Beruflich Dokumente
Kultur Dokumente
0
Wireless Architectures
Last Updated: August 4, 2012
EDCS-1182127
About the Authors
Introduction 8
Protected 8
Responsive 9
Interactive 10
Resilient 10
Summary 11
Wireless Overview in Healthcare 12
Importance of Wireless in Healthcare 12
Mobile Nature of Caregiver 12
Mobile Nature of Bio-Medical Devices 13
Voice Services 14
Location-Based Services 15
Privacy Concerns 17
HIPAA Compliance 17
IEC 80001-1:2010Application of Risk Management for IT Networks Incorporating Medical
Devices 18
HITRUST Alliance 19
Other Regulatory Bodies 20
Strong Authentication and Encryption 20
Wireless Uses in Healthcare 21
Biomedical Devices 21
Voice 22
Cisco Location-Based Services 22
Security 27
Guest Access Services 27
Clinical Access 28
Wireless Architecture Overview 29
Access Point 31
Indoor Cisco Access Points 31
Wireless LAN Controller (WLC) 33
Design Considerations 35
Authentication 36
Wireless Control System (WCS) 37
Cisco Prime NCS 37
3
Contents
4
Contents
RF Design Considerations 88
Security 90
Co-Existence issues with other Biomedical Devices 91
Traffic Patterns 91
HIPAA/FDA Concerns 92
Wireless Guest Services 93
Healthcare Guest Access Services 93
WLAN Controller Guest Access Option 94
Supported Platforms 94
Auto-Anchor Mobility to Support Wireless Guest Access 95
Visiting Physicians 95
Contractors 96
Patients and Guests 96
Environmental and Physical Considerations 96
JCAHO and Infectious Control Risk Assessment (ICRA) Requirements 96
PoE Switches and Console Cables 97
Distributed Antenna Systems (DAS) Design and Deployment Considerations for Healthcare 97
DAS Benefits 99
Wi-Fi over DAS Considerations 100
Cisco Recommendations when Working with DAS Vendor 101
5
Cisco Medical-Grade Network (MGN)
2.0Wireless Architectures
Introduction
The Cisco Medical-Grade Network (MGN) architecture is based on the set of best practices that apply
to each foundational network technology. The definition of the term medical-grade often varies
according to individual expectations. To properly frame the context in which the Cisco MGN 2.0
architectures are based, this guide defines the attributes used to describe a Cisco MGN.
In general, a Cisco MGN has the following basic attributes or characteristics:
Protected
Responsive
Interactive
Resilient
Protected
Healthcare networks world-wide comprise the transmission of data regarding patients ongoing care,
diagnosis, treatment, and financial aspects. From a clinically-focused regulatory perspective, the Health
Insurance Portability Accountability Act (HIPAA) in the United States and the Personal Information
Protection and Electronic Documents Act (PIPEDA) in Canada are usually the first thought in these respective
geographies. In other parts of the world, similar standards exist with much the same intent as HIPAA and
PIPEDA but with varying degrees of specificity.
It is generally accepted that all clinically-focused networks provide a level of security and protection for
information that is either at rest or in-motion. Cisco has a number of security best practices that can be
directly applied to meet the regulatory compliance required by the healthcare organization. There is no
singular way in which networks can be designed to meet the security requirements of organizations.
Therefore, do not assume that this document or any of Cisco's MGN architectures dictate the only
approved method of providing such security measures. This document simply highlights the unique
challenges that medical networks face. An excellent starting point is to examine the best practices found
on Cisco's Design Zone website at http://www.cisco.com/go/designzone.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
A protected medical network is not simply comprised of a set of firewalls at the perimeter of the network,
and it does not end when the information is written to disk or tape. An MGN is considered protected
when the industry best practices are applied to the entire healthcare environment.
Wireless examples that are often overlooked include clinical-workstation client security, not only on the
patient floor but offsite, as is the case with remote clinicians. The methods used for both wireless
network authentication and clinical application/system authentication can be based on a centralized
authentication directory. For mobile wireless devices such as smartphones and tablets, a security policy
must extend beyond the borders of the healthcare network and campus, with specific consideration given
to loss or theft of the device.
Because of the wide scope that security practices play in the healthcare environment, this document
relies on the established set of best practices related to wireless security found on Ciscos Design Zone
website: http://www.cisco.com/go/designzone. Unique considerations above and beyond these best
practices are described throughout this document.
Responsive
The term responsive as it relates to Ciscos MGN is often misunderstood as simply a network latency or
bandwidth-related concern. Although an MGN must exhibit attributes related to high performance, the
term responsive is not applied in that manner.
Instead, the term responsive refers to the set of architectural attributes or characteristics that the network
must exhibit to expand and respond to the changing clinical requirements. These changes are often
driven by new clinical applications such as network-enabled modalities, or new regulatory requirements
such as Medical Device Data Systems (MDDS). In either case, the network must have built-in elasticity
so that it can better respond to new requirements without major redesign, thereby minimizing downtime.
A wireless network that meets all the current requirements placed on it and built using the best practices
found on Cisco's Design Zone is much more likely to be elastic.
For example, when a self-service kiosk is installed in the outpatient area to facilitate self-service
admissions, a credit card is used to identify the patient and begin the intake process. For security, the
network (both wired and wireless) and the data center where the self-service admission, discharge,
transfer (ADT)-based application is hosted must be compliant with Payment Card Industry (PCI)
standards. To be medical-grade, the network must be built so that it can adapt to the PCI requirements.
This requires the wireless network to support Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access 2 (WPA2) using an approved Extensible Authentication Protocol (EAP) method for
authentication. Furthermore, the use of intrusion detection and prevention (IDS)-based systems would
need to be implemented (if not already) in such a way as to detect and alert the network operator during
the early stages of a wireless attack.
