MGN Wireless Arch

Cisco Medical-Grade Network (MGN) 2.
0
Wireless Architectures
Last Updated: August 4, 2012
EDCS-1182127
About the Authors
About the Authors
Stuart Higgins, Healthcare Enterprise Architect, Cisco Smart Business

Architectures
Stuart is an Enterprise Architect for the Cisco Smart Business Architecture (SBA) team. In this role, he
leads the initiative to drive healthcare requirements into the SBA architecture and back into Cisco
products and solutions. In the past, Stuart has produced a number of Cisco Validated Designs (CVDs)
for Cisco's healthcare-based solutions, as well as defining a number of healthcare-relevant
architectures including the Cisco Medical Grade Network 2.0 portfolio. Stuart works with many Medical
Device Manufacturers and participates on various healthcare standards bodies including the
IEC-80001 JWG7, Wi-Fi Alliance Healthcare Task Group and the Continua Health Alliance. He has
produced a number of healthcare-focused white papers including the Medical Grade Network 2.0
portfolio (Wireless Architectures, Campus Design and Security).
Stuart Higgins
Stuart provides both internal and external webinars on various healthcare architectures, best practices,
industry trends, and solutions. He is often called upon to consult with Medical Device Manufacturers on
product technology integration considerations and design along with best practices for deployments
of their medical device products. Stuart has over 24 years working in the healthcare industry, including
17 years at Siemens Healthcare. As an active Cisco Certified Internetwork Expert (CCIE #3194), Stuart
has a comprehensive understanding of the issues facing healthcare customers, the dynamics
influencing industry change, and the understanding of the technologies that can be best used to
improve the quality of healthcare worldwide.
Curt Mah, Technical Marketing Engineer, CMO ESE, Cisco Systems

Curt is a Technical Marketing Engineer at Cisco with 15 years of networking experience in the industry.
He is focused on developing and validating Cisco solution architectures that optimize workflow and
improve productivity for the Healthcare Industry. He has worked in the areas of network consulting and
Curt Mah product development and has supported fortune 500 companies in the areas of infrastructure
deployment, Routing/Switching/WAN and Security. Curt has architected solutions for Broadband Triple
Play (voice, video, data) for Service Providers and Healthcare offerings, including Biomedical Network
Admission Control and PACS storage optimization. In addition, Curt has co-authored the Cisco Press
book Deploying Cisco Voice over IP Solutions and has spoken at numerous industry events including
Networkers/Cisco Live, NetWorld+Interop, and the California Medical Instrumentation Association.
Curt holds a Bachelor of Science degree in Electrical Engineering Technology from California
Polytechnic University in San Luis Obispo. Curt is a Cisco Certified Internetwork Engineer (CCIE #3856)
in Routing and Switching.
2 Cisco Validated Design

CONTENTS
Introduction 8
Protected 8
Responsive 9
Interactive 10
Resilient 10
Summary 11
Wireless Overview in Healthcare 12
Importance of Wireless in Healthcare 12
Mobile Nature of Caregiver 12
Mobile Nature of Bio-Medical Devices 13
Voice Services 14
Location-Based Services 15
Privacy Concerns 17
HIPAA Compliance 17
IEC 80001-1:2010Application of Risk Management for IT Networks Incorporating Medical
Devices 18
HITRUST Alliance 19
Other Regulatory Bodies 20
Strong Authentication and Encryption 20
Wireless Uses in Healthcare 21
Biomedical Devices 21
Voice 22
Cisco Location-Based Services 22
Security 27
Guest Access Services 27
Clinical Access 28
Wireless Architecture Overview 29
Access Point 31
Indoor Cisco Access Points 31
Wireless LAN Controller (WLC) 33
Design Considerations 35
Authentication 36
Wireless Control System (WCS) 37
Cisco Prime NCS 37
3
Contents
Mobility Services Engine (MSE) 38

Campus Design Considerations 38
Branch Design Considerations 39
Network Management Tools 41
Rogue AP Detection 41
Auto RF 43
Dynamic Channel Assignment 44
Interference Detection and Avoidance 45
Dynamic Transmit Power Control 45
Coverage Hole Detection and Correction 45
Client and Network Load Balancing 46
ClientLink 46
Band Select 47
Healthcare Caveats 47
RF Spectrum Management 48
Remote Office Wireless 50
Providing Remote Wireless Services 50
Security 51
FlexConnect 52
Switching Modes 53
Authentication Modes 53
Voice 55
Rogue Detection and Radio Resource Management (RRM) 55
Outdoor Wireless 55
Mesh Architecture 56
Cisco Outdoor Mesh Access Points 57
Wireless Endpoints 59
Biomedical Device Considerations 59
Smart Infusion Pumps 59
Patient Monitors 66
SSID Considerations 71
Co-Channel and Multifloor Separation 72
Mobile Radiology 75
Barcode Scanners 77
Clinical Systems 78
RF Design Considerations 81
Security 83
Telephony and Voice Services 85
Quality-of-Service (QoS) 86
4
Contents
RF Design Considerations 88
Security 90
Co-Existence issues with other Biomedical Devices 91
Traffic Patterns 91
HIPAA/FDA Concerns 92
Wireless Guest Services 93
Healthcare Guest Access Services 93
WLAN Controller Guest Access Option 94
Supported Platforms 94
Auto-Anchor Mobility to Support Wireless Guest Access 95
Visiting Physicians 95
Contractors 96
Patients and Guests 96
Environmental and Physical Considerations 96
JCAHO and Infectious Control Risk Assessment (ICRA) Requirements 96
PoE Switches and Console Cables 97
Distributed Antenna Systems (DAS) Design and Deployment Considerations for Healthcare 97
DAS Benefits 99
Wi-Fi over DAS Considerations 100
Cisco Recommendations when Working with DAS Vendor 101
5
Cisco Medical-Grade Network (MGN)
2.0Wireless Architectures
Introduction
The Cisco Medical-Grade Network (MGN) architecture is based on the set of best practices that apply
to each foundational network technology. The definition of the term medical-grade often varies
according to individual expectations. To properly frame the context in which the Cisco MGN 2.0
architectures are based, this guide defines the attributes used to describe a Cisco MGN.
In general, a Cisco MGN has the following basic attributes or characteristics:
Protected
Responsive
Interactive
Resilient
Protected
Healthcare networks world-wide comprise the transmission of data regarding patients ongoing care,
diagnosis, treatment, and financial aspects. From a clinically-focused regulatory perspective, the Health
Insurance Portability Accountability Act (HIPAA) in the United States and the Personal Information
Protection and Electronic Documents Act (PIPEDA) in Canada are usually the first thought in these respective
geographies. In other parts of the world, similar standards exist with much the same intent as HIPAA and
PIPEDA but with varying degrees of specificity.
It is generally accepted that all clinically-focused networks provide a level of security and protection for
information that is either at rest or in-motion. Cisco has a number of security best practices that can be
directly applied to meet the regulatory compliance required by the healthcare organization. There is no
singular way in which networks can be designed to meet the security requirements of organizations.
Therefore, do not assume that this document or any of Cisco's MGN architectures dictate the only
approved method of providing such security measures. This document simply highlights the unique
challenges that medical networks face. An excellent starting point is to examine the best practices found
on Cisco's Design Zone website at http://www.cisco.com/go/designzone.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2012 Cisco Systems, Inc. All rights reserved

Introduction
A protected medical network is not simply comprised of a set of firewalls at the perimeter of the network,
and it does not end when the information is written to disk or tape. An MGN is considered protected
when the industry best practices are applied to the entire healthcare environment.
Wireless examples that are often overlooked include clinical-workstation client security, not only on the
patient floor but offsite, as is the case with remote clinicians. The methods used for both wireless
network authentication and clinical application/system authentication can be based on a centralized
authentication directory. For mobile wireless devices such as smartphones and tablets, a security policy
must extend beyond the borders of the healthcare network and campus, with specific consideration given
to loss or theft of the device.
Because of the wide scope that security practices play in the healthcare environment, this document
relies on the established set of best practices related to wireless security found on Ciscos Design Zone
website: http://www.cisco.com/go/designzone. Unique considerations above and beyond these best
practices are described throughout this document.
Responsive
The term responsive as it relates to Ciscos MGN is often misunderstood as simply a network latency or
bandwidth-related concern. Although an MGN must exhibit attributes related to high performance, the
term responsive is not applied in that manner.
Instead, the term responsive refers to the set of architectural attributes or characteristics that the network
must exhibit to expand and respond to the changing clinical requirements. These changes are often
driven by new clinical applications such as network-enabled modalities, or new regulatory requirements
such as Medical Device Data Systems (MDDS). In either case, the network must have built-in elasticity
so that it can better respond to new requirements without major redesign, thereby minimizing downtime.
A wireless network that meets all the current requirements placed on it and built using the best practices
found on Cisco's Design Zone is much more likely to be elastic.
For example, when a self-service kiosk is installed in the outpatient area to facilitate self-service
admissions, a credit card is used to identify the patient and begin the intake process. For security, the
network (both wired and wireless) and the data center where the self-service admission, discharge,
transfer (ADT)-based application is hosted must be compliant with Payment Card Industry (PCI)
standards. To be medical-grade, the network must be built so that it can adapt to the PCI requirements.
This requires the wireless network to support Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access 2 (WPA2) using an approved Extensible Authentication Protocol (EAP) method for
authentication. Furthermore, the use of intrusion detection and prevention (IDS)-based systems would
need to be implemented (if not already) in such a way as to detect and alert the network operator during
the early stages of a wireless attack.
From a pure bandwidth and latency perspective, the network must be built to support the implementation
of new applications or modalities. In the example of a 256-slice computed tomography (CT) scanner, the
network should not require a forklift upgrade, but rather provide the ability to expand capacity through
a number of well understood and implemented techniques, as described in the best practices found on
the Cisco Design Zone website (http://www.cisco.com/go/designzone).
In all cases, the ability for the network to be responsive to the new demands placed on it is critical to
maintaining uptime, serviceability, and adherence to regulatory changes. Network designs that do not
take into consideration such techniques do not serve the best interest of the healthcare community and
are therefore not medical-grade as defined by Cisco.
Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

EDCS-1182127 7
Introduction
Interactive
Care providers interact with patients and clinical staff every minute of the day in any number of settings.
The interactive attribute as it is applied to Ciscos MGN relates to the ability of the care provider to
seamlessly interact with the network and its related resources. Various technologies exist to extend the
network into one without borders, and can include technologies such as wireless (Wi-Fi, 4G/LTE, 3G,
Bluetooth, and Zigbee). Combining these transport technologies with virtual private networks (VPN) as
well as security and virtual desktop infrastructure (VDI) architectures enables a bring-your-own-device
(BYOD) collaborative-based solution.
The use of wireless technologies is an obvious choice within the healthcare industry as the care provider
is often not tied to a fixed central location. Being able to interact with the clinical resources while mobile
both inside and outside of the hospitals borders is key in providing this interactive characteristic.
For the healthcare provider, primary devices that facilitate efficient patient care include wireless
computers on wheels, wireless 802.11, and dual-mode smartphones and tablets. A wireless network
designed specifically for data-only services does little to provide reliable voice, video, and biomedical
services.
Ciscos best practices with respect to BYOD, wireless, VPN, remote access, wireless, voice over
wireless, video and so on are available on the Cisco Design Zone website:
http://www.cisco.com/go/designzone.
Resilient
Perhaps one of the most well-known attributes of Cisco's MGN is that of resiliency. For the network
engineer, this term typically relates to high availability architectures. Indeed, this is exactly what is
required by the industry for any MGN. Such networks are said to be six sigma compliant, or capable of
achieving 99.999 percent of availability. Achieving such high availability from the perspective of the
care provider is sometimes a significant challenge as it equates to approximately five minutes of
downtime per year. While such availability targets are noble pursuits, from the perspective of the clinical
user they are seldom if ever realized.
Within a healthcare-focused data center, such availability at the network layer can indeed be achieved.
In many cases, however, the applications used to support the clinical user are simply not built to achieve
this level of availability, and often result in scheduled downtimes. These service disruptions are often
because of software upgrades or patches being applied. Other commonly encountered service disruptions
that are often not considered are systems that are outside the administrative control of the hospital IT
staff, such as eligibility applications within the payer space or external clinical laboratory systems.
In the 802.11 wireless world, however, a number of complicating factors make designing a network with
99.999 percent availability even more challenging. The 802.11 bands comprising both the 2.4 GHz and
5 GHz spectrum are unregulated RF domains. The FCC stipulates that for users of unlicensed bands
including the 802.11, each device must expect and accept interference that may affect reliability. This
means that each wireless network deployed will encounter many sources of interference, and must be
designed to identify their sources and mitigate the effects. With effective spectrum management through
Cisco Clean Air, the network administrator has the tools necessary to improve availability through
dynamic mitigation technologies. Cisco Clean Air can be used to rapidly locate and identify sources of
interference, resulting in improved wireless availability.
However, even with the best wireless network design, it may not be possible to build a wireless network
that achieves six sigma availability. Simply put, the RF spectrum is a shared medium and as such, there
is always the chance of outside RF influences, otherwise known as interference. Because hospitals are
public spaces, it is simply not possible to strictly regulate and prevent sources of interference from
entering the environment.

8 EDCS-1182127
Introduction
Adding to the problem is the increasing popularity of consumer-class devices such as Wi-Fi (personal
802.11 to 3G/4G/LTE bridges) and Bluetooth devices, which bring what are essentially interference
generators into the clinical workspace. In the case of Wi-Fi, because of the lack of 3G/4G/LTE integrated
into laptops and other personal computing devices, it is expected to see this technology expanded to new
generations of cell phones, which will further increase the potential for interference. Therefore, it is
Cisco's best practice and recommendation to move all critical clinical applications and voice services to
the 802.11a or 5 GHz band.
Even in the unregulated 5 GHz space, there is always a chance of interference generated by other
wireless clients (for example, visitors and patients) or even radar sweeps from local airports or weather
monitoring stations. Many of these interference generators are typically transient in nature, but can
significantly interfere with the workflow of the care provider.
Perhaps the most discussed aspect of wireless reliability involves life safety and patient
monitoring-based systems. In the case of patient monitors, the reliability of the physiological data being
streamed to a central logging/display and archiving system is crucial. These devices are often mandated
in the vendors FDA filing as having to respond to physiological changes with a very small window of
time. For most vendors in this space, the analysis of the telemetry is performed with the use of wireless
connectivity. Resulting alarms are therefore generated and announced locally by the device itself, while
the telemetry information is being streamed to a central station for use by the telemetry nurse. In these
systems, some level of burden must be placed on the wireless devices themselves with respect to
reliability. Unfortunately many such devices have lagged behind the industry in terms of Wi-Fi-based
technological advances, resulting in non-optimal reliability.
Taking into consideration the shortcomings found in some legacy-based biomedical devices, an 802.11
wireless MGN is one that is designed and implemented using the best possible techniques and resulting
architectures. With respect to wireless as compared to wired, such architectures will remain a topic of
further discussion within the industry. At the present, however, the reliability of the overall wireless
network design, excluding outside RF interference generators, is what Cisco considers medical-grade.
Over time, biomedical devices will be improved along with that of the 802.11 or other wireless standards
available. To the industry, however, the best currently available products and deployment architectures
represent the Cisco MGN as it relates to the uniquely challenging wireless network.
Summary
In conclusion, it is important to reflect on the point that the term medical-grade network (MGN)
generates a great deal of discussion, as it should. Given the fact that there are no formal network-specific
standards or metrics that can be applied to determine what constitutes an MGN, the reader should
understand that the best known industry practices when applied properly can achieve what Cisco terms
an MGN.
Such network architectures often comprise the set of attributes as defined in the proceeding section, but
what makes an MGN different from other network architectures is the use of biomedical devices, federal
regulations, and the criticality of systems involved in life safety.
Additionally, technologies evolve, and the underlying techniques used to achieve these standards will
therefore also change. The network architect and engineering teams responsible for the deployment of
medical networks (wired or wireless) must consider the attributes and concerns described above to
provide the best possible service available with the current state of technology, thereby resulting in what
is considered a Cisco MGN.
This document is intended to augment where appropriate and to highlight challenges that must be taken
into consideration that are not described in the set of best practices found at the Cisco Design Zone
website (http://www.cisco.com/go/designzone).

EDCS-1182127 9
Wireless Overview in Healthcare
Importance of Wireless in Healthcare

It is widely recognized throughout the world that healthcare has one of the most mobile workforces with
an incredible dependency on collaborative communication. Given the highly mobile and communicative
nature coupled with the need to be consistently connected to numerous clinical systems, wireless
technology is needed in all acute patient care environments.
Caregivers are not alone when it comes to the need for mobility within the healthcare setting. Many
clinical and robotic systems along with bio-medical devices require continuous and secure network
connectivity. Again, because these devices are highly mobile, Cisco's wireless technologies provide the
needed connectivity in a manner consistent with the high expectations that exist within the medical
community.
Cisco's wireless networking products have the exclusive endorsement of the American Hospital
Association (AHA), which represents and serves all types of hospitals, healthcare networks, patients,
and communities. AHA members include nearly 5000 hospitals, healthcare systems, networks, and other
care providers, as well as 37,000 individuals.
Mobile Nature of Caregiver

Throughout the global acute care setting, groups of care providers attend to their daily responsibility of
providing quality care to their patients. These groups range from the attending physician to a wide range
of specialists. The attending physician, for example, requires connectivity to a number of systems
providing voice, alerting/paging (lab, pharmacy, code teams), clinical (CPOE, EHR, PACS), and in some
cases access to their remote physicians office for the scheduling follow-up appointments and
procedures.
The nursing staff has a wide range of roles ranging from providing care at the bedside, within the
emergency department or trauma center, and various locations throughout the hospital including OR,
Oncology, Lab, Radiology, and so on. In each of these roles, clinicians are highly mobile throughout
their day. Staying connected to the supporting healthcare systems, whether it is with an electronic device
or another colleague working in conjunction with the care providermobility solutions from Cisco, is
key to optimizing patient care and driving efficient clinical workflow.
In each case, these groups of caregivers need consistent connectivity to the clinical and scheduling
systems to reference patient records, enter orders via Computerized Physician Order Entry (CPOE),
administer medications, and be notified of alarm events as indicated by a wide array of biomedical
devices. In all cases, Cisco's mobility solutions provide this linkage and improve clinical workflow
throughout the continuum of care. (See Figure 1.)

10 EDCS-1182127
Figure 1 MGN and the Continuum of Care
Use of
BYOD devices
Screening
3G/4G services
Portable
connected via VPN
Prevention Diagnosis ultrasound
technologies to aid
wireless
in increased prevention
Cisco
Medical-Grade
Wireless Network Wireless infusion pump
video in ED, Surveillance Treatment delivering monitored
Postop, Recovery treatment regiments
Management
Wireless biomedical
292828
devices providing continuous
patient management
Mobile Nature of Bio-Medical Devices

Caregivers are not the only people who are mobile within an acute care setting. Patients are also highly
mobile as they traverse various ancillary departments in order to be diagnosed or receive treatment. (See
Figure 2.)
Often times, the various biomedical devices that are used to monitor the patients health or deliver
treatment also go mobile. For the acutely ill patient population, patient monitors and smart infusion
pumps are often transported with the patient to various points of treatment. Likewise, traffic in the
reverse direction occurs. An example is when an infusion order is entered into the pharmacy system on
behalf of a patient. In some deployments, the order is downloaded to the smart pump providing patient
context and treatment guidelines such as the infusion rate, dose time, and other metrics.
During this period of mobility, the continuous logging of telemetry is often required along with periodic
electronic medical record (EMR) updates from the smart infusion pump. Information about the patients
health as well as the delivery of critical medications is recorded within the patients electronic health
record (EHR) and used by physicians and caregivers for diagnosis and the monitoring of treatment.
Another example focuses on the biomedical device that is mobilized and brought directly to the patient.
For example, consider a mobile ultrasound or C-arm brought directly to the patient's room. Once the
studies are acquired by the technologist, they are streamed using 802.11 wireless technology and
uploaded to the picture archiving and communication system (PACS) for a radiologist to read and
provide a diagnosis. Without wireless technology, the study would not be uploaded to the PACS system
until the technician plugs the modality into a wired Ethernet port, further delaying workflow and
diagnosis.

EDCS-1182127 11
Figure 2 Patient Mobility
Voice Services
Providing easy to use and reliable voice services to the mobile care provider is yet another means to
improve clinical workflow and ultimately patient care. In a recent Joint Commission on Accreditation of
Healthcare Organizations (JCAHO) study, 84 percent of healthcare providers cited a breakdown in
communication as the number one cause of sentinel events leading to patient injury or death. Many of
these events were caused by delay of treatment or a breakdown in communication among staff members.
A care provider often realizes that something is seriously wrong with a patient, but has difficulty in
locating the staff necessary. These delays can unfortunately result in poor patient care and at the same
time reduce the job satisfaction among caregivers.
Creatively applying voice communications in its many different formats can provide the missing link
that is too often encountered in todays dynamic clinical environments. Adding wireless mobility to
voice communications allows these services to be available to the caregiver no matter where they may
be within the healthcare enterprise. Services include traditional on-net and off-net dialing, voice mail,
adhoc-based group paging, patient and biomedical-based alarms and conference calling, as well as
group-based push-to-talk, all available to the caregiver within seconds.
By enabling rapid communication among caregivers using a variety of formats and extending that reach
regardless of their physical location, is a powerful tool in achieving both higher workflow efficiencies
and better overall patient care.
Given the fact that many healthcare providers have existing 802.11-based wireless networks in place,
adding voice services and leveraging a common infrastructure is a trend that is increasingly popular
within healthcare environments worldwide. One recent healthcare study found that 40 percent of all
cellular minutes used by staff were between care providers within the same building. By leveraging the
dual-mode capabilities of smartphones or incorporating voice within BYOD tablet devices, the care
provider can be provided reliable voice services, further leveraging the 802.11 network. Not only does
this approach reduce costs, but it also extends other information such as presence and access to clinical
systems that otherwise could not be used.

12 EDCS-1182127
Location-Based Services
In healthcare, being able to efficiently locate a medical asset or another care provider not only saves
money, but in some cases can contribute significantly to the quality of patient care. A recent report
published by the BBC for the UK not-for-profit data standards group GS1 found that 37 percent of the
nurses surveyed spent over two hours per-shift searching for missing items. For details, refer to the
following URL:
http://news.bbc.co.uk/2/hi/health/7881807.stm
The most common items lost were IV pumps, drip stands, thermometers, pharmaceutical storage keys,
and mattresses. For the UKs National Health System (NHS), this accounted for up to 900m or $1.4
billion dollars in wasted wages annually. This is only one healthcare system, and one can argue the
accuracy of the statistics, but ask any care provider about their personal stories of trying to locate
something on a patient floor and in a timely manner and you will quickly conclude the necessity of a
location-based system within all acute healthcare environments.
Note Location-based services can be broken down into various technologies. This document addresses only
active 802.11-based RFID; other RFID solutions based on passive or infrared technologies are not
discussed.
Several methods can be used to provide location-based tracking. The first and simplest is called cell
origin. In this approach, an asset can be tracked to the area serviced by a single access point. In some
environments, this can range from 2500 to 5000 square feet and may be sufficient for inventory
control-based deployments. The cell origin strategy is highly efficient, because it does not need to apply
any complex mathematical formulas to triangulate the position. For inventory control, the accuracy is
sufficient if the goal is to determine at a glance that all particular items are located within the floor. This
approach is also used to track the location of a care provider, allowing others to determine in which
floor/wing/building a physician or ancillary department employee is located. (See Figure 3.)
Figure 3 Location-Based Services

190534
Depending on the RFID requirements, this approach may meet the requirements of the healthcare
organization. In most healthcare environments, however, such granularity may not be adequate, and
therefore is not considered a best practice for a Cisco MGN architecture.

EDCS-1182127 13
Distance and RF fingerprinting techniques are the next commonly deployed methods to determine the
location of an asset with much greater accuracy over that of the cell origin-based approach described
above.
To provide near medical-grade location services, it is necessary to triangulate the position of an asset in
two dimensions (X and Y) by recording the receive signal strength indication (RSSI) of an asset by three
or more access points in a single horizontal plane. By using RSSI, tracking is simply a matter of
recording the signal strength of the device by three or more access points and applying a path loss (signal
loss) algorithm to each recorded sample. This sampling information is collected by a location-processing
engine such as that found in the Cisco Mobility Solution Engine (MSE).
In a perfect world, RSSI-based systems would provide reasonable accuracy, but the world is not perfect
and neither is RSSI. This means that as you move away from an access point in one direction and at a
consistent rate, the signal level will in most cases not drop at an equal and linear rate. These signal
fluctuations are caused by obstructions such as walls (open today, closed tomorrow), doors, dietary food
carts, med carts, gurneys, and even human beings.
To combat these issues, a technique called RF Fingerprinting can be applied to the RSSI-based system.
This technique records the RF patterns that exist as a tracked object moves around in the RF
environment. By recording these patterns and applying them to the RF patterns received in real-time,
accuracy can be increased significantly.
For example, to locate and record the RF patterns that exist on a patient floor, the system must be taught
about the patterns. This process is called calibration and requires the recording and physical movement
of a test subject such as an RFID tag, 802.11 wireless phone, or computer on wheels (CoW). Once
collected, the RF pattern information is normalized and statistically groomed to provide accurate path
loss models that can be applied to the location algorithms. The Cisco MSE provides RF
Fingerprint-based location services and if properly calibrated can often provide room-level accuracy.
The value of location-based services is clear, but perhaps the use cases are not. Vendors such as
Aeroscout (acquired by Stanley Black and Decker) produce active RFID tags that can be not only used
to provide location information as described above, but can provide other useful metrics. The Aeroscout
T5b and T5c tags provide external temperature probes that can be used to monitor hospital refrigerators
and freezers that store vaccines, pharmaceuticals, blood, food, patient test results, and other items. The
tags send temperature readings in intervals specified by the administrator (128ms to 3.5 hours)) via the
802.11b/g wireless network. Likewise, the T5h tag provides both real time temperature and humidity
monitoring. When a threshold is exceeded, alarm events can be generated to inform the appropriate
support group within the hospital that an environmental event is occurring.
By taking quick action to such alarm events can prevent the loss of many expensive pharmaceuticals as
well as other precious biomedical items such as blood/plasma and, in some cases, donor organs.
For other assets such as wheelchairs, patient monitors, and even patients, the T4 RFID tag from
Aeroscout features a motion sensor providing real-time updates not only to the location but also whether
the tag is in motion. For wheelchairs and other items, having access to its location and utilization is not
only important to the care provider, but it can provide some useful information that is often overlooked.
To receive federal or state grant monies, healthcare institutions may need to provide positive
confirmation that a certain percentage of the asset in question is used. By monitoring the level of usage
of each asset in question, a healthcare institution can easily provide the asset-tracking report needed to
apply for the grant, while at the same time reducing asset loss because of theft or misplacement.
One final example of location-based services is in providing performance metrics for ancillary
departments throughout the hospital. By data mining, the location of gurneys and wheelchairs, choke
points within the OR, ED, Radiology and so on, can be monitored. Wait times in pre-operation,
post-operation, and Radiology can be tracked, providing highly useful trending data over time as to the
performance and utilization of key areas within the hospital. (See Figure 4.)

