “You can actually purchase expertise to understand where your signal is going and what type to buy,” he says. He recommends periodically surveying your environment to see if other networks have popped up around you. “It’s good to understand if somebody else’s network is bleeding into your building. Make sure your devices aren’t trying to connect with that.”

Jones also recommends looking at converged antenna solutions, which weren’t available five years ago. “Some products now let you do more than just wireless data. If you’re going to have this sizable outlay to install wireless in your facility, at least look at these products,” he says. A converged infrastructure allows for more devices without a lot more cabling.

Although wireless often means IT staff can manage security on the backend and take the onus off users, Jones still routinely provides basic security training. That includes appropriate password creation, such as using a combination of letters and numbers but not using personal information, and reminding users not to share accounts.

Looking ahead

Use of tablet PCs and other handheld devices is growing, along with medical equipment that links to a wireless network. Induni is starting to create wireless location services by implementing the Cisco location server. “That’s the next major breakthrough for us,” he says.

He is mapping out the infrastructure and building maps for every floor that has wireless capabilities. The idea is to always know where patients and facility assets are. That will allow for easier targeting of technical problems and a smoother flow for patients. For example, data from the location server will be used to update the status boards of surgical patients.

Jones has worked to create a flexible and multilayered security model, so he’s ready for the future. “If you rely on one technology and one tactic to secure a wireless network, especially in healthcare, it will either create problems for you or you will come to a point where you can’t support something new someone wants to do.”