From a pure bandwidth and latency perspective, the network must be built to support the implementation
of new applications or modalities. In the example of a 256-slice computed tomography (CT) scanner, the
network should not require a forklift upgrade, but rather provide the ability to expand capacity through
a number of well understood and implemented techniques, as described in the best practices found on
the Cisco Design Zone website (http://www.cisco.com/go/designzone).
In all cases, the ability for the network to be responsive to the new demands placed on it is critical to
maintaining uptime, serviceability, and adherence to regulatory changes. Network designs that do not
take into consideration such techniques do not serve the best interest of the healthcare community and
are therefore not medical-grade as defined by Cisco.
Interactive
Care providers interact with patients and clinical staff every minute of the day in any number of settings.
The interactive attribute as it is applied to Ciscos MGN relates to the ability of the care provider to
seamlessly interact with the network and its related resources. Various technologies exist to extend the
network into one without borders, and can include technologies such as wireless (Wi-Fi, 4G/LTE, 3G,
Bluetooth, and Zigbee). Combining these transport technologies with virtual private networks (VPN) as
well as security and virtual desktop infrastructure (VDI) architectures enables a bring-your-own-device
(BYOD) collaborative-based solution.
The use of wireless technologies is an obvious choice within the healthcare industry as the care provider
is often not tied to a fixed central location. Being able to interact with the clinical resources while mobile
both inside and outside of the hospitals borders is key in providing this interactive characteristic.
For the healthcare provider, primary devices that facilitate efficient patient care include wireless
computers on wheels, wireless 802.11, and dual-mode smartphones and tablets. A wireless network
designed specifically for data-only services does little to provide reliable voice, video, and biomedical
services.
Ciscos best practices with respect to BYOD, wireless, VPN, remote access, wireless, voice over
wireless, video and so on are available on the Cisco Design Zone website:
http://www.cisco.com/go/designzone.
Resilient
Perhaps one of the most well-known attributes of Cisco's MGN is that of resiliency. For the network
engineer, this term typically relates to high availability architectures. Indeed, this is exactly what is
required by the industry for any MGN. Such networks are said to be six sigma compliant, or capable of
achieving 99.999 percent of availability. Achieving such high availability from the perspective of the
care provider is sometimes a significant challenge as it equates to approximately five minutes of
downtime per year. While such availability targets are noble pursuits, from the perspective of the clinical
user they are seldom if ever realized.
Within a healthcare-focused data center, such availability at the network layer can indeed be achieved.
In many cases, however, the applications used to support the clinical user are simply not built to achieve
this level of availability, and often result in scheduled downtimes. These service disruptions are often
because of software upgrades or patches being applied. Other commonly encountered service disruptions
that are often not considered are systems that are outside the administrative control of the hospital IT
staff, such as eligibility applications within the payer space or external clinical laboratory systems.
In the 802.11 wireless world, however, a number of complicating factors make designing a network with
99.999 percent availability even more challenging. The 802.11 bands comprising both the 2.4 GHz and
5 GHz spectrum are unregulated RF domains. The FCC stipulates that for users of unlicensed bands
including the 802.11, each device must expect and accept interference that may affect reliability. This
means that each wireless network deployed will encounter many sources of interference, and must be
designed to identify their sources and mitigate the effects. With effective spectrum management through
Cisco Clean Air, the network administrator has the tools necessary to improve availability through
dynamic mitigation technologies. Cisco Clean Air can be used to rapidly locate and identify sources of
interference, resulting in improved wireless availability.
However, even with the best wireless network design, it may not be possible to build a wireless network
that achieves six sigma availability. Simply put, the RF spectrum is a shared medium and as such, there
is always the chance of outside RF influences, otherwise known as interference. Because hospitals are
public spaces, it is simply not possible to strictly regulate and prevent sources of interference from
entering the environment.
Adding to the problem is the increasing popularity of consumer-class devices such as Wi-Fi (personal
802.11 to 3G/4G/LTE bridges) and Bluetooth devices, which bring what are essentially interference
generators into the clinical workspace. In the case of Wi-Fi, because of the lack of 3G/4G/LTE integrated
into laptops and other personal computing devices, it is expected to see this technology expanded to new
generations of cell phones, which will further increase the potential for interference. Therefore, it is
Cisco's best practice and recommendation to move all critical clinical applications and voice services to
the 802.11a or 5 GHz band.
Even in the unregulated 5 GHz space, there is always a chance of interference generated by other
wireless clients (for example, visitors and patients) or even radar sweeps from local airports or weather
monitoring stations. Many of these interference generators are typically transient in nature, but can
significantly interfere with the workflow of the care provider.
Perhaps the most discussed aspect of wireless reliability involves life safety and patient
monitoring-based systems. In the case of patient monitors, the reliability of the physiological data being
streamed to a central logging/display and archiving system is crucial. These devices are often mandated
in the vendors FDA filing as having to respond to physiological changes with a very small window of
time. For most vendors in this space, the analysis of the telemetry is performed with the use of wireless
connectivity. Resulting alarms are therefore generated and announced locally by the device itself, while
the telemetry information is being streamed to a central station for use by the telemetry nurse. In these
systems, some level of burden must be placed on the wireless devices themselves with respect to
reliability. Unfortunately many such devices have lagged behind the industry in terms of Wi-Fi-based
technological advances, resulting in non-optimal reliability.
Taking into consideration the shortcomings found in some legacy-based biomedical devices, an 802.11
wireless MGN is one that is designed and implemented using the best possible techniques and resulting
architectures. With respect to wireless as compared to wired, such architectures will remain a topic of
further discussion within the industry. At the present, however, the reliability of the overall wireless
network design, excluding outside RF interference generators, is what Cisco considers medical-grade.