14 EDCS-1182127
Figure 4 AeroScout 802.11 Active RFID Tags with and without Temperature Sensors
There are many other use cases for medical-grade location-based services within the acute healthcare
environment. By using location-based services in both obvious and creative ways, the healthcare
organization can leverage the installed infrastructure while at the same time improve clinical workflow
and patient care.
Privacy Concerns
Although information security is a top priority for any organization, healthcare providers must be
especially diligent in protecting confidential patient data. In addition to the evolving threat posed by
hackers and other intruders, government regulations such as HIPAA establish privacy requirements for
protected health information (PHI).
Network-based applications have transformed virtually every industry, and healthcare is no exception.
Solutions that allow access to EMRs, medical management systems, imaging, biomedical information,
material management, patient accounting, admitting information, and online claims submissions are
becoming commonplace in wireless, wired, and mobile scenarios.
Because the overall network security is only as strong as its weakest link, providers need to be as certain
as possible that wireless LANs (WLANs) are providing the same level of access control and privacy as
wired LANs. In contrast to a wired LAN, in which a physical connection controls access to the network,
WLANs broadcast data through the air. Any wireless-enabled device in the area, such as a patients
laptop in a waiting room or a wireless PDA in a neighboring office, presents a potential security threat.
Special security considerations should be made to meet the requirements established by U.S. and
international regulatory bodies and organizations including HIPAA, HITRUST, Data Security Standards
(DSS) and PIPEDA.
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted to safeguard
PHI by mandating procedures and controls to assure the public that critical and private information is
controlled from loss of confidentiality, integrity, or availability.

EDCS-1182127 15
An organization is subject to HIPAA if it exchanges data related to the healthcare profession. Improper
release of private information has become frequent. News stories often highlight serious infractions such
as public posting of diagnosis and patient information or inadvertent release or loss of personal records.
This law requires that all data on patients be kept secure and private. Wireless security becomes a very
significant part of any healthcare facilitys overall security strategy. Generally, a combination of standard
wireless security standards on clients should be considered to meet HIPAA requirements.
HIPAA audits of hospitals by the U.S. Department of Health and Human Services are becoming more
frequent and increasingly focused on the protection of electronic PHI (ePHI). This is raising awareness
in the healthcare industry about the prospect of more enforcement actions related to the data security
requirements of the federal HIPAA legislation.
The audits being conducted assume that data privacy mandates are already in place in a healthcare
facility. The security rules require organizations that handle electronic health data to implement
measures for controlling access to confidential medical information and protecting it against
compromise and misuse.
More information about HIPAA can be found at the following URL http://www.hhs.gov/ocr/privacy/
IEC 80001-1:2010Application of Risk Management for IT Networks Incorporating Medical Devices

The IEC 80001-1:2010 standard was ratified in late 2010. This voluntary standard provides high-level
guidance to healthcare delivery organizations in establishing an organizational structure, roles,
responsibilities, and life cycle management of a medical IT network. Such networks can be generally
classified as a general purpose IT network that provides connectivity to one or more medical devices. It
was developed by a joint working group of the IEC 62A committee.
The responsibility of such networks falls into the domain of the healthcare delivery organization. The
responsibility and ultimate accountability is placed upon the senior management of this organization with
the support to perform the following functions:
Establishing a policy for how the institution will manage risk for the network so that the key
properties are maintained
Establishing the process for applying risk management throughout the life cycle of the network
Assigning people to execute the risk management process
Providing the necessary resources
Specifying the criteria by which risk is determined to be acceptable
Approving the results of the risk management process.
Healthcare organizations that maintain and operate networks which include medical devices are urged
to consult and implement the IEC 80001 recommendations. By using the prescribed IEC 80001
framework, healthcare organizations can minimize the risk involved in operating such networks. It is
beyond the scope of this document to fully describe the risk management process that the IEC 80001
provides. For more information on the IEC 80001 standard, please consult the following URLs:
http://www.iso.org/iso/catalogue_detail.htm?csnumber=44863
http://www.aami.org.
In addition to the standard, there are the following three published technical reports. These documents
are indented to provide additional specifics that can be used in the risk mitigation process.
IEC/TR 80001-2-1:2012Step-by-step risk management of medical IT networks; practical
applications and examples

16 EDCS-1182127
IEC/TR 80001-2-2:2012Guidance for the communication of medical device security needs, risks
and controls
IEC/TR 80001-2-3:2012Guidance for wireless networks
Cisco provides consultative services that assist healthcare organizations in all aspects of the MGN
architecture. This includes preparation, planning, design, implementation, operation, and optimization.
By carefully applying a disciplined approach to operating medical networks, healthcare organizations
can be better prepared to operate such networks while reducing risk and improving care. (See Figure 5.)
Figure 5 Cisco Lifecycle Services Approach
Prepare Plan Design
Develop a business Assess readiness to Create a detailed design

case for a technology support proposed to address business and
investement solution technical requirements
Optimize Operate Implement

Achieve operational Maintain network health Deploy new
227931
excellence through through day-to-day technology
ongoing improvements operations
More information about Cisco's consultative services can be found at the following URL:
http://www.cisco.com/go/advancedservices
HITRUST Alliance
Perhaps no other industry can lay more claim to the necessity of wireless technology than that of modern
healthcare. The Health Information Trust Alliance (HITRUST) exists to ensure that information security
becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems
and exchanges. For more information, see the following URL: http://www.hitrustalliance.net/
Information security is critical to the broad adoption of, use of, and confidence in health information
systems, medical technologies, and electronic exchanges of health information. The main goals of
HITRUST are to enable the following:
Collaboration with healthcare, business, technology, and information security leaders to standardize
on a higher level of security to build greater trust
Certifiable framework that any and all organizations in the healthcare industry can implement and
be certified against
The foundation of all HITRUST programs and services is the HITRUST Common Security Framework
(CSF), a certifiable framework that provides organizations with the needed structure, detail, and clarity
relating to information security tailored to the healthcare industry. HITRUST is enhancing and
simplifying security and compliance by delivering cost efficiencies to the healthcare industry by
establishing common, acceptable practices through the CSF, and other collaborative community
initiatives. In addition, HITRUST strives to provide education and guidance, and facilitates
organizations towards meeting the requirements of the CSF.
The HITRUST Alliance is led by a seasoned management team and governed by an executive council
made up of leaders from across the healthcare industry and its supporters. These leaders represent the
governance of the organization, but other founders also compromise the leadership to ensure the
framework meets the short and long term needs of the entire industry. Members of the executive council
can be found at the following URL: http://www.hitrustalliance.net/council.php

EDCS-1182127 17
Other Regulatory Bodies

A survey of other US and international regulatory bodies that require security measure include the
following:
Data Security Standard (DSS)
The Payment Card Industry (PCI) uses the DSS that affects all healthcare facilities that process,
store, or transmit credit or debit card information over their networks. To pass PCI compliance, a
healthcare provider must address its procedures, security policies, and technical infrastructure so
that it can demonstrate adherence to the PCI DSS v1.2 specification sub-requirements. Once a
company becomes compliant, there are ongoing requirements to maintain compliance.
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA or PIPED Act) is a
Canadian law relating to data privacy. It governs how private-sector organizations collect, use and
disclose personal information in the course of commercial business. For more information, see the
following URL: http://laws.justice.gc.ca/en/ShowFullDoc/cs/P-8.6//20090818/en
EC 95/46
The Data Protection Directive 95/46/EC on the protection of individuals with regard to the
processing of personal data and on the free movement of such data) is a European Union directive
which regulates the processing of personal data within the European Union.
Red Flags
The Red Flags Rule, a law by the FTC, requires certain businesses and organizations including
many doctors offices, hospitals, and other health care providers to develop a written program to
spot the warning signs or red flags of identity theft.
Strong Authentication and Encryption

For the WLAN network, security is based on both authentication and encryption. Strong authentication
and encryption policies are essential in meeting the wireless privacy objectives as described previously.
A survey of authentication and encryption policies is listed in Table 1. Details on the availability and
recommendations of security features are listed in the appropriated endpoint sections.
Table 1 Authentication and Encryption Policies
WLAN Security Mechanisms

Feature Static WEP 802.1x WEP WPA/WPA2 Personal Pre-Shared WPA 2 (Enterprise)
Key (PSK)
Identity User, machine User or machine User or machine User or machine
or WLAN card
Authentication Shared key EAP Pre-shared keys Individual
userid/password
Integrity 32-bit Integrity 32-bit ICV 64-bit Message Integrity Code CRT/CBC-MAC (Counter
Check Value (MIC) mode Cipher Block
(ICV) Chaining Auth Code -
CCM) Part of AES
Encryption Static keys Session keys Per Packet Key rotation via TKIP CCMP (AES)

18 EDCS-1182127
Table 1 Authentication and Encryption Policies (continued)
Key Distribution One time, Derived from Derived from PMK Derived from PMK
Manual Pair-wise Master
Key (PMK)
Initialization Vector Plain text, Plain text, Extended Initialization Vector 48-bit Packet Number
24-bits 24-bits (IV)-65-bits with (PN)
selection/sequencing
Algorithm RC4 RC4 RC4 AES
Key Strength 64/128-bit 64/128-bit 128-bit 128-bit
Supporting None RADIUS RADIUS RADIUS
infrastructure
Medical-Grade No No Yes1 Yes
1. WPA uses the RC4 encryption algorithm and augments a Temporal Key Integrity Protocol to aid in improving the strength of the encryption
mechanism. Recently, there have been reports that Computer Scientists in Japan have found a way to compromise the encryption.
Wireless Uses in Healthcare

Perhaps no other industry can lay as much claim to the necessity of wireless technology as that of the
modern healthcare environment. As described previously, healthcares unique mobility requirements
coupled with the need for immediate and continuous connectivity to the clinical network provide a
challenging set of requirements. Providing access to clinical systems for both the caregivers and
biomedical devices is the most common use case for wireless technologies in the modern healthcare
environment.
Healthcare environments world-wide continuously strive to provide optimum patient care, but with the
increasing demand to provide that care at a lower flat-price point. In doing so, some innovative uses of
wireless technology help drive that goal forward.
This section discusses some of the unique capabilities of 802.11-based wireless technologies within the
modern healthcare environment, and provides an overview of how healthcare customers world-wide are
using wireless technologies to improve patient care.
Biomedical Devices
Biomedical devices such as patient monitors, smart infusion pumps, personal ultrasound, portable x-ray,
and ventilators are the fastest growing population of networked-connected devices in a clinical
environment. Most of the main vendors in this space support 802.11-based wireless LAN capabilities to
provide network access for patient monitors and smart infusion or IV pumps. Vendors must develop risk
analysis-based performance metrics for alarm delivery times, and then design a system to meet those
requirements.
Smart infusion pumps in an acute-care setting usually comprise a relatively large number of wireless
devices. These types of devices are the most mobile in nature because they are in close proximity to the
patient under care. Security involving these devices and the methods available for authentication and
encryption are an important aspect of the deployment of the MGN.
Patient monitors comprise the second largest percentage of biomedical devices in a hospital setting.
Patient monitoring systems are designed to monitor the physiological conditions of a patient using
different metrics. Monitors generally send the vital signs information about patients to a backend central
server on a continuous basis. Unicast or sometimes multicast/broadcast traffic of small but very frequent
intervals (that is, 300 byte, 4x/sec) is used to communicate patient telemetry and alarm data.

EDCS-1182127 19
The life-critical requirements used for continuous patient monitoring are more critical than smart
infusion pumps, and as a result, network connectivity needs to be engineered appropriately.
Voice
As stated previously, healthcare providers are a highly mobile group of people. Providing these
caregivers with reliable mobile communications by itself dramatically increases productivity by making
the caregivers instantly available for communications, decreasing the time spent tracking down other
caregivers and resources. Integrating these mobile devices with the appropriate clinical applications can
further improve workflow and productivity. One example of the possibilities is nurse call.
In a traditional nurse call system, when a patient pushes a nurse call button, a light is lit outside the
patient's room at a central nursing station. The charge nurse at the central nursing station has to call the
patient and identify the problem. The charge nurse then pages, via an overhead or room pager, to find an
available resource. The nurse must stop whatever he or she is doing and respond to the request. Finally,
the nurse can return to what he or she is doing before being interrupted. By integrating the nurse call
system with mobile communications, when a patient presses the nurse call button, the nurse assigned to
the room is alerted with a message on the phone. The nurse may then press a single button and talk with
the patient to determine the request, and either respond immediately if it is urgent or respond later if it
is not urgent.
Another more specific nurse call example is a code blue alert. Typically, when a code blue is initiated, a
page is sent to all the members of the code blue team. Provided the location of the code blue emergency,
they then begin the response protocol. By integrating wireless phones, collaboration applications, and
code blue alerts, a conference call can be automatically set up between the code blue team members and
nurse call patient device. This provides immediate collaboration with team members who are not present
on the floor in question so as to provide guidance and be aware of the situation prior to attending to the
patient. This can lead to improved patient care by reducing treatment delays.
These are just a few examples of how integrating mobile wireless communications and unified
communications can improve caregiver efficiency and patient care. Others within an acute care setting
include dietary, housekeeping, transportation, security, and various others.
Cisco Location-Based Services

Cisco's Location-Based Services (LBS) provide a healthcare facility with the ability to track the location
of any WiFi-based device or 802.11-based active RFID tag. As described elsewhere in this document,
collaborating with the network is one attribute of the MGN architecture. As such, being able to interact
with the network when tracking the location of a resource, whether a person or medical device, is key in
optimizing workflow and enhancing overall operational efficiencies.
Note Starting in Release 6.0 of the Cisco MSE Context-Aware Engine for tags, non-Cisco compatible
extensions (CCX) compatible tags are not supported.
An LBS system comprises the following items, which are subsequently discussed in further detail:
Wireless Control Server (WCS)
Wireless LAN Controllers (WLC)
Mobility Services Engine 3300
Properly designed RF Network for optimal location resolution

20 EDCS-1182127
802.11-based wireless devices or active 802.11 RFID tags compliant with the Cisco-compatible
extensions for Wi-Fi tags specification
In healthcare environments, room-level accuracy is the goal, with bed-level accuracy being the
desired golden standard. With location-based technology based on RSSI coupled with RF
Fingerprint capabilities, room level accuracy can be achieved, provided that one of the following
two approaches are used and properly executed:
Exciter-based RFID tagsThese are also referred to as chokepoint triggers and are typically
used at the entrance of a room. When an Exciter-based RFID tag passes near or under a trigger
point, the tag location is communicated back to the MSE. Each Exciter is configured for its
specific location, so location accuracy is greatly improved.
Proper access point placement to achieve three or preferably four access points providing path
loss information to the RFID tag or 802.11-based device with at least -75dBm of signal to the
device being tracked. By creating an AP perimeter that encircles the covered area, accuracy can
be dramatically increased. This technique creates what is called a convex hull and is discussed
in detail in the supporting Location-Based Services Design Guide found on the Design Zone
website at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/wifich5.html#wp1051949
Note Placing APs within patient rooms is acceptable by many healthcare organizations in most cases.
Some healthcare environments serving the mental health and incarcerated communities may not
find a surface mounted AP acceptable. In such settings, using a locking enclosure or locating the
AP above the ceiling tile enclosed within an enclosure is recommended. Integrated ceiling tile
antennas may not be supported by the Cisco TAC, and have been found to produce less than
optimal location accuracy.
Historically, hospital wireless access point placement was commonly performed with the sole objective
of providing wireless data and voice services. As such, the goal of the RF engineer who performed the
site survey was to build an RF environment that provides adequate data and voice coverage in the
required areas. Many times, however, location-based service requirements were not taken into account
at the onset of the project.
This can be commonly seen when access points are placed in a straight line down the hallway of a patient
floor, and no perimeter AP placement is implemented. When this approach is taken, the ability of the
MSE to create a highly accurate RF path loss profile is significantly reduced. As the distance from the
AP is increased, the level of accuracy increases significantly.
Take for example the traditional AP placement strategy shown in Figure 6. In this illustration, the access
points are placed down the hallway in a single axis, and the absence of a convex hull exists because
the lack of an established AP perimeter results.

EDCS-1182127 21
Figure 6 Traditional AP Placement
1 PL
PL 2
LWAPP LWAPP LWAPP Single
PL PL3 Axis
1 2
PL
292829
Note how the RF path loss (PL) from an asset being tracked typically does not have a significantly
different signal level to determine location with a high level of accuracy. To provide more accuracy,
additional APs on different axes must be deployed, effectively creating an AP perimeter.
Healthcare organizations are deploying 802.11n access points within the patient rooms for performance
reasons. The hidden benefit to the added performance is the increased accuracy, as shown in Figure 7.
The diagram shows the beginning of establishing an AP perimeter, but falls sort of providing one for the
entire floor, as shown in Figure 7.
Figure 7 AP Perimeter
LWAPP
Multiple
1 PL Axis
PL 2
WAPP
LWAPP LWAPP LWAPP
PL
1 2
PL
Convex Hull/AP
LWAPP Perimeter
292830
To provide an AP perimeter, deploying APs on multiple axes as well as establishing a complete AP

perimeter is critical to increasing accuracy. In Figure 8, an AP perimeter has been established. The
resulting convex hull provides room-level accuracy in most healthcare environments.

22 EDCS-1182127
Figure 8 Establishing an AP Perimeter
LWAPP LWAPP LWAPP LWAPP
LWAPP LWAPP LWAPP
LWAPP
APP LWAPP LWAPP LWAPP
292831
Optimized Convex
Hull/AP Perimeter
Note In many wireless illustrations, APs are arranged in straight columns and rows. In actuality, it may be
preferred to stagger the APs to some degree to achieve greater accuracy.
Depending on the channel selection, in some bands the increased AP density may result in co-channel
interference. This depends on the construction materials used. Wireless clients operating on the same
channel on adjacent floors may also cause co-channel interference. To reduce the likelihood of
interference on adjacent floors, it is recommended to stagger the APs in such a way as to not stack
access points, especially on the same channel. In Figure 9, note how the APs are not stacked between
floors. This approach is recommended if there is bleed through from the adjacent floors.

EDCS-1182127 23
Figure 9 Non-Stacked Access Points
4th Floor AP Layout
LWAPP
LWAPP LWAPP LWAPP
LWAPP
3rd Floor AP Layout
LWAPP
LWAPP LWAPP LWAPP
LWAPP
292832
LBS can be used not only to provide location and utilization information, but can also be used to provide
environmental measurements. JCAHO requires healthcare organizations to provide auditing of all
environments used to contain or store temperature-sensitive medications or specimens. As such, many
healthcare organizations have protocols in place that measure the temperature in various medical
refrigerators every hour.
This time-consuming task can be automated through the use of 802.11 RFID temperature tags. The
measurement data is collected on a configurable time frame and reported back to the MSE for later
reporting. Alternately, alerts can be generated if the measurement falls outside of a configured range.
Server and storage system faults or sometimes even failures have been directly tied to that of ambient
temperature. Enabling an MGN not only relies on the basic networking and IT aspects, but also extends
to all aspects of operation. Within the data center, for example, these same tags can be used for the
collection of historical temperature monitoring, again alerting proper personnel when a fault condition
is detected.

24 EDCS-1182127
Time differential of arrival (TDOA)-compatible systems can add improved accuracy by measuring the
time it takes for a given RF signal sent from an 802.11 device or tag to be received by two or more sensor
stations. Vendors such as Aeroscout have TDOA solutions that require the placement of TDOA-based
sensors in addition to access points. TDOA information collected is sent to the Cisco Mobility
TDOA-compatible systems and can add improved accuracy by measuring the time it takes for a given
RF signal to be received by two or more sensor stations. Vendors such as Aeroscout have TDOA
solutions that require the placement of TDOA-based sensors in addition to access points. TDOA
information collected is sent to the Cisco MSE. The MSE uses the TDOA location algorithm developed
by Aeroscout to determine the location. This provides a constant metric that is not affected by changes
in the RF environment, which is the time of arrival of a packet. In low ceiling indoor environments,
however, the use of TDOA systems may be negatively affected by multipath interference. TDOA systems
provide high level accuracy in larger indoor environments such as warehousing, or outdoor environments
where multipath interference is low.
Depending on the desired accuracy levels required, RSSI, Exciter/chokepoints should be deployed in a
healthcare environment. These techniques can be mixed or matched to achieve the requirements set forth
by the healthcare organization. For detailed information about LBS, consult Cisco's Design Zone located
at the following URL: http://www.cisco.com/go/designzone
Security
WLANs share many of the security challenges that wired networks present. Both require user
authentication, authorization, auditing, and protection from threats such as viruses and other malicious
code. WLANs also present new challenges generally related to the nature of the technology used, which
is outside the enterprises control because it is in the air. In addition, wireless networks cannot be
confined within a physical facility; anyone within transmission range can listen in, masquerade as trusted
participants, extend the network, and disrupt operations.
Guest Access Services

The Internet has become as important to many people world-wide as cellular phone service has become.
As such, healthcare organizations and ambulatory-based healthcare providers are offering guest Internet
services to not only their patient community, but students and contractors as well.
Providing Internet access to the acute patient, outpatient, and residents of long-term care communities
provide the much needed access to the outside world. This is especially true during times when the
individual may need such communication mechanisms in planning their post-care plan. For long-term
care residents, guest Internet access has become the norm in providing e-mail, entertainment, voice, and
video conferencing services. Providing a wireless Internet service that meet these service requirements
involves some common requirements:
Guest user authentication
Anonymous access after acceptance of an acceptable use policy
Authenticated access after providing supplied login credentials
Paid access after payment and identification process is completed
Guest access to walled garden
No authentication required, controlled access to specific websites
Acceptable use policy acceptance, controlled access to specific websites
Resource control
Access controls placed upon user controlling bandwidth and websites visited

EDCS-1182127 25
QoS policies placing guest access below that of clinical usage

Session Initiation Protocol (SIP) Snooping to provide call admission control functionality for
SIP-based voice services
Logging
Maintain access logs and sites accessed
The model for students and/or authorized contractors is similar to the requirements outlined above, but
may provide additional rights not provided to the general patient and visitor population. These may
include additional bandwidth, longer login times, and access to specific internal websites related to job
role or student responsibilities.
Many healthcare organizations are looking to outside guest access providers to manage guest Internet
services. This hybrid approach allows the guest user to use the existing wireless infrastructure (APs,
wireless controllers). The network backhauls the guest access to an egress point in the network where it
is handed off to a guest provider. Many service providers offer this service, which has the following
advantages:
Use of existing wireless infrastructureNo parallel 802.11 network required
Authentication and acceptable use policy is the responsibility of the outside vendor
Bandwidth to Internet is out-of-band and is not reliant on the healthcare organizations existing
Internet connectivity. (However, some ISPs may provide such services on existing circuits.)
Customer support for guest access is handled by the outside vendor, and does not place additional
burden on healthcare system IT support personnel
Guest access instructions can be provided at the front desk and by nurse stations; can also be
communicated via digital media signage located throughout the hospital.
The decision to adopt guest Internet access is one that most organizations have made. The real decisions
are based on the access model being used. Should an outside vendor be engaged to manage the service
offering, or is there significant capacity both in personnel resources and Internet access to support the
service in-house?
For more details about guest access services, refer to Cisco Design Zone website at the following URL:
http://www.cisco.com/go/designzone
Note Determined users or patients within a healthcare facility that may begin to use Wi-Fi devices for
establishing wireless 802.11 communications. This can effectively result in interference to the
802.11-based infrastructures. By providing reliable guest wireless services, the use of such devices may
be reduced.
Clinical Access
Clinical systems refer to systems that support clinical workflow and decision support, including
electronic health record (EHR) and computerized physician order entry (CPOE) systems. Often these
systems include laboratory and pharmacy systems as well as imaging applications.
These clinical systems often support 802.11 wireless standards as mobile workstation or computers on
wheels, sometimes referred to as CoWs or WoWs. These carts allow caregivers to access clinical systems
at the point of care. Healthcare professionals can have real-time access to various applications in a
clinical information system (CIS) while mobile or at a patient's bedside.

