Case Study: Security and mobility convince hospital to go wireless
Patient data kept private, staff made mobile.
By Bert Latamore, Computerworld | Computerworld UK | Published: 16:00, 08 June 2007
In health care, network dependability can literally be a matter of life and death, and in the US, federal law mandates security and privacy levels beyond those needed in any other vertical industry outside finance and national security. Many health care providers operate on shoestring budgets, in part because of the large population of uninsured individuals.
So when Tuality Healthcare, a 90-year-old not-for-profit integrated health care provider serving the western suburbs of Portland, Oregon, designed its Wi-Fi network, it moved carefully. "We, as an industry, are not early adapters of unstable technology," says Chris Herrin, Tuality's network services manager. For instance, the provider is only now upgrading from its Cerner Classic Clinical Information System, a dumb-terminal architecture, to the Cerner Millennium client/server architecture.
The health care provider operates Tuality Community Hospital, a 167-bed facility in Hillsboro, Oregon, as well as a 48-bed satellite hospital in nearby Forest Grove and clinics throughout the area.
Tuality, however, is heavily networked on the wired side. "We are a Cisco shop with a multi-gigabyte backplane built on six Model 6500 routers that can take transmission speeds to tens of gigs," Herrin says. "Right now, we are running at 6 to 8 gigs, and throughput is fabulous."
Tuality needs that speed to support its networked Picture Archival Computing System (PACS), which has become its lead application. With it the provider is replacing some of its traditional film images throughout its facilities, including operating theaters. It delivers images directly to doctors' offices, which, Herrin says, the doctors love and which has helped change the minds of some physicians about using computers.
It allows radiologists to read images at home, providing coverage for the emergency room evenings until 9pm, after which an outsourcer, Virtual Radiological Consultants, takes over for overnight emergencies. The radiologists access the images transmitted to them directly from the modality - X-ray, CAT or MRI - and either call or fax their reads to the emergency room.
PACS saves Tuality money by eliminating film and developing costs and cutting second- and third-shift personnel costs, and it has improved morale among the radiologists. But medical images are big and put heavy demands on the network. "We ran T1s to the radiologists' homes because the service agreement with our Internet provider was not sufficient to handle the uptime," Herrin says. That's why a 1,200-member organisation has such a heavy-duty network infrastructure.
"The PACS application broke through the barrier of computer resistance to the extent that our neurosurgeons and orthopedic surgeons wanted it in the ORs in place of film," Herrin says. "We still have some doctors resisting computers, but the mainstream is well versed and is encouraging and, in some cases, pushing us to use the latest and greatest."
This has paved the way for the next step, layering an Aruba Networks wireless edge network onto the environment to serve Tuality's Hillsboro main campus. While this will allow the provider to support mobile computing for its staff - most of whom spend the majority of their day away from desks and nurses' stations - and potentially may allow it to provide pass-through Internet service to patients and visitors, it also introduces a new security exposure. With the security and privacy requirements of the federal Health Insurance Portability and Accountability Act being a constant concern, Herrin was all too aware of the potential problems.
Avoiding a nightmare
"We looked at all the news stories about the guys who lost laptops full of people's personal information," he says. "That turns into a nightmare for a staff, so we want to come out of the gate strong with our initial wireless implementation."
He decided to implement the Aruba firewall but was not satisfied with Aruba's access control. Instead, he chose Network Chemistry's RFprotect, including:
RFprotect Scanner, a network-based vulnerability management solution for rogue wireless AP detection and remediation
RFprotect Mobile, a portable, laptop-based analyzer for automating site surveys, security assessments and incident response
RFprotect Distributed, a 24/7 wireless monitoring and intrusion-prevention system.
Tuality first looked at Network Chemistry because Gartner gives it a high rating, Herrin says. Then "users I talked to were unanimously enthusiastic about the products and the vendor's responsiveness," he adds.
"So we are working directly with Network Chemistry now, and so far it is going very well," he says. "With the strength of Network Chemistry's products and their ability to integrate, there is just no question that we will be ready to protect our assets and sensitive patient information when we go live."