Over time, biomedical devices will be improved along with that of the 802.11 or other wireless standards
available. To the industry, however, the best currently available products and deployment architectures
represent the Cisco MGN as it relates to the uniquely challenging wireless network.
Summary
In conclusion, it is important to reflect on the point that the term medical-grade network (MGN)
generates a great deal of discussion, as it should. Given the fact that there are no formal network-specific
standards or metrics that can be applied to determine what constitutes an MGN, the reader should
understand that the best known industry practices when applied properly can achieve what Cisco terms
an MGN.
Such network architectures often comprise the set of attributes as defined in the proceeding section, but
what makes an MGN different from other network architectures is the use of biomedical devices, federal
regulations, and the criticality of systems involved in life safety.
Additionally, technologies evolve, and the underlying techniques used to achieve these standards will
therefore also change. The network architect and engineering teams responsible for the deployment of
medical networks (wired or wireless) must consider the attributes and concerns described above to
provide the best possible service available with the current state of technology, thereby resulting in what
is considered a Cisco MGN.
This document is intended to augment where appropriate and to highlight challenges that must be taken
into consideration that are not described in the set of best practices found at the Cisco Design Zone
website (http://www.cisco.com/go/designzone).
Use of
BYOD devices
Screening
3G/4G services
Portable
connected via VPN
Prevention Diagnosis ultrasound
technologies to aid
wireless
in increased prevention
Cisco
Medical-Grade
Wireless Network Wireless infusion pump
video in ED, Surveillance Treatment delivering monitored
Postop, Recovery treatment regiments
Management
Wireless biomedical
292828
devices providing continuous
patient management
Voice Services
Providing easy to use and reliable voice services to the mobile care provider is yet another means to
improve clinical workflow and ultimately patient care. In a recent Joint Commission on Accreditation of
Healthcare Organizations (JCAHO) study, 84 percent of healthcare providers cited a breakdown in
communication as the number one cause of sentinel events leading to patient injury or death. Many of
these events were caused by delay of treatment or a breakdown in communication among staff members.
A care provider often realizes that something is seriously wrong with a patient, but has difficulty in
locating the staff necessary. These delays can unfortunately result in poor patient care and at the same
time reduce the job satisfaction among caregivers.
Creatively applying voice communications in its many different formats can provide the missing link
that is too often encountered in todays dynamic clinical environments. Adding wireless mobility to
voice communications allows these services to be available to the caregiver no matter where they may
be within the healthcare enterprise. Services include traditional on-net and off-net dialing, voice mail,
adhoc-based group paging, patient and biomedical-based alarms and conference calling, as well as
group-based push-to-talk, all available to the caregiver within seconds.
By enabling rapid communication among caregivers using a variety of formats and extending that reach
regardless of their physical location, is a powerful tool in achieving both higher workflow efficiencies
and better overall patient care.
Given the fact that many healthcare providers have existing 802.11-based wireless networks in place,
adding voice services and leveraging a common infrastructure is a trend that is increasingly popular
within healthcare environments worldwide. One recent healthcare study found that 40 percent of all
cellular minutes used by staff were between care providers within the same building. By leveraging the
dual-mode capabilities of smartphones or incorporating voice within BYOD tablet devices, the care
provider can be provided reliable voice services, further leveraging the 802.11 network. Not only does
this approach reduce costs, but it also extends other information such as presence and access to clinical
systems that otherwise could not be used.
Location-Based Services
In healthcare, being able to efficiently locate a medical asset or another care provider not only saves
money, but in some cases can contribute significantly to the quality of patient care. A recent report
published by the BBC for the UK not-for-profit data standards group GS1 found that 37 percent of the
nurses surveyed spent over two hours per-shift searching for missing items. For details, refer to the
following URL:
http://news.bbc.co.uk/2/hi/health/7881807.stm
The most common items lost were IV pumps, drip stands, thermometers, pharmaceutical storage keys,
and mattresses. For the UKs National Health System (NHS), this accounted for up to 900m or $1.4
billion dollars in wasted wages annually. This is only one healthcare system, and one can argue the
accuracy of the statistics, but ask any care provider about their personal stories of trying to locate
something on a patient floor and in a timely manner and you will quickly conclude the necessity of a
location-based system within all acute healthcare environments.
Note Location-based services can be broken down into various technologies. This document addresses only
active 802.11-based RFID; other RFID solutions based on passive or infrared technologies are not
discussed.
Several methods can be used to provide location-based tracking. The first and simplest is called cell
origin. In this approach, an asset can be tracked to the area serviced by a single access point. In some
environments, this can range from 2500 to 5000 square feet and may be sufficient for inventory
control-based deployments. The cell origin strategy is highly efficient, because it does not need to apply
any complex mathematical formulas to triangulate the position. For inventory control, the accuracy is
sufficient if the goal is to determine at a glance that all particular items are located within the floor. This
approach is also used to track the location of a care provider, allowing others to determine in which
floor/wing/building a physician or ancillary department employee is located. (See Figure 3.)
Depending on the RFID requirements, this approach may meet the requirements of the healthcare
organization. In most healthcare environments, however, such granularity may not be adequate, and
therefore is not considered a best practice for a Cisco MGN architecture.
Distance and RF fingerprinting techniques are the next commonly deployed methods to determine the
location of an asset with much greater accuracy over that of the cell origin-based approach described
above.