26 EDCS-1182127
Wireless Architecture Overview
One of the principal RF-based aspects of CoWs is the inclusion of an external antenna that supports all
of the 802.11 bands that will be used. Figure 10 shows the Metro Flo 1760 mobile computing
workstation. Note the inclusion of an external and predominately located multi-band antenna. Mounting
the RF radiator externally can provide significant improvements in performance. For cases where the RF
environment changes drastically, as in the case of the automatic closure of fire doors for example, such
RF considerations can become a make-or-break decision.
Figure 10 Metro Flo 1760 Mobile Workstation
Externally located
802.11b/g/a/n Antenna
227932

Cisco's Medical-Grade Network 2.0Wireless Architecture is a subset of the overall Cisco MGN
architecture. This section provides an overview of the key components, specific design considerations,
and component placement for the wireless architecture within a healthcare environment.
Figure 11 illustrates the range of technologies and products as part of the wireless architecture.

EDCS-1182127 27
Figure 11 Wireless Architecture
Third Party Integreation

to LBS (Nurse Call,
Cisco Identity BioMed, EMR)
2500 WLC Sevices
Engine MSE ACS WCS
MSE
Wireless
V Management PC
Cisco Cisco 5500 Series (Browser Based)
SRE WLC Wireless LAN Cisco
Controller MGN 2.0 Prime NCS
Campus
Cisco
Catalyst 6500
Wireless Services
Module (WiSM/
WISM2)
V
Cisco ISR Wireless
V
LAN Controller Voice and QoS
Module (WLCM) Enabled L3 Access
V Switches
V
V
SSC
292833
The wireless architecture is composed of the following components:
Access points (AP)
Wireless LAN Controllers (WLC)
Wireless Control Systems (WCS)
Mobility Services Engine (MSE)
The following sections provide an overview of these relevant components.

28 EDCS-1182127
Access Point
Wireless Access Point (WAP) is a device that allows wireless communication devices to connect to a
wireless network using Wi-Fi, Bluetooth, or related standards. The WAP usually connects to a wired
network, and can relay data between the wireless devices (such as computers or printers) and wired
devices on the network.
Within the Cisco MGN wireless architecture, there are two categories of APs: standalone and
lightweight or CAPWAP/LWAPP. This section briefly discusses the various models of AP products
available within each category, and contrasts features, functionality, and applications.
Note Access points in the new Control and Provisioning of Wireless Access Points (CAPWAP) standard that
is based on the Cisco proprietary LWAPP standard are referred to as wireless termination points (WTPs).
More information can be found about CAPWAP in RFC-5415 at the following URL:
http://www.ietf.org/rfc/rfc5415.txt
Indoor Cisco Access Points

All Cisco APs sold today support the Cisco Unified Wireless architecture and utilize the LWAPP
protocol to provide wireless services. Starting in Release 6.0 of the WLC software, LWAPP is replaced
by the CAPWAP standard. (See Table 2.)
Table 2 Indoor Cisco Access Points
Office Business Interactive

Extend Standalone Ready Media Mission Critical
Cisco Aironet 600 Series 1040 Series 1140, 1250, 1040 Series 1140, 1250, 3500 Series Access Point 3600 Series
Access Access Point Access Point 1260 Series Access Point Series Access Controller -based Access
Points Controller Standalone Access Point Controller Point Point
-based Standalone -based Controller Controller-
-based based
Product
Image
Category Business- Business- Best-in-class Business- Best-in-class Best-in-class performance Ground-

ready access ready access performance ready access performance access point for breaking
point for point for access point point for access point for mission-critical enterprise speed and
remote wireless for enterprise wireless enterprise applications reliability
wireless connectivity applications connectivity applications for mission-
connectivity critical
enterprise
applications
Targeted for Teleworkers Commercial, Mid-sized Commercial, Mid-sized to Mid-sized to large Mid-sized
and remote small enterprise small to large enterprise enterprise to large
employees enterprise, mid-sized enterprise
branch enterprise,
branch

EDCS-1182127 29
Table 2 Indoor Cisco Access Points (continued)
Dense - Yes Yes Yes Yes Yes Yes

endpoint
clients
Extended - - Yes - Yes Yes Yes
coverage
Interactive Yes - - - Yes Yes Yes
multimedia
(Voice/Video)
Performance Yes - - - - Yes Yes
protection in
congested RF
environments
Radio - - - Yes Yes Yes Yes
Resource
Management
Cisco - - - - - Yes Yes
CleanAir
technology
Cisco - - Yes - Yes Yes ClientLink
ClientLink 2.0
Cisco - - - Yes Yes Yes Yes
BandSelect
Cisco - - - Yes Yes Yes Yes
VideoStream
Rogue AP - - - Yes Yes Yes Yes
Detection
Adaptive - - - Yes Yes Yes Yes
wIPS
Cisco Yes - - Yes Yes Yes Yes
OfficeExtend (1140 Only)
FlexConnect - - - Yes Yes Yes Yes
Wireless - - - Yes Yes Yes Yes
Mesh
Power 100 to 240 802.3af 802.3af 802.3af 802.3af 802.3af 802.3af
VAC, 50-60
Hz Local
Power
Supply
Installation Home Office Office Rugged 3500i: Office Office Office
3500e: Rugged
3500p: Rugged
Wi-Fi 802.11a/b/g/n
Standards
For further information on Cisco Access Points, see the following URL:
http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#~high-end

30 EDCS-1182127
Wireless LAN Controller (WLC)

Most acute healthcare environments require deployment of wireless networks on a large scale, with
typically a limited and generalist-based IT staff. To reduce the cost of operation, it is necessary to
manage such large-scale deployments centrally.
The Wireless LAN Controller (WLC) is a device that assumes a central role within the wireless network.
Traditional roles of access points, such as association or authentication of wireless clients in a
centralized architecture, are now performed by the WLC. Access points, called lightweight access points
(LAPs) in the unified environment, register with a WLC and securely tunnel all the management and data
packets to the WLCs. The WLCs then decode the packets and switch them between wireless clients and
the wired network. All configuration is done on the WLC directly, or through a software-based
management system called the Wireless Control System (WCS). The LAPs download their specific
configuration from WLCs upon registration and provide wireless access to authenticated wireless client
devices.
In addition to providing authentication and data services, access points that support Clean Air
technology relay detailed RF information regarding RF interference, rogue APs or clients, and potential
coverage holes that may exist within the deployed infrastructure. For all critical care healthcare
environments, especially medical IT networks that contain medical devices and are used for the
treatment or diagnosis of a patient, Clean Air is an absolute requirement. Without such capabilities, the
healthcare delivery organization does not have a complete and accurate picture of the RF spectrum, and
therefore cannot identify and mitigate risks that may arise as a result of outside RF influences.
For convenience, this document refers to all Cisco Unified Wireless controllers as WLCs because of the
general uniformity and commonality of features across all of Ciscos WLC platforms.
The simple timing-dependent operations are generally managed on the LAP, and more complex and less
time-dependent operations are managed on the WLC.
For example, the LAP handles the following:
Frame exchange handshake between a client and AP
Band select-based probe responses
802.11n beam forming and Cisco ClientLink
Transmission of beacon frames
Buffering and transmission of frames for clients in power save mode
Response to probe request frames from clients; the probe requests are also sent to the WLC for
processing
Forwarding notification of received probe requests to the WLC
Provision of real-time signal quality information to the switch with every received frame
Monitoring each of the radio channels for noise, interference, and other WLANs
Monitoring for the presence of other APs
Other functionality is handled by the WLC. Some of the MAC-layer functions provided by the WLC
include the following:
802.11 authentication
802.11 association and reassociation (mobility)
802.11 frame translation and bridging
802.1x/EAP/RADIUS processing

EDCS-1182127 31
Termination of 802.11 traffic on a wired interface, except for the REAP and FlexConnect, which are
discussed later in this guide.
When the WLAN CAPWAP tunnel traffic reaches the WLC, it is mapped to the matching VLAN
interface configured on the WLC defined for the SSID. The wired interface ports on the 5508 WLC are
typically configured using an 802.1q trunk. This trunk then has a number of VLANs configured with
each one mapped to one or more SSIDs. To further enhance the availability, the gigabit ports also support
Link Aggregation using EtherChannel, eliminating a single uplink from becoming a single point of
failure. This high availability-based design can be taken a step further and configured using
multi-chassis EtherChannel, which means that ports can be aggregated across multiple switches to
eliminate the switch as a single point of failure.
By designing wireless networks for high availability at the onset, healthcare delivery organizations can
begin to use the IEC-80001-1-2010 standard. Cisco strongly encourages the IEC-80001-based risk
manager to work with Cisco and its partners to review network designs with the intended focus to
identify and mitigate potential areas of risk before the wireless network is deployed. Ideally, this should
involve the various medical device vendors in play along with the Cisco reseller and/or Cisco Advanced
Services.
Table 3 summarizes the various Cisco Unified Wireless WLCs and their features:
Table 3 Cisco Unified Wireless WLCs
Controller for ISR

2500 Series G2 5500 Series WiSM2 Flex 7500 Series
Product Image
Target Small or Small or Mid-sized to large Mid-sized to large Large number of

medium-sized medium-sized enterprise enterprise branches
business business
Centralized Yes
Management
Centralized Data Yes Yes Yes Yes -
Policy Enforcement
Cisco OfficeExtend Yes - Yes Yes Yes
Teleworker Solution
Wireless Mesh Yes Yes Yes Yes -
Workgroup Bridge Yes Yes Yes Yes -
Link Aggregation - - Yes - -
Group (LAG)
Radio Resource Yes
Management (RRM)
Cisco Network Yes Yes Yes Yes -
Access Control (NAC)
Datagram Transfer Yes - Yes Yes Yes
Layer Security (DTLS)

32 EDCS-1182127
Table 3 Cisco Unified Wireless WLCs (continued)
Cisco Compatible Yes Yes Yes Yes -

Extensions Call
Admission Control
(CAC)/Wi-Fi
Multimedia (WMM)
Multicast Yes Yes Yes Yes -
Cisco VideoStream Yes Yes Yes Yes -
Guest Services Yes
(Wireless)
Guest Services - - Yes Yes -
(Wired)
Form Factor Desktop ISM/SM module One rack unit Blade for Cisco 1 RU appliance
for (1-RU) appliance Catalyst 6500
1941/2900/3900 Series Switches
ISR G2 (CAT6K) Up to 7
per Chassis
Interfaces or 4 x 1 Gigabit ISR G2 backplane 8xGE CAT6K backplane 2 x 10 Gigabit
Network I/O Ethernet (GE) Ethernet
Access Points 550 ISM 510, 12500 1001000 3003000
Managed SM 550
Clients Supported 500 500 7,000 15,000 30,000
Throughput 500 Mbps 500 Mbps 8 Gbps 20 Gbps 1 Gbps
# of Access Point 30 30 500 500 1000
Groups
Access Points per 25 25 25 25 50
Group
WLANs 16 16 512 512 512
Mobility Layer 2/ (L2/L3) (L2/L3) (L2/L3) L2
Layer 3
(L2/L3)
Design Considerations
Beginning in Release 5.2 of the WLC software, Control and Provisioning of Wireless Access Points
(CAPWAP) was introduced. This IETF standard is based on Cisco's proprietary Lightweight Access
Point Protocol (LWAPP) and is used to communicate between APs and the WLC. WLCs running
software prior to Release 5.2 use the LWAPP protocol for much of the same function. One of the
advantages of CAPWAP over LWAPP is the management traffic between the WLC (also known as access
controller) and the AP (also known as Wireless Termination Points or WTP) is encrypted. CAPWAP is
defined in RFC-5415 and can be found at the following URL: http://www.ietf.org/rfc/rfc5415.txt. It is
therefore recommended to ensure that all wireless deployments within healthcare environments use
version 5.2 or higher of firmware on the WLC to provide an additional layer of security for ePHI traffic.
CAPWAP provides for the configuration and management of WLAN(s), in addition to tunneling WLAN
client traffic to and from a centralized WLAN controller (WLC). Figure 12 shows a high-level diagram
of a basic centralized WLAN architecture, where lightweight APs connect to a WLC through the use of
a tunnel.

EDCS-1182127 33
Figure 12 CAPWAP and LWAPP APs Connected to a WLC
LWAPP
CA
PW
AP
LWAPP
CAPWAP
CAPWAP supported
in WLC 5.2 and higher
P
AP
LW
LWAPP
292834
Authentication
For the wireless network, user-based security is composed of authentication and encryption. Common
security mechanisms for WLAN that are considered medical grade are as follows:
Wi-Fi Protected Access (WPA PSK)Provided the PSK meets the NIST complex passphrase
recommendations and comprises a small number (<25) of devices to minimize the impact of a re-key
if the PSK becomes compromised
Wi-Fi Protected Access 2 (WPA 2 Enterprise)
Wireless networks that use Open Authentication, Wired Equivalent Privacy (WEP), or Ciscos WEP
Extension using CKIP are no longer considered medical grade because of their weak security.
Both WPA and WPA2 are defined by the Wi-Fi Alliance, which is the global Wi-Fi organization that
created the Wi-Fi brand. The Wi-Fi Alliance certifies inter-operability of IEEE 802.11 products and
promotes them as the global, wireless LAN standard across all market segments. The Wi-Fi Alliance has
instituted a test suite that defines how member products are tested to certify that they are interoperable
with other Wi-Fi Certified products.
The original 802.11 security mechanism, WEP, was a static encryption method used for securing
wireless networks. Although it applies some level of security, WEP is insufficient for securing all forms
of clinical communications. In short, WEP should not be used by any modern healthcare organization
because of the security risks that it creates. WPA is an 802.11i-based security solution from the Wi-Fi
Alliance that addresses the vulnerabilities of WEP. WPA uses Temporal Key Integrity Protocol (TKIP)
for encryption and dynamic encryption key generation by using either a pre-shared key, or
RADIUS/802.1x-based authentication. The mechanisms introduced into WPA were designed to address
the weakness of the WEP solution without requiring hardware upgrades. WPA2 is the next generation of
Wi-Fi security and is also based on the 802.11i standard. It is the approved Wi-Fi Alliance interoperable
implementation of the ratified IEEE 802.11i standard. WPA 2 offers two classes of certification:
enterprise and personal. Enterprise requires support for RADIUS/802.1x-based authentication, while
pre-shared key (personal) requires only a common key shared by the client and the AP. Although the new
Advanced Encryption Standard (AES) encryption mechanism introduced in WPA2 generally requires a
hardware upgrade from earlier versions of WLAN clients and APs, all Cisco CAPWAP and LWAPP APs
support WPA2.
The Cisco Wireless Security suite provides the user with the options to provide varying security
approaches based on the required or pre-existing authentication, privacy, and client infrastructure. The
Cisco Wireless Security Suite supports WPA and WPA2.

34 EDCS-1182127
Authentication based on 802.1x using the following EAP methods:

Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
PEAP- Generic Token Card (PEAP-GTC)
PEAP-Microsoft Challenge Authentication Protocol Version 2 (PEAP-MSCHAPv2)
EAP-Transport Layer Security (EAP-TLS)
EAP-Subscriber Identity Module (EAP-SIM)
Encryption:
AES-CCMP encryption (WPA2)
TKIP encryption enhancementsKey hashing (per-packet keying), message integrity check (MIC)
and broadcast key rotation via WPA TKIP Cisco Key Integrity Protocol (CKIP) and Cisco Message
Integrity Check (CMIC)
Support for static and dynamic IEEE 802.11 WEP keys of 40 bits, 104, and 128 bits
Wireless Control System (WCS)

The Cisco Wireless Control System (WCS) is the platform for wireless planning, configuration, and
management of wireless networks comprising multiple Wireless LAN Controllers. In addition, it
provides the tools necessary to allow network managers to design, control, and monitor wireless
networks from a central location. The WCS also supports location tracking, IPS, and WLAN systems
configuration, monitoring, and management.
With the Cisco WCS, network administrators have a solution for RF prediction, policy provisioning,
network optimization, troubleshooting, user tracking, security monitoring, and WLAN systems
management. Graphical interfaces make wireless LAN deployment and operations simple and
cost-effective. Detailed trending and analysis reports make Cisco WCS vital in supporting ongoing
network operations.
Cisco Prime NCS

Cisco Prime Network Control System (NCS) provides converged user, access, and identity management
across both wired and wireless networks. This product is ideally suited to healthcare environments that
are adopting a BYOD strategy by providing a single pane of glass to manage users in a consistent manner
on both wired and wireless networks. Designed with users and their mobile devices in mind, Cisco Prime
NCS speeds network troubleshooting by giving IT complete visibility into connectivity, regardless of
device, network, or location. Deep integration with the Cisco Identity Services Engine (ISE) further
extends this visibility across security and policy-related problems, presenting a complete view of client
issues with a clear path to solving them. To aid in IEC-80001 compliance, Cisco Prime NCS is ideally
suited to manage the full lifecycle management of Cisco wireless LAN infrastructure with specific focus
on the deployment and management of branch networks.
The platform provides complete WLAN services management, supporting:
Cisco CleanAir technology, a systemwide capability of the Cisco Unified Wireless Network
providing proactive, high-speed spectrum intelligence to combat performance problems because of
RF interference
Cisco ISE integration, which allows for visibility into user and endpoint attributes, their posture, and
profiling information for both wired and wireless clients

EDCS-1182127 35
Integration with the Cisco Mobility Services Engine (MSE), which enables Cisco Context-Aware
Software for real-time location tracking and local services discovery, along with Cisco Adaptive
Wireless IPS (wIPS) Software for detection, containment, and location of security threats
Mobility Services Engine (MSE)

The Cisco 3300 Series Mobility Services Engine (MSE) is an appliance-based platform for delivering
mobility services in a centralized and scalable fashion across wired and wireless networks. The MSE
supports an open API for easy integration with enterprise and mobile applications, as well as the
development of industry-relevant services. The MSE currently supports:
Cisco Context-Aware SoftwareProvides real-time network visibility and asset management for
Wi-Fi clients, tagged assets, and wired devices. Organizations gain critical business intelligence to
improve workflow, troubleshoot mobile clients, and quickly locate rogue devices and interferers.
Cisco Adaptive Wireless Intrusion Prevention System (IPS) SoftwareDetects and reports on the
full range of 802.11 attacks, providing advanced forensics for threat analysis and prevention.
Customers can maintain constant awareness of their RF environment to minimize legal liability,
protect brand reputation, and assure regulatory compliance-including PCI 2.0 standards.
The platform also provides:
Intelligence within the network to solve business problems, and the flexibility to provide for
evolving needs
Integration with Cisco CleanAir Technology, which enables crucial forensics and policy
enforcement capabilities to create a self-healing, self-optimizing network
An open API based on Simple Object Access Protocol (SOAP) and XML for enterprise and mobile
application development with a broad partner ecosystem
Campus Design Considerations

The MGN architecture defines best practices as applied to both wired and wireless deployments in a
converged network. This architecture can be applied towards a campus design and used more specifically
in the following settings:
Acute care facility
Large hospital
Figure 13 shows a typical acute care campus environment.

36 EDCS-1182127
Figure 13 Acute Care Campus
Access
Portable
TelePresence
Ultrasound
Smart
Infusion
Pump
North Access 1 Distribution/Aggregation
NAM3
Clinical LWAPP
Workstation Stack Master
Network
Analysis Identity
Module Sevices
8o2.11n
Cisco AP Engine
South Access 1 Multi-Node Campus Core
7925G
Nx 10G
Nursing 10G
Point of Station
Sale G
10 Nx
Device 10
G
G
10
Nx
South Access 2 10
Nx
G
CT/MR 10G
8o2.11n North Access 2

AP
LWAPP
Cisco
Stack Master Prime NCS
Wireless LAN
Controller(s)
CoW RFID
Tag IP
Medication
Administration Cart Patient
292835
Monitor
Most acute care environments require deployment of wireless networks on a large scale, and such
large-scale deployments must be managed centrally. In multiple WLC environments, the use of
Cisco Wireless Control System (WCS) is recommended along with Cisco Prime NCS.
The WLC is generally used in a CAPWAP, provided that the WLC is running version 5.2 or higher,
which is recommended. Association or authentication of wireless clients is done by the WLC.
Access points register themselves with a WLC and tunnel all the management and data packets to
the WLCs, which then switch the packets between wireless clients and the wired portion of the
network. All the configurations are done on the WLC. LAPs download the entire configuration from
WLCs and act as a wireless interface to the clients.
In the acute care setting, choices of WLC vary depending on overall building size, number of access
points and their location, and centralized management approach.
To facilitate the influx of BYOD devices, many healthcare organizations are deploying the Cisco
Identity Services Engine (ISE) to enable profiling of devices and streamlining the provisioning
process of these devices to authorized wired and wireless users.

EDCS-1182127 37
Branch Design Considerations

The MGN architecture can be applied towards a branch design (see Figure 14). These design principles
are used to enable the following settings:
Ambulatory care facility
Clinics
Small physicians office
Figure 14 Branch Office
Ambulatory Care
Portable
Ultrasound
Cisco Clinical
7925G Workstation
User PC with
Desktop UC
Client
To WAN Edge
at Main Campus
ISR with Integrated
Firewall, 802.11 AP
and WAE EHR
292847
Application
In larger ambulatory care facilities, an ISR G2 is generally used to provide WAN termination and VPN
backup services. The Wireless LAN Controller Module for the ISR G2 can be used to provide local WLC
functionality in the event that a centralized WLC strategy is not used. For smaller remote clinics, the use
of a centralized WLC hosted at the affiliated Healthcare Delivery Organization data center is a common
deployment strategy. As discussed previously, the LAPs by default tunnel all the traffic back to the
WLC, which in most cases is not an optimal design choice. Instead, local traffic can be locally switched
to the Ethernet port on the AP by enabling FlexConnect (called FlexConnect previous to release 7.2) on
the remote SSID/AP. This ensures that wireless traffic generated at the remote facility and destined for
a local server or printer, for example, does not traverse the WAN unnecessarily. All the advantages of a
centralized security policy along with CleanAir and intrusion services are still available. (See Figure 15.)
Note FlexConnect and FlexConnect require that the total round trip time (RTT) does not exceed 100 ms for
voice deployments and 300 ms for data-only deployments.

38 EDCS-1182127
Network Management Tools
Figure 15 Central Corporate Site and Remote Branch Office
Healthcare Delivery Organization
Cisco
Prime NCS
Local Resources
WCS
CAPWAP
WAN Control
Link
Si
Backend
Security Central Trunk or Practice
Controllers Centrally Access
Services Switched Management
Ports System
Medical Client Data
Office LWAPP LWAPP Locally
Building
Switched
Client Data
FlexConnect APs
Wireless Guest Clinical
292836
Internet User Wireless User

As caregivers become reliant on mobile communications devices and biomedical devices migrate to
wireless networking, the wireless LAN becomes a mission-critical component of the healthcare
infrastructure. There is probably no other industry that uses the range of wireless endpoints with their
own unique requirements as healthcare. The data streams from any of these endpoints could potentially
contain electronic Protected Healthcare Information (ePHI) requiring protection, both by encryption and
detecting and eliminating rogue users. At the same time, the physical structure contains its own
challenges. There may be multiple floors and a combination of old and new structures with some rooms
shielded and a requirement of roaming throughout for the mobile communications devices. The Cisco
WCS was covered in the previous section. This section focuses on some additional tools and techniques
to manage the wireless infrastructure.
Rogue AP Detection
Electronic Protected Healthcare Information (ePHI) and other proprietary information traverse the
healthcare network. This information must be protected from being viewed by unauthorized individuals.
The simplest threat vendor for a hacker is a rogue access point or ad-hoc network. A rogue AP is any AP
that is not part of the enterprise infrastructure and therefore does not have the required security
mechanisms in place. Rogue APs may be intentionally introduced by a hacker plugging an AP into the
network infrastructure with no security, or security controlled by the hacker. This requires physical
access to the network infrastructure. Rogue APs or ad-hoc networks may also be unintentionally
introduced into the network when an employee plugs their own AP or enables an ad-hoc network with
the intention of sharing a wireless printer. This AP or ad-hoc network may be discovered and exploited
by a hacker, providing them with access to other protected resources.

EDCS-1182127 39
The Cisco Unified Wireless Networking solution provides the means to locate and isolate rogue APs and
ad-hoc networks.
The first means of detection is observing/sniffing beacons and 802.11 probe responses. The system may
use the standard APs used to transport user traffic, or dedicated APs that transport no traffic but are
dedicated to scanning for rogue APs. Either model allows the capture of information on ad-hoc and rogue
clients. For more details on Air/RF detection, see the Wireless Security Design Guide at
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html.
The location feature of the WCS then uses the detected RF characteristics and known properties of the
managed RF network to provide a floor plan indicating the approximate location of a rogue AP. An
example of this is shown in Figure 16. The floor plan shows the location of all legitimate APs and
highlights the location of a rogue AP using the skull-and-crossbones icon, as shown in Figure 16.
Figure 16 Rogue AP Mapping
For more information on the Cisco Unified Wireless Location features, refer to the following URL:
http://www.cisco.com/en/US/products/ps6386/index.html
In cases where the detection mechanism described above is not effective (such as in branch offices that
contain only a few APs or where accurate floor plan information is not available), the Cisco Unified
Wireless network provides several mechanisms for tracking/correlating the rogue device to the wired
network. When an unknown AP is detected, it must be determined whether the AP is a rogue or an AP
on an adjacent network. The first means of detecting this is by deploying rogue detector APs, which are
APs that have the transmit side of the radios turned off. These APs then listen to the wired network for
Address Resolution Protocol (ARP) packets that include the MAC address of the suspected rogue. When
the ARP is detected, it verifies that the suspected rogue is in fact connected to the wired network. To be
effective at capturing ARP information, the rogue AP detector should be connected to all available
broadcast domains using a Switched Port Analyzer (SPAN) port because this maximizes the likelihood
of detection.

