Forward Medical Center Strategic Plan
Table of Contents
• Executive summary
• Review of Part 1 Forward Medical Center
• Review of the User Domains and their Technology Needs
• Technology Framework Requirements
• General Network Hardware/Software Review
• Technology Framework Design
• Report summary
• References
Executive summary
In this document we combine all the parts required to provide a fully functional
network design for the Forward Medical Center. We start with a review of the Part 1
document, which covers the overall architecture and the needs of the user domains of the
Forward Medical Center. After the Part 1 review we move on to the technology framework,
which includes a review of the general physical network implementation requirements.
The technology framework requirements include a well-defined plan for network design,
protocols, and supporting technologies regarding the project. This design will keep in mind
any future expansion plans and implement technologies and hardware to make any future
expansion easy to implement and execute.
The document also covers campus and inter-building network components, including
switch and router placement at each site. By providing a well-defined plan for hardware
placement and user requirements, our team will give the Forward Medical Center IT staff a
fully operational network that tolerates failures and is easy to troubleshoot.
The document also includes a general network hardware/software review that provides
background on all the networking technologies we will implement in the final design. The
review covers wireless standards and all security and authentication aspects of the
design. The general network hardware/software review also covers wired devices,
interconnecting hardware, and a well-defined physical and virtual security plan that
addresses security requirements including firewalls, intrusion detection systems,
authentication, encryption standards, and anti-virus solutions.
All security devices and protocols in this document will be in compliance with HIPAA and
HITECH requirements.
Finally, this document includes a technology framework design that combines the user
domain needs from Part 1, the physical framework requirements from Part 2, and the
technology selection from Part 3 to create the final Forward Medical Center network
infrastructure proposal. This framework covers the overall design of the network and lays
out diagrams of the hub sites located across the medical center, the connections between
these hub sites, and the wireless network design for the medical center.
Our team will provide the medical center with a secure network that can handle the
medical center's high-bandwidth network traffic and security requirements. Our design is
versatile, flexible, and ready to be implemented using the latest and most secure hardware
and software, all of which is HIPAA and HITECH compliant.
A medical center network carries significant private, personal health information that
requires strong protection and a high tolerance of network failure, and our design keeps
both in mind throughout the network.
First, we start with two switches on each floor, located in a switching closet. Devices on
each floor are distributed between the two switches, so if one switch fails only part of
that floor loses connectivity rather than the entire floor.
The same principle applies to splitting the network between a west hub and an east hub,
so the buildings have two independent points of failure. If one hub fails, only part of the
network fails.
There is a total of seven VLANs in the design; they separate the crucial traffic of the
medical devices from all other network traffic and keep the network secure. Wired network
traffic is separated from wireless network traffic, and guest traffic is separated from
medical center staff traffic. Also, all administrative access and server traffic are on a
separate VLAN from all other traffic. This gives the IT administrators proper ways to
manage and troubleshoot the network.
The design also includes cloud servers located inside a HIPAA-compliant AWS Virtual
Private Cloud (VPC) that sync with and replicate all servers and services located on the
hospital premises. This hybrid design provides a highly fault-tolerant network, and HIPAA
requires such disaster recovery capability: if the medical center building is destroyed in a
disaster, no personal or health records will be lost.
The AWS architecture provides high security and connectivity via a VPN that is configured
to route traffic only to and from the server farm on premises.
The design puts a strong emphasis on the wireless network and its security, because of its
importance and because many medical devices are now wireless by default, since the
latest wireless standards allow high-bandwidth data transfer.
To protect the sensitive information on the wireless network we use WPA2-Enterprise
protection together with ESET network attack protection. Also, all users will be managed
by the Cisco NAC solution in conjunction with a Windows RADIUS server and a Domain
Controller server to authenticate users and encrypt traffic.
In order to comply with the HIPAA Security Rule and the HITECH Act, the hospital will
abide by the processes and policies written by the hospital's compliance officer.
While the Security Rule covers electronic information, privacy must be maintained for all
health records in whatever format. The main goal of HIPAA is to maintain the security and
privacy of Electronic Personal Health Information, otherwise known as E-PHI. The HITECH
Act broadened the scope of HIPAA. It took a more focused, structured approach to getting
medical facilities to use Electronic Health Records. The HITECH policy allowed flexibility
in the technological advancement of Electronic Health Records. The Security Rule does not
specify the technology that must be used, only that the issue must be addressed within the
entity.
The networking needs will vary by floor, but normally each department/floor will contain
the following:
• Nursing stations
• Medical records room
• Patient rooms
• Guest lounge
In a hospital network we must presume the default mode for most devices is wireless. The
majority of devices in a hospital depend on being mobile, such as workstations on wheels,
nursing stations, patient beds, tablets, and mobile imaging devices.
In our Forward Medical Center design, we will be utilizing the following connectivity:
Nursing Stations: Nursing stations will have wired and wireless connections to the
network and use a VLAN separate from the guest wireless access. This gives the
nurses the freedom to move their stations from room to room without worrying
about connectivity.
Medical Records Room: Medical records rooms will have workstations (PCs) that
connect to the network via ethernet. The location of the room determines which
switch the workstation connects to.
Patient Rooms: Patient rooms will have multiple devices connected to the network
via ethernet on a VLAN separate from the workstations and nursing stations. Patient
rooms will also have staff Wi-Fi access.
Guest Lounge: Guest lounges will only have Wi-Fi access, on a guest network VLAN
that is separated from all other critical hospital traffic.
Doctors' and Nurses' Tablets: All staff tablets will connect wirelessly to the same
VLAN the nursing stations use.
Some parts of the hospital will have miscellaneous devices that require a connection to the
network, such as imaging devices, X-ray machines, CT/CAT scanners, and ultrasound
machines. These will be connected to the network on a separate VLAN and will have a
higher priority for traffic and bandwidth.
The user population in this section will consist of employees and administrators that
connect to the network using devices such as desktops, laptops, tablets and smartphones.
• Workstations (desktops)
Workstations will connect to the network via the switch located in the switch closet of the
floor where the employees are located in that building. The desktops will be wired to the
network and will use VLAN 10, which handles all staff wired access to the network.
• Laptops
Employees' work laptops used for administrative work and hospital-related business will
connect to the network via Wi-Fi using the nearest access point (see wireless network, Page
5). The traffic for this network will be routed through VLAN 30, which handles all staff and
nurse wireless traffic. If a laptop is being used as a stationary workstation it will be
wired and connected to VLAN 10.
• Tablets and Smartphones
Tablets and smartphones will connect to the network wirelessly via the nearest access
point (location dependent), and all traffic will be routed through VLAN 30.
• Authentication and Authorization
Not all administration staff and offices will have full access to the network. Users will be
required to log in, whether on wired or wireless devices, and the appropriate server will
authenticate the user and grant access to the parts of the network that user is authorized
for.
For example, the human resources office in the medical school will only need access to
the parts of the database related to the school's work and will not need access to the
hospital/patient data.
The IT department will follow its standard operating procedures, providing proper access
to the Forward Medical Center staff and configuring the RADIUS server and Domain
Controller to authenticate users and control access as required.
Nursing Floors
The user population for this section consists of nurses that require access to the
network using tablets, laptops, thin clients, and nursing stations.
• Nursing Stations (Workstation on Wheels)
These stations are required to be mobile in many cases, so we assume the default mode is
wireless, because nurses take these stations to different patient rooms to track patients'
vitals and so on. Nurses use these stations to enter private and sensitive patient health
information, so they require strong security and will connect to VLAN 30. All traffic from
nursing stations will have priority for bandwidth over all other traffic on that VLAN.
• Laptops
Nurses' laptops will connect to the network via Wi-Fi using the nearest access point (see
wireless network, Page 5). The traffic for this network will be routed through VLAN 30,
which handles all staff and nurse wireless traffic. If a laptop is being used as a stationary
workstation it will be wired and connected to VLAN 10.
• Tablets and Smartphones
Tablets and smartphones will connect to the network wirelessly via the nearest access
point (location dependent), and all traffic will be routed through VLAN 30.
• Authentication and Authorization
Nurses will be able to use the network to retrieve, store, and edit patient information. Users
will be required to log in, whether on wired or wireless devices, and the appropriate
server will authenticate the user and grant access to the parts of the network that user is
authorized for.
The nursing floors hold private health care information that must be protected and
secured. All nursing stations will time out within 3 minutes of inactivity and will log out
the user after 8 minutes (see the legal compliance section).
There will be no guest Wi-Fi access on the nursing floors except in the guest lounge. All
doors will require card access, and all visitors must check in at the front desk on any
nursing floor.
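To make the inactivity rule above concrete, here is an added Python example (not part of the plan) of the logic a screen-lock daemon would run on a nursing station: lock after 3 minutes idle, terminate the session after 8, require re-authentication to unlock, and write each event to an audit trail. The class and function names and the sample timeline are assumptions; the two thresholds are the plan's numbers.

```python
"""Added example (not from the Forward Medical Center plan): a workstation session
guard enforcing the plan's nursing-station rule, lock after 3 minutes of inactivity
and log out after 8. Names are assumptions; the thresholds are the plan's."""
from dataclasses import dataclass, field

LOCK_AFTER_SECONDS = 3 * 60    # inactivity before the screen locks (plan's 3 minutes)
LOGOUT_AFTER_SECONDS = 8 * 60  # inactivity before the session ends (plan's 8 minutes)


@dataclass
class SessionGuard:
    """Tracks one nursing-station session using monotonic timestamps in seconds."""
    user: str
    last_activity: float
    locked: bool = False
    logged_out: bool = False
    audit: list = field(default_factory=list)  # (time, user, event) for the audit log

    def touch(self, now: float) -> None:
        """Record keyboard/mouse activity. Activity on a locked screen is ignored so a
        nudged mouse cannot keep a PHI session alive without re-authentication."""
        if self.logged_out:
            raise RuntimeError("session terminated; the user must log in again")
        if not self.locked:
            self.last_activity = now

    def unlock(self, now: float, credential_ok: bool) -> bool:
        """Unlocking requires re-authentication; success restarts the idle clock."""
        if self.logged_out:
            return False
        if credential_ok:
            self.locked = False
            self.last_activity = now
            self.audit.append((now, self.user, "unlock"))
            return True
        self.audit.append((now, self.user, "unlock-failed"))
        return False

    def evaluate(self, now: float) -> str:
        """Called by the lock daemon each tick; returns 'active', 'locked' or 'logged_out'."""
        if self.logged_out:
            return "logged_out"
        idle = now - self.last_activity
        if idle >= LOGOUT_AFTER_SECONDS:
            self.locked = True
            self.logged_out = True
            self.audit.append((now, self.user, "auto-logout"))
            return "logged_out"
        if idle >= LOCK_AFTER_SECONDS and not self.locked:
            self.locked = True
            self.audit.append((now, self.user, "auto-lock"))
        return "locked" if self.locked else "active"


def replay(timeline):
    """Replay a constructed timeline of (time, event) tuples and return the state after
    each tick; events are 'touch', 'unlock-ok', 'unlock-bad' or 'tick'."""
    guard = SessionGuard(user="nurse01", last_activity=timeline[0][0])
    states = []
    for now, event in timeline:
        if event == "touch":
            guard.touch(now)
        elif event == "unlock-ok":
            guard.unlock(now, credential_ok=True)
        elif event == "unlock-bad":
            guard.unlock(now, credential_ok=False)
        states.append(guard.evaluate(now))
    return states


if __name__ == "__main__":
    # Constructed timeline: the nurse charts, walks away, returns once, then leaves.
    demo = [(0, "touch"), (120, "tick"), (180, "tick"), (200, "touch"),
            (300, "unlock-bad"), (310, "unlock-ok"), (500, "tick"),
            (790, "tick"), (800, "unlock-ok")]
    for (t, e), s in zip(demo, replay(demo)):
        print(f"t={t:4d}s {e:10s} -> {s}")
```

Activity on an already locked screen deliberately does not reset the timer, so the 8-minute logout cannot be postponed without re-authenticating; the audit list is what an investigator would pull to see who was logged in at a given workstation and when.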
ER/ICU/OR
• In the ER and ICU, there will be a WAP connected to a switch in each department.
• The WAP will allow guests in the guest lounge to access the network via Wi-Fi.
• Along with allowing guest access, the WAP will also allow employee use of the
network, but on a different frequency than the guest network so that employees
can access the network for work.
• Each department will also allow wired connections for desktop computers, laptops,
and other medical devices that need to access the network.
• Guests will have limited access to the network and can only complete basic tasks,
such as using the internet (limited by firewalls and other precautions necessary to
prevent the network from being attacked), with harmful websites blocked.
• The OR will be the only department without any type of guest access, since there is
no public access to the OR.
• The OR will also allow employees to connect to the network via Wi-Fi and wired
connections.
• Since each department is considered high bandwidth, all areas except the guest
lounges/guest access portions will be connected with high-speed cables to allow
quicker upload and download speeds.
• With time of the essence, especially in the ER and OR, it is important that doctors
and nurses can quickly and efficiently use a computer or device without lag due to
low available bandwidth.
• Each department will have the need for guest and public access, except the OR.
• The OR will be employee only access.
• The ICU and ER will have keycard access to the employee only portion, with
all employees having keycards to swipe that allow access in.
• Since each department will have two switches, one switch can be labelled for guest
access and the other for employee access making it easier for the Network
Administrator to set up the protocols between the two.
• The ER and the ICU will have the largest user population, including both staff and
guests.
• The users will include doctors, nurses, nursing assistants, therapists,
housekeeping, guests, visitors, and administration.
• The OR will be “staff only” and the only population accessing that portion will be the
staff – doctors, nurses, and technicians.
Medical Offices
For the networking of the medical offices, it would be most effective to use 10Gb/s switches
in order to transmit data as fast as possible and minimize the chance of hiccups or
bottlenecks. The information going in and out of these offices can be extremely important,
and the time it takes to reach a hospital can be crucial. To further reduce the chance of any
slowdown, CAT-6 ethernet cables would be used for each desktop computer to ensure both
maximum speed and security. Some other systems will still require a Wi-Fi connection,
which will be provided by the wireless access points in the building.
The Forward Medical Center consists of 8 buildings. Each building will have one network
closet per floor where all devices will be connected via ethernet or wireless to an edge
switch located in these closets.
Each switch will have two fiber optic uplinks connecting to a distribution switch located in
one of the two hubs.
The following buildings will connect to the east hub via fiber optic:
• Administration
• Emergency services
• Radiation/Oncology
• Hospital
The following buildings will connect to the west hub via fiber optic:
• Medical school
• Professional center
• Outpatient center
• Psychiatry and counseling center
The diagram below shows the hub locations within the medical center:
Each of the west and east hubs will have two distribution switches connecting to a core
switch in the main hub. The main hub will have 2 core switches with uplinks to 2 routers.
In addition to the physical on-premises server farm, our network design is a hybrid
cloud solution for higher fault tolerance and better disaster recovery.
An Amazon AWS cloud will host a duplicate of all servers and services, which communicate
and sync with the on-premises servers.
The AWS cloud connects to the on-premises server farm as follows:
A Virtual Private Network (VPN) tunnel will connect to the network firewall utilizing AWS
Direct Connect, which creates a dedicated network connection from the on-premises
network to the AWS Cloud.
The AWS Direct Connect link is elastic and can automatically scale to provide enough
bandwidth during peak hours.
“AWS Direct Connect lets you establish a dedicated network connection between your
network and one of the AWS Direct Connect locations. Using industry standard 802.1q
VLANs, this dedicated connection can be partitioned into multiple virtual interfaces.
This allows you to use the same connection to access public resources such as objects
stored in Amazon S3 using public IP address space, and private resources such as
Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using
private IP space, while maintaining network separation between the public and private
environments. Virtual interfaces can be reconfigured at any time to meet your changing
needs.”
AWS Direct Connect will establish a network with a virtual router that routes Server
VLAN traffic in and out of the AWS Virtual Private Cloud (VPC). The VPC will host all
servers and services (similar to those on premises) as AWS instances managed
remotely through the AWS console by the IT staff at the hospital.
Our AWS cloud will host a variety of storage containers, such as AWS S3 for rapid-access
storage and AWS Glacier for archive storage. These AWS storage instances are secure and
HIPAA compliant.
The AWS HIPAA-compliant storage follows some general strategies that separate private
data from regular data, track data flow with automation, and provide security for all
sensitive data.
HIPAA and state rules indicate that health information must be stored for long periods of
time (decades). The retention length is determined by the state or by the information type.
That is why using Amazon AWS Glacier archive storage is the best solution to keep archived
data in separate storage. AWS Glacier is designed for 99.999999999% durability. Data is
automatically distributed across a minimum of three physical Availability Zones that are
geographically separated within an AWS Region.
“Hospital systems need to retain petabytes of patient records (LIS, PACS, EHR, etc.) for
decades to meet regulatory requirements. Amazon Glacier helps you reliably archive
patient record data securely at a very low cost.”
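As an added example (not from the plan or from AWS), the Python below audits an S3 lifecycle configuration, in the dictionary shape that boto3's put_bucket_lifecycle_configuration accepts, against per-record-type retention floors. It catches the failure mode that matters for archived health records: an Expiration rule that would delete objects before the mandated retention period ends, or a prefix that is never moved to an archive class at all. The prefixes, retention years and rule ids are constructed placeholders standing in for the values the compliance officer takes from state law; audit_lifecycle() is an assumed helper.

```python
"""Added example, not from the plan or AWS: audit an S3 lifecycle configuration
against minimum retention periods. Prefixes, years and rule ids are placeholders."""

DAYS_PER_YEAR = 365  # S3 lifecycle counts whole days; a retention floor is rounded up
ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}

# Placeholder retention floors in years, keyed by key prefix (constructed, not real law).
RETENTION_YEARS = {
    "records/adult/": 10,
    "records/minor/": 25,
    "imaging/": 7,
}

# Constructed lifecycle configuration for the archive bucket.
LIFECYCLE = {
    "Rules": [
        {"ID": "adult-records", "Status": "Enabled",
         "Filter": {"Prefix": "records/adult/"},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
         "Expiration": {"Days": 10 * DAYS_PER_YEAR}},
        {"ID": "minor-records", "Status": "Enabled",
         "Filter": {"Prefix": "records/minor/"},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
         "Expiration": {"Days": 20 * DAYS_PER_YEAR}},   # shorter than the 25-year floor
        {"ID": "imaging", "Status": "Enabled",
         "Filter": {"Prefix": "imaging/"},
         "Transitions": [{"Days": 30, "StorageClass": "DEEP_ARCHIVE"}]},  # never expires
    ]
}


def audit_lifecycle(config: dict, retention_years: dict) -> list:
    """Return human-readable findings; an empty list means the policy is acceptable."""
    findings = []
    covered = set()
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules do nothing, so they cannot delete anything
        prefix = rule.get("Filter", {}).get("Prefix", "")
        rule_id = rule.get("ID", "<unnamed>")
        floor_years = retention_years.get(prefix)
        if floor_years is None:
            findings.append(f"{rule_id}: prefix '{prefix}' has no retention floor defined")
            continue
        covered.add(prefix)
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and expiry < floor_years * DAYS_PER_YEAR:
            findings.append(f"{rule_id}: expires after {expiry} days but must be kept "
                            f"{floor_years} years")
        if not any(t.get("StorageClass") in ARCHIVE_CLASSES
                   for t in rule.get("Transitions", [])):
            findings.append(f"{rule_id}: never transitions to an archive storage class")
    for prefix in sorted(retention_years.keys() - covered):
        findings.append(f"no enabled lifecycle rule covers prefix '{prefix}'")
    return findings


if __name__ == "__main__":
    for finding in audit_lifecycle(LIFECYCLE, RETENTION_YEARS) or ["no findings"]:
        print(finding)
```

Run this as a pre-deployment check on the configuration file before it is applied to the bucket; a retention floor that has no rule is reported as well, because records that are never archived stay in the expensive tier and are easy to lose track of.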
Lastly, AWS provides CloudWatch, a feature of AWS that monitors all AWS instances,
collects metrics and logs, sets alarms, and reacts automatically to changes in AWS.
For example, if our AWS database server fails, CloudWatch can automatically provision
another database server to keep our network running at all times.
The Forward Medical Center will connect to a Network Operations Center (NOC) in the
Administration Building at the corporate headquarters, which will provide a general network
overview and backup services for individual buildings' emergency administrative backups,
utilizing the AWS backup infrastructure described above.
The Network Operations Center IT staff will access the network via Virtual Private Network
(VPN) tunnels for security purposes. The NOC staff will be authenticated via the
authentication server and will also have access to the AWS infrastructure by connecting to
the Amazon Virtual Private Cloud (VPC), also via VPN tunnels connected to the AWS cloud.
Building Networks
• Each building will have multiple WAPs, with each floor of each building having 2
WAPs, one on the north side and one on the south side of the building.
• Each WAP is connected to a single access switch.
Hospital: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Emergency Services: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Radiation/Oncology: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Outpatient Center: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Medical School: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Professional Center: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Administration: 2 WAPs per floor, 1 on the north side and 1 on the south side.
Guest: No designated WAPs; guests use whichever WAP is closest.
Building Requirements
Due to the vast amount of data that needs to be accessed throughout the medical center
and the urgency of some of this data, the speed at which employees can get the information
they need is extremely important and can even be the difference between life and death.
To allow information to be transmitted as quickly as possible both inside and outside the
hospital, the design uses Cat 6 ethernet connections with Gigabit network switches and
powerful servers. All wired devices will connect to the networking closet located on the
corresponding floor via shielded twisted-pair Cat 6 cables.
All networking closets on each floor will connect to the east or west hub (depending on
location) via optical cables. The east and west hubs will then connect to the main hub, also
via optical cables.
Nursing floors
As each floor has its own nursing station, they will all have a similar count of roughly 15
workstations, with both laptop computers and wireless tablets that can be carried around
to record information easily.
Medical offices
Will have similar workstation setups on each floor and will contain desktop computers
linked up with ethernet cables in order to receive data as fast as possible, whether from
servers inside the hospital or when downloading patient records from another hospital.
These will have a few workstations with some tablets, all linked up wirelessly, as the
internet connection usage in this area would not be high bandwidth.
Department/Floor
• ER/ICU/OR
This area would have one of the highest internet speeds in the entire hospital, as this is
where information must be received as fast as possible. There would be 30 workstations,
some of them in patient rooms, all linked up via CAT-6 wired connections.
Guests lounges
Will have a few computers on the guest Wi-Fi; authentication for guests will be handled by
the authentication server. All guest traffic will be carried on a separate VLAN from
hospital traffic.
Patients rooms
Will also have 1 workstation in each room with a wireless connection in order to receive
basic data, as using wired connections in so many patient rooms may become crowded in
terms of wiring.
• Radiation/oncology
The imaging area workstations would be sending very high resolution, large files, so a
high amount of bandwidth would be required for this area. As such, a wired connection
using CAT 6 ethernet cables would be used to ensure the highest speeds possible. Moreover,
with the electromagnetic interference produced by the MRI machines, no Wi-Fi network
would function properly. Because of this, the CAT 6 cables will be shielded twisted pair to
help prevent machine interference with the network connection.
An ethernet switch would also be used in this department to handle the large amount of
bandwidth being used. The workstation in the laboratory will also be connected using the
same CAT-6 cable. Hospital employee card readers would be used at the entrance door to
control access to the area.
Nursing stations
Will be the same on both floors with 4 workstations when not using mobile tablets.
Medical office
Patient rooms
Guest lounges
Will have 4 computers to use along with Wi-Fi which would require authentication via
authentication server.
• Outpatient Center
This building is basically a smaller hospital, so it will have networks similar to the
hospital's; it has fewer patient rooms but still many therapy areas where information must
be recorded and received.
Nursing stations
Will be the same on both floors with 7 workstations when not using mobile tablets. There
will also be a check-in location which requires some workstations.
Medical office
Patient rooms
These will be bigger patient rooms with fewer total patients compared to the other
buildings, so these will have 3 workstations.
Guest lounges
Will have 4 computers to use along with Wi-Fi which would require authentication via
authentication server.
Nursing stations
Will be the same on both floors with 5 workstations when not using mobile tablets.
Medical office
Patient rooms
Guest lounges
Will have 4 computers to use along with Wi-Fi which would require authentication via
authentication server.
• Medical School
This is somewhat separate from the other facilities, as it involves far fewer emergency
situations than the other buildings in the network. Because of this, Wi-Fi would be a more
common form of connection to save on wiring, as speeds are not nearly as important.
Medical records
Lecture hall
Class room
Will be on each floor and will have one workstation each, with 30 classrooms on each floor
for a total of 60 classrooms.
Clinical room
Will have one workstation in each room, with 15 rooms on each floor for 30 workstations.
• Professional Center
Medical office
Patient rooms
Guest lounges
Will have 15 computers to use along with Wi-Fi which would require a code to use from the
front desk.
• Administration
This building has 2 floors and consists of mostly wired connections.
Medical office
Guest lounges
Will have 4 computers to use along with Wi-Fi which would require authentication via
authentication server.
Administrative office
Medical records
Because there is extensive use of wireless throughout the hospital, it is important to
understand that we will be using the 802.11ac wireless standard. This standard is less
susceptible to interference because it operates on the 5 GHz band.
This standard also has an indoor range of approximately 115 ft and is capable of high-
speed, large-bandwidth file transfers. This makes it ideal for a network with many users, a
majority of whom will likely be sending test results and other large data files back and
forth. The only possible issue is range, which will require the installation of WAPs on the
north and south side of every floor.
Securing the wireless network must also be taken into consideration. Without some
method of encryption, all the data being passed over a wireless network could potentially
be stolen. WPA2-Enterprise is the current gold standard for wireless network security and
should be utilized here. It offers authentication through a RADIUS server and AES
encryption for data passing over the wireless network, ensuring only the intended
recipients can see the data being sent.
Guided Medium
This is where the impulses (electrical or light) are guided along a path from one end of the
physical medium to the other. Three examples of guided media are twisted pair, fiber
optic, and coaxial cables. In our design we will use shielded twisted pair Cat6 cables
to connect devices to switches, and fiber optic cables to connect the switches in the
east and west hubs to the switches in the main hub. Below is a description of the cabling
and how it is implemented:
Twisted pair cable is two wires twisted around each other. The twist helps protect against
signal interference. The twisted pair can be unshielded (UTP) or shielded (STP). A shield
adds protection between the twisted pairs and the outer casing. Shielded twisted pair is
used because, "To further improve noise rejection, a foil or wire braid shield is woven
around the twisted pairs," according to
www.telecomworld101.com/Guided.html.
A twisted pair can carry signals from 0 to 100 MHz. Cat6 cabling will be used from the
access switches to the VLANs and from the firewall to the core switch. While Cat6 is a
little more expensive than Cat5e, it is necessary to use Cat6 for the high data intensity of a
hospital environment.
Fiber optic cable is made up of glass or plastic fibers that transmit light through the fiber.
It is ideal for long distances and for speed-sensitive devices, and it is not affected by
signal interference. It will be used between the switches, specifically to transfer large
files. Especially in a hospital organization, the networks have to be built to work within
the departments' specifics.
Fiber optic is the best option for moving data through the core, distribution, and access
switches in the hospital. With time sensitivity being a main aspect of the hospital, the
hospital will use fiber optic to facilitate speed and heavy loads of traffic. While this adds
to the expense, it is worth it. The core of the network will rely on its speed, and so will
the medical staff.
The Forward Medical Center consists of 8 buildings. Each building will have one network
closet per floor where all devices will be connected via ethernet or wireless to an edge
switch located in these closets.
Each switch will have two fiber optic uplinks connecting to a distribution switch located in
one of the two hubs.
The distribution switches will then connect to 2 core switches located in the main hub.
The core switches will then connect to 2 routers that connect to the firewall and the
service provider.
Network VLANS
Virtual local area networks (VLANs) are networks created to separate hosts into groups
based on criteria set up by the network administrator. Different networks can be based
on different departments within a company, school, or organization. The hospital will
separate the VLANs by department. Switches can be set up to house multiple VLANs.
By setting up multiple VLANs, the switch acts as a divider between the different VLANs.
Although there may be multiple VLANs on one switch, these VLANs cannot communicate
with one another. The separation of the VLANs allows for more manageable network
traffic. It is cheaper to set up more VLANs than to add more routers throughout the
hospital network.
The forward medical center will have the following VLANs:
VLAN 10: This VLAN will consist of all wired hospital staff workstations and laptops.
VLAN 20: This VLAN will carry all VoIP traffic.
VLAN 30: This VLAN will carry all hospital staff wireless device traffic.
VLAN 40: This VLAN is the administrative access VLAN to the wireless access points to
manage wireless network traffic.
VLAN 50: This VLAN will carry all traffic from all devices in patient rooms.
VLAN 60: This VLAN will host all server farm traffic.
VLAN 100: This VLAN will carry all guest Wi-Fi access traffic.
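As an added illustration (not code from the plan), the following Python models the firewall policy between these VLANs as a default-deny allow-list and checks it against the isolation the plan promises: guest traffic reaches only the internet, patient-room devices never reach staff or management VLANs, only administrators and the wireless controller touch WAP management, and the wired and wireless staff VLANs stay separate. The VLAN ids and names are the plan's; the allowed flows, the INTERNET sentinel and the function names are assumptions.

```python
"""Added example, not part of the plan: a default-deny inter-VLAN policy checker for
the seven VLANs the plan defines. The allow-list and helper names are assumptions."""
from typing import NamedTuple

VLANS = {10: "staff-wired", 20: "voip", 30: "staff-wireless", 40: "wap-management",
         50: "patient-rooms", 60: "servers", 100: "guest-wifi"}
INTERNET = 0  # assumed sentinel for the outside of the firewall
ANY = "*"


class Flow(NamedTuple):
    src_vlan: int
    dst_vlan: int
    dst_port: int


# Allow-list of (source VLAN, destination VLAN, destination port or ANY).
# Anything not listed is dropped and logged. Every entry is an assumption.
ALLOW = {
    (10, 60, ANY),         # wired staff workstations reach the server farm
    (30, 60, ANY),         # staff wireless devices (tablets, WoWs) reach the server farm
    (50, 60, 443),         # patient-room devices reach the server farm over HTTPS only
    (20, 60, 5060),        # VoIP phones register with the call server (SIP)
    (60, 40, ANY),         # wireless controller on the server VLAN manages the WAPs
    (10, 40, 22),          # admin workstations reach WAP management over SSH
    (10, INTERNET, 443),   # staff web access through the firewall
    (30, INTERNET, 443),
    (100, INTERNET, ANY),  # guests get the internet and nothing else
}


def is_allowed(flow: Flow, allow=ALLOW) -> bool:
    """Default deny: a flow passes only if a rule names its VLAN pair and port."""
    if flow.src_vlan == flow.dst_vlan:
        return True  # same-VLAN traffic is switched locally and never crosses the firewall
    return ((flow.src_vlan, flow.dst_vlan, ANY) in allow
            or (flow.src_vlan, flow.dst_vlan, flow.dst_port) in allow)


def violations(allow) -> list:
    """Check a rule set against the isolation the plan promises; return the failures."""
    problems = []
    for src, dst, _port in allow:
        if src == 100 and dst != INTERNET:
            problems.append(f"guest VLAN 100 may reach internal VLAN {dst}")
        if src == 50 and dst in (10, 30, 40):
            problems.append(f"patient-room VLAN 50 may reach {VLANS[dst]} (VLAN {dst})")
        if dst == 40 and src not in (10, 60):
            problems.append(f"VLAN {src} may reach WAP management VLAN 40")
        if {src, dst} == {10, 30}:
            problems.append("wired and wireless staff VLANs are not separated")
    return problems


def audit_flows(flows, allow=ALLOW) -> list:
    """Evaluate constructed flows and return the ones the firewall would drop."""
    return [f for f in flows if not is_allowed(f, allow)]


if __name__ == "__main__":
    # Constructed sample of flows seen at the firewall.
    sample = [Flow(10, 60, 3306), Flow(100, 60, 443), Flow(50, 60, 443),
              Flow(50, 30, 445), Flow(30, INTERNET, 443), Flow(20, 60, 5060)]
    print("rule-set violations:", violations(ALLOW) or "none")
    for f in audit_flows(sample):
        print(f"drop {VLANS.get(f.src_vlan, 'internet')} -> "
              f"{VLANS.get(f.dst_vlan, 'internet')} port {f.dst_port}")
```

Re-run violations() whenever the rule set changes: one careless rule (for example guest to server) silently undoes the segmentation this section relies on, and the check turns that into a failing build rather than a surprise in a log review.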
Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,
wireless, and VPN users and devices on the network; evaluate and remediate a device for
policy compliance before permitting access to the network; differentiate access based on
roles; and then audit and report on who is on the network. To comply with Sections
164.312(c)(2), 164.310(a)(1), and 164.312(d), the hospital will set up end-point
authentication.
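The following added Python (not the plan's or Cisco's code) models the admission decision that the RADIUS/NAC stage makes for one device: credentials are checked against the Domain Controller, the endpoint's posture is evaluated, and the reply carries the VLAN the switch or WAP should assign. The VLAN ids are the plan's, and the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes are the standard RADIUS attributes used for dynamic VLAN assignment (RFC 3580); the group names, posture thresholds and decide_access() are assumptions.

```python
"""Added example, not the plan's or Cisco's code: the admission decision a RADIUS/NAC
policy would make for a device joining the network. Group names, posture rules and
helper names are assumptions; VLAN ids are the plan's."""
from dataclasses import dataclass
from typing import Optional

ETHERNET = "Ethernet"          # RADIUS NAS-Port-Type reported by a switch port
WIRELESS = "Wireless-802.11"   # RADIUS NAS-Port-Type reported by a WAP

MAX_DEFINITION_AGE_DAYS = 3    # assumption: endpoint AV definitions must be this fresh


@dataclass
class Posture:
    """What the NAC agent reports about the endpoint before access is granted."""
    endpoint_protection_running: bool
    definitions_age_days: int
    disk_encrypted: bool


@dataclass
class AuthRequest:
    username: str
    credentials_valid: bool        # result of the Domain Controller check
    groups: list                   # AD group memberships returned by the DC
    nas_port_type: str             # ETHERNET or WIRELESS
    posture: Optional[Posture] = None  # None for guests, who have no agent


def posture_failures(p: Posture) -> list:
    """Return the compliance checks the endpoint fails (empty list means compliant)."""
    failures = []
    if not p.endpoint_protection_running:
        failures.append("endpoint protection not running")
    if p.definitions_age_days > MAX_DEFINITION_AGE_DAYS:
        failures.append("malware definitions out of date")
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def vlan_attributes(vlan: int) -> dict:
    """RADIUS attributes that tell the switch or WAP which VLAN to place the port in."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}


def decide_access(req: AuthRequest) -> dict:
    """Return the RADIUS reply the NAC policy would produce for one request."""
    if not req.credentials_valid:
        return {"code": "Access-Reject", "reason": "authentication failed"}
    if "guests" in req.groups:
        if req.nas_port_type != WIRELESS:
            # The plan gives guests Wi-Fi only; a guest account on a wired port is refused.
            return {"code": "Access-Reject", "reason": "guest accounts are wireless only"}
        return {"code": "Access-Accept", **vlan_attributes(100)}
    if "hospital-staff" not in req.groups:
        return {"code": "Access-Reject", "reason": "no role grants network access"}
    if req.posture is None:
        return {"code": "Access-Reject", "reason": "no NAC agent report"}
    failures = posture_failures(req.posture)
    if failures:
        # Remediation happens before access, as the NAC description above requires.
        return {"code": "Access-Reject", "reason": "posture: " + "; ".join(failures)}
    vlan = 10 if req.nas_port_type == ETHERNET else 30   # wired staff vs staff wireless
    return {"code": "Access-Accept", **vlan_attributes(vlan)}


if __name__ == "__main__":
    healthy = Posture(True, 1, True)
    for r in [AuthRequest("nurse01", True, ["hospital-staff", "nurses"], WIRELESS, healthy),
              AuthRequest("admin01", True, ["hospital-staff"], ETHERNET, healthy),
              AuthRequest("visitor", True, ["guests"], WIRELESS),
              AuthRequest("nurse02", True, ["hospital-staff"], WIRELESS, Posture(True, 9, True))]:
        print(r.username, decide_access(r))
```

The reply's reason string is what should land in the NAC audit log so that IT can see why a device was refused; the same posture rules apply on wired and wireless ports, which is what keeps a non-compliant laptop from simply switching from Wi-Fi to a wall jack.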
End Point
Our security proposal begins with ESET Endpoint Protection for workstations and ESET for
Servers for the server farm. ESET provides a robust, low-profile solution that will suit not
only the needs of the organization's PCs but will also provide security for all of the
organization's cell phones and tablets. By establishing this security on all the
workstations, the hospital will be in accordance with HIPAA Security Rule 164.310(c). ESET
also comes with IDPS capabilities, helping detect intrusions before anything can be done to
internal systems. The Cloud Malware Protection System will help ESET stay abreast of
current threats far quicker than definition updates from other companies. ESET also
contains a Host-based Intrusion Prevention System, which monitors system behavior, looks
for abnormalities in program behavior, and then prevents such programs from executing.
ESET also offers encryption across all devices: full disk encryption as well as encryption
of removable media, Outlook messages via a plug-in, text and clipboard contents, and virtual
disks and archives. The encryption used is FIPS 140-2 validated 256-bit AES. Communication
between the management server and the endpoints is likewise AES or RSA encrypted. This
protects data confidentiality and integrity in accordance with sections 164.312(e)(1) and
164.312(a)(1) of the Security Rule.
From a configuration standpoint, ESET can be configured entirely from the administrator
console, which gives the IT staff central control over how the antivirus solution is
managed, deployed, and configured, including policies, triggers, and tasks. From a cost
standpoint, the administrator can also manage ESET licenses in real time and re-purpose
licenses as PCs are replaced, saving on licensing costs.
To keep to a unified solution, we suggest running ESET File Security on the file servers
and ESET Mail Security on the Exchange server. ESET File Security also has a Host-based
Intrusion Prevention System, allowing attacks to be stopped before they can perform any
malicious action. ESET Mail Security has built-in anti-spam and anti-phishing protection
with above-average detection rates, mitigating the risk of user error, especially with
regard to phishing emails; it also runs anti-virus and anti-spyware scans that flag and
remove suspect emails. Together these controls support section 164.308(a)(5) of the
Security Rule (security awareness and training, including protection from malicious
software).
Since every ESET product is managed from the administrator console, it will be configured
so that updates install automatically for all ESET components as soon as they are
available. ESET's logging will also allow the IT Administrator to review logs and determine
whether any attacks have occurred, including those stopped by the Host-based Intrusion
Prevention System. Sections 164.308(a)(1) and 164.308(a)(6) require a review of system
activity, which ESET's logs support. These logs must be reviewed regularly for incidents and
used to develop future processes.
Wireless networks will be set up for both hospital staff and guests. The staff network will
use WPA2-Enterprise, so each user authenticates with individual credentials through the
RADIUS server rather than with a shared password; staff credentials will expire and be
rotated monthly. The guest network will also use WPA2-Enterprise, with guest accounts
issued through the RADIUS server, but it will sit on a separate subnet and VLAN from the
staff wireless network to limit guest access to the hospital intranet.
ESET's Network Attack Protection will be used to detect attempts to exploit known
vulnerabilities in network protocols such as SMB, RPC, and RDP. This provides an additional
layer of protection against network-borne attacks, including exploitation of vulnerabilities
for which a patch has not yet been deployed; it complements rather than replaces patching.
The Security Rule, section 164.308(a)(1), requires a risk analysis; the hospital will
perform one at least once a year and after any major upgrade, and by monitoring risk
continuously it will exceed what HIPAA requires.
The Forward Medical Center consists of 8 buildings. Each building will have one network
closet per floor, where all devices on that floor connect, via Ethernet or wirelessly
through the access points, to the edge switches located in that closet.
Each switch will have two fiber optic uplinks connecting to a distribution switch located in
one of the two hubs.
The following buildings will connect to the east hub via fiber optic:
• Administration
• Emergency services
• Radiation/Oncology
• Hospital
The following buildings will connect to the west hub via fiber optic:
• Medical school
• Professional center
• Outpatient center
• Psychiatry and counseling center
The diagram below shows the hub locations within the medical center:
Each of the west and east hubs will have two distribution switches connecting to a core
switch in the main hub. The main hub will have 2 core switches with uplinks to 2 routers.
The networking needs will vary by floor, but normally each department/floor will contain
the following:
• Nursing stations
• Medical records room
• Patient rooms
• Guest lounge
In a hospital network we must presume the default mode for most devices is wireless. The
majority of devices in a hospital depend on being mobile like workstations on wheels,
nursing stations, patient beds, tablets, and mobile imaging devices.
In our Forward Medical Center design, we will be utilizing the following connectivity:
Nursing Stations: Nursing stations will have wired and wireless connections to the
network on a VLAN separate from the guest wireless access. This gives nurses the
freedom to move their stations from room to room without worrying about connectivity.
Medical Records Room: Medical records rooms will have workstations (PC) that
will connect to the network via ethernet. The location of the room will determine
which switch the workstation will connect to.
Patient Rooms: Patient rooms will have multiple devices connected to the network
via ethernet on a separate VLAN from workstations and nursing stations. Patient
rooms will also have staff Wi-Fi access.
Guest Lounge: Guest lounges will only have Wi-Fi access that utilizes a guest
network VLAN that is separated from all other critical hospital traffic.
Doctors and Nurses Tablets: All staff tablets will connect wirelessly to the same
VLAN the nursing stations utilizes.
Some parts of the hospital will have other devices that require a network connection, such
as imaging devices, X-ray machines, CT scanners, and ultrasound machines. These will be
connected on a separate VLAN and given a higher quality-of-service priority for traffic
and bandwidth.
The diagram in the next page represents what the typical building network will look like in
this design.
VLANs Explanation
The VLAN numbers in the diagram correspond to the VLANs listed under Network VLANs above:
10 wired staff workstations and laptops, 20 VoIP, 30 staff wireless devices, 40 access
point management, 50 patient room devices, 60 server farm, and 100 guest Wi-Fi.
Wireless Network
Wireless is dominating the network in today’s mobile world. Because of this, our design for
the network will put a big emphasis on wireless access points and ensure the entire
Forward Medical Center has access to a wireless network.
“Coverage is, of course, assumed inside the facility, but do not neglect areas where staff
or visitors congregate outside the wards and examination areas – cafeterias, gardens,
parking lots and even elevators are areas where coverage can make a huge difference in
productivity. Pay close attention to coverage in “popular” areas to ensure sufficient
density of access points are provided: nurses’ stations, auditoriums and staff lounges.”
The standard wireless access point will operate on the IEEE 802.11ac standard, the fastest
ratified Wi-Fi standard at the time of writing and capable of transferring large files. Many
devices support 802.11ac; an 802.11n-only device can still connect to an 802.11ac access
point, but it will do so at 802.11n rates and will not get 802.11ac throughput.
The Forward Medical Center wireless access points will utilize Flexible Radio Assignment
technology
“Flexible Radio Assignment is a Cisco innovation designed to provide a better mobile
user experience for high-density networks by automatically detecting when a large
number of devices are connected to a network. Once the detection is made, Flexible
Radio Assignment changes its dual radios in the access point from 2.4 GHz/5 GHz to 5
GHz/5 GHz to serve more clients. The access point performs this function while still
monitoring the network for security threats and RF interference that may affect
performance”
Each floor in each building will have two wireless access points, one on the north side and
one on the south side of the building, except in the Imaging/Laboratories building. The
access points' coverage will overlap on each floor. To avoid co-channel interference, the
2.4 GHz radio of each access point will use a fixed channel from the non-overlapping set 1,
6 and 11 according to the following configuration (802.11ac itself operates only in the
5 GHz band, where many more non-overlapping channels are available):
• North Wireless Access Point
For each floor there will be a north wireless access point with the following configuration:
NAME: The name of the wireless access point will be NORTH-[Building Name]-[Floor
Number]-WAP For example the hospital building 2nd floor north wireless access point will
be named NORTH-Hospital-2-WAP
Channel: All North side wireless access points in all buildings will be on channel 11
SSID: The SSID for all hospital staff access will be FMC-WIFI
Authentication: WPA2-Enterprise; user authentication will be handled through the
Remote Authentication Dial-In User Service (RADIUS) server located in the main hub
Encryption Protocol: AES
VLAN: 30
• South Wireless Access Point
For each floor there will be a south wireless access point with the following configuration:
NAME: The name of the wireless access point will be SOUTH-[Building Name]-[Floor
Number]-WAP For example the hospital building 2nd floor south wireless access point will
be named SOUTH-Hospital-2-WAP
Channel: All South side wireless access points in all buildings will be on channel 6
SSID: The SSID for all hospital staff access will be FMC-WIFI
Authentication: WPA2-Enterprise; user authentication will be handled through the
Remote Authentication Dial-In User Service (RADIUS) server located in the main hub
Encryption Protocol: AES
VLAN: 30
Each building will also include an outdoors wireless access point to extend the network to
the outdoor areas of the hospital like gardens and guest parking lots. The outdoor access
points will be configured as follows:
NAME: The name of the wireless access point will be [Building Name]-OUTDOOR-WAP for
example the hospital building outdoors wireless access point will be named HOSPITAL-
OUTDOOR-WAP
Channel: All outdoor wireless access points on all buildings will be on channel 1, the
remaining non-overlapping 2.4 GHz channel (channels 2 through 5 overlap with both 1 and 6)
SSID: The SSID for all hospital staff access will be FMC-WIFI
Authentication: WPA2-Enterprise; user authentication will be handled through the
Remote Authentication Dial-In User Service (RADIUS) server located in the main hub
Encryption Protocol: AES
VLAN: 30
Some wireless access points on each floor in each building will also advertise the guest
wireless network with SSID FMC-Guest-WiFi, and all guest traffic will be carried on
VLAN 100.
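As an added example (not part of the original plan), the configuration below shows the north access point of the hospital building's 2nd floor as a Cisco autonomous (IOS) access point, implementing the settings listed above: the staff SSID FMC-WIFI on VLAN 30 and the guest SSID FMC-Guest-WiFi on VLAN 100, both WPA2-Enterprise with AES, authenticating against the RADIUS server in the main hub, with the 2.4 GHz radio fixed on channel 11. The RADIUS address, shared secret, management address, and the bridge-group layout are assumptions; a controller-based deployment would express the same settings as WLAN profiles instead.

```cisco
! Added example, not from the plan. Autonomous (IOS) access point config for
! NORTH-Hospital-2-WAP. RADIUS address, shared secret, management address and
! the BVI/bridge-group layout are assumptions.
hostname NORTH-Hospital-2-WAP
!
aaa new-model
aaa group server radius FMC-RADIUS
 server name MAINHUB-RADIUS
aaa authentication login eap_methods group FMC-RADIUS
radius server MAINHUB-RADIUS
 address ipv4 10.60.0.10 auth-port 1812 acct-port 1813
 key 0 CHANGE-ME-shared-secret
!
! Staff SSID: WPA2-Enterprise (802.1X/EAP via RADIUS), AES-CCMP, VLAN 30
dot11 ssid FMC-WIFI
 vlan 30
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! Guest SSID: same WPA2-Enterprise mechanism with guest accounts issued by
! the RADIUS server, isolated on VLAN 100
dot11 ssid FMC-Guest-WiFi
 vlan 100
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! 2.4 GHz radio: fixed channel 11 per the north-side plan; AES per VLAN
interface Dot11Radio0
 no ip address
 mbssid
 encryption vlan 30 mode ciphers aes-ccm
 encryption vlan 100 mode ciphers aes-ccm
 ssid FMC-WIFI
 ssid FMC-Guest-WiFi
 channel 11
 station-role root
!
! 5 GHz (802.11ac) radio: same SSIDs, channel selected dynamically
interface Dot11Radio1
 no ip address
 mbssid
 encryption vlan 30 mode ciphers aes-ccm
 encryption vlan 100 mode ciphers aes-ccm
 ssid FMC-WIFI
 ssid FMC-Guest-WiFi
 channel dfs
 station-role root
!
! Bridge each wireless VLAN to the matching 802.1Q tag on the wired trunk
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
interface Dot11Radio1.30
 encapsulation dot1Q 30
 bridge-group 30
interface Dot11Radio1.100
 encapsulation dot1Q 100
 bridge-group 100
!
interface GigabitEthernet0
 no ip address
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
interface GigabitEthernet0.40
 encapsulation dot1Q 40 native
 bridge-group 1
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
!
! AP management address on VLAN 40 (the native VLAN) via bridge-group 1
interface BVI1
 ip address 10.40.2.11 255.255.255.0
```

Note that no SSID is bridged into bridge-group 1: wireless clients on either SSID cannot reach the AP management VLAN 40, which is what keeps VLAN 40 "administrative access only" as the VLAN list requires.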
The main hub is where the east and west hubs connect and where the core of the Forward
Medical Center network is located. The main hub consists of two core switches, two routers
and a firewall.
The main hub also hosts the Forward Medical Center server farm, which includes the
following servers:
• RADIUS Server/Cisco NAC Solution
The Remote Authentication Dial-In User Service Server manages the Forward Medical
Center’s wireless network authentication, authorization, and accounting. It provides
correct access to the hospital staff wireless access network for employees, and to the guest
wireless access network for guests. The RADIUS server can authenticate guest users and
give them only guest access as well as determine their session length.
Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,
wireless, and VPN users and devices to the network; evaluate and remediate a device for
policy compliance before permitting access to the network; differentiate access based on
roles; and then audit and report on who is on the network.
• Internal Webserver
This server will host the Forward Medical Center's internal web traffic that employees use
to access the center intranet. Employees will also be able to reach the server remotely: it
will be placed in the DMZ of the ASA firewall and published with a static NAT and an access
list, following Cisco's example configuration for a web server in the DMZ (ASA version 8.3
and later). That configuration has two goals:
Allow hosts on the inside and DMZ outbound connectivity to the Internet.
Allow hosts on the Internet to access a web server on the DMZ with an IP address of
192.168.1.100.
• Backup Server
This server will manage the backup of all servers and critical systems for the Forward
Medical Center.
• File Server
This server will provide the Forward Medical Center with secure, shared storage for the
hospital staff. It will provide dense, cost-effective storage to address ever-growing data
needs: it is simple to deploy and suited to data-intensive workloads such as data
protection, software-defined storage, scale-out unstructured data repositories, media
streaming, and content distribution.
• Database Server
This will be a Microsoft SQL Server database server running on Windows that provides
database services to other programs or computers, as defined by the client–server model.
• Mail Server
Using a client-server architecture, this server will handle the Forward Medical Center's
email transfer. A static NAT and an access list will be configured on the firewall so that
remote users can check their work email, and all users inside the network will be able to
check their email securely.
• Print Server
This server will connect printers to staff computers and other devices over the network,
queue print jobs and send them to the proper printer.
• Domain Controller/Cisco NAC Solution
This server allows clients and hospital staff to access Windows domain resources through
Active Directory, and it hosts the Cisco NAC solution described under the RADIUS server
above, which uses the directory's user accounts and roles to differentiate the access it
grants.
All servers and services will connect to two distribution switches for fault tolerance and the
distribution switches will connect to the two core switches of the main hub.
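As an added example for the Internal Webserver and Mail Server entries above (it is not the plan's own configuration and not a copy of the Cisco document it cites), the ASA 8.3+ configuration below meets the two stated goals: outbound PAT for inside and DMZ hosts, and a static NAT plus access list that publishes the DMZ web server 192.168.1.100, with the same pattern applied to a DMZ mail server. Only 192.168.1.100 comes from the plan; the interface names, the inside network 10.0.0.0/16, the public addresses from the 198.51.100.0/24 documentation range, and the mail server address 192.168.1.101 are assumptions.

```cisco
! Added example, not from the plan. ASA 8.3 and later: objects, NAT and ACLs.
! 192.168.1.100 (DMZ web server) is from the plan; every other address,
! the interface names and the mail server placement are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Goal 1: inside and DMZ hosts reach the Internet through PAT on the
! outside interface address
object network inside-net
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network dmz-net
 subnet 192.168.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Goal 2: static one-to-one NAT for the published DMZ servers
object network web-server
 host 192.168.1.100
 nat (dmz,outside) static 198.51.100.101
object network mail-server
 host 192.168.1.101
 nat (dmz,outside) static 198.51.100.102
!
! Inbound ACL on outside. In 8.3+ the ACL matches the real (pre-NAT)
! address, so the object names are used. Only the published services are
! allowed; everything else is denied and logged.
access-list outside_access_in extended permit tcp any object web-server eq https
access-list outside_access_in extended permit tcp any object web-server eq www
access-list outside_access_in extended permit tcp any object mail-server eq smtp
access-list outside_access_in extended permit tcp any object mail-server eq https
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! The DMZ may not initiate connections into the inside network; inside
! hosts still reach DMZ servers because the ASA tracks their sessions
access-list dmz_access_in extended deny ip any 10.0.0.0 255.255.0.0 log
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
```

The `dmz_access_in` list is the part most often forgotten: without it, a compromised DMZ web server can open connections to the server farm, which defeats the point of placing it in the DMZ. Verify the NAT with `packet-tracer input outside tcp 203.0.113.5 12345 198.51.100.101 443` on the ASA before exposing the service.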
In addition to the physical on-premises server farm, our network design will be a hybrid
cloud solution for higher fault tolerance and better disaster recovery.
An Amazon AWS Cloud will host a duplicate of all servers and services that communicate
and sync with the on-premises servers.
The AWS cloud connects to the on-premises server farm as follows:
A Site-to-Site VPN tunnel terminating on the network firewall will run over AWS Direct
Connect, which provides a dedicated network connection from the on-premises network to
the AWS Cloud.
A Direct Connect circuit is provisioned at a fixed port speed rather than scaling
automatically, so it must be sized for peak-hour replication traffic, and a second
connection should be ordered if the link itself must survive a failure.
“AWS Direct Connect lets you establish a dedicated network connection between your
network and one of the AWS Direct Connect locations. Using industry standard 802.1q
VLANs, this dedicated connection can be partitioned into multiple virtual interfaces.
This allows you to use the same connection to access public resources such as objects
stored in Amazon S3 using public IP address space, and private resources such as
Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using
private IP space, while maintaining network separation between the public and private
environments. Virtual interfaces can be reconfigured at any time to meet your changing
needs.”
The Direct Connect private virtual interface terminates on a virtual private gateway
attached to the AWS Virtual Private Cloud (VPC), which routes the server VLAN traffic in
and out of the VPC. The VPC will host all servers and services (mirroring the on-premises
ones) as AWS instances managed remotely through the AWS console by the hospital IT staff.
Our AWS cloud will use a variety of storage services: Amazon S3 for rapid-access storage
and Amazon Glacier for archive storage. Both are HIPAA-eligible services that may hold
protected health information under a Business Associate Agreement (BAA) with AWS, with
encryption at rest enabled on each bucket and vault.
The AWS HIPAA compliance guidance follows some general strategies: separate protected data
from regular data, track data flows with automation, and secure all sensitive data.
HIPAA and state rules require that health information be stored for long periods
(decades); the exact retention period is determined by the state and the information type.
That is why Amazon Glacier archive storage is the best solution for keeping archived data
in a separate storage tier. Glacier is designed for 99.999999999% (eleven nines)
durability; data is automatically distributed across a minimum of three Availability Zones
that are geographically separated within an AWS Region.
“Hospital systems need to retain petabytes of patient records (LIS, PACS, EHR, etc.) for
decades to meet regulatory requirements. Amazon Glacier helps you reliably archive
patient record data securely at a very low cost.”
Lastly, AWS provides Amazon CloudWatch, which monitors all AWS instances, collects metrics
and logs, sets alarms, and triggers automatic reactions to changes in AWS. For example, if
our AWS database server fails, a CloudWatch alarm on the instance's status checks can
trigger an EC2 recovery action or an Auto Scaling replacement so that the service keeps
running.
To keep the network easier to manage and configure, our team chose Cisco as the hardware
vendor. The following devices will be used in the design:
Cisco Catalyst 4500E Series Switches, the most widely deployed modular access switching
platform in the industry. The platform has repeatedly demonstrated leadership in this
space, specifically with PoE+: the Catalyst 4500 was the first enterprise-class switch to
deliver PoE+ compliant line cards, two years before the IEEE PoE+ standard was published.
UPOE is being introduced on the Catalyst 4500E platform in the form of a new E-Series line
card, WS-X4748-UPOE+E, which is compatible with Supervisor Engine 8-E, 7-E, 7L-E and later.
Cisco UPOE is backward compatible with both PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at).
The 8-E and 8L-E Supervisor Engines provide a highly available access switching platform.
In a redundant Catalyst 4500E chassis with two Supervisor Engines, the standby
supervisor seamlessly takes over if the active supervisor reloads. The same redundancy is
built in for fans and power supplies. In a single chassis with dual supervisors, four
uplinks are active on each Supervisor 8-E (or two uplinks on Supervisor 8L-E), providing
uplink redundancy when these ports are deployed as 10-Gigabit Ethernet uplinks in an
access deployment.
The Cisco Catalyst 4500E engines also support Cisco Virtual Switching System (VSS). Two
switch chassis can be connected and managed as one larger, virtual switch. If components
should fail on one physical switch, the second’s resources automatically take over the
functions.
The 4000 Series ISRs consolidate many must-have IT functions, including network, security,
compute, storage, and unified communications, so everything needed is in a single platform.
That means significant savings in capital, operational, and management expenses for a lower
total cost of ownership. The platform is modular and upgradable, so new services can be
added without changing equipment. It supports multiple application-aware services
concurrently while maintaining WAN performance of up to 2 Gbps, even during heavy traffic
loads. The backplane architecture supports high-bandwidth, module-to-module communication
at speeds up to 10 Gbps. The 4000 Series includes Cisco Trust Anchor Technologies, which
help mitigate modern cyberattacks by verifying platform integrity and protecting against
counterfeit hardware and unauthorized modification of hardware and software.
Cisco Aironet 1560 Access Points are built to withstand the often-unpredictable elements
of the outdoors. With 802.11ac Wave 2 Wi-Fi coverage, these compact and durable access
points are easy to deploy.
Cisco Aironet 3800 Series access points support 802.11ac Wave 2, the latest Wi-Fi standard,
which includes multi-user MIMO (MU-MIMO): multiple data streams can travel from the access
point to Wave 2-capable devices at the same time, so the devices are served simultaneously
and get their data faster.
Report summary
A medical center network carries significant private, personal health information that
requires high protection and high tolerance of network failure, and that’s what our design
kept in mind throughout the network.
First, we started with two switches in each floor located in a switching closet. Devices in
each floor will be distributed between the two switches, so if one switch fails only part of
that floor will fail and not the entire network of that floor.
The same scenario goes to separating the network between a west and east hub so
buildings will have two different points of failure. If one hub fails, only part of the network
fails.
There are seven VLANs in the design, separating the crucial traffic of the medical devices
from all other network traffic and keeping the network secure. Wired traffic is separated
from wireless traffic, and guest traffic from medical center staff traffic. Administrative
access to the access points and server traffic are each on their own VLAN, separate from
all other traffic. This gives the IT administrators proper ways to manage and troubleshoot
the network.
The design also includes cloud servers inside an AWS Virtual Private Cloud (VPC) built from
HIPAA-eligible services, which will sync with and replicate all servers and services located
on the hospital premises. This hybrid design provides a highly fault-tolerant network and
satisfies the contingency planning and disaster recovery that HIPAA requires: if the medical
center building is destroyed in a disaster, no personal and health records will be lost.
The AWS architecture provides security and connectivity via a VPN that is configured to
route only traffic to and from the server farm on premises.
The design places a big emphasis on the wireless network and its security, both because of
its importance and because many medical devices are now wireless by default, since the
latest wireless standards allow high-bandwidth data transfer.
To protect the sensitive information on the wireless network we use WPA2-Enterprise with
AES encryption, backed by ESET network attack protection on the endpoints. All users will
be admitted by the Cisco NAC solution in conjunction with the Windows RADIUS server and the
domain controller, which authenticate users; WPA2-Enterprise then derives per-user session
keys that encrypt their wireless traffic.
In order to comply with the HIPAA Security Rule and the HITECH Act, the hospital will abide
by the processes and policies written by the hospital's compliance officer. While the
Security Rule covers electronic information, privacy must be maintained for all health
records in whatever format. The main goal of HIPAA is to maintain the security and privacy
of Electronic Protected Health Information, otherwise known as ePHI. The HITECH Act
increased the span of HIPAA: it took a more focused, structured approach to getting medical
facilities to use Electronic Health Records, while allowing flexibility in the technological
advancements of those records. The Security Rule does not specify the technology that must
be used, only that each issue must be addressed within the entity.
This document built on the Forward Medical Center part 1 document: we provided the overall
campus building diagram, components and services, along with a review of each building's
requirements and each department/floor design and required devices.
Our team also provided background information on general network hardware and software
requirements, including a review of the 802.11 wireless standards and their security,
speed and range issues.
Since security is of utmost importance in a hospital network, our team made sure the
network supports compliance with HIPAA and HITECH by using ESET. ESET will help bring your
organization into compliance with HIPAA and HITECH; it has the capabilities to balance
patient privacy with clinician access and to protect your organization's computer systems
and networks from malware and other malicious attacks. The IT Administrator will also use
ESET's HIPAA compliance checklist once every quarter to ensure that your organization is
maintaining current compliance standards. As our earlier proposal notes, the security
measures we have recommended address the technical safeguards of the HIPAA Security Rule;
compliance also depends on the hospital's administrative and physical safeguards and the
policies set by its compliance officer. The checklist from ESET will provide ongoing
accountability to ensure that no steps are missed when checking for HIPAA compliance in
the future.
References
Cisco. (2016). Putting the 'Flexible' in Flexible Radio Assignment. Retrieved from
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/802-11ac-solution/at-a-glance-c45-737165.pdf
Cisco. (2016). Cisco Catalyst 4500 Supervisor Engine 8-E and 8L-E. Retrieved from
https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-4500-series-switches/at-a-glance-c45-736376.pdf
Cisco. (2016). Cisco 4000 Series Integrated Services Routers. Retrieved from
https://www.cisco.com/c/dam/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/at-a-glance-c45-732425.pdf
Cisco. (2017). Tailoring the Correct Cisco Outdoor 1560 Access Point for You. Retrieved from
https://www.cisco.com/c/dam/en/us/products/collateral/wireless/aironet-1560-series/at-a-glance-c45-737417.pdf
Cisco. (2016). Basic ASA NAT Configuration: Web Server in the DMZ in ASA Version 8.3 and Later. Retrieved from
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
Cisco. (2017, July 27). Cisco Network Admission Control (NAC) Solution Data Sheet. Retrieved April 05, 2018, from
https://www.cisco.com/c/en/us/products/collateral/security/nac-appliance-clean-access/product_data_sheet0900aecd802da1b5.html
Cisco. (2017, November 30). Cisco Network Admission Control (NAC) Guest Server Data Sheet. Retrieved April 05, 2018, from
https://www.cisco.com/c/en/us/products/collateral/security/nac-guest-server/product_data_sheet0900aecd806e98c9.html
ESET. (n.d.). Endpoint protection. Retrieved April 04, 2018, from
https://www.eset.com/us/business/endpoint-protection/
Gibbs, M., & Quillen, H. (2007). The Medical-Grade Network: Helping Transform Healthcare. Retrieved from
https://www.cisco.com/c/dam/global/en_ca/solutions/strategy/healthcare/assets/docs/07CS1034_HC_Whitepaper_r5.pdf
Information Security Stack Exchange. (2017). What is the difference between a RADIUS server and Active Directory? Retrieved from
https://security.stackexchange.com/questions/130095/what-is-the-difference-between-a-radius-server-and-active-directory