To provide near medical-grade location services, it is necessary to triangulate the position of an asset in
two dimensions (X and Y) by recording the receive signal strength indication (RSSI) of an asset by three
or more access points in a single horizontal plane. By using RSSI, tracking is simply a matter of
recording the signal strength of the device by three or more access points and applying a path loss (signal
loss) algorithm to each recorded sample. This sampling information is collected by a location-processing
engine such as that found in the Cisco Mobility Solution Engine (MSE).
In a perfect world, RSSI-based systems would provide reasonable accuracy, but the world is not perfect
and neither is RSSI. This means that as you move away from an access point in one direction and at a
consistent rate, the signal level will in most cases not drop at an equal and linear rate. These signal
fluctuations are caused by obstructions such as walls (open today, closed tomorrow), doors, dietary food
carts, med carts, gurneys, and even human beings.
To combat these issues, a technique called RF Fingerprinting can be applied to the RSSI-based system.
This technique records the RF patterns that exist as a tracked object moves around in the RF
environment. By recording these patterns and applying them to the RF patterns received in real-time,
accuracy can be increased significantly.
For example, to locate and record the RF patterns that exist on a patient floor, the system must be taught
about the patterns. This process is called calibration and requires the recording and physical movement
of a test subject such as an RFID tag, 802.11 wireless phone, or computer on wheels (CoW). Once
collected, the RF pattern information is normalized and statistically groomed to provide accurate path
loss models that can be applied to the location algorithms. The Cisco MSE provides RF
Fingerprint-based location services and if properly calibrated can often provide room-level accuracy.
The value of location-based services is clear, but perhaps the use cases are not. Vendors such as
Aeroscout (acquired by Stanley Black and Decker) produce active RFID tags that can be not only used
to provide location information as described above, but can provide other useful metrics. The Aeroscout
T5b and T5c tags provide external temperature probes that can be used to monitor hospital refrigerators
and freezers that store vaccines, pharmaceuticals, blood, food, patient test results, and other items. The
tags send temperature readings in intervals specified by the administrator (128ms to 3.5 hours)) via the
802.11b/g wireless network. Likewise, the T5h tag provides both real time temperature and humidity
monitoring. When a threshold is exceeded, alarm events can be generated to inform the appropriate
support group within the hospital that an environmental event is occurring.
By taking quick action to such alarm events can prevent the loss of many expensive pharmaceuticals as
well as other precious biomedical items such as blood/plasma and, in some cases, donor organs.
For other assets such as wheelchairs, patient monitors, and even patients, the T4 RFID tag from
Aeroscout features a motion sensor providing real-time updates not only to the location but also whether
the tag is in motion. For wheelchairs and other items, having access to its location and utilization is not
only important to the care provider, but it can provide some useful information that is often overlooked.
To receive federal or state grant monies, healthcare institutions may need to provide positive
confirmation that a certain percentage of the asset in question is used. By monitoring the level of usage
of each asset in question, a healthcare institution can easily provide the asset-tracking report needed to
apply for the grant, while at the same time reducing asset loss because of theft or misplacement.
One final example of location-based services is in providing performance metrics for ancillary
departments throughout the hospital. By data mining, the location of gurneys and wheelchairs, choke
points within the OR, ED, Radiology and so on, can be monitored. Wait times in pre-operation,
post-operation, and Radiology can be tracked, providing highly useful trending data over time as to the
performance and utilization of key areas within the hospital. (See Figure 4.)
Figure 4 AeroScout 802.11 Active RFID Tags with and without Temperature Sensors
There are many other use cases for medical-grade location-based services within the acute healthcare
environment. By using location-based services in both obvious and creative ways, the healthcare
organization can leverage the installed infrastructure while at the same time improve clinical workflow
and patient care.
Privacy Concerns
Although information security is a top priority for any organization, healthcare providers must be
especially diligent in protecting confidential patient data. In addition to the evolving threat posed by
hackers and other intruders, government regulations such as HIPAA establish privacy requirements for
protected health information (PHI).
Network-based applications have transformed virtually every industry, and healthcare is no exception.
Solutions that allow access to EMRs, medical management systems, imaging, biomedical information,
material management, patient accounting, admitting information, and online claims submissions are
becoming commonplace in wireless, wired, and mobile scenarios.
Because the overall network security is only as strong as its weakest link, providers need to be as certain
as possible that wireless LANs (WLANs) are providing the same level of access control and privacy as
wired LANs. In contrast to a wired LAN, in which a physical connection controls access to the network,
WLANs broadcast data through the air. Any wireless-enabled device in the area, such as a patients
laptop in a waiting room or a wireless PDA in a neighboring office, presents a potential security threat.
Special security considerations should be made to meet the requirements established by U.S. and
international regulatory bodies and organizations including HIPAA, HITRUST, Data Security Standards
(DSS) and PIPEDA.
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted to safeguard
PHI by mandating procedures and controls to assure the public that critical and private information is
controlled from loss of confidentiality, integrity, or availability.
An organization is subject to HIPAA if it exchanges data related to the healthcare profession. Improper
release of private information has become frequent. News stories often highlight serious infractions such
as public posting of diagnosis and patient information or inadvertent release or loss of personal records.
This law requires that all data on patients be kept secure and private. Wireless security becomes a very
significant part of any healthcare facilitys overall security strategy. Generally, a combination of standard
wireless security standards on clients should be considered to meet HIPAA requirements.
HIPAA audits of hospitals by the U.S. Department of Health and Human Services are becoming more
frequent and increasingly focused on the protection of electronic PHI (ePHI). This is raising awareness
in the healthcare industry about the prospect of more enforcement actions related to the data security
requirements of the federal HIPAA legislation.
The audits being conducted assume that data privacy mandates are already in place in a healthcare
facility. The security rules require organizations that handle electronic health data to implement
measures for controlling access to confidential medical information and protecting it against
compromise and misuse.