40 EDCS-1182127
If a rogue client resides behind a wireless router (a common home WLAN device), their ARP requests
are not seen on the wired network, so an alternative to the rogue detector AP method is needed.
Additionally, rogue detector APs may not be practical for some deployments because of the large number
of broadcast domains to be monitored (such as in the main campus network).
The Rogue Location Discovery Protocol (RLDP) option can aid in these situations. In this case, a
standard LAP, upon detecting a rogue AP, can attempt to associate with the rogue AP as a client and send
a test packet to the controller, which requires the AP to stop being an active AP and to go into client
mode. This action confirms that the rogue AP in question is actually on the network, and provides IP
address information that indicates its logical location in the network. Given the difficulties in
establishing the location data in branch offices and the likelihood of their being located in multi-tenant
buildings, rogue AP detector and RLDP are useful tools that augment location-based rogue AP detection.
Finally, a mechanism is provided to prevent clients from connecting to the rogue AP. Rogue
AP-connected clients, or rogue ad-hoc connected clients, may be contained by sending 802.11
deauthentication packets from local APs. This should be done only after steps have been taken to ensure
that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring WLAN.
To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC address
can be compared with MAC addresses collected by the AAA during 802.1X authentication. This allows
the identification of possible WLAN clients that may have been compromised or users that are not
following security policies.
Rogue AP detection, however, is not limited to that of a dedicated sensor-only rogue AP detector.
Instead, Cisco APs can channel scan during brief cycles to listen for rogue networks. During the time
when an AP is off channel scanning, associated wireless clients may transmit a frame to the AP that is
not received at that point in time. This situation is often misunderstood as resulting in a dropped frame.
In reality however, the PHY layer of the wireless NIC will retransmit the frame, ensuring that at the
upper protocol layers (IP, UDP, TCP, and so on) do not encounter a dropped packet. This is a key concept
to understand, especially when deploying certain classes of medical devices.
Note In the event that a medical device vendor requires that channel scanning be disabled, the healthcare
delivery organization must comply. To mitigate the security risk of rogue networks, the healthcare
delivery organization can mitigate that risk and remain compliant to the medical device vendor by
implementing sensor-only APs in those areas specified.
For more details on Rogue AP detection and isolation, see the Wireless Security Design Guide at
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html
Auto RF
Radio Resource Management (RRM), also known as Auto-RF, can adjust the channel (dynamic channel
assignment) and power (dynamic transmit power control) to maintain the RF coverage area. It adjusts
the power level of the AP to maintain a set baseline signal strength with neighboring APs. The default
signal strength depends on the software version, and this value is configurable. It adjusts the channel of
the AP when it notices nearby interference sources on the channel on which the AP is currently located.
It continues to optimize the RF coverage for the best reception and throughput for the wireless network.
RRM understands that the RF environment is not static. As different RF affecting variables change
(people in the room, amount of devices stored in the facility, leaves on trees for outside deployment,
interference from different RF sources, and so on), the RF coverage adjusts to these variables and
changes with them. Because these variables change continuously, monitoring for the RF coverage and
adjusting it periodically is necessary.

EDCS-1182127 41
The five major functions of RRM are as follows:

Dynamic channel assignment
Interference detection and avoidance
Dynamic transmit power control
Coverage hole detection and migration
Client and network load balancing
Dynamic Channel Assignment

The 802.11 MAC layer uses Carrier-Sense Multiple Access/Collision Avoidance (CSMA/CA). With
CSMA/CA, two APs on the same channel (in the same vicinity) get approximately half the capacity of
two APs on different channels because of the shared wireless channel. This is caused by the 802.11 MAC
sensing that the channel is busy, and deferring sending frames until the channel has become free. If the
802.11 MAC defers traffic that is not part of its own AP cell, this is considered interference. Interference
from another AP on the same channel is commonly called co-channel interference, and is to be expected
in most 2.4 GHz 802.11 deployments, because there are insufficient non-overlapping channels to prevent
some channel overlap from occurring. One of the goals of design, planning, and dynamic radio
management is to minimize the amount of co-channel overlap, which minimizes co-channel interference
and therefore maximizes AP traffic capacity. The Cisco Unified Wireless Network addresses this
problem and other co-channel interference issues by dynamically allocating AP channel assignments to
avoid conflict. Because the WLC, or a designated WLC (RF Group Leader), has system-wide visibility,
it can control how channels are reused to minimize co-channel interference.
The WLC examines a variety of real-time RF characteristics to efficiently handle channel assignments,
including the following:
NoiseThis limits signal quality at the client and AP, and can vary in range and periodicity. There
are numerous potential types and effects of interference. An increase in noise reduces the effective
cell size. The WLC, at regular intervals, reassesses the RF environment of an AP, and optimizes
channel selection to avoid noise sources while still maintaining overall system capacity. Channels
that become unusable because of excessive noise can be avoided. If other wireless networks are
present, the WLC shifts its channel usage to complement the other networks. For example, if one
network is on Channel 6, the adjacent WLAN is assigned Channel 1 or 11. This increases the
capacity of the network by limiting the sharing of frequencies. If a channel is used so much that no
capacity is available, the WLC might choose to avoid this channel.
Client loadClient load is taken into account when changing the channel structure to minimize the
impact on the clients currently on the WLAN system. The WLC periodically monitors the channel
assignment in search of the best assignments. Change occurs only if it significantly improves the
performance of the network or corrects the performance of a poorly performing AP.
The WLC combines the RF characteristic information to make system-wide decisions. The end result is
an optimal channel configuration in a three-dimensional space, where APs on the floor above and below
factor into an overall WLAN configuration.
Interference Detection and Avoidance

Interference (as it pertains to a Cisco Unified Wireless deployment) is defined as unwanted RF signals
in the same frequency band that can lead to a degradation or loss of service. These signals can either be
from 802.11 or non-802.11 sources such as certain microwave ovens or many cordless phones. It can, in

42 EDCS-1182127
certain instances, also include various sources of electromagnetic interference (EMI) such as arc welders
or federal/military radar facilities. APs are constantly scanning all channels looking for major sources
of interference.
If the amount of 802.11 interference hits a predefined threshold, the WLC attempts to rearrange channel
assignments to optimize system performance in the presence of the interference. This might result in
adjacent APs being on the same channel, but logically this represents a better scenario than staying on a
channel that is otherwise totally unusable because of an interfering AP.
For example, the WLC can respond to a rogue AP on channel 11 by shifting nearby APs to channel 1 or
channel 6.
Dynamic Transmit Power Control

Appropriate AP power levels are essential to maintaining a coverage area, not only to ensure correct (not
maximum) amount of power covering an area, but also to ensure that excessive power is not used, which
would add unnecessary interference to the radiating area. AP power settings are also used to control
network redundancy by helping to ensure real-time failover in the event of the loss of an AP. The WLC
is used to dynamically control the AP transmit power level based on real-time WLAN conditions. In
normal instances, power can be minimized to gain extra capacity and reduce interference among the APs.
RRM attempts to balance APs so that they see their neighbors at -65 dBm. If an AP outage is detected,
power can be automatically increased on surrounding APs to fill the coverage gap created by the loss of
the AP.
RRM algorithms are designed to create the optimal user experience. For example, if the power of an AP
is turned down to Level 4 (where level 1 = highest and level 8 = lowest) and the received signal strength
indicator (RSSI) value of a user drops below an acceptable threshold, the AP power is increased to
provide a better experience to that client. When Dynamic Transmit Power Control (DTPC) is enabled,
the access points add channel and transmit power information to beacons. Client devices using DTPC
receive the information and adjust their settings automatically.
Coverage Hole Detection and Correction

The coverage hole detection and correction algorithm is aimed at determining coverage holes based on
the quality of client signal levels and then increasing the transmit power of the APs to which those clients
are associated.
The algorithm determines whether a coverage hole exists when client SNR levels pass below a given
SNR threshold. The SNR threshold is considered on an individual AP basis and based primarily on the
transmit power of each AP.
When the average SNR of a single client dips below the SNR threshold for at least 60 seconds, this is
seen as an indication that the WLAN client does not have a viable location to which to roam. The AP
transmit power of that client is increased, correcting the coverage hole.
Client and Network Load Balancing

The IEEE 802.11 standard does not define the process or reasons for client roaming, and therefore it
cannot be easily predicted what clients will do in any given situation. For example, all users in a
conference room can associate with a single AP because of its close proximity, ignoring other APs that
are farther away but with greater free capacity.

EDCS-1182127 43
The WLC has a centralized view of client distribution across all APs. This can be used to influence where
new clients attach to the network if there are multiple good APs available. If configured, the WLC can
proactively use AP probe responses to guide clients to the most appropriate APs to improve WLAN
performance. This results in a smooth distribution of capacity across an entire wireless network. Keep
in mind that this load balancing is done at client association, not while a client is connected.
ClientLink
Although medical-grade wireless networks in healthcare have transitioned to 802.11n technology, many
networks will continue to support a mix of 802.11a/g and 802.11n wireless clients. Because these legacy
802.11a/g devices operate at lower data rates, the older clients can reduce the throughput capacity of the
entire wireless network because they are slow talkers. Cisco ClientLink technology solves this problem
by making sure that 802.11a/g clients operate at the best possible data rates, especially when they are
near cell boundaries.
Most 802.11n solutions offer improvements in the uplink communication from client to access point by
leveraging the reflected signals that bounce off of walls and other solid objects and combining them in
real time in an additive manner. Cisco ClientLink technology is unique in that it offers uplink
improvements as well as downlink communication from access point to client. By leveraging the beam
forming technology found in 802.11n MIMO APs, Cisco ClientLink is able to improve signal strength
in the downlink path (AP -> client) by taking advantage of these reflected signals. The result is an
improved downlink throughput of the legacy 802.11a/g clients, which improves the connectivity for not
only for the legacy clients, but also for all other clients on the network. The result is a more reliable
roaming experience and increased capacity of the network for all wireless clients.
Cisco has achieved this advancement by adding advanced signal processing into the Wi-Fi chipset.
Multiple transmit antennas are used to focus transmissions in the direction of the 802.11a/g client. The
result is an increase in the downlink (AP -> a/g client) signal-to-noise ratio and the data rate over range,
thereby reducing coverage holes and enhancing the overall system performance.
This technology essentially learns the optimum way to combine the signal received from a client, and
then uses that information to send packets in an optimum way back to the client. This technique is also
referred to as multiple-input multiple-output (MIMO) beamforming, transmit beamforming, or
cophasing, and it is the only enterprise-class solution on the market that does not require expensive
antenna arrays. Independent testing of Cisco ClientLink by Miercom labs has shown that the technology
increases throughput by up to 65 percent for existing 802.11a/g client devices connecting to a Cisco
802.11n network. The solution also increases the total available channel capacity by up to 27 percent
because of the resulting increase in throughput speed for 802.11a/g client devices.
The use of ClientLink therefore improves the overall availability and performance of the wireless
network. For converged medical IT-based wireless networks, ClientLink is a medical-grade tool that can
be used mitigate the risk associated with poor coverage areas, or areas temporarily affected by
interference. Healthcare organizations are encouraged to implement ClientLink whenever possible to
improve overall availability and reduce possible risk associated with poor coverage or oversubscribed
mixed environments.
Band Select
The Cisco best practice recommendation for clinical data is to migrate clinical users to the 5 GHz
spectrum. This recommendation is the same for all mission-critical services inclusive of voice. The
strategy for this recommendation is sound and centers around a number of considerations including the
lower noise levels encountered because of the lack of consumer-based devices within this space, the
large number of channels resulting in lower probability of co-channel interference, and so on.

44 EDCS-1182127
With the advent of BYOD devices into the healthcare environment, the problem of dual-mode (2.4 and
5 GHz) devices prefer the 2.4 GHz space. Unless each device is manually configured to disable the 2.4
GHz radio, or the SSID is made available only on the 5 GHz band, chances are high that they will
associate to the 2.4 GHz space. This is because a dual-mode radio (2.4/5 GHz) sends two discovery
probes searching for wireless services being offered. An access point with Band Select disabled responds
with a probe response on both the 2.4 and 5 GHz band as soon as they are received. If the 2.4 GHz probe
request is sent out first by the wireless client, it is likely to receive a probe response from the 2.4 GHz
side of the AP first.
Band Select if enabled delays the 2.4 GHz response by a few milliseconds and allows the 5 GHz response
to be received by the wireless client first. This induced delay allows the wireless client to associate to
the 5 GHz side of the AP, reaping all the benefits of the 5 GHz spectrum with the network administrator
needing to manually configure each device.
It is recommended to enable Band Select to further enhance the wireless connectivity afforded in the 5
GHz band. Enabling the feature does not disable the 2.4 GHz probe responses, nor does it negatively
impact legacy 2.4 GHz only devices.
Healthcare Caveats
Although there are many benefits to Radio Resource Management (RRM), care should be taken when
deploying RRM in the healthcare environment. For example, the client-side support for Dynamic
Transmit Power Control (DTPC) requires a minimum of CCX 2.0 for the wireless client to effectively
participate in DTPC. Because most medical devices typically have a very long life cycles, they may have
limited wireless functionality in this area. If enabled, RRM may modify the characteristics of the
network and could result in the endpoint being able to receive but have insufficient power to
communicate with the access point. (See Figure 17.)
In all cases, the healthcare delivery organization is encouraged to identify the supported configuration
for wireless operation from the medical device vendor. By collecting this information during the
planning phases of a wireless network or wireless medical device deployment project, the healthcare
delivery origination can be assured that their wireless infrastructure will meet the requirements set forth
by the medical device vendor.
Figure 17 Dynamic Transmit Power Control
LWAPP
292837
100mW 5mW
RF Spectrum Management
In the healthcare environment, wireless interference may come from a range of unintentional sources,
from Bluetooth headsets to microwave ovens, wireless phone, wireless cameras, personal Wi-Fi devices,
or intentional interference from jammers. A few documented instances include 2.4 GHz wireless DECT
phones installed by nurses who did not like the wireless communications device the hospital provided,
medical devices using 802.11FH that needed code updates, and 2.4 GHz security cameras installed in a
hospital without notifying IT. Figure 18 shows examples of interference.

EDCS-1182127 45
Figure 18 Typical Wireless Interference
The snapshots shown in Figure 18 show examples of common RF-based interference. The
Cisco CleanAir and Spectrum Expert technologies intelligently identify the type of interference
(microwave oven, DECT phone, Bluetooth, and so on) and allow the network administrator to locate and
isolate the source of interference in the unlicensed 2.4-GHz and 5-GHz bands.
Cisco CleanAir technology is embedded in the Cisco 3500 and 3600 lightweight access points and
accessible from the WLC, Cisco Wireless Control System (WCS), and Cisco Prime NCS.
The Cisco Spectrum Expert Wi-Fi (see Figure 19) includes the following components:
Cisco Spectrum Expert Wi-Fi sensor
Cisco Spectrum Expert software
Cisco Spectrum Expert antenna
The Cisco Spectrum Expert Wi-Fi sensor is a sensor in CardBus card form factor for notebooks. It is
supported on Microsoft Windows-based laptops and delivers comprehensive spectrum intelligence. It is an
excellent tool when used in conjunction with Cisco CleanAir and allows the wireless network administrator
to further diagnose and locate illusive sources of interference. Using Spectrum Expert in conjunction with
Cisco CleanAir, the network administrators can streamline wireless network troubleshooting with better
visibility into the RF spectrum.

46 EDCS-1182127
Figure 19 Cisco Spectrum Expert Wi-Fi Application and Cardbus Product (Laptop not included)
The Cisco Spectrum Expert provides a wide range of information on the RF Spectrum under analysis
including channel utilization, interference power, graphs of active devices, real time FFT, FFT duty
cycle, sweep spectrograms, and information on the interfering device. The Cisco Spectrum Expert
product may be used standalone or integrated with Cisco WCS in addition to Cisco CleanAir. (See
Figure 20). Information from multiple Cisco Spectrum Expert Sensors and CleanAir enabled APs may
be combined in this solution to provide a complete view of spectrum usage.
Note Cisco Spectrum Expert is typically used as a spot check utility and is extremely useful tool in the overall
troubleshooting phase. For complete RF spectrum management in a medical-grade wireless network, the
deployment of CleanAir-based access points that provide continuous monitoring and reporting of the
overall RF spectrum is strongly suggested.

EDCS-1182127 47
Remote Office Wireless
Figure 20 Cisco Spectrum Intelligence Solution
Cisco Wireless
Control System
(WCS)
Cisco Wireless LAN Controller
LAN/WAN Wireless/Wired
Network Network
Cisco
Access Points Cisco Spectrum
with CleanAir Expert Sensors
292838
Cisco Detected Incompatible, Interfering or Rogue Devices

The need for secure wireless connectivity does not end within the acute care environment. Within the
physicians practice as well as clinics, providing a wireless architecture with all the same robust security
architectures found within the hospital setting.
A growing trend world-wide is to extend the wireless security model and the overall wireless
management to clinics and practices affiliated with the healthcare system. There are multiple reasons for
this trend, but first and paramount is that of security. Today, many clinics and physician practices have
connectivity to the main hospital(s) to which they are associated. This connectivity provides access to
lab reports, EHR, e-mail, and scheduling systems.
This section focuses on the overall architecture needed to provide robust wireless within the ambulatory
care environment using a centralized security and management model.
Providing Remote Wireless Services

With Cisco's Unified Wireless architecture, there are three methods of operation for 802.11 access
points. The first is commonly referred to as autonomous mode. In autonomous mode, the AP does not
require the WLC to operate. This approach, while not optimal, does provide wireless services and may
be used when the number of access points in the management domain is small (typically < 5).

48 EDCS-1182127
In autonomous mode, each access point contains an operating system (IOS) that allows the access point
to execute the configuration stored within the access point. This configuration contains the security
mechanism for each of the WLANs (or SSIDs) configured along with power, channel, and other
operating parameters and configured.
For those clinics and physician's offices that do not have connectivity back to its parent and supporting
healthcare system, autonomous mode makes sense for deployments that contain less than five access
points. In this case, the wireless configuration must be manually managed and may occasionally require
onsite visits from the supporting staff to upgrade the IOS or implement configuration changes.
A better approach over that of autonomous mode is the OfficeExtend Access Point architecture (see
Figure 21). In this approach, the APs create an encrypted DLTS VPN tunnel between the access point
and a centralized WLC using the Internet to provide connectivity. The benefits of this approach is that it
provides centralized management without requiring each remote office to install and maintain a WLC.
Figure 21 OfficeExtend Access Point Architecture
Corporate Secure Transfer of

Device PHI Data
DTLS VPN
Hospital Hospital
WLAN Network
LWAPP
Locally Internet
Defined Broadband
WLAN OfficeExtend Modem Wirelless LAN
Router
AP Controller
e.g. Linksys
227877
Practive Management
System, EMR, local resources
For sites that have connectivity to the supporting healthcare system either through a WAN or VPN
connection, the centralized CAPWAP or LWAPP architecture is preferred. This strategy is inclusive of
not only clinics and private practices, but may also extend into the physicians home provided that VPN
access is also managed to the healthcare system.
Security
Security is a primary concern when it comes to providing remote wireless solutions. Wireless security
should not only refer to authentication and encryption, but should also include controlling management
access to the wireless and securing the wireless client.
Because all physician practices typically involve the transmission of private patient information, the
approach to security must be taken as a serious consideration for all such deployments. In the United
States, HIPAA requires that best practices be used by all Covered Entities (CE) to safeguard what is
commonly referred to as protected health information (PHI). In other countries, various regulatory
bodies mandate similar safeguards be in place for the protection of private healthcare information.
With the U.S. Senate approval of the American Recovery and Reinvestment Act of 2009, it is widely
anticipated that the adoption of electronic health record (EHR) systems will increase dramatically. With
each of these systems deployed within private practices and clinics, the need to extend enterprise-class
security services for both wired and wireless is necessary.

EDCS-1182127 49
To ensure that ePHI is not exposed, the use of WPA2 Enterprise should be implemented on all clinical
networks. The use of WPA-TKIP may provide adequate protection today, but it is expected to be
outdated in the near future. The use of WPA Personal or WPA2 PSK may be used provided that each
PSK is used in 25 or less devices and the passphrase used conforms to the NIST recommendations for
strong password management. The problem that many healthcare organizations have encountered with
the use of WPA/WPA2 PSK is when a PSK is compromised, either through the theft of a device or
through the loss of an employee. When this occurs in environments with a large number of medical
devices deployed, a compromise requires that each device be manually re-keyed. This process is both
extremely time consuming and may be disruptive to the set of devices using the compromised PSK.
Again, to reduce the risk it is recommended that PSK not be used on an critical deployments or in
deployments where the number of devices and/or users is < 25. WPA2 Enterprise offers a much better
solution that scales well and eliminates the need to rekey each device because each device/user has a
unique userid and password.
In addition, and generally a good practice, all web-based EHR systems should employ the use of SSL to
protect the data that traverses the wired network. Although not absolutely necessary, it does provide
another level of encryption and improves the overall security posture of the network.
Note Computer scientists in Japan have developed a mechanism in which it is claimed that WPA-TKIP can be
compromised in a few minutes. Given this possible venerability, it is recommended that all wireless
access to clinical systems employ the use of WPA2 Enterprise, which uses the AES cryptographic
algorithm and is considered highly secure. For more information, refer to the following URLs:
http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html
http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%
20on%20WPA.pdf
FlexConnect
FlexConnect, formerly Hybrid Remote Edge Access Point (FlexConnect), provides local wireless access
to network resources within a remote office such as a physician practice or clinic (see Figure 22). At the
same time, continuous remote management, configuration, and monitoring of the wireless infrastructure
is provided to a central location, providing real-time administration services.
The FlexConnect local-switching architecture provides healthcare systems that provide managed
wireless services to remote clinics and offices the ability to extend the organizations approved security
model for wireless connectivity directly to the remote location through the use of a private WAN or
VPN-based technology. In doing so, wireless users within the remote office are provided with secure
wireless access to resources that are local within the office without the need to traverse the WAN or VPN.
Examples include EHR or practice management systems operated by the practice, wireless voice
services, guest wireless, file storage, and printer resources.
Note Starting in Release 7.2 of the Wireless LAN Controller software, FlexConnect has been renamed to
FlexConnect.

50 EDCS-1182127
Figure 22 FlexConnect Local Switching Architecture
Parent Healthcare System

Health System Cisco
EHR (Electronic Prime NCS
Health Record)
Local Resources
WCS
VPN
CAPWAP or
LWAPP Control Cisco
7925G
Private
WAN Si
Backend
Security Central Practice
Centrally Trunk or EHR
Services Controllers Management
Switched Access
Remote Client Data Port System
Practice/
Clinic LWAPP LWAPP Locally
Switched
Client Data
FlexConnect APs
Wireless Guest Local Clinical
292839
Internet User Wireless User
Wireless user authentication with FlexConnect deployments operate in one of the two switching modes
and three authentication modes.
Switching Modes
The following are the switching modes:
Local switchedLocal-switched WLANs map wireless user traffic to discrete VLANs via 802.1Q
trunking, either to a router or switch. One or more WLANs can be mapped to the same local 802.1Q
VLAN. All wireless control traffic is tunneled back to the centralized controller separately via a
CAPWAP tunnel.
Central switchedCentral switched WLANs tunnel both the wireless user traffic and all control
traffic to the centralized controller where the user traffic is mapped to an interface or VLAN on the
controller.
Authentication Modes
The following are per-WLAN authentication modes:
Authentication centralThese are WLANs that require 802.1x, VPN, or web-based authentication
services. All authentication requests are sent across the CAPWAP tunnel to the central WLAN
controller and to the supporting RADIUS server for authentication services.

EDCS-1182127 51
Authentication localIncludes WLANs that use open, static, WEP, or WPA PSK methods for
authentication. FlexConnect handles these locally, if the WAN link is down; otherwise, these are
handled by the WLC in conjunction with the RADIUS server.
Authentication down802.1x, VPN, or web authentication is unreachable because of the
FlexConnect-based AP is operating in standalone mode.
To provide access to the local resources located at the clinic or physician practices, it is recommended
that local switching mode is used on the WLAN/SSID used by authorized office staff. In this mode, all
traffic generated by the local office staff is sent to the local LAN without the need to traverse the tunnel
to the central WLAN controller. See Figure 23.
Figure 23 Authentication for Authorized Office Staff
Clinic or Physician Practice Parent Healthcare System

New Identity Cisco Cisco
WCS Prime NCS
User EHR/Practice Sevices ACS
Management Engine s
FlexConnect
Standalone 802.1x
Mode
User Data LWAPP
dot1q
VPN/Private
Local Switched User Data
Centralized
Existing CAPWAP Control
292840
WLAN Controller
User
Local Auth
Local Switched Data
CAPWAP Control
For guest users, however, it may be desirable to configure the guest services WLAN/SSID to traverse
the WLAN and use many of the guest-based authentication services. The wireless guest is often
presented with a set of acceptable use policies (AUP) that must be agreed to before permitting access to
the Internet. By using the AUP-based authentication service available on the WLC and other such
services including rate limiting, wireless guests have the same experience within the clinic as they do
within the hospital. (See Figure 24.)

52 EDCS-1182127
Figure 24 Authentication for Guests
Clinic or Physician Practice Parent Healthcare System

EHR/Practice Healthcare WCS
Patient/Guest Management System EHR
Internet
Office
H-REAP
Staff dot1q
LWAPP Guest WLAN
Anchor Controller
VPN/Private
227824
Guest CAPWAP or LWAPP Tunnel
Note For data-only based FlexConnect deployments, total RTT cannot exceed 300 ms.
Voice
FlexConnect deployments are able to support Voice-over-Wireless LAN (VoWLAN) services. In many
remote offices, either a Cisco Unified Communication Manager Express (Unified CME) or Unified
Communications 500 series (UC-500) are typically deployed where up to 240 or 50 phones respectively
are required. Total RTT between the centralized WLC and the FlexConnect APs cannot exceed 100 ms
for deployments requiring voice services.
Standard RF considerations for voice must be followed, and are documented in the Cisco Unified
CallManager Express Solution Reference Network Design Guide available on at the following address:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/cmesrnd.html
Note Both the UC-500 and an ISR used for CME have the capabilities for integrated 802.11 wireless,
FlexConnect is not supported on these hardware platforms. The only supported wireless architecture
supported on these platforms is IOS autonomous mode.
Rogue Detection and Radio Resource Management (RRM)

Because many remote deployments have only a small handful of FlexConnect-enabled APs, full Radio
Resource Management (RRM) functionality might not be supported at each FlexConnect site. Full
support of the RRM services is available with FlexConnect, but the transmit power control (TPC)
algorithms are not triggered until four or more access points are within range of each other.
Therefore, some FlexConnect installations might never adjust the transmit power of their radios. This is
because RRM requires four or more access points within the same administrative domain are within
range of each other. In many FlexConnect installations, the number of access points deployed does not
exceed three and therefore full RRM capabilities might not be available.

EDCS-1182127 53
Outdoor Wireless
Rogue access point detection is disabled when an FlexConnect access point enters standby mode. A
standby mode is when connectivity between the access point and the WLC is disrupted. Furthermore, in
standby mode, neighbor discovery, interference, channel load, path loss and coverage measurements,
rogue containment, and intrusion detection are disabled. These features are disabled because the access
point is no longer able to send these metrics to the WLC. Additional information can be found in the
Mobility Services Engine - Context Aware Mobility Solution Deployment Guide found at the following
URL: http://www.cisco.com/application/pdf/paws/107571/mse-cams-guide.pdf
Outdoor Wireless
Wireless is pervasive in our society today. Within healthcare, in-building wireless services are
commonplace to allow healthcare workers to improve their efficiency and collaboration. What is not
often considered is extending the 802.11-based wireless infrastructure to the outdoor environment.
A number of use cases can support the deployment of outdoor wireless, and healthcare delivery
organizations can adopt a phased approach in their deployment plans. One of the first steps in support
of outdoor wireless is within the campus environment. There are often a number of buildings within a
few city blocks that support the healthcare system. Physicians who are on-call or simply performing
rounds each morning often walk between various buildings and parking garages. Providing secure and
reliable 802.11-based services within this outdoor space improves their access to clinical systems as well
as the overall care team involved with their patient within their care.
Common spaces and garages are an excellent starting point to support voice and virtualized desktop
services. Expanding this coverage to more public areas such as streets that connect the buildings would
be a second logical step in providing pervasive coverage. The final step is in providing coverage within
a few miles of the healthcare system along major roads that are used by first responders and EMS care
teams. By providing coverage in these areas, care teams can improve their collaboration capabilities
raising the situational awareness of the receiving Trauma and Emergency departments.
Mesh Architecture
Physical network connectivity is often the first hurdle in providing coverage to large remote areas. Many
garage and courtyards were not designed with the intention of extending IT and/or biomedical services.
By employing outdoor mesh access points, healthcare delivery organizations can extend coverage using
wireless RF as the back haul. The Cisco outdoor wireless mesh solutions offer the following main
features:
Award-winning 802.11n technology with integrated RF intelligence for optimized performance and
RF mitigation
Exceptional levels of enterprise security with an intrusion prevention system and Cisco CleanAir
Technology
Centralized management for easy maintenance and configuration
Optimization for support of high-bandwidth applications such as voice and video
The Cisco Aironet 1550 Series Outdoor Access Point with Cisco CleanAir technology is the industry's
first enterprise and carrier-grade 802.11n access point to create a self-healing and self-optimizing
wireless network that mitigates the impact of wireless interference. It offers a flexible, secure, and
scalable mesh network for high-performance mobility across large metropolitan-sized areas, enterprise
campuses, manufacturing yards, and mining pits. The Cisco Aironet 1550 Series supports
multiple-device and multiple-network application delivery such as real-time seamless mobility, video

54 EDCS-1182127
Outdoor Wireless
surveillance, 3rd Generation (3G) and 4G data offload, and public and private Wi-Fi access. Designed
to meet customer needs in a broad range of industries, the Cisco Aironet 1550 Series offers the following
benefits:
Flexible deployment optionsAccess or mesh network, extension of an Ethernet network, and
Ethernet, fiber, wireless, or cable backhaul.
Service provider supportWi-Fi for next-generation mobile data offload and personalized mobile
services.
Cisco CleanAir technologyIntegrated spectrum intelligence to detect, classify, and mitigate RF
interference from unauthorized wireless bridges or malicious devices.
High-bandwidth video surveillance over Wi-Fi without the high cost of installing cables over long
distances.
High-performance, multipurpose network with low CapEx and OpEx.
Integrated wired and wirelessThe Cisco Borderless Network Architecture provides cost savings
with end-to-end network access solutions that include wireless, switching, routing, and security.
The mesh architecture allows for easier deployments that do not require that each access point have
hard-wired connectivity to the hospital systems network. Instead, the mesh protocols used determine the
best neighbor AP to use to create a completely converged outdoor wireless environment, as shown in
Figure 25.
Figure 25 Wireless Mesh Architecture
Parent Child Neighbor

Rooftop:d6:80 Mesh:7a:70
Mesh:78:90
RAP
MAP MAP
LAN
MAP MAP
Building 1
148446
Each Root AP as noted by a RAP provides physical connectivity to the network. Root APs can be
connected to the network using Gigabit Ethernet over copper or fiber. Mesh access points (MAPs) form
their connectivity to their parent using 802.11-based RF. Both RAPs and MAPs provide wireless client
access all from the same centrally managed WLC already in use within the healthcare system. The same
tools for configuration (WCS and Cisco Prime NCS) are used in the support and operation of the mesh
and non-mesh wireless environment. This reduces the expense of deploying because the network
administrator can leverage the same tools in the design, rollout and operation of the mesh wireless
network.

EDCS-1182127 55
Outdoor Wireless
Cisco Outdoor Mesh Access Points

The Cisco 1550 Series of outdoor access points come in a variety of models, as shown in Table 4.
Table 4 Cisco Outdoor Mesh Access Points
Cisco Aironet 1552E Cisco Aironet 1552H Cisco Aironet 1552C Cisco Aironet 1552I
Product Image
Antenna Three external dual band Integrated low profile

AC Power 100480VAC No 100277 VAC
80 Watts
50 Watts
Battery Backup Yes6AH TBD No No

PoE Input Support YesUsing Power non 802.3af Injector No No
AIR-PWRINJ1500-2=
PoE Outdoor Support Yes 802.3af No
(Cameras and other
802.3af devices)
Fiber SFP Backhaul Yes No
Option (100Mbps)
Hazardous Location use No Yes Class 1, Division No No
2/Zone 2
Embedded DOCSIS 3.0 No No Yes No
Cable Modem
Ethernet Port Yes (100/1000)
Power over Cable System N/A N/A Yes (4090VAC) N/A
45 Watts
Mounting Pole, wall, or strand
Supported WLC WiSM, WiSM2, 5500, 4400, 2504, 2112, 2125, 2106, WLCM, SRE
ClientLink & CleanAir Yes
Support
Approximate AP Density 9 AP/sq-mile 3.5 AP/sq-km 14 AP/sq-mile 5.3 AP/sq-km
in A Domain
Approximate AP Density 25 AP/sq-mile 10 AP/sq-km
in E Domain
Cisco outdoor mesh reference material and design guides can be found at the following URLs:
http://www.cisco.com/en/US/products/ps8368/index.html
http://www.cisco.com/en/US/products/ps6366/products_white_paper09186a0080b34501.shtml

56 EDCS-1182127
Wireless Endpoints
Wireless Endpoints
Biomedical Device Considerations
Smart Infusion Pumps

Smart infusion pumps represent a growing trend in the healthcare industry. Their deployment numbers
within an acute care setting usually represent a relatively large number of wireless devices. For wireless
network administrators, considerable concern for the coexistence of these new wireless devices with
existing wireless devices is warranted. Security involving the devices and the methods available for
authentication and encryption are also significant considerations during the design process.
At first, it may seem that an infusion pump requires continuous access to the network. Although this is
the desired objective, it does not mean that a loss in wireless connectivity results in the loss of infusion
and a negative impact to the patients treatment.
Most if not all infusion pump vendors today have designed their infusion pump products to function in
what is referred to as a protected mode during disruptions of network connectivity. During the network
disruption, manual processes or protocols are used to administer new medication or implement infusion
rate changes. During this time, all drug advisories continue to be enforced on the pump since the last
medication formulary download. Switching to a manual protocol process is cumbersome, and can result
in medical errors if the clinician does not adhere to the protocol. For this reason, connectivity should be
maintained at all times, if possible.
To maintain connectivity, wireless services supporting this class of medical device must be pervasive
throughout the healthcare campus. Failure to do so may result in the smart pump roaming into a service
area where access is not available.
Smart pumps typically have the following connectivity needs:
Timely formulary/drug library updatesLibraries created by the pharmacy to enforce medication
delivery protocols
Recording delivery rates to the patients EHR
Access to drug libraries
Integration with computerized prescriber order entry (CPOE), bar-coded medication administration
(BCMA), and electronic medication administration systems
Smart pump firmware updates
Alarm and event notification
Remote device management
RF Design Considerations
As stated earlier, a smart infusion pump does not stop working when it loses connectivity to the wireless
network. Having said this, the objective of all wireless networks is to maintain connectivity throughout
the environment in which the wireless client operates.
From an RF design perspective, smart infusion pumps are relatively non-demanding devices. Their
ability to tolerate slow roams, IP address changes, and off-channel scanning usually helps ensure proper
operation.

EDCS-1182127 57
Wireless Endpoints
With regard to roaming, the decision to roam to a better access point is always the responsibility of
the 802.11 wireless clients. This has led to various roaming algorithms, yielding wildly different results
when compared to other wireless devices. The term stickiness refers to the tendency of a wireless client
to cling to and remain associated to an access point beyond a point that other wireless clients would
have implemented a roam.
When a wireless client clings to an access point longer than it should, data rates are automatically
decreased to maintain connectivity. During this time, if the wireless client has a significant amount of
data to send or receive, performance of the service area or cell is decreased for all wireless clients within
the cell sharing the same 802.11 band. This is because of longer transmission times at the lower data
rates, resulting in blocking the ability of other wireless clients from accessing the channel.
As a general rule of thumb, the objective should be to provide 25 dbm of SNR in all areas that an infusion
pump operates or is stored. One caveat is that many times the site survey is performed using a laptop
with internal or external wireless cards. The RF characteristics of newer laptops with 802.11n or external
wireless cards may be significantly different than that of legacy wireless clients and often biomedical
devices. In the case of 802.11n, beamforming and other techniques may show a higher signal level then
would be expected from a legacy b/g/a device. Another consideration is due in part to the physical design
characteristics affecting the RF aspects of the device. Because of poor antenna placement or lower
receiver sensitivity, an area surveyed and considered within the norms of standard best practices may for
certain devices not meet the requirements set forth by the vendor.
One recommendation is that after the sight survey is completed using standard best practices and RF
survey techniques, each biomedical device that is slated to be used in the area be introduced and tested
in the environment where it will be used. This includes not only the patient room (shown in yellow in
Figure 26) but also within the bathroom (shown in blue in Figure 26) with all doors closed to create a
worse case test. Note that the bathroom shown on the right in Figure 26 would typically have reduced
signal strength because of the additional distance from the hallway than that of the left patient room.
Again, the goal is to striving for 25dbm of SNR in all areas where a device would be used.
Figure 26 Basic RF Design
227825
Ciscos Radio Resource Management feature adds additional RF intelligence into the wireless network
by allowing the access point to periodically sample other channels, look for rogue APs, and to take RF
path loss measurements of adjacent access points. This information is compiled and passed to the
wireless controller, which recommends and implements certain dynamic changes to the wireless
network. During the sampling of other channels (typically 50 ms per channel with 10 ms for channel
change), the access point is effectively off the air and no longer communicates to the wireless clients
which it serves. This results in an performance reduction of approximately 1.5 percent.

58 EDCS-1182127
Wireless Endpoints
Note A commonly misunderstood aspect of channel scanning is that traffic is lost if the AP is off channel when
a wireless client attempts to transmit a frame. The PHY layer firmware automatically retransmits the
frame when it does not receive an acknowledgement from the AP. Because this is at the PHY layer, the
upper layer protocols (IP, UDP, TCP, and so on) are not aware of this physical layer retransmission.
Therefore, from the perspective of the application running on the wireless client, little or no impact is
presented to the wireless client.
For infusion pumps, the channel scanning interval is not of sufficient duration to cause any connectivity
or throughput issues. In areas where Ciscos wireless phones such as the 7921G, 7925G, or 7926G are
in use (during active voice calls), the associated AP does not channel scan. If you suspect that RRM
channel scanning is impacting the performance of your smart pump, it is recommended to either disable
RRM; or use a Cisco 7921G, 7925G, or 7926G phone that is in an active call as a troubleshooting step.
It is also recommended to confirm with the medical device vendor the supported configuration of the
wireless infrastructure.
Security
The security model for most biomedical devices varies widely as a majority of device vendors focus their
engineering efforts upon the clinical and biomedical capabilities of their devices. These clinical
capabilities are typically those that are the main factors in the purchasing decision; and rightfully so.
Because of this fact, the wireless and security characteristics of the devices often lag behind the industry
best practices. Many times, the biomedical or IT staff responsible for the wireless network are not
included in the purchasing decision because it is often made based solely by the clinical team.
This approach often results in the wireless engineering team responding after the fact and implementing
the best security mechanisms available by the vendor. The optimal approach often does not meet the
healthcare systems security mandates on wireless security.
Note This trend is beginning to change as the convergence of medical devices is well underway. Network
connectivity and the security around such is beginning to be a differentiator among medical device
vendors. The only problem is that the life cycle of various devices is typically in excess of 10 years.
At the present time, the golden standard for wireless security is one based on an Extensible
Authentication Protocol (EAP) based on the 802.1x framework. This approach provides the healthcare
system with an authentication model typically employing one of the following EAP types.
EAP-TTLS (Tunneled Transport Layer Security)
EAP-TLS (Transport Layer Security)
EAP-FAST (Flexible Authentication via Secure Tunnel)
EAP-PEAP (Protected EAP)
EAP-MSCHAPv2 (Microsoft Challenge Handshake Protocol)
Some smart pump vendors offer a wide array of EAP types that can be implemented. However, in most
deployments, the userid/password credential (EAP-PEAP, EAP-FAST, EAP-MSCHAPv2) is unique
only down to the implementation of the infusion pump, meaning that one common userid/password is
used across all infusion pumps.
Although both security best practices, and some would argue even HIPAA, dictate that a unique
userid/password should be used on each infusion pump, the following should be considered before
implementing this approach:

EDCS-1182127 59
Wireless Endpoints
For centralized deployments where RADIUS authentication servers are hosted only within the healthcare
systems centralized data center, WAN failures of hosts joining the network would not be able to
successfully authenticate. In such deployments, authentication of new users would depend on the static
definition of the userid/password on the controller at each location. Ciscos wireless controllers are
limited in the following two ways:
There is a finite number of user accounts that can be defined locally on the WLC.
Additional RADIUS attributes such as VLANID and others (QoS) are not returned to the
access-point during authentication request as only the basic set of RADIUS attributes are
supported. This prevents any VLAN steering when using an identity-based networking
approach for biomedical devices in a centralized architecture.
In the event that the credentials are compromised, each infusion pump needs to be reconfigured
(either manually or remotely if supported by the vendor) with a new userid/password. Before
jumping to the conclusion that this is the same approach as WPA-PSK, consider the following when
using WPA-PSK or WPA2-PSK:
All pumps need to be manually updated at one point in time if a new SSID is not created. This
is because each WPA-PSK/WPA2-PSK is unique to the SSID; therefore, once compromised, all
APs via the WLC need to be updated with a new PSK.
WPA-PSKs require significant manual configuration and change management coordination
across multiple WLC and Smart Pumps.
If smart pumps are going to be shared across hospitals within the healthcare system, in cases of
Level 1 trauma centers in overflow situations that may require to transport both patient and
biomedical devices to other facilities; the use of a common userid/password combination might be
advantageous. With shared devices between non-affiliated facilities, the added overhead of
providing each facility with the unique logon credential may be problematic.
If unique credentials are to be used on devices that may be shared between facilities, using
Ciscos Access Control Server (ACS) and implementing RADIUS replication for a given
domain would be one automated approach to provide a high level of security and at the same
time automated RADIUS authentication using replicated databases.
For deployments where the RADIUS servers are located within each hospital and not centrally located,
a unique userid/password should be implemented. In this approach, each serial number and model of
smart pump would be entered into the RADIUS user authentication database. Using Ciscos ACS, a
group for each model of smart pump should be created. Within this group, an SSID/VLAN mapping can
be specified for each userid/password combination which each map to a unique infusion pump.
Encryption for all biomedical or clinical devices should use WPA2 Enterprise, which uses the AES
cypher for optimum encryption. Because WPA2 Enterprise is a relative newcomer into the market as
compared to legacy biomedical devices, firmware upgrades on such wireless devices are not likely to
support WPA2/AES. This is because of the higher computational hardware requirements to support the
AES cypher and the underlying key management mechanisms. Therefore, unless it is a relatively new
biomedical device manufactured after 2004, it is not likely to support WPA2. (See Figure 27.)

60 EDCS-1182127
Wireless Endpoints
Figure 27 Security Design
WPA2-AES
WPA-TKIP
Relative Privacy
WPA-PSK
WEP 128
+TKIP
WEP 40 +
TKIP
WEP 128
227826
WEP 40
The problem with using lower complexity-based cryptographic technology with wireless is that it is
impossible to determine whether data is in fact being secretly captured in encrypted form. The captured
data may not be able to be decrypted today using technologies readily available, but the future may not
protect such confidentiality as higher computational capabilities as found in video-based GPUs and other
advanced mathematical techniques evolve.
For highly secure wireless transmissions,WPA2 using AES is recommended for all medical-grade
networks. Given the current computational capabilities available to the general public, the National
Institute of Standards and Technology (NIST) recommends using key lengths as follows:
Year of Encryption Minimum Key Length

2006 010 80 bits
20112030 112 bits
2031-> Future 128 bits
NIST recommendations for key management can be found in the NIST Special Publication 800-57
revision 3 (July 2012) and located at the following URL:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
In the event that the data is to remain secured past that of the useful life of the recommended key, NIST
recommends that the next higher key length be used. It is recommended that AES-128 be used to provide
a level encryption to protect PHI data up to 2031. After such time, implementing AES-192 or AES-256
would be indicated and hopefully supported by the industry.
Co-Existence Issues with other Biomedical Devices
A healthcare system often has a wireless network deployed with CoWs or Workstations on Wheels
(WoW) supporting CPoE or a medication administration system. Over time, the next large-scale rollout
may have been a voice deployment using any number of VoIP wireless handset vendors. The next
challenge is typically either a large number of 802.11-based wireless infusion pumps and/or high acuity
patient monitoring.
The challenge facing many IT directors and their staff is, what will break when 500 or 1000 infusion
pumps are rolled out over the course of a few months? Will the sheer number of problems, authentication
requests, and data traffic negatively impact the existing wireless devices?

EDCS-1182127 61
Wireless Endpoints
In the reverse direction, there is often concern as to whether or not the existing devices, perhaps
generating large amounts of multicast or broadcast traffic, will impact the infusion pumps. In most if not
all cases, the deployment of a large number of smart pumps do not negatively impact the wireless
network or other wireless devices already on the network.
Most implementations of smart pumps create a unique WLAN/SSID to isolate the pumps from the other
wireless devices. Although doing so may shield the smart pump from L2 broadcasts, it would not
eliminate a performance impact because the channel itself is a shared resource.
A new trend is emerging where biomedical devices are grouped by SSID based on their security model.
Devices that can use more advanced methods of authentication and encryption are placed on one SSID
with other similarly capable devices.
Medical devices that cannot use such advanced methods of authentication and encryption are similarly
grouped onto another common SSID for such devices. These devices are often safeguarded from
accessing the wider network through the use of firewalls and access control lists (ACLs).
Older devices that are not capable of dynamically adjusting their power output may generate co-channel
interference, especially in the 2.4 GHz band. However, note that smart pumps do not generate large
amounts of data during their use. Only during formulary and firmware updates does their data usage
typically spike. These spikes can last a few minutes at most in a typical environment.
During this time, however, if a wireless network was designed with cells of varying sizes, a smart pump
that is not capable of matching the APs transmit power levels would remain at a constant transmit power
level. In the smaller pico cells, the condition might arise where the pumps signal reaches a cell one hop
removed that shares the same channel, generating co-channel interference.
Because many biomedical devices cannot adjust their power as directed by the AP, it is recommended
that the use of pico cells on patient floors be avoided to reduce the likelihood of co-channel interference.
Traffic Patterns
Highlighted earlier in this section were the typical end systems with which smart pumps need to
communicate. From a data throughput standpoint, both formulary and firmware updates are at the top of
the list. In one observed formulary update, data transmissions bursted to about 40 kbps for a duration of
approximately two minutes. (See Figure 28.)
Figure 28 Traffic Typically Generated When a Clinician Initiates the Delivery of Medication

62 EDCS-1182127
Wireless Endpoints
The smart pump communicates the delivery of new medication, dose rates, and alarm events to the EHR
through their information center application. During this time, the data sent is a relatively small amount
of data, as shown in Figure 29.
Figure 29 Data Transfer
In the event that connectivity between the smart pump and the vendors information center application
is disrupted, the pump locally alarms for events requiring immediate attention, and locally caches the
other events until connectivity is restored.
Vendor SLA Requirements
The following are vendor service-level agreement (SLA) requirements:

Offline mode support
Impacts during connectivity loss
Impacts from outside interference
HIPAA / FDA Concerns
With regard to patient privacy, some vendors smart pumps contain information that would be classified
as PHI and as such, all data transmissions between these smart pumps and the specific vendors
information center application should be encrypted as directed above.
Because there are so many vendors and models of smart pumps available on the market, it is difficult to
provide guidance that is 100 percent accurate for all devices. Some of the areas of investigation should
be as follows:
Remote management of the device for firmware updates
Remote management of the device for drug/formulary library updates
Remote management of the device that could affect patient treatment (dose change, stop/start, and
so on)

EDCS-1182127 63
Wireless Endpoints
Operation in protected mode when offline because of a wireless network outage

Impact to clinical workflow and patient treatment during times of network interruption
Patient Monitors
A patient monitoring system provides real-time monitoring of physiological vital signs data from
patients. Typical types of physiological data are the following:
Blood pressure
Pulse oximetry
Respiration rates
ECG
Cardiac output
These systems provide mission-critical real-time data and must operate continuously without
interruption. Residing on the wired medical IT network are patient bedside devices and central stations,
which are used by the care team to monitor patients. On the wireless side, there may be bedside devices
that are in transition while the patient is being moved along with patient-worn telemetry devices.
In most cases, the bedside devices have sufficient computational capabilities to run in an offline mode,
alerting staff with an audible alarm when a specific subset of conditions are detected. When these devices
re-join the network, data displayed during the offline period is typically not uploaded for historical
purposes, but this capability varies between vendors.
Patient-worn telemetry monitors, with the exception of two products currently on the market, do not
typically have the computational capabilities to analyze the waveforms that indicate threatening
physiological conditions. All analysis of the waveforms are performed by a central station, which means
that the criticality of this subset of patient-worn devices is extremely high. Any network outage or
impairment prevents the central station from accurately monitoring the patient condition. With a few
exceptions, healthcare facilities within the United States use the licensed Wireless Medical Telemetry
Service (WMTS) band, which operates in the 608614, 13951400, and 14271432 MHz range.
Note Cisco does not manufacture or sell WMTS-based products.
In summary, patient monitors require continuous connectivity to the network, unlike infusion pumps,
because the data is considered mission-critical. (See Figure 30.)
Figure 30 Bedside and Patient-Worn Monitors
Many medical devices are considered embedded systems and are tightly controlled by the device
manufacturer. A key design principle for medical devices is to keep them as reliable as possible by
reducing the number of unnecessary variables. By implementing only those features that are required by
the product, a higher degree of product stability can be achieved. Because of this philosophy, some

64 EDCS-1182127
Wireless Endpoints
medical device vendors require network segmentation for their products to function within their
guidelines on a converged campus medical IT network. This often results in special requirements where
a particular device platform may require Layer 2 adjacencies to all of their devices on the network to
function properly.
Note Always consult the medical device manufacturer regarding their guidelines for approved operation in a
converged medical IT-based deployment.
If the healthcare delivery organization is adopting the IEC-80001 standard for risk management, this
ongoing validation would be within the scope of responsibility of the risk manager.
Generally, device life cycles are long (710 years), and some networked medical device systems include
software that was designed to operate on these L2 private networks. However, some patient monitor
vendors today support L3 routing and advanced multicast features that make it possible for devices to
co-exist on a converged IP network.
Some of the main vendors and products in the patient monitoring space include Philips Intellivue, GE
Dash, Draeger Infinity, Spacelabs, and Welch Allyn Propaq. These vendors support both wireless and
wired deployments as part of their overall architecture.
A typical patient monitor system consists of the following components:
Bedside monitors
Patient monitor central station
Database server
Patient/Bedside Monitors
Family of devices that enable review of vital patient data and clinical decision support. Most vendors in
this space support wired Ethernet, wireless 802.11, and WMTS connections.
Patient Monitor Central Stations
Central monitoring stations provide multi-patient waveform and parameter displays, alarm
announcements, and analysis from the patient monitors connected to it.
Database Server
The database server provides short-term data storage for patient monitors. Data for monitored or
telemetered patients can be stored, managed, and transferred via database servers.
Patient Monitoring Operations
As mentioned previously, the standard implementation of patient monitor systems differs greatly
depending on the particular vendor implementation. Vendors tend to fall into 3 basic types of
implementation.
Layer 2 isolated networkBroadcast
Patient monitors and centralized stations reside on their own Layer 2 subnet. Patient monitors
associate to a central station using broadcast methods and do not allow routing between subnets. In
some cases, the vendor also requires that the network be completely dedicated for the patient
monitoring application. This reduces the risk of system performance interruptions caused by other
devices residing outside the subnet.