More information about HIPAA can be found at the following URL http://www.hhs.gov/ocr/privacy/
IEC/TR 80001-2-2:2012Guidance for the communication of medical device security needs, risks
and controls
IEC/TR 80001-2-3:2012Guidance for wireless networks
Cisco provides consultative services that assist healthcare organizations in all aspects of the MGN
architecture. This includes preparation, planning, design, implementation, operation, and optimization.
By carefully applying a disciplined approach to operating medical networks, healthcare organizations
can be better prepared to operate such networks while reducing risk and improving care. (See Figure 5.)
227931
excellence through through day-to-day technology
ongoing improvements operations
More information about Cisco's consultative services can be found at the following URL:
http://www.cisco.com/go/advancedservices
HITRUST Alliance
Perhaps no other industry can lay more claim to the necessity of wireless technology than that of modern
healthcare. The Health Information Trust Alliance (HITRUST) exists to ensure that information security
becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems
and exchanges. For more information, see the following URL: http://www.hitrustalliance.net/
Information security is critical to the broad adoption of, use of, and confidence in health information
systems, medical technologies, and electronic exchanges of health information. The main goals of
HITRUST are to enable the following:
Collaboration with healthcare, business, technology, and information security leaders to standardize
on a higher level of security to build greater trust
Certifiable framework that any and all organizations in the healthcare industry can implement and
be certified against
The foundation of all HITRUST programs and services is the HITRUST Common Security Framework
(CSF), a certifiable framework that provides organizations with the needed structure, detail, and clarity
relating to information security tailored to the healthcare industry. HITRUST is enhancing and
simplifying security and compliance by delivering cost efficiencies to the healthcare industry by
establishing common, acceptable practices through the CSF, and other collaborative community
initiatives. In addition, HITRUST strives to provide education and guidance, and facilitates
organizations towards meeting the requirements of the CSF.
The HITRUST Alliance is led by a seasoned management team and governed by an executive council
made up of leaders from across the healthcare industry and its supporters. These leaders represent the
governance of the organization, but other founders also compromise the leadership to ensure the
framework meets the short and long term needs of the entire industry. Members of the executive council
can be found at the following URL: http://www.hitrustalliance.net/council.php
Key Distribution One time, Derived from Derived from PMK Derived from PMK
Manual Pair-wise Master
Key (PMK)
Initialization Vector Plain text, Plain text, Extended Initialization Vector 48-bit Packet Number
24-bits 24-bits (IV)-65-bits with (PN)
selection/sequencing
Algorithm RC4 RC4 RC4 AES
Key Strength 64/128-bit 64/128-bit 128-bit 128-bit
Supporting None RADIUS RADIUS RADIUS
infrastructure
Medical-Grade No No Yes1 Yes
1. WPA uses the RC4 encryption algorithm and augments a Temporal Key Integrity Protocol to aid in improving the strength of the encryption
mechanism. Recently, there have been reports that Computer Scientists in Japan have found a way to compromise the encryption.
Biomedical Devices
Biomedical devices such as patient monitors, smart infusion pumps, personal ultrasound, portable x-ray,
and ventilators are the fastest growing population of networked-connected devices in a clinical
environment. Most of the main vendors in this space support 802.11-based wireless LAN capabilities to
provide network access for patient monitors and smart infusion or IV pumps. Vendors must develop risk
analysis-based performance metrics for alarm delivery times, and then design a system to meet those
requirements.
Smart infusion pumps in an acute-care setting usually comprise a relatively large number of wireless
devices. These types of devices are the most mobile in nature because they are in close proximity to the
patient under care. Security involving these devices and the methods available for authentication and
encryption are an important aspect of the deployment of the MGN.
Patient monitors comprise the second largest percentage of biomedical devices in a hospital setting.
Patient monitoring systems are designed to monitor the physiological conditions of a patient using
different metrics. Monitors generally send the vital signs information about patients to a backend central
server on a continuous basis. Unicast or sometimes multicast/broadcast traffic of small but very frequent
intervals (that is, 300 byte, 4x/sec) is used to communicate patient telemetry and alarm data.
The life-critical requirements used for continuous patient monitoring are more critical than smart
infusion pumps, and as a result, network connectivity needs to be engineered appropriately.
Voice
As stated previously, healthcare providers are a highly mobile group of people. Providing these
caregivers with reliable mobile communications by itself dramatically increases productivity by making
the caregivers instantly available for communications, decreasing the time spent tracking down other
caregivers and resources. Integrating these mobile devices with the appropriate clinical applications can
further improve workflow and productivity. One example of the possibilities is nurse call.
In a traditional nurse call system, when a patient pushes a nurse call button, a light is lit outside the
patient's room at a central nursing station. The charge nurse at the central nursing station has to call the
patient and identify the problem. The charge nurse then pages, via an overhead or room pager, to find an
available resource. The nurse must stop whatever he or she is doing and respond to the request. Finally,
the nurse can return to what he or she is doing before being interrupted. By integrating the nurse call
system with mobile communications, when a patient presses the nurse call button, the nurse assigned to
the room is alerted with a message on the phone. The nurse may then press a single button and talk with
the patient to determine the request, and either respond immediately if it is urgent or respond later if it
is not urgent.
Another more specific nurse call example is a code blue alert. Typically, when a code blue is initiated, a
page is sent to all the members of the code blue team. Provided the location of the code blue emergency,
they then begin the response protocol. By integrating wireless phones, collaboration applications, and
code blue alerts, a conference call can be automatically set up between the code blue team members and
nurse call patient device. This provides immediate collaboration with team members who are not present
on the floor in question so as to provide guidance and be aware of the situation prior to attending to the
patient. This can lead to improved patient care by reducing treatment delays.
These are just a few examples of how integrating mobile wireless communications and unified
communications can improve caregiver efficiency and patient care. Others within an acute care setting
include dietary, housekeeping, transportation, security, and various others.
Note Starting in Release 6.0 of the Cisco MSE Context-Aware Engine for tags, non-Cisco compatible
extensions (CCX) compatible tags are not supported.
An LBS system comprises the following items, which are subsequently discussed in further detail:
Wireless Control Server (WCS)
Wireless LAN Controllers (WLC)
Mobility Services Engine 3300
Properly designed RF Network for optimal location resolution
802.11-based wireless devices or active 802.11 RFID tags compliant with the Cisco-compatible
extensions for Wi-Fi tags specification
In healthcare environments, room-level accuracy is the goal, with bed-level accuracy being the
desired golden standard. With location-based technology based on RSSI coupled with RF
Fingerprint capabilities, room level accuracy can be achieved, provided that one of the following
two approaches are used and properly executed:
Exciter-based RFID tagsThese are also referred to as chokepoint triggers and are typically
used at the entrance of a room. When an Exciter-based RFID tag passes near or under a trigger
point, the tag location is communicated back to the MSE. Each Exciter is configured for its
specific location, so location accuracy is greatly improved.
Proper access point placement to achieve three or preferably four access points providing path
loss information to the RFID tag or 802.11-based device with at least -75dBm of signal to the
device being tracked. By creating an AP perimeter that encircles the covered area, accuracy can
be dramatically increased. This technique creates what is called a convex hull and is discussed
in detail in the supporting Location-Based Services Design Guide found on the Design Zone
website at the following URL:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/wifich5.html#wp1051949
Note Placing APs within patient rooms is acceptable by many healthcare organizations in most cases.
Some healthcare environments serving the mental health and incarcerated communities may not
find a surface mounted AP acceptable. In such settings, using a locking enclosure or locating the
AP above the ceiling tile enclosed within an enclosure is recommended. Integrated ceiling tile
antennas may not be supported by the Cisco TAC, and have been found to produce less than
optimal location accuracy.
Historically, hospital wireless access point placement was commonly performed with the sole objective
of providing wireless data and voice services. As such, the goal of the RF engineer who performed the
site survey was to build an RF environment that provides adequate data and voice coverage in the
required areas. Many times, however, location-based service requirements were not taken into account
at the onset of the project.
This can be commonly seen when access points are placed in a straight line down the hallway of a patient
floor, and no perimeter AP placement is implemented. When this approach is taken, the ability of the
MSE to create a highly accurate RF path loss profile is significantly reduced. As the distance from the
AP is increased, the level of accuracy increases significantly.
Take for example the traditional AP placement strategy shown in Figure 6. In this illustration, the access
points are placed down the hallway in a single axis, and the absence of a convex hull exists because
the lack of an established AP perimeter results.
1 PL
PL 2
LWAPP LWAPP LWAPP Single
PL PL3 Axis
1 2
PL
292829
Note how the RF path loss (PL) from an asset being tracked typically does not have a significantly
different signal level to determine location with a high level of accuracy. To provide more accuracy,
additional APs on different axes must be deployed, effectively creating an AP perimeter.
Healthcare organizations are deploying 802.11n access points within the patient rooms for performance
reasons. The hidden benefit to the added performance is the increased accuracy, as shown in Figure 7.
The diagram shows the beginning of establishing an AP perimeter, but falls sort of providing one for the
entire floor, as shown in Figure 7.
Figure 7 AP Perimeter
LWAPP
Multiple
1 PL Axis
PL 2
WAPP
LWAPP LWAPP LWAPP
PL
1 2
PL
Convex Hull/AP
LWAPP Perimeter
292830
LWAPP
APP LWAPP LWAPP LWAPP
292831
Optimized Convex
Hull/AP Perimeter
Note In many wireless illustrations, APs are arranged in straight columns and rows. In actuality, it may be
preferred to stagger the APs to some degree to achieve greater accuracy.
Depending on the channel selection, in some bands the increased AP density may result in co-channel
interference. This depends on the construction materials used. Wireless clients operating on the same
channel on adjacent floors may also cause co-channel interference. To reduce the likelihood of
interference on adjacent floors, it is recommended to stagger the APs in such a way as to not stack
access points, especially on the same channel. In Figure 9, note how the APs are not stacked between
floors. This approach is recommended if there is bleed through from the adjacent floors.
LWAPP
LWAPP
LWAPP
LWAPP
292832
LBS can be used not only to provide location and utilization information, but can also be used to provide
environmental measurements. JCAHO requires healthcare organizations to provide auditing of all
environments used to contain or store temperature-sensitive medications or specimens. As such, many
healthcare organizations have protocols in place that measure the temperature in various medical
refrigerators every hour.
This time-consuming task can be automated through the use of 802.11 RFID temperature tags. The
measurement data is collected on a configurable time frame and reported back to the MSE for later
reporting. Alternately, alerts can be generated if the measurement falls outside of a configured range.
Server and storage system faults or sometimes even failures have been directly tied to that of ambient
temperature. Enabling an MGN not only relies on the basic networking and IT aspects, but also extends
to all aspects of operation. Within the data center, for example, these same tags can be used for the
collection of historical temperature monitoring, again alerting proper personnel when a fault condition
is detected.