EDCS-1182127 65
Wireless Endpoints
Layer 3 networkMulticast
Patient monitors and centralized stations operate over a Layer 3 routed network. Patient monitors
associate to a central station using multicast methods which allows for allow routing between
subnets.
Multicast is used for Internet Group Management Protocol (IGMP) joins and Layer 3 waveform
distribution and general topology, and care group association used for overview functions. The
overview session is a window displayed at the bedside that shows the real-time waves,
measurements, alerts, and so on, for another patient. A user can request an overview session or can
permanently configure an overview session.
Unicast traffic can also be used for connection messages for device type, serial numbers, and
equipment labeling.
Multicast for IGMP joins and Layer 3 waveform distribution and general topology, and care group
association used for overview session:
Hybrid Layer 2 and Layer 3Limited form of multicast combined with unicast
Devices may operate within a simple routed environment but may have limited multicast
functionality or have central stations or database servers that may not be routable. Also, the devices
may use a combination of multicast and unicast to operate properly on the network. For example,
multicast may be used by the patient monitor to discover the central server, and use unicast to send
the wave data to the central station.
Traffic Patterns
Discussed earlier in this section were the typical end systems with which patient monitors need to
communicate. As noted, patient monitors typically communicate to the centralized information
centers/servers and/or multicast out to other patient monitors. It is important to understand the basic
functionality of patient monitors traffic patterns and initialization sequences and to understand this
impact on wireless connectivity.
IP Addresses
Patient monitor devices use either DHCP, BOOTP, or static address as methods to IP address assignment.
Initialization Central Server Discovery

If a central station is required in the vendors patient monitoring system, the bedside monitors are
required to execute a central station discovery process. This process involves the patient monitoring
sending information about the device (that is, MAC address, station ID, and so on) over a multicast
address or broadcast address. When the central station receives this information, an acknowledgement
message is sent back to the new device, and included in the central station group association.
Steady State Operation

After the device is associated with the group, steady state operation is achieved. During this time, there
are two basic methods that the majority of patient monitors use to advertise their patient data:
Centralized server
Patient monitoring devices communicate directly to a centralized server. Patient monitors send
patient vital signs data directly to the server. The server hosts this vital signs data for distribution to
other patient monitors that can view patient data within the care group. Devices are typically
managed in association groups that have been defined at the central station. The concept allows any
bedside monitor within the association group to view other monitors also in that group,

66 EDCS-1182127
Wireless Endpoints
Multicast is typically used to distribute this data. Each patient is assigned a multicast address and
the vital signs are multicast over that address. Devices that want to view that patient monitors
information issue an IGMP join to that address.
Peer-to-peer
Individual patient monitors act as both multicast receivers and senders to view data of other patient
monitors.
Figure 31 shows a sample exchange for a centralized server vendor implementation, including the flow
exchange between a bedside patient monitor endpoint and the central station over a router.
Figure 31 Centralized Server Implementation Example
Patient
Monitors Central Station
LWAPP
IGMP join .63

DHCP Request
DHCP Response
Group Association over Multicast
Central Station Identification
Wave Data, Vital Signs, Alarms
Other Patient Monitors Data

Join other Multicast Groups for other over Multicast
Patient Monitors Data
292848
As described previously, roaming is always the responsibility of the 802.11 wireless client device and is
driven by the radio firmware. If the 802.11-based patient monitor is sticky and clings to an access
point, data rates are typically decreased dynamically to maintain connectivity. During this time, if the
wireless client has a significant amount of data to send or receive, performance of the service area is
decreased for all wireless clients within the cell sharing the same 802.11 band. This is because of longer
transmission times at the lower data rates resulting in blocking the ability of other wireless clients to
access the channel. It is recommended to investigate the use of the Cisco ClientLink capabilities to
improve data rates across all wireless devices.
Patient monitor power level and SNR recommendations vary from vendor to vendor. Generally speaking,
vendor recommendations match the requirements shown in Table 5.
Table 5 Patient Monitor Power-Level Recommendations
Power level of access points Min 15 dBm (31.6 mW)

Minimum received signal strength indicator -70 dBm

EDCS-1182127 67
Wireless Endpoints
Table 5 Patient Monitor Power-Level Recommendations (continued)
Maximum noise floor -85dBm

Minimum signal-to-noise ratio 21 -25 dB
As previously discussed, consider the characteristics on newer laptops when performing site surveys.
The RF characteristics of newer laptops or external wireless cards may be significantly different than
that of some biomedical devices. Using a laptop with 802.11n to perform the site survey may yield
different results for legacy 802.11b/g/a devices.
Additional RF considerations regarding shared spectrum should be noted. Some vendors allow the use
of 802.11a VoIP devices to coexist in the 802.11a patient monitor devices. A particular vendor may only
allow the 802.11a (5 GHz spectrum), which aligns to Ciscos recommendation to move critical services
to the 5 GHz band. Because the allocation of RF channels is controlled by country-specific regulations,
the 5 GHz spectrum is defined as all the channels available to 802.11a devices for the WLAN
infrastructures given location.
Deployment entails operating in the unlicensed spectrum with other wireless devices in a
non-deterministic contention environment. Careful deployment of 802.11 client devices within the RF
space and proper configuration of the WLAN (WLC, switches, APs) must be made to ensure that patient
monitors have continuous secure access.
The 802.11a spectrum has more capacity by means of a higher number of channels relative to the
2.4 GHz ISM band, typically less co-channel interference, and fewer client devices.
Note Cisco recommends that medical devices and mission-critical devices be deployed in the 802.11a 5 GHz band,
and general purpose data and guest wireless device can be deployed in the 2.4 GHz. It is also recommended
to deploy 802.11n access points along with ClientLink for optimum performance of all wireless devices.
RF Site Survey
Complete an RF site survey before deploying wireless patient monitors. A complete new site survey in
the 5 GHz spectrum across the bands (one measurement in each channel is required) ensures that the
parametric requirements are met across the desired coverage area,
RF Spectrum Analysis
Using an Cisco CleanAir along with Cisco Spectrum Expert for RF spectrum management is a basic
requirement of all wireless networks providing mission-critical wireless services. The Cisco Spectrum
Expert can be used to verify that the RF bands within the targeted coverage area are clean and free of
interference. Verify that no interference exist across multiple channels. No interference is defined as any
narrow or wide-band signals in the pass-band that are not 3 db above the measured noise floor. A
minimum of three measurements should be taken across the entire band.
Signal Strength
Vendors differ in the minimum signal strength required within the RF coverage area. Some vendors
require a signal strength of -67 dBm as measured across the entire 5 GHz UNII band. If adopting the
IEC-80001 voluntary standard, it is recommended that the risk manager verify initially and on an
ongoing basis that the channels and bands used are within the recommended guidelines set forth by all
the medical device vendors sharing the wireless deployment.

68 EDCS-1182127
Wireless Endpoints
SSID Considerations
Most vendors advocate the use of a dedicated SSID mapped to dedicated VLANs. The ESSID used for
802.11 wireless devices generally should be broadcast, but may be set to not broadcast if desired.
Note Setting an WLAN SSID to not broadcast or advertise does not provide a level of security through being
hidden. There are many publicly available wireless utilities that can detect and capture wireless traffic
on WLANs that are hidden.
Most implementations of patient monitors create a unique WLAN/SSID to isolate the monitors from the
other wireless devices. Figure 32 shows a sample vendor implementation that supports Layer 2
connectivity only. Two independent subnets for two separate patient monitor networks with no routing
are used. A common wireless infrastructure is used, but patient monitors must be on their own Layer 2
segment.
Figure 32 Sample SSID Assignment Using two Subnets
SSID 10: VLAN10 Vendor A
LWAPP VLAN10
LWAPP
Central Station
SSID 20: VLAN30

VLAN30
LWAPP
LWAPP
Central Station
292842
Vendor B
In another example, a common wireless infrastructure is used, and patient monitors are being routed,
which allows the monitors to be on different subnets. The routers are used to route unicast and multicast
traffic between the bedside subnet and the rest of the patient monitor network. All the other segment
devices still need to be on the same subnet, as shown in Figure 33.

EDCS-1182127 69
Wireless Endpoints
Figure 33 Common Wireless Infrastructure
SSID 10: VLAN10
LWAPP VLAN20
Vendor A
LWAPP
Central Station
SSID 30: VLAN30

VLAN40
LWAPP
Vendor B
LWAPP Central Station
292843
Co-Channel and Multifloor Separation
The 802.11 infrastructure should generally be greater than 25dB of co-channel separation between apps
on the same channel. When deploying the WLAN across multiple floors, floor-to-floor separation is
required. Configured channels should be staggered across adjacent floors such that the same channels
are not configured for use on adjacent floors and the required co-channel separation is maintained.
IP Address Changes
For most vendor implementations, patient monitors support use of Dynamic Host Configuration Protocol
(DHCP) for obtaining an IP address.
In a Cisco WLC deployment, client IP addresses do not change when they roam within the same mobility
group. WLC deployments support client roaming across APs managed by one or more WLCs in the same
mobility group on the same or different subnets. This roaming is transparent to the client because the
session is sustained and a tunnel between the WLCs allows the client to continue using the same
DHCP-assigned or client-assigned IP address as long as the session remains active.
Note It is never recommended to use the IP address to determine the location of a wireless medical device and
cause the overall system to base decisions on the location, such as the care where an infusion pumps
safeguards are based on the IP/network address between a neonatal intensive care unit (NICU) and/or
step-down unit.

70 EDCS-1182127
Wireless Endpoints
Security
The security model for most patient monitors varies widely, with newer models supporting a wider
variety of authentication and encryption mechanisms. However, legacy patient monitors and other
medical devices are limited; for example, the oldest devices support only static WEP. This presents a
dilemma for the medical IT network risk manager, who may be required by the IT department to
implement a security policy that cannot be implemented. Again, the first requirement for all medical
devices is to comply with the requirements and recommendations set forth by the medical device vendor.
In cases where the medical device cannot be configured to support the security model set forth for the
healthcare organization, options such as the following might be used:
Deploy the device using the most robust security mechanisms available.
Isolate the devices from the remaining network through Layer 2 VLAN isolation and implement
ACLs on either the Layer 3 VLANs or within the distribution layer. The use of a pair of Cisco
Adaptive Security Appliance (ASA) firewalls that are allocated to the support of mission-critical
clinical applications to inspect and allow communication to the various backend servers. Use a
multilayer security approach including MAC authentication and intrusion detection services, and
enable Management Frame Protection (MFP) if supported by the medical device vendor.
Build a parallel network for those devices, isolating them from the rest of the network.
Although this addresses the security policy requirements of the IT staff, it does not add additional
security for the medical devices or the parallel network. verify that MFP is supported by the medical
device vendor(s).
Note In 802.11, management frames such as (de)authentication, (dis)association, beacons, and probes are
always unauthenticated and unencrypted. In other words, 802.11 management frames are always sent in
an unsecured manner, unlike the data traffic, which are encrypted with protocols such as WPA, WPA2,
or, at least, WEP, and so forth.
Authentication
Currently the golden standard for wireless security is one based on an EAP based on the 802.1x
framework. Many legacy patient monitors do not support this authentication model, with many newer
models supporting a variety of EAP types.
Encryption
Some patient monitors use WPA-Personal, which is based on a WEP/RC4 cypher with TKIP and a Message
Integrity Check (MIC) to rotate the key and detect frame tampering. The main reason for this is because of
the lower computational requirements to support the RC4 cypher engine. These limitations are typically
hardware factors, which make it highly unlikely that a simple firmware update will support the more robust
WPA2/AES encryption model. Newer products entering the market do support WPA2 using AES 128-bit keys
for encryption. The recommend encryption level if available is WPA2 Enterprise.
Most patient monitor implementations recommend a separate SSID for each type of vendor biomedical
device, In this case, a unique WLAN/SSID isolates patient monitors from other wireless devices. This
does shield patient monitors from Layer 2 broadcasts, but does not eliminate a performance impact if
one existed because the channel itself is often shared. It is recommended that a risk manager verify the
network compatibility of each medical device type placed on the wireless network. In organizations
adopting the IEC-80001 standard, this responsibility falls on the risk manager and should be performed
without regard to the adoption of IEC-80001.

EDCS-1182127 71
Wireless Endpoints
Vendor SLA Requirements
Latency and Jitter

A reasonable packet latency time and jitter is expected and should be kept to a minimum across the
network. Latency times in excess of 25 to 100 ms may cause application performance degradation or
unpredictable behavior. Generally, jitter should be no greater than 5%. Latency and jitter times should
be measured on an ongoing basis and under various network load conditions to ensure correct application
performance. The risk manager should determine from the medical device vendors the acceptable
operating parameters with regard to latency and jitter.
Impact During Connectivity Loss

In many vendor implementations, the patient monitors must stay in communication with the database
and central servers. If the patient monitors lose communication with the backend servers for longer than
the defined parameter (i.e., 15 to 30 seconds) the central servers may timeout and revert to local
monitoring mode. This will mean loss of monitoring at the central stations and loss of possibly valuable
information.
Impacts from Outside Interference

During deployment of the WLAN across adjacent floors, floor-to-floor channel separation is required.
Configured channels should be staggered across adjacent floors such that the same channel is not
configured for use on adjacent floors and the required co-channel separation is maintained to 25 db or
more.
To maintain the high level of network access that is required for patient monitoring, it is important that
IT administrators over-provision the network capacity in the areas where patient monitoring is wirelessly
connected to the network. These areas should have additional APs deployed to provide added capacity
such that instances where a high number of devices contend for the WLAN and experience a significant
reduction in performance are eliminated.
HIPAA / FDA Considerations
Medical device systems are made up of the system functionality and application software and are
regulated by the FDA. Vendors must follow the regulatory specifications when designing those products,
which include the software and computers as part of the regulated medical device. In some cases, the
network may be included in the devices FDA filing. Hospitals may not deploy devices on a network that
differs from the devices network specifications. Check the device manufacturers design specifications
for details on the wireless network requirements.
Any PHI-Related Data
Protected health information (PHI) is any information that can be used to identify an individual and that
was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or
treatment. Electronic PHI uses the same definition but is applied to such data when it is in electronic
form. The 18 identifiers of PHI are as follows:
1. Names
2. All geographic subdivisions smaller than a state, including: street address, city, county, precinct, ZIP
code, and their equivalent geographical codes, except for the initial three digits of a ZIP code,
according to the current publicly available data from the Bureau of the Census.

72 EDCS-1182127
Wireless Endpoints
3. All elements of dates (except year) for dates directly related to an individual, including birth date,
admission date, discharge date, date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and elements may be aggregated into
a single category of age 90 or older.
4. Telephone number
5. Fax number
6. E-mail address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account numbers
11. Certificate/license number
12. Vehicle identifiers and serial numbers (including license plates)
13. Device identifiers and serial numbers
14. URL address
15. IP address
16. Biometric identifiers, such as fingerprints and voiceprints
17. Full-face photos and any comparable images
18. Any other unique identifying number, characteristic, or code
Older non-integrated patient monitors do not normally associate a patients name, social security number, or
other PHI information in the data stream. However, newer products that have recently entered the market do
link the waveform and telemetry information to a patients name and other information obtained from the
EHRs ADT system. These newer systems perform a patient census from the EHRs ADT system. The data
is then used to map the collected alarms and waveforms for storage within the EHR or other supporting
systems. In these cases, adherence to local regulations regarding patient privacy must be designed into the
end-to-end system.
Mobile Radiology
Although 802.11 wireless connectivity is available for portable diagnostic medical equipment, it has not
been widely deployed because of the large file size of studies. This has changed as 802.11n has become
less common and newer 802.11n-capable portable modalities enter the market place. The advantage is
to allow various studies to be uploaded to backend PACS or cardiology systems for archival and/or
diagnostic purposes. This improves the workflow of the mobile clinician, allowing the studies acquired
in the patient room or within a long-term care environment to be offloaded from the device as the
technologist is executing the examination.
In the case of portable digital X-ray machines, a single image does not typically exceed 10MB. However,
an exam may consist of a number of separate images, resulting in a complete study exceeding 100MB.
Transferring this to a backend PACS system over a wireless network while the technologist is roaming
both horizontally and vertically (elevator) can sometimes be challenging. In addition to the normal
challenges with roaming, limited DHCP support in existing modalities aggravates the problem.
Long-term care environments should implement a WLAN for contracted imaging service companies,
which provide onsite imaging services. This SSID can be mapped such that connectivity can be
established to the remote radiology service through the use of a VPN connection. The implementation

EDCS-1182127 73
Wireless Endpoints
of this wireless service offering has been shown to reduce the time to diagnose because it eliminates the
delays encountered in uploading the images acquired during the day, greatly shortening the time to
diagnose. The overall result is improved patient care and an increase in positive outcomes.
Medical-Grade Traffic Patterns
From a pure traffic perspective, DICOM-based traffic is typically treated as best effort. The studies must
therefore contend with other wireless traffic generated in a given 802.11 service area. This is because
many portable device vendors do not mark their traffic as mission-critical data and therefore remain
unmarked from a QoS perspective. As Figure 34 shows, traffic spikes in excess of 2.5 MB can result as
the acquired study is transmitted to the backend PACS system.
Figure 34 Portable Digital X-Ray Wireless Bandwidth UsageSpikes in Excess of 2.5 MB
As stated, because most medical devices today transmit their data as best effort using non-802.11n
technology, it is not unreasonable to assume that a poorly designed 802.11b/g/a wireless network may
encounter network congestion and negatively affect other applications that may be critical to patient
care. This may be aggravated by the device transmitting at a low speed (1 Mbps) because of signal
strength or quality. In general, uploads should be treated identically to a batch file transfer and therefore
receive best effort service. Implementing Cisco ClientLink improves overall signal strength and quality,
resulting in higher throughput for all wireless devices connected to the shared media.
The rate-limiting characteristics of TCP such as slow start and congestion avoidance mechanisms are
native to TCP/IP and effectively rate limit the transfers. Situations that cause the transfer to stop and
restart during momentary disruptions in wireless connectivity cause TCP/IP to reduce its window size
and therefore negatively affect performance. It is important to note that some more critical wireless
applications, such as patient monitors that do not support WMM or QoS, may be contending for network
resources. This serves as a reminder that an MGN requires advanced planning and consideration.

74 EDCS-1182127
Wireless Endpoints
Barcode Scanners
Bar codes enable quick, accurate data entry. This improves accuracy by reducing the likelihood of human
error from manual entry. It also reduces the ink that is used to write vital signs on the palms of the nursing
staff when doing spot checks or rounds. When a barcode scanner is combined with the appropriate hardware
and software, clinical efficiency and accuracy is dramatically improved. Barcode scanners are used for a
variety of applications within the healthcare environment. Applications can be grouped into the following
categories:
Supply logistics and material management coordination
Document management
Process logistics
Point-of-care patient safety and clinical care delivery
The first three categories include applications such as patient records, billing systems, claim systems,
maintenance systems, asset tracking, and logistics. The first three categories are used in manufacturing,
retail, and other industries to improve accuracy, timeliness, and productivity to reduce costs. The last
category is unique to the healthcare environment and not only results in cost savings, but improves
patient safety and the quality of patient care. Scanning barcodes before patient treatment can alert
caregivers to potential errors before they occur, preventing the error and avoiding patient harm. Clinical
applications for barcoding include blood transfusion verification, prescription entry, ordering medical
tests, specimen tracking, prescription drug tracking, patient identification, and dietary management. One
of the most impactful and widely deployed applications is medication administration verification. This
application is used to confirm patient identity, the correct drug, correct dose, correct time, and correct
caregiver (trained to administer and monitor for side effects).
Scanners may be categorized as: tethered, cordless, and integrated into handheld mobile computers and
PDAs. Barcode readers have been used in healthcare since the 1980s, so legacy technology spans those
used for barcode readers over that period. For standalone barcode scanners, there is a significant base of
legacy 2.4 GHz frequency hopping and Bluetooth (also a frequency hopping protocol) used to connect
the device to the CoW running the pharmacy application.
Note Care must be taken when any device is introduced into the wireless environment with regard to interference.
There have been documented cases where dedicated in-room Bluetooth scanners have impacted patient-worn
telemetry devices when the CoW is moved out of range. In these cases, the firmware in the BT scanner
aggressively and continuously sought to re-connect to its paired workstation, which generated enough
interference to cause telemetry dropouts.
Bluetooth and personal Wi-Fi devices may interfere with a wireless network. Their signature can be
observed using a spectrum analyzer such as the Cisco Spectrum Expert as well as Cisco
CleanAir-enabled access points. Figure 35 and Figure 36 show examples of spectrum analysis recorded
in hospitals.

EDCS-1182127 75
Wireless Endpoints
Figure 35 Typical Voice Call
Figure 36 shows a spectrum of a DECT-based voice call as displayed on a Cisco Spectrum Expert. Notice
the impact to channel 6.
Figure 36 Bluetooth Pairing (Frequency Hopping)
This is typical of a Bluetooth device searching for a device with which to pair. This should be a one-time
event. As stated earlier, the actual barcode scans should be very brief, low bandwidth events but may
cause interference if the device is transmitting a high power, especially if the firmware aggressively
seeks to reconnect with its paired host.
Clinical Systems
Electronic healthcare systems have two major areas of focus: financial, or the patient accounting; and
the clinical informatics applications. Because of the global and widespread use of clinical EHR systems
on the patient floor, this section focuses on the wireless-related design characteristics of such EHR
systems.

76 EDCS-1182127
Wireless Endpoints
There are four major categories that can be used to group clinical EHR systems from the delivery system
perspective. It is important to understand that EHR systems from different vendors may use one or more
of the approaches outlined below. This is because many EHR systems are composed of many different
applications, some developed by different business units within the EHR vendor. Other components may
have been acquired through mergers and acquisitions, with common examples being middleware, PACS,
and cardiology applications.
Computerized Physician Order Entry (CPOE) software may use a thin client-based delivery system
while the medical administration component from the same vendor uses a fat client-based approach.
Table 6 provides some considerations for each of these delivery approaches, and it is important to
consider the attributes associated with each architectural approach.
Table 6 Clinical Systems
Application Delivery Architecture

Thin client (Citrix Thick client Virtual Browser-based IBM SNA
client, VMware, (custom Desktop (TN3270, LU6.2,
(HTTP-based application)
Microsoft application) Infrastructure 3270)
(Citrix Xen
Desktop,
VMware VDI)

EDCS-1182127 77
Wireless Endpoints
Table 6 Clinical Systems (continued)
Bandwidth Typically very low Typically high Low Relatively low w/ Low
Usage exception to some
Java/ActiveX applications
Chattiness Relatively Low Typically high Low Relatively low w/ High
(latency exception to some
sensitive) Java/ActiveX applications
Tolerance to Not very tolerant, Can sometimes Not very Usually Very tolerant when Low, Some
network can disconnect with cause lockups or tolerant, can custom Java/ActiveX is not GUI front
disruptions minor disruptions of resets. Some disconnect with used. Can vary with Java or ends to
service vendors tolerate minor ActiveX applications are TN3270
disruptions very disruptions of used. systems may
well while others service lock up if
do not TN3270
application is
disrupted.
Embedded Yes, SSL Not usually Yes, encryption Yes, SSL No
application available is available
level from most
security vendors
Facilitates Some Usually not unless Yes, user can Some implementations will Dependent
Attributes
single sign implementations vendor supplies rapidly move allow user to maintain state upon
on will allow user to custom Single desktop from between application
maintain state Signon one machine to machines/browsers vendor
between application another
machines/browsers
PDA/Smart Yes, in some vendor Usually not, but Both Citrix and Yes, in some vendor No
Phone implementations some vendors VMware have implementations
accessible have PDA smart phone
versions of CPOE support in
or Medical development
Administration
ported to
PDA/smartphones
Laptop PC Yes Yes Yes Yes Yes, via
accessible terminal
(CoW or emulator
WoW) (Rumba,
TN3270)
Tablet PC Yes Yes Yes Yes Yes, via
accessible terminal
emulator
(Rumba,
TN3270)
Note VMware VDI performance and scaling information is available at the following URL:
http://www.vmware.com/pdf/vdi_sizing_vi3.pdf

78 EDCS-1182127
Wireless Endpoints
Being familiar with the attributes of the specific EHR modules, as shown above, or the many others not
shown, is key to a smooth rollout onto a wireless network. Many EHR applications were written when
the LAN was really the only network topology available. The next phase of evolution was the WAN,
which presented a number of challenges specific to latency, bandwidth, and connectivity disruptions
because of congestion.
Typically, EHR vendors provide modules that can be hosted across a WAN or VPN and migrate very well
to a wireless infrastructure. This is primarily because of the application tuning that has been made to the
application in terms of bandwidth, chattiness, and tolerance of disruptions of service. If a wireless
network was engineered properly, and sources of interference have been reduced to a relatively low
margin, a wireless network performs as well as or better than that of a WAN.
With EHR systems that are deployed on wireless tablets, PCs, laptops, PDAs or smartphones, the overall
performance depends largely on the RF characteristics of the wireless client device itself. Many of these
devices have varying levels of RF performance, and as a result have very different outcomes depending
on the wireless hardware implemented. For example, receiver sensitivity is a major factor; a site survey
performed with a laptop to 25db of SNR may be less than 20db SNR for a smartphone. This significantly
reduces the ability of an RF receiver to detect the 802.11 signal given the wireless clients internal noise
floor because of poor RF engineering. The better the receiver sensitivity, the better the performance and
therefore overall availability and throughput.
Another factor is the implementation of the roaming algorithm. Roaming at the right time and providing
for the right level of stickiness is also key. Too sticky and the wireless client roams too late, causing the
data rates to decrease to perhaps 1MB, resulting in a non-optimal end-user experience for all associated
wireless clients. Other aspects can also affect workflow, including power conservation techniques and
QoS capabilities such as using 802.1e and/or WMM.
To achieve a medical-grade network, the set of best practices for a given wireless technology must be
employed end-to-end in compliance with the infrastructure provider and the medical device vendor. This
not only involves RF site survey aspects and the placement of access points on the patient floor, but also
wireless device design, antenna characteristics, redundancy considerations, QoS, RF Spectrum
management, authentication, and encryption mechanisms.
Roaming
The decision to roam to a new access point depends completely on the wireless client and is not
influenced by the access point or wireless LAN controller. As a result of a poorly designed wireless
network, one deployed using a salt and pepper approach, roaming between access points may result in
cross-controller roaming. Such cross-controller roaming should be minimized whenever possible to
optimize roam times.
A wireless deployment strategy that follows a salt and pepper approach is one that allows access points
to locate any wireless LAN controller that is capable of providing services. The end result for highly
mobile devices that exist on a patient floor, such as CoW/WoWs and wireless PDAs, is excessive
cross-controller roaming that results in potentially poor roam times. Many times, wireless networks
deployed in this fashion work fine for voice and clinical applications, but may in fact prove problematic
during the rollout or pilot phases of new less tolerant applications or biomedical devices.
To enhance roaming, a feature called Fast Secure Roaming, also known as Cisco Centralized Key
Management (CCKM), can be used. According to Miercom testing labs, a Cisco 5508 WLC configured
for Fast Secure Roaming averaged a baseline of 9ms. For cross-controller roams, this time increases and
can result in the clinical application failing to recover.