Time differential of arrival (TDOA)-compatible systems can add improved accuracy by measuring the
time it takes for a given RF signal sent from an 802.11 device or tag to be received by two or more sensor
stations. Vendors such as Aeroscout have TDOA solutions that require the placement of TDOA-based
sensors in addition to access points. TDOA information collected is sent to the Cisco Mobility
TDOA-compatible systems and can add improved accuracy by measuring the time it takes for a given
RF signal to be received by two or more sensor stations. Vendors such as Aeroscout have TDOA
solutions that require the placement of TDOA-based sensors in addition to access points. TDOA
information collected is sent to the Cisco MSE. The MSE uses the TDOA location algorithm developed
by Aeroscout to determine the location. This provides a constant metric that is not affected by changes
in the RF environment, which is the time of arrival of a packet. In low ceiling indoor environments,
however, the use of TDOA systems may be negatively affected by multipath interference. TDOA systems
provide high level accuracy in larger indoor environments such as warehousing, or outdoor environments
where multipath interference is low.
Depending on the desired accuracy levels required, RSSI, Exciter/chokepoints should be deployed in a
healthcare environment. These techniques can be mixed or matched to achieve the requirements set forth
by the healthcare organization. For detailed information about LBS, consult Cisco's Design Zone located
at the following URL: http://www.cisco.com/go/designzone
Security
WLANs share many of the security challenges that wired networks present. Both require user
authentication, authorization, auditing, and protection from threats such as viruses and other malicious
code. WLANs also present new challenges generally related to the nature of the technology used, which
is outside the enterprises control because it is in the air. In addition, wireless networks cannot be
confined within a physical facility; anyone within transmission range can listen in, masquerade as trusted
participants, extend the network, and disrupt operations.
Note Determined users or patients within a healthcare facility that may begin to use Wi-Fi devices for
establishing wireless 802.11 communications. This can effectively result in interference to the
802.11-based infrastructures. By providing reliable guest wireless services, the use of such devices may
be reduced.
Clinical Access
Clinical systems refer to systems that support clinical workflow and decision support, including
electronic health record (EHR) and computerized physician order entry (CPOE) systems. Often these
systems include laboratory and pharmacy systems as well as imaging applications.
These clinical systems often support 802.11 wireless standards as mobile workstation or computers on
wheels, sometimes referred to as CoWs or WoWs. These carts allow caregivers to access clinical systems
at the point of care. Healthcare professionals can have real-time access to various applications in a
clinical information system (CIS) while mobile or at a patient's bedside.
One of the principal RF-based aspects of CoWs is the inclusion of an external antenna that supports all
of the 802.11 bands that will be used. Figure 10 shows the Metro Flo 1760 mobile computing
workstation. Note the inclusion of an external and predominately located multi-band antenna. Mounting
the RF radiator externally can provide significant improvements in performance. For cases where the RF
environment changes drastically, as in the case of the automatic closure of fire doors for example, such
RF considerations can become a make-or-break decision.
Externally located
802.11b/g/a/n Antenna
227932
MSE
Wireless
V Management PC
Cisco Cisco 5500 Series (Browser Based)
SRE WLC Wireless LAN Cisco
Controller MGN 2.0 Prime NCS
Campus
Cisco
Catalyst 6500
Wireless Services
Module (WiSM/
WISM2)
V
Cisco ISR Wireless
V
LAN Controller Voice and QoS
Module (WLCM) Enabled L3 Access
V Switches
V
V
SSC
292833
The wireless architecture is composed of the following components:
Access points (AP)
Wireless LAN Controllers (WLC)
Wireless Control Systems (WCS)
Mobility Services Engine (MSE)
The following sections provide an overview of these relevant components.
Access Point
Wireless Access Point (WAP) is a device that allows wireless communication devices to connect to a
wireless network using Wi-Fi, Bluetooth, or related standards. The WAP usually connects to a wired
network, and can relay data between the wireless devices (such as computers or printers) and wired
devices on the network.
Within the Cisco MGN wireless architecture, there are two categories of APs: standalone and
lightweight or CAPWAP/LWAPP. This section briefly discusses the various models of AP products
available within each category, and contrasts features, functionality, and applications.
Note Access points in the new Control and Provisioning of Wireless Access Points (CAPWAP) standard that
is based on the Cisco proprietary LWAPP standard are referred to as wireless termination points (WTPs).
More information can be found about CAPWAP in RFC-5415 at the following URL:
http://www.ietf.org/rfc/rfc5415.txt
For further information on Cisco Access Points, see the following URL:
http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#~high-end
Termination of 802.11 traffic on a wired interface, except for the REAP and FlexConnect, which are
discussed later in this guide.
When the WLAN CAPWAP tunnel traffic reaches the WLC, it is mapped to the matching VLAN
interface configured on the WLC defined for the SSID. The wired interface ports on the 5508 WLC are
typically configured using an 802.1q trunk. This trunk then has a number of VLANs configured with
each one mapped to one or more SSIDs. To further enhance the availability, the gigabit ports also support
Link Aggregation using EtherChannel, eliminating a single uplink from becoming a single point of
failure. This high availability-based design can be taken a step further and configured using
multi-chassis EtherChannel, which means that ports can be aggregated across multiple switches to
eliminate the switch as a single point of failure.
By designing wireless networks for high availability at the onset, healthcare delivery organizations can
begin to use the IEC-80001-1-2010 standard. Cisco strongly encourages the IEC-80001-based risk
manager to work with Cisco and its partners to review network designs with the intended focus to
identify and mitigate potential areas of risk before the wireless network is deployed. Ideally, this should
involve the various medical device vendors in play along with the Cisco reseller and/or Cisco Advanced
Services.