EDCS-1182127 79
Wireless Endpoints
Note Some EHR systems or components that use IBM SNA (TN3270) back ends and GUI-based front ends,
such as CPOE/Electronic Medication Administration and Reporting (eMAR), have been known to be
troublesome when connectivity is disrupted for as little as 350 ms.
For environments that use components of EHR systems (CPOE, medical administration, pharmacy, and
so on) that are not tolerant to such momentary drops should use a zoned controller-based approach.
When a zone-based approach is used, access points servicing a given zone are configured to use a
primary and secondary wireless controller. This approach limits inter-controller roaming, thereby
improving roam times. When crossing zones, however, cross-controller roaming occurs and may impact
some devices as described above.
Areas such as elevators and stairwells promote an interesting challenge because wireless clients typically
traverse a number of floors as they move vertically across the zoned floors. For elevators, an approach
sometimes considered by the RF engineer is to place an access point in the elevator shaft or hoistway.
In the United States, however, placement of an access point in the elevator or elevator shaft is not
permitted by the American Standard of Mechanical Engineers (ASME) code standard. In addition,
access to hoistway shafts can be made only by authorized and certified persons. These people are
typically not the same individuals who install or survey the wireless network. Exceptions to this rule may
sometimes be granted by the local fire safety authority (Fire Marshall) responsible for the area.
The ASME A17.1, Safety Code for Elevators and Escalators section 2.8.1 states as follows:
Only machinery and equipment used directly in connection with the elevator shall be permitted in
elevator hoistways, machinery spaces, machine rooms, control spaces, and control rooms.
Furthermore, sections 2.8.2.12.8.2.2 state as follows:
Installation of electrical equipment and wiring shall conform to NFPA 70 or CSA-C22.1.... Only
such electrical wiring, raceways, cables, coaxial wiring, and antennas used directly in connection with
the elevator, including wiring for signals, for communication with the car, for lighting, heating, air
conditioning, and ventilating the car, for fire detecting systems, for pit sump pumps, and for heating and
lighting the hoistway and/or the machinery space, machine room, control space, or control room shall
be permitted to be installed inside the hoistway, machinery space, machine room, control space, or
control room.
The ASME 17.1 code clearly states that devices that do not comply with the regulations cannot be placed
either in the elevator or hoistway (elevator shaft). As such, the RF engineer must ensure coverage in these
spaces. Coverage is not only a matter of signal strength and quality, but roaming across subnets and
possibly WLCs, and is common as the car moves vertically between floors.
It is not possible to characterize one standard foolproof method for ensuring coverage in elevators, as
there are many variables to consider. As such, a series of recommendations and best practices need to be
implemented until an approach is found that provides a satisfactory level of service for each unique
environment and set of wireless clients.
One common technique to provide wireless coverage in elevators is to place a diversity omni-directional
AP or antenna directly outside of the doors of the elevators just below the ceiling tiles.
In many cases, but dependent on elevator design, a closed elevator door reduces the signal inside the car
by 7 to 10 dB or more. This requires that the access point or antenna be just a few feet in front of the
elevator doors. To provide fast secure roaming between floors, it is best to have access points that service
elevators on the same WLC and to ensure that they are part of the same access point mobility group. (See
Figure 37.)

80 EDCS-1182127
Wireless Endpoints
Figure 37 Access Points Serving Elevators on the Same WLC
Common AP Group and L2 VLAN
227835
Radio Resource Management (RRM)
Off-channel scanning and other radio resource management (RRM) should not have an impact on
workstations and other devices that have enterprise-class wireless cards. For some medical devices,
however, the time at which an access point is off the air may in rare circumstances have a negative effect.
This is especially true for patient monitor devices that typically send a UDP-based multicast frame every
40 ms. These devices typically do not have frame loss detection mechanisms nor are they capable of
retransmitting a lost or dropped frame.
Disabling RRM is not recommended for EHR deployments because there are times when a channel
change may provide better performance and overall availability than that of not switching to a less
congested channel. Furthermore, to detect rogue APs and other security risks, disabling or altering
default settings may inadvertently reduce the effectiveness of the security capabilities of the overall
wireless network.
Note Vendors of certain biomedical devices, specifically patient monitors, may require either specific changes
made to the default RRM parameters or to disable it completely. Beginning in WLC version 6.0, there is
the ability to selectively disable channel scanning on a per SSID basis. This feature is extremely helpful
for patient monitors that are not off-channel scanning tolerant. Consult your specific vendor for
information as to their recommended best practices.
Security
Wireless security for EHR systems that are commonly based on a Windows operating system should
employ an 802.1x EAP-based authentication mechanism as follows:
EAP-TTLS (Tunneled Transport Layer Security)
EAP-TLS (Transport Layer Security)
EAP-FAST (Flexible Authentication via Secure Tunnel)

EDCS-1182127 81
Wireless Endpoints
EAP-PEAP (Protected EAP)

EAP-MSCHAPv2 (Microsoft Challenge Handshake Protocol)
To comply with global regulations regarding ePHI, it is recommended that each clinical user is assigned
a unique userid/password as a logon credential to the EHR system, and it is strongly recommended to
extend this same recommendation to the users on the wireless network. By using a central directory
services repository for userid/password credentials such as Microsoft Active Directory or an LDAP
complaint directory service, access to the various systems containing PHI-related data can be controlled.
Some healthcare facilities use EAP-TLS implementations with PKI enabled smart cards embedded into
the employee badges. By using PKI-enabled smart cards to logon a laptop or workstation, the user can
also gain access to the same wireless network using the same physical card. EAP-TLS may however be
more costly to roll out because of the added operational costs related to a certificate authority.
Note It is possible to implement a physically-based security interface to door card readers that enables an
account within Cisco ACS when someone enters the building and disables the account when they clock
out or leave for the day. This approach improves wireless security significantly because it reduces the
likelihood of a stolen or lost device that has not yet been reported being used to access the network.
Encryption of EHR Systems
For ePHI-protected data in motion, as is the case with any wireless network, AES-based wireless
encryption is required. A minimum key size of 112 bits or greater (WPA2 AES uses 128) should be used
in order to ensure that the data encrypted stays private for a duration of time in keeping with local
regulatory standards. As previously mentioned, National Institute for Standards and Technology (NIST)
recommends that data which should remain private until the year 2030 should be encrypted using the
AES protocol with a key length of not less than 112 bits.
Note NIST Recommendation for Key Management Reference NIST Special Publication 800-57 Revision 3
(July 2012) and can be found at the following URL:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
For a Cisco Unified Wireless infrastructure, this equates to the use of WPA2 Enterprise standard, which
employs AES with 128-bit keys.
Enhanced security is required for all users of PHI information, equating to an enterprise-class security
and protection model. The use of WPA or WPA2 pre-shared keys (WPA2-PSK) is simply not sufficient
for the protection of PHI information. This means that all acute and ambulatory environments implement
WPA2 AES-128 or better using dynamic per-user, per-session encryption keys.
A wireless Cisco MGN includes the following security attributes:
802.1X for strong supporting ePHI mandated requirements including unique userid/password
mandate, providing mutual authentication (user to network, and network to user) and dynamic
per-user, per-session encryption keys
AES-128 for highly secure data encryption meeting NIST recommendations for data privacy. At
present, WPA2 Enterprise supports only AES-128
Integration with the Cisco Identity Service Engine (ISE)
Wireless Intrusion Prevention System (wIPS) capabilities
Management Frame Protection (MFP) for strong cryptographic authentication of the clinical
network

82 EDCS-1182127
Wireless Endpoints
Cisco CleanAir and Cisco Spectrum Expert

Cisco ASA firewall appliance to isolate and inspect real-time traffic of legacy non-security
compliant wireless devices
Cisco ACS Appliance for end-user and device authentication
Cisco Prime NCS for single pane of glass end-user management of wired and wireless users
Telephony and Voice Services

Voice communication devices are essential in all medical environments to maintain communication and
receive current information. Because the staff in a medical environment is highly mobile by nature,
support for voice communication devices over a Cisco Unified Wireless Network solution keeps
everyone connected, maximizing workflow efficiency. Voice communication devices can cover a broad
range, including data devices such as a wireless PC or a wireless PDA running voice applications. The
focus of this section is to provide further information on wireless devices that enable VoIP
communication within the medical environment. Table 7 provides the common VoIP communication
devices that are seen in a hospital environment. It does not include 802.11-enabled cellular phones that
may primarily be used for data access.
Table 7 VoIP Devices in Hospital Environments
Type of Device Users Description

Cisco 7921G Caregivers, The Cisco Unified Wireless IP Phone 7921G is an easy-to-use 802.11a/b/g wireless IP
physicians, phone that provides comprehensive voice communications. The phone supports a host of
and support calling features and voice-quality enhancements using WMM.
staff
Cisco 7925G Caregivers, The Best in KLAS award was given to the Cisco Unified Wireless IP Phone 7925G. An
physicians and easy-to-use 802.11a/b/g wireless IP phone that provides comprehensive voice
support staff communications. The phone supports a host of calling features and voice-quality
enhancements including G.722 and 802.1e/WMM. The 7926G offers 240 hours of
standby time and 13 hours of talk time.The 7925G is CCX v4.0 compatible. Support for
Vocera voice driven workflow is supported using the Vocera Connect product. See
http://www.vocera.com/index.php/voice/applications/cisco for more information.
Cisco 7926 Caregivers, The best in KLAS award was given to the Cisco Unified Wireless IP Phone 7926G. An
Bar Code Enabled physicians and easy-to-use 802.11a/b/g wireless IP phone that incorporates a bar code scanner while
Handset support staff providing comprehensive voice communications. The phone supports a host of calling
features and voice-quality enhancements including G.722 and 802.1e/WMM. The 7926G
offers 240 hours of standby time and 13 hours of talk time. The 7926G is CCX 4.0
compatible. Support for Vocera voice driven workflow is supported using the Vocera
Connect product. See http://www.vocera.com/index.php/voice/applications/cisco for
more information.
Vocera B1000A/ Caregivers, The Vocera communications badges are lightweight, wearable, voice controlled
B2000 physicians and communications devices using 802.11b/g. The B2000 supports WMM.
support staff

EDCS-1182127 83
Wireless Endpoints
Table 7 VoIP Devices in Hospital Environments (continued)
Vocera B3000 Caregivers, The Vocera communications badges support 802.11b/g and are lightweight, wearable,
physicians and voice-controlled communications devices using 802.11b/g. The B3000 provides three
support staff hours of talk time and 45 hours of standby time.
Cisco Jabber Physicians/ Turn your PC, Mac, iPhone, iPad, Android, Nokia, and Blackberry device into a
For PC, Mac, nurses/visiting full-featured Cisco Unified IP Phone. Cisco Jabber delivers enterprise telephony calling
iPhone, iPad, nurses features and corporate directory lookup directly from the native screens and interface
Android, Nokia, and found on the device. Easy access to presence, IM, voice and video, voice messages,
Blackberry desktop sharing, and conferencing is supported. See http://www.cisco.com/go/jabber
Figure 38 Cisco 7921G Phone in Charger and 7925G and 7926G Phone
The use and variety of wireless-enabled devices continues to grow because of a variety of drivers,
including:
Hospital staff (caregivers, physicians, and support staff) are naturally mobile.
WLAN technology and the expansion in health care settings is providing ubiquitous coverage.
The support of higher CPU-capable mobile devices and the widespread adoption of 802.11-based
technology at home, office, and while traveling
Decreased dependency on voice-based cellular plans and an increasing tendency for data-only
cellular plans (802.11/3G/4G LTE tables, for example)
The emerging adoption of hotspot 2.0 by carriers to offload their cellular networks.
(http://www.cisco.com/en/US/solutions/collateral/ns341/ns524/ns673/white_paper_c11-649337.ht
ml)
Affordability of these devices is making it more economical for everyone to have including staff,
patients, and guests.
For the professional the convenience of having single number reachability made possible through
Cisco Unified Mobility.
Given the large variation of devices seen in the hospital environment, some key network considerations
must be addressed. Finding a common framework to support variation is a challenge as devices may and
will behave differently.
Quality-of-Service (QoS)
In the past, WLANs were mainly used to transport low-bandwidth, data-application traffic. With the
expansion of WLANs into verticals such as healthcare, WLANs are used to transport high-bandwidth
data applications, in conjunction with time-sensitive multimedia applications.

84 EDCS-1182127
Wireless Endpoints
Because of the sensitivity of VoIP traffic to factors such as packet loss, jitter, and delay, the Cisco Unified
Wireless Network suite of products supports Wi-Fi MultiMedia (WMM) standards as the framework for
the QoS designs. As a range of other wireless devices will also be introduced in the hospital network to
support voice, determining the compliance of these devices to the WMM standards helps to create a more
stable environment to deliver voice.
Wi-Fi Multimedia
Wi-Fi Multimedia (WMM) has been published by the Wi-Fi Alliance and is based on IEEE 802.11e and.
WMM provides for QoS, Power Save, and admission control. Some of the key functions of WMM are
as follows:
ClassificationWMM uses the 802.1P classification scheme developed by the IEEE to classify
data.
QueuesThis classification is used to assign packets to queues. Each queue uses different
parameters for the Random Backoff Window in case of a collision. If more than one frame from
different access categories collides internally, the frame with the higher priority is sent and the lower
priority frame adjusts its backoff parameters as though it had collided with a frame externally. This
system is called enhanced distributed coordination function (EDCF). (See Figure 39.)
Figure 39 WMM Queues
Guest Access
EHR/Clinical
Location RFID TeleMedicine Telemetry
Applications
Tags
Background Best effort Video Voice

227879
Traffic Specification (TSPEC)An 802.11e admission control model that allows an 802.11e client
to signal its traffic requirements for prioritized access to the AP through the use of two variables,
the EDCF option and the controlled access options provided by the transmission opportunity
(TXOP).
Enhanced Distributed Channel Access (EDCA)A method that allows high-priority traffic a higher
chance than low priority traffic to wait less before sending a packet. This model requires the TSPEC
parameters defined on the endpoint. For voice traffic, this feature allows voice packets to be
delivered with less delay and jitter.
QoS Basic Service Set (QBSS)Information elements that are advertised in beacons by the AP and
the parameters are used by the 7921G, 7925G, and 7926G phones to determine the best AP with
which to associate.

EDCS-1182127 85
Wireless Endpoints
Unscheduled automatic power-save delivery (U-APSD)A feature that allows the voice client to
synchronize the transmission and reception of voice frames with the AP, which allows the client to
enter power-save mode between the transmission/reception of each voice frame tuple. Another
added benefit is to increase call capacity because of efficiencies gained by the AP.
For more information on Wireless QoS, refer to the Voice over Wireless LAN Design Guide at the
following URL: http://www.cisco.com/go/designzone.
There are many different classifications of wireless clients as discussed previously in this chapter.
Because these devices have very different traffic patterns and assumed levels of reliability and
predictability, it is important to discuss outside influencers which can negatively affect the reliability of
some wireless-based medical devices.
One common example is that of voice traffic. Within a healthcare environment it is critical because of
the mobile nature of caregivers and their ever increasing reliance on connectivity throughout the entire
healthcare facility. As such, it is critical that the VoWLAN network be architected end-to-end so that
high availability can be achieved within the hospital and associated outlying buildings. To provide
guidance in the proper deployment of VoWLAN solutions, Cisco has published a design guide that
covers 7921G, 7925G, and Vocera endpoints. This Unified Communication Cisco Validated Design
document as well many others can be found at http://www.cisco.com/go/designzone.
Cisco further recommends that wireless systems be integrated in accordance with the US FDA
document, Draft Guidelines for Industry and FDA Staff Radio Frequency Wireless Technology in
Medical Devices at the following URL:
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077210.htm
Proper coverage for voice dictates that there is a 20 percent (2.4 GHz) and approximately 1520 percent
(5 GHz), which is above and beyond WLAN data design guidelines. In addition, the optimal VoWLAN
cell boundary recommendation is -67dBm, and the separation of cell should be 19 dBM. For voice
traffic, a unique SSID should be dedicated for VoIP traffic. Proper site survey is essential to plan for any
site deploying voice. In addition to these basic factors, additional considerations include:
Coverage models to support elevators, stairwells, parking lots, and outside zones because a large
campus may need to support staff in all these locations for reachability. Assessment tools such as
A2Q (assessment to quality) and site surveys should be strictly followed.
Use the tools offered in WLC to collect statistics for troubleshooting, such as AP delay, packet loss,
radio statistics of the overall RF environment, because they can be helpful in finding trouble spots.
WCS also provides historical reports that correlate user issues with network issues that find potential
capacity issues. To provide an overall view of WLAN health, the WCS provides reports of the AP
power and channel changes over time.
(See Figure 40.)

86 EDCS-1182127
Wireless Endpoints
Figure 40 APs with 20 Percent Overlap
222947
Roaming
Another factor affecting voice quality is the amount of physical movement of mobile handset users.
Devices such as laptops may need mobility, but once in use the likelihood for movement drops
significantly. However, Cisco 7921G, 7925G, 7926G, Vocera badges, and other smartphones and tablets
are highly likely to experience movement while in use. This mobile characteristic drives the need for fast
and secure roaming. The wireless client is 100 percent responsible for determining when to roam. The
client uses factors such as data retries, RSSI, SNR, and other schemes. The network can affect the speed
in which the roaming can occur once the client begins the roaming process. Once the new AP is chosen,
there is also a need to re-authenticate with the new AP because security must be preserved after the roam
has occurred.
To facilitate fast secure roaming, a method offered is the Cisco Centralized Key Management (CCKM)
and Proactive Key Caching (PKC). These advanced roaming mechanisms allow a WLAN client to roam
to a new AP and re-establish a new session key, known as Pairwise Transient Key (PTK), without having
to perform a full 802.1X/EAP re-authentication involving the RADIUS server.
IP Address Changes
When a client roams from one AP to another, it may require a new IP address. If a client requires a new
IP address, actions that might be required by the client include:
Acquiring a valid IP address via DHCP
IP duplicate address detection
Mobile IP signaling (if required)
Virtual Private Network (VMP) Internet Key Exchange (IKE) signaling (if required)
Note It is recommended to prevent the reassignment of new IP addresses within a health care campus. This is
because of a bad practice that is emerging that middleware vendors use, mapping the IP address of a
mobile device to a user. Subsequent alarms and/or alerts are sent to the mobile device using the IP
address. Any dynamic changes to the IP address may result in an alarm or other critical alert to be sent
to the wrong device, or not delivered at all. This is an area that the IEC-80001 focused risk manager
should evaluate before deployment.

EDCS-1182127 87
Wireless Endpoints
In a Cisco WLC deployment, client IP addresses do not change when they roam within the same mobility
group. WLC deployments support client roaming across APs managed by one or more WLCs in the same
mobility group on the same or different subnets. In non-FlexConnect environments, this roaming is
transparent to the client because the session is sustained and a tunnel between the WLCs allows the client
to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains
active.
Clients roaming without a Cisco fast secure roaming protocol (CCKM or PKC), will typically send a
DHCP request asking for their current IP address. In a Cisco WLC environment, the WLC infrastructure
will ensure the client stays on the same subnet and can continue to use its old IP address. Next, the client
will typically perform duplicate address detection by pinging its own IP address and ensuring there are
no replies from WLAN clients using that same address. If a client is running mobile IP or VPN, those
protocols would run after the IP address is verified unique.
Note In environments where multiple DHCP servers provide DHCP services to wireless clients, a problem can
be encountered when the DHCP servers are configured to provide addresses out of assigned blocks of
address space within a given subnet or scope. DHCP Server A assigns 10.10.10.1127 and DHCP server
B assigns 10.10.128253. When one of the DHCP servers is offline (failure, scheduled maintenance, and
so on) and a mobile handset attempts to renew its IP address (typically at the midpoint of the DHCP
lease time), it fails. As such, the device acquires a new IP address by issuing a DHCP request and
reregisters with its call control. This is because the surviving DHCP server sees this request as a new
host on the network and assigns it a new IP address. The result for some middleware products is a failure
to deliver a critical alert or alarm because the relationship between the IP address and the intended end
user has changed.
Security
As stated many times throughout this document, in the healthcare environment, because of the nature of
the data being transported (especially PHI), security is critical. Control of the WLAN access relies on
the principles of Authentication, Authorization and Accounting (AAA), augmented by encryption to
insure privacy. For a more in depth view on wireless security focused on voice see the Voice over
Wireless LAN Design Guide. For a more thorough and system focused view of wireless security see the
Secure Wireless Design Guide and Mobility Design Guide. All of these documents can be found at
Authentication/Encryption
Authentication options:
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP-Transport Layer Security (EAP-TLS)
EAP-Tunneled Transport Layer Security (EAP-TTLS)
EAP-Protected Extensible Authentication Protocol (EAP-PEAP)
EAP-Pre-Shared-Key (EAP-PSK)
Encryption options:
WPA/WPA2 Personal (uses Pre-Shared Keys)
WPA/WPA2 Enterprise (uses 802.1x and a backend RADIUS server for authentication)
WEP with Temporal Key Integrity Protocol (TKIP)
Advanced Encryption Standard (AES)

88 EDCS-1182127
Wireless Endpoints
Fast roaming protocol options

Cisco Centralized Key Management (CCKM)
There are a wide variety of devices with varying capabilities on the network that limit options, but for
Voice over WLAN, if possible, WPA is recommended for authentication and encryption with EAP-FAST
as the EAP mode and CCKM for roaming key management. Support for CCKM with EAP-FAST
requires Cisco Compatible Extensions (CCX) v3 or higher.
The LEAP, PEAP, and EAP-FAST protocols typically require each user in a network environment to be
authenticated with a unique set of credentials. However, each badge must have the same security
properties so the Vocera Server can automatically update badges when necessary. Consequently, Vocera
supports device authentication, not user authentication. All badges must present the same set of
credentials for network authentication.
Applications such as voice running on client devices require fast reassociation when they roam to a
different AP to prevent delays and gaps in conversation. Vocera badges do not support fast, secure
roaming, so to provide fast roaming and a reasonable level of authentication security and encryption,
WPA-PSK with TKIP should be used with the Vocera badge (pre-B2000).
With the release of the B2000 badges, Vocera added EAP-FAST and WPA-2 support.
Co-Existence issues with other Biomedical Devices

The traffic patterns of voice traffic are wellknown (see section below). This is constant rate traffic with
no burstiness. When designing the network, the bandwidth required for the maximum number of
concurrent calls along with the traffic generated by biomedical devices and other devices (such as guest
services) using the same access point should be taken into consideration.
Traffic Patterns
There are two sources of traffic with VoIP end devices. The first is the traffic generated by voice calls.
Cisco wireless phones have color displays that can be used to provide services on the phone. Standard
applications include extension mobility, directories, stock reports, weather reports, and other
productivity tools. In the healthcare environment, this capability allows the close coupling of the Cisco
Unified Communications system with healthcare-specific applications. One example is the Nurse
Connect application that interfaces the Rauland Responder IV nurse call system with the Cisco Unified
Communications System. This allows the nurse associated with a room to be immediately notified when
a patient pushes a call button. They can then call the patient back with a single button press. This is
accomplished using XML messages. This is the second source of traffic.
Voice Services
Traffic for VoIP calls is typically steady state, calculated based on the codec used. Two common codecs
are G.711 and G.729. Because voice samples are taken at a predefined number of milliseconds, the data
rate is constant. For example G.711 sample rates are often 20ms, and G.729A is typically 10ms. Another
factor for the overall bandwidth is the IP header.
For example, G.711 has an input bandwidth of 64 kbps with a sampling rate of 20 ms, which
translates to 50 pps (packets per second) with a payload size of 160 octets plus a 40 octet fixed size
overhead for IP/UPD/RTP headers. The bandwidth results in 80 kbps.
Using G.729a, which has an input bandwidth of 8 kpbs and sampling at 10 ms, this translates into
50 pps with a payload size of 20 octets. Adding in the IP/UDP/RTP header, the resulting bandwidth
is 24 kbps. These per call bandwidth settings should be used in the overall bandwidth sizing effort.

EDCS-1182127 89
Wireless Endpoints
Another important parameter in VoWLAN planning is call capacity, which is the number of
simultaneous VoWLAN calls that can be supported in an area. This value can vary depending upon
the RF environment, the VoWLAN handset features, and the WLAN system features. For example,
the VoWLAN maximum capacity for a Cisco Unified IP Phone 7921G using a WLAN that provides
optimized WLAN services (such as the Cisco Unified Wireless Network). Details on call capacity
planning on current releases can be found in the Voice over Wireless LAN Design Guide at
Figure 41 Typical VoIP Call
Application Services
The application traffic consists of HTTP XML messages between the application server and the phone.
These messages are typically short and sporadic. This traffic is encrypted at the WLC with the encryption
mechanism defined on the WLC. Traffic should be minimal, and provide minimum impact on the
wireless network.
HIPAA/FDA Concerns
Patient information that could potentially be classified as PHI may be discussed over voice channels and
could be included in information exchanged by applications running on the phone. Both voice and XML
traffic exchanged with the phone are encrypted with the method configured on the WLC. As always,
there are tradeoffs. For example it was stated earlier in this document that data which should remain
private until the year 2030 should be encrypted using the AES protocol with a key length of not less than
112 bits. WPA2 uses 128-bit keys. WPA2 with AES encryption prevents secure fast roaming. Then it
comes down to the importance of protecting data for a very long time or possibly dropping calls.

90 EDCS-1182127
Wireless Endpoints
Wireless Guest Services

The implementation of a wireless guest network uses a hospitals existing wireless infrastructure as
possible to avoid the cost and complexity of building a physical overlay network. Additional elements
and functions are needed:
A dedicated guest WLAN/SSIDImplemented throughout the campus wireless network wherever
guest access is required.
Guest traffic segregationRequires implementing Layer 2 or Layer 3 techniques across the campus
network to restrict where guests are allowed to go.
Access controlInvolves using embedded access control functionality within the campus network
or implementing an external platform to control guest access to the Internet from the enterprise
network.
Guest user credential managementA process by which a sponsor or lobby administrator can
dynamically create and assign unique guest accounts for wireless guest users.
Healthcare Guest Access Services

Typically, wireless guest access is enabled by using Ethernet in IP (RFC3378) within the centralized
architecture. Ethernet in IP is used to create a tunnel across a Layer 3 topology between two WLC
endpoints. The benefit of this approach is that there are no additional protocols or segmentation
techniques that must be implemented to isolate guest traffic from the enterprise. Figure 42 shows an
example of guest access topology using a centralized WLAN architecture.

EDCS-1182127 91
Wireless Endpoints
Figure 42 Centralized Controller Guest Access
Internet
Cisco Identity
Prime Sevices
NCS WCS Engine
WLC Anchor
DNS WEB
Controller
Clinical
Systems
Campus
WISM2/
Foreign WLC
LWAPP LWAPP
292845
Guest WLAN
Medical IT WLAN
A WLC is located in the hospital data centers DMZ where it performs an anchor function. This anchor
controller is responsible for terminating EoIP tunnels that originate from other hospital WLCs
throughout the network. These foreign controllers are responsible for termination, management, and
standard operation of the various WLANs provisioned throughout the hospital, including one or more
guest WLANs. Guest WLANs, instead of being switched locally to a corresponding VLAN, are instead
transported via an EoIP tunnel to the anchor controller. Specifically, guest WLAN data frames are
encapsulated using CAPWAP from the AP to the foreign controller and then encapsulated in EoIP from
the foreign WLC to a guest VLAN defined on the anchor WLC. In this way, guest user traffic is
forwarded to the Internet transparently, with no visibility by, or interaction with, other traffic in the
healthcare network.
WLAN Controller Guest Access Option

The Cisco WLC Guest Access solution is self-contained and does not require any external platforms to
perform access control, web portal, or AAA services. All these functions are configured and run within
the anchor controller. However, the option exists to implement one or all of these functions externally.
Supported Platforms
The anchor function, which includes tunnel termination, web authentication, and access control is
supported on the following WLC platforms (using WLC firmware version 4.0 and later):
Cisco 5500 Series

92 EDCS-1182127
Wireless Endpoints
Cisco 6500 Series (WiSM)
Auto-Anchor Mobility to Support Wireless Guest Access

Auto-anchor mobility, or guest WLAN mobility, is a key feature of the Cisco Unified Wireless solution.
It offers the ability to map a provisioned guest WLAN to one or more (anchor) WLCs by using an EoIP
tunnel. Auto-anchor mobility allows a guest WLAN and all associated guest traffic to be transported
transparently across an enterprise network to an anchor controller that resides in the Internet DMZ. (See
Figure 43.)
Figure 43 Auto-Anchor EoIP Tunnels
Internet
Cisco Identity
Prime Sevices
NCS WCS Engine
WLC Anchor
DNS WEB
Controller
Clinical
Systems
Campus
WISM2/
Foreign WLC
LWAPP LWAPP 292846
Guest WLAN Traffic CAPWAP or LWAPP WLANs

EoIP Tunnels
Visiting Physicians
In the simplest model, visiting physicians are given internet access through an assignment of a dedicated
visiting physician SSID. This SSID is mapped directly to either a restricted VLAN for campus L2/L3
networks or to a dedicated VRF for MPLS environments. Access to clinical resources is typically limited
based on this VLAN/VRF model. VPN access to their home office or affiliated healthcare organization
is often granted in addition to general Internet services.
Authentication for this set of users should be one of the EAP types discussed earlier. If using a
centralized LDAP based user directory, the visiting physician should use their assigned userid/password.
These accounts can be created in the LDAP server directly (with an account expiration date specified).
Encryption should once again follow the recommended encryption standard for a medical-grade network

EDCS-1182127 93
Environmental and Physical Considerations
because it is assumed that the physician will be interacting with clinical systems and patient information.
In these cases, WPA2 Enterprise would be the recommended level of encryption coupled with an
EAP-FAST for example.
Contractors
Likewise, contractors and vendors are given internet access through an assignment of a dedicated
contractor SSID in many cases. This SSID is mapped directly to either a restricted VLAN for campus
networks or to a dedicated VRF for MPLS environments. Resources are limited based on this
VLAN/VRF model.
Most times, temporary contractors will only require access to their home office, internet services
including SMTP based E-mail, and perhaps a limited set of local resources such as network attached
printers. Open authentication can be used for these users and guest accounts created on the WLC or ACS
servers. If the contractors are involved with the handling of clinical information, their security model
would need to be mirrored to that of the Visiting Physician described above. This is to ensure proper
authentication, logging and encryption is used.
Patients and Guests

Patients and guests will generally fall into a Friends and Family access plan. Most implementations
offers a built-in portal that is used to solicit guest credentials for authentications and offers localization
branding capabilities. Acceptable use policy (AUP) information and disclaimers are also displayed.
A network administrator can create can create a limited privilege account with the WCS that permits a
hospital lobby ambassador access for the purpose of creating guest credentials. Configuration options
available through the WCS include Username, Password and SSID. The SSID is mapped directly to the
family and friends VLAN.
Environmental and Physical Considerations
JCAHO and Infectious Control Risk Assessment (ICRA) Requirements

In the United States, Medicare no longer reimburses healthcare organizations for hospital-acquired
patient infections such as MRSA or other such infections. As a result, many hospitals are enforcing the
use of Infectious Control Risk Assessment protocols in an attempt to reduce the spread of infections
during construction. The installation of cabling and/or access points in many cases falls into the category
of construction.
The Joint Commission requires that the Infections Control Risk Assessment documentation be followed
for construction projects that include the removal or cutting of ceiling tiles. This documentation
(http://www.jcrinc.com/common/Documents/OnlineExtras/PDC09%20Extras/Figure_3-6.doc) requires
that certain pre-cautions be used whenever a ceiling tile is being removed.
To prevent the removal of ceiling tiles, the acute-care facility may employ the use of wireless enclosures
which effectively eliminate the need to remove a ceiling tile when an AP is being replaced or serviced.
Such enclosures should be manufactured to the UL-60601-01 (US) or CSA-C22.2 (Canada) standards
which ensures compliance with biomedical safety standards. The enclosures not only provide infectious
disease control, but can also provide physical security for the wireless access point. (See Figure 44.)

94 EDCS-1182127
Distributed Antenna Systems (DAS) Design and Deployment Considerations for Healthcare
Figure 44 Metro Flo 7.4802.11b/g/a/n Enclosure
The Metro Flo 7.4 enclosure shown above provides support for Cisco's 1240 and 1250 Series access
points supporting 802.11b/g/a/n though the use of a multiband antenna. Other antenna's from such
companies as Cisco and TerraWave and others are also supported by Metro. More information about
these enclosures can be found at http://www.metro.com/flo.
One often overlooked aspect of the use of ceiling enclosures is the added physical security. Many
enclosures, include Metro's Flo 7.4 are lockable, preventing unauthorized access to the AP. This can be
especially useful in secluded public areas where physical security is a concern.
PoE Switches and Console Cables

The use of Power-over-Ethernet (PoE) switches as opposed to power injectors have an added benefit of
providing remote power cycling of an access point. This is accomplished by changing the port on the
PoE switch to an administratively down state, effectively removing power from the AP. Using PoE
switches to remotely power cycle a problem access point during troubleshooting or during redundancy
testing is an excellent method preventing room intrusion and eliminating the need for ceiling tile
removal.
Distributed Antenna Systems (DAS) Design and Deployment

Considerations for Healthcare
Distributed Antenna Systems (DAS) are used to converge multiple RF systems into a common RF
antenna radiator, while at the same time extending the coverage area throughout the building. A primary
driving factor for DAS continues to be extending cellular coverage indoors to connect patients, visitors,
and staff within buildings. For example, cellular phone coverage within the healthcare facility, often
times within patient rooms coverage, is ample as the location is near the windows. Other areas of the
hospital, underground walkways between buildings, for example, would not have adequate coverage.
This problem is extended across many RF-based communication systems including patient telemetry,
pager, and two-way communication systems, to mention a few.

EDCS-1182127 95
DAS benefits include not needing to mount various antenna subsystems and separate cabling in the
ceilings and having a common infrastructure on which the different networks coexist. This leads to
savings on the operational aspects of mounting and cabling particularly in areas where labor is
expensive. In addition, the reduced likelihood of removing ceiling tiles to replace an RF transmitter (RF
transmitters, access points, telemetry transmitter/repeater, cellular phone transmitter, etc.) addresses
JHACO environment of care standard focused around the containment of infectious disease such as
Methicillin Resistant Staphylococcus Aureus (MRSA) per the AIA guidelines and ICRA standard.
DAS systems can be categorized into two basic flavors: passive and active DAS. Passive DAS systems
do not place any amplifiers or electronic signal conversions between the RF signal source (the access
point) and the client device (handset, laptop, etc.). Active systems do place amplifiers and other
electronics in the DAS between the RF signal source and the client devices. Both passive and active DAS
are driven by the active electronics of the RF signal source.
Passive DAS systems can be fairly simple or quite involved. They can consist of an elongated RF radiator
in the form of a leaky coax, or they can use a shielded coax system with multiband antennas attached
to each coax. The purposely designed leaky coax cable approach permits RF radiation to escape from
the length of coax run and effectively provides a constant RF coverage area where it has been deployed,
such as an underground walkway. In leaky coax systems, the antenna is the coax cable. Another
approach is to attach a multiband antenna to the end of each highly shielded coax cable with enough
antennas/cables to cover a floor of patient rooms, for example. In both cases, the various RF radiators
are interconnected to form the passive system (starting from a series of wiring closets and extending
throughout the facility). This means that when an AP needs to be replaced, it can be done without
penetrating the ceiling, which is an advantage for any healthcare environment.
Active DAS systems were initially designed to provide distributed amplification throughout the DAS to
minimize the drive requirements placed on the RF signal sources (i.e., to compensate for the signal
attenuation induced in long coax cable runs). This addressed the signal loss from the AP to the client but
did not solve the signal loss from the client back to the AP. For example, a very low loss and high cost
coax cable that can achieve a 7dB loss per 100-foot at 2.4 GHz (802.11b/g) and 12dB or higher for 5.8
GHz(802.11a).
Eventually, it was necessary to move the amplifier and have it be collocated with each antenna (above
the ceiling) to compensate for the path loss incurred (in both directions) by even the lowest loss coax
cable and connectors. This means that when an amplifier needs to be replaced, it will require penetrating
the ceiling, which is a disadvantage for any healthcare environment.
With the advent of self-healing WLANs (where the controller can detect the loss of an AP and
automatically upwardly adjust the output power of adjacent APs from say 15mW to 30mW for example),
simple fixed gain RF amplifiers were not able to adapt to this technology approach as they were unable
to detect the change in input signal levels generated by the AP. The need for smarter DAS systems arose,
and over time resulted in active DAS systems that are able to dynamically adjust their output signal levels
to match the APs.
Virtually all 802.11 WLAN systems use antenna diversity to provide a means to deliver optimal coverage
to areas impacted by the cancellation of RF energy through multipath interference caused by RF
reflections. For passive DAS systems, this simply required two multiband antennas and doubled the cost
of the coax cable system. Active DAS systems, on the other hand, required duplicate RF amplifiers in
addition to the double cost of the coax and antenna system. For this reason, most active DAS systems
eliminate antenna diversity in order to reduce their cost for 802.11-based deployments. The resulting
solution change could lead to the creation of small null coverage areas that could result in one-way audio
or dropped calls.
With rapidly evolving 802.11-based technologies, and the specific RF characteristics of some 802.11
wireless clients, the use of DAS should be carefully considered, and if implemented, should be done by
a fully qualified DAS/WLAN systems integrator. Some examples of technologies or 802.11

96 EDCS-1182127
characteristics that must be carefully considered include but are not limited to the following: radio
management, location-based services, 802.11n (MIMO), client roaming, VoIP, beamforming, and
increased noise floor.
Because the RF antenna system connected through a DAS to an access point covers a larger area, the
ingestion of a larger amount of RF noise from personal Wi-Fi devices, DECT, and Bluetooth results. This
ingestion of interference increases the noise floor that the AP receives. The result may be a lower SNR
of the path between the wireless client and the DAS-connected AP.
To summarize, there are some obvious benefits in using DAS solutions. Remember, DAS solutions are
not solely an 802.11-based technology and do provide obvious benefits for other RF-based systems
(telemetry, cellular, 3G coverage, pager, two-way communication systems). Some benefits are outlined
below. (See Figure 45.)
Figure 45 DAS Architecture
Active DAS (802.11, WMTS, Cellular) Passive DAS - Leakey Coax
DAS
DAS
4thFL LWAPP
LWAPP
DAS
DAS
3rdFL LWAPP
LWAPP
DAS
DAS
2ndFL LWAPP
LWAPP
DAS
DAS
1stFL LWAPP
LWAPP
DAS
DAS
Ground
227837
LWAPP
DAS Benefits
ConvergenceAbility to carry multiple wireless access technologies, allowing the building planner
to provide coverage for many diverse RF services, such as cellular phone, two-way radios, paging,
Wi-Fi, and medical telemetry systems on a single shared antenna system.
Operational savingsInformation technology, biomedical engineers, and voice communication
managers can deploy a number of wireless technologies with a single converged antenna system.
Physical security for network and RF equipmentIn the case of 802.11, the access points are
secured in a locked wiring closet rather than on ceilings near users desks; thereby reducing the
likelihood of damage or theft.
Network maintenanceEasier configuration, maintenance, and replacement of RF equipment
including access points because they are located in a single, easily accessible location.

EDCS-1182127 97
Increased compliance with the Joint Commission (JCAHO) Infection Control Risk Assessment
(ICRA) requirements during RF hardware replacement if mounted above ceiling tiles. Placing Cisco
APs above the ceiling tiles in healthcare environments is not recommend (see the Environmental
and Physical Considerations section on page 94).
As described above, there are a number of considerations in using DAS systems. Many of these benefits
apply to other (non-802.11) RF communication systems. It may make sense to deploy DAS solutions to
address coverage issues around these other technologies to provide a pervasive coverage for any number
of other services beyond 802.11.
Wi-Fi over DAS Considerations

Wi-Fi and DAS can coexist in two ways: as two independent overlay networks each with their own
cabling and antennas deployed in the ceiling or as Wi-Fi deployed over DAS (Wi-Fi access point is
placed in the closet while DAS antennas act as the extension for the Wi-Fi external antennas). In the
former case, there is no interaction between either technology because of the use of disparate networks.
In the latter case where only the DAS antennas are installed in the ceiling, the DAS must be carefully
selected; otherwise, the Wi-Fi system may suffer limitations. Details vary specific to the implementation
and models offered by the various DAS vendors:
General Performance impactsPerformance, such as client capacity and throughput, is highly
dependent on site design, AP density, RF signal level, coverage overlap, increased noise floor, and
proper WLAN controller settings. Many DAS systems require manual configuration of Wi-Fi
transmit power and may require automatic performance optimization mechanisms within radio
management to be disabled.
Performance impacts for 5 GHz (802.11a and 802.11n)With some DAS designs, performance may
be degraded unless it is possible to reuse all 5 GHz channels in order to maximize network-wide
throughput and capacity. Performance may also be degraded unless the DAS system design fully
accounts for the higher attenuation in the antenna system at 5 GHz.
Performance impacts for MIMO 802.11To support multiple spatial streams requires multiple
transmit and receive radios individually coupled to an antenna. A MIMO antenna has a radiating
element for each radio. Cisco 802.11n access points have either internal MIMO antennas or
externally mounted ports for MIMO antenna attachment. Cisco MIMO antennas are designed to
work effectively with less than a wavelength separation. If a MIMO client has a distance separation
from the AP such that the client only hears 1 element of the APs MIMO antenna then multiple
spatial streams will not work. Likewise, Ciscos ClientLink which uses beam forming from two of
the MIMO elements will not work. The 2.4 GHz and 5.8 GHz wave lengths are approximately 12.5
centimeters and 5.4 centimeters respectively. Maximum ratio combining (MRC) uses the signals
received on each element of the MIMO antenna to combine the signals at the AP to maximize
reception. Antenna elements outside the coverage of the signal of the client will not have spatial up
stream support. Some DAS vendors have implementations for supporting 802.11n MIMO.
Customers should carefully evaluate and validate that these systems meet their requirements and
perform to expectations. Reduced MIMO support will affect overall performance of the WLAN.
Radio ManagementWi-Fi over DAS solutions may require static configuration of AP channel and
transmit power levels. Dynamic radio management features, including RM, rogue AP detection, and
wireless intrusion protection should be carefully reviewed within the total WLAN solution offering
when Wi-Fi is deployed over DAS to ensure that all functionality meets their requirements. In a
dynamic RF environment as commonly found in healthcare environments, such static configuration
may or may not be acceptable to customers.

98 EDCS-1182127
Location-Based Services (LBS)In a healthcare environment, LBS over Wi-Fi is expected to

accurately locate wheelchairs, heart-pumps and other mission-critical resources. LBS systems are
designed by the manufacturer to work within the expectation of specific deployment parameters.
Customers with a requirement for LBS should carefully specify their requirements to the DAS
vendor and/or systems integrator to confirm that the design will adequately support LBS deployment
parameters. They should verify any claims to location accuracy using the Wi-Fi LBS system with a
Wi-Fi over DAS solution.
VoiceVoice over WLAN is quite popular in the healthcare environment particularly for nurses and
staff to communicate effectively. There are several attributes to confirm in relation to this:
VoWLAN QoS and overall service levels require proper signal strength and diversity antenna
support.
VoWLAN requires an appropriate density of Access Points to provide capacity (density
of phones per coverage area and signal coverage) so roaming works seamlessly.
As 802.11-based technologies evolve, so too must the DAS systems to which they are connected. DAS
vendors take different technology implementation, design, and deployment approaches in receiving and
radiating RF signals for Wi-Fi. For this reason, Cisco Technical Assistance Center (TAC) does not
support DAS systems. However, Cisco TAC does provide support for non-RF related issues in Cisco
products per the customer's support agreement with Cisco Systems.
In summary, Cisco does not certify, endorse or provide RF support for Wi-Fi deployments over any
distributed antenna system. The DAS vendor and/or systems integrator is solely responsible for the
support of the DAS products and for providing adequate RF coverage and supporting any RF-related
issues. This support includes, but is not limited to location accuracy, RF coverage, roaming issues related
to RF, multipath issues, and scalability. Additionally, the DAS vendor and/or systems integrator is
responsible for understanding that the deployed DAS system meets the requirements of all of the
customers Wi-Fi devices and applications over the DAS system; this statement includes, but is not
limited to, all VoWLAN and medical devices.
Although Cisco TAC and field teams do not provide support for RF issues that arise in a Cisco WLAN
used over a DAS, they will provide support for non-RF-related issues in Cisco products per the
customers support agreement with Cisco Systems.
Cisco Recommendations when Working with DAS Vendor

The following are Ciscos recommendations when working with a DAS vendor:
Design and deploymentWi-Fi over DAS technology requires thorough design, 802.11 WLAN,
and RF expertise. A Wi-Fi over DAS system must be professionally designed, installed, and
configured by an experienced, fully trained and qualified vendor and/or systems integrator.
Signal coverageSelect a vendor with a solution that fully supports the best practices of signal
quality and signal coverage. Carefully review the design processes that the vendor uses to ensure
that DAS antenna element density and placement will support the RF power and coverage
requirements of 802.11 applications. Customers should also take care in selecting only a fully
qualified partner for installation and systems integration when deploying Wi-Fi over DAS.
Capacity-AP to client densityCarefully review the Wi-Fi over DAS design to ensure that the DAS
channel and RF design will adequately support the traffic capacity requirements of the 802.11
devices and applications.
Client roamingCarefully review the Wi-Fi over DAS design to ensure that DAS channel and RF
design will adequately support the roaming requirements of the 802.11 applications.

EDCS-1182127 99
Location-Based Services (LBS)LBS systems are designed by the manufacturer to work within
specific deployment parameters. Customers with a requirement for LBS either at the time of the
installation or in the near future should carefully specify their requirements to the DAS vendor
and/or systems integrator to confirm that the design will adequately support LBS, and any claims to
location accuracy using the DAS antenna system with a Wi-Fi over the DAS solution.
Radio Management (RM)Wi-Fi over DAS solutions may require static configuration of AP
channel and transmit power levels. Customers choosing Wi-Fi over DAS should carefully review the
total WLAN solution offering to ensure that value added dynamic radio management features,
including RM, rogue AP detection, and wireless intrusion protection, all meet their requirements.
802.11n MIMOSome DAS vendors have implementations for supporting 802.11n MIMO.
Customers should carefully evaluate and validate that these systems meet their requirements and
perform to expectations.
For more information about Ciscos official position on DAS solutions as they pertain to 802.11-based
deployments, refer to the following URL:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/positioning_statement_c07-5654
70_ps272_Products_Data_Sheet.html

100 EDCS-1182127

MGN Wireless Arch

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

MGN Wireless Arch

Hochgeladen von

Copyright:

Verfügbare Formate

Cisco Medical-Grade Network (MGN) 2.

About the Authors

Stuart Higgins, Healthcare Enterprise Architect, Cisco Smart Business

Curt Mah, Technical Marketing Engineer, CMO ESE, Cisco Systems

2 Cisco Validated Design

Mobility Services Engine (MSE) 38

Copyright 2012 Cisco Systems, Inc. All rights reserved

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Wireless Overview in Healthcare

Importance of Wireless in Healthcare

Mobile Nature of Caregiver

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 1 MGN and the Continuum of Care

Mobile Nature of Bio-Medical Devices

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 2 Patient Mobility

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 3 Location-Based Services

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

IEC 80001-1:2010Application of Risk Management for IT Networks Incorporating Medical Devices

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 5 Cisco Lifecycle Services Approach

Prepare Plan Design

Develop a business Assess readiness to Create a detailed design

Optimize Operate Implement

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Other Regulatory Bodies

Strong Authentication and Encryption

Table 1 Authentication and Encryption Policies

WLAN Security Mechanisms

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Table 1 Authentication and Encryption Policies (continued)

Wireless Uses in Healthcare

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Location-Based Services

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 6 Traditional AP Placement

To provide an AP perimeter, deploying APs on multiple axes as well as establishing a complete AP

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 8 Establishing an AP Perimeter

LWAPP LWAPP LWAPP LWAPP

LWAPP LWAPP LWAPP

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 9 Non-Stacked Access Points

4th Floor AP Layout

LWAPP LWAPP LWAPP

3rd Floor AP Layout

LWAPP LWAPP LWAPP

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Guest Access Services

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

QoS policies placing guest access below that of clinical usage

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 10 Metro Flo 1760 Mobile Workstation

Wireless Architecture Overview

Cisco Medical-Grade Network (MGN) 2.0Wireless Architectures

Figure 11 Wireless Architecture

Third Party Integreation