Table 3 summarizes the various Cisco Unified Wireless WLCs and their features:
Design Considerations
Beginning in Release 5.2 of the WLC software, Control and Provisioning of Wireless Access Points
(CAPWAP) was introduced. This IETF standard is based on Cisco's proprietary Lightweight Access
Point Protocol (LWAPP) and is used to communicate between APs and the WLC. WLCs running
software prior to Release 5.2 use the LWAPP protocol for much of the same function. One of the
advantages of CAPWAP over LWAPP is the management traffic between the WLC (also known as access
controller) and the AP (also known as Wireless Termination Points or WTP) is encrypted. CAPWAP is
defined in RFC-5415 and can be found at the following URL: http://www.ietf.org/rfc/rfc5415.txt. It is
therefore recommended to ensure that all wireless deployments within healthcare environments use
version 5.2 or higher of firmware on the WLC to provide an additional layer of security for ePHI traffic.
CAPWAP provides for the configuration and management of WLAN(s), in addition to tunneling WLAN
client traffic to and from a centralized WLAN controller (WLC). Figure 12 shows a high-level diagram
of a basic centralized WLAN architecture, where lightweight APs connect to a WLC through the use of
a tunnel.
LWAPP
CA
PW
AP
LWAPP
CAPWAP
CAPWAP supported
in WLC 5.2 and higher
P
AP
LW
LWAPP
292834
Authentication
For the wireless network, user-based security is composed of authentication and encryption. Common
security mechanisms for WLAN that are considered medical grade are as follows:
Wi-Fi Protected Access (WPA PSK)Provided the PSK meets the NIST complex passphrase
recommendations and comprises a small number (<25) of devices to minimize the impact of a re-key
if the PSK becomes compromised
Wi-Fi Protected Access 2 (WPA 2 Enterprise)
Wireless networks that use Open Authentication, Wired Equivalent Privacy (WEP), or Ciscos WEP
Extension using CKIP are no longer considered medical grade because of their weak security.
Both WPA and WPA2 are defined by the Wi-Fi Alliance, which is the global Wi-Fi organization that
created the Wi-Fi brand. The Wi-Fi Alliance certifies inter-operability of IEEE 802.11 products and
promotes them as the global, wireless LAN standard across all market segments. The Wi-Fi Alliance has
instituted a test suite that defines how member products are tested to certify that they are interoperable
with other Wi-Fi Certified products.
The original 802.11 security mechanism, WEP, was a static encryption method used for securing
wireless networks. Although it applies some level of security, WEP is insufficient for securing all forms
of clinical communications. In short, WEP should not be used by any modern healthcare organization
because of the security risks that it creates. WPA is an 802.11i-based security solution from the Wi-Fi
Alliance that addresses the vulnerabilities of WEP. WPA uses Temporal Key Integrity Protocol (TKIP)
for encryption and dynamic encryption key generation by using either a pre-shared key, or
RADIUS/802.1x-based authentication. The mechanisms introduced into WPA were designed to address
the weakness of the WEP solution without requiring hardware upgrades. WPA2 is the next generation of
Wi-Fi security and is also based on the 802.11i standard. It is the approved Wi-Fi Alliance interoperable
implementation of the ratified IEEE 802.11i standard. WPA 2 offers two classes of certification:
enterprise and personal. Enterprise requires support for RADIUS/802.1x-based authentication, while
pre-shared key (personal) requires only a common key shared by the client and the AP. Although the new
Advanced Encryption Standard (AES) encryption mechanism introduced in WPA2 generally requires a
hardware upgrade from earlier versions of WLAN clients and APs, all Cisco CAPWAP and LWAPP APs
support WPA2.
The Cisco Wireless Security suite provides the user with the options to provide varying security
approaches based on the required or pre-existing authentication, privacy, and client infrastructure. The
Cisco Wireless Security Suite supports WPA and WPA2.
Integration with the Cisco Mobility Services Engine (MSE), which enables Cisco Context-Aware
Software for real-time location tracking and local services discovery, along with Cisco Adaptive
Wireless IPS (wIPS) Software for detection, containment, and location of security threats
Access
Portable
TelePresence
Ultrasound
Smart
Infusion
Pump
North Access 1 Distribution/Aggregation
NAM3
Clinical LWAPP
Workstation Stack Master
Network
Analysis Identity
Module Sevices
8o2.11n
Cisco AP Engine
South Access 1 Multi-Node Campus Core
7925G
Nx 10G
Nursing 10G
Point of Station
Sale G
10 Nx
Device 10
G
G
10
Nx
South Access 2 10
Nx
G
CT/MR 10G
CoW RFID
Tag IP
Medication
Administration Cart Patient
292835
Monitor
Most acute care environments require deployment of wireless networks on a large scale, and such
large-scale deployments must be managed centrally. In multiple WLC environments, the use of
Cisco Wireless Control System (WCS) is recommended along with Cisco Prime NCS.
The WLC is generally used in a CAPWAP, provided that the WLC is running version 5.2 or higher,
which is recommended. Association or authentication of wireless clients is done by the WLC.
Access points register themselves with a WLC and tunnel all the management and data packets to
the WLCs, which then switch the packets between wireless clients and the wired portion of the
network. All the configurations are done on the WLC. LAPs download the entire configuration from
WLCs and act as a wireless interface to the clients.
In the acute care setting, choices of WLC vary depending on overall building size, number of access
points and their location, and centralized management approach.
To facilitate the influx of BYOD devices, many healthcare organizations are deploying the Cisco
Identity Services Engine (ISE) to enable profiling of devices and streamlining the provisioning
process of these devices to authorized wired and wireless users.
Ambulatory Care
Portable
Ultrasound
Cisco Clinical
7925G Workstation
User PC with
Desktop UC
Client
To WAN Edge
at Main Campus
ISR with Integrated
Firewall, 802.11 AP
and WAE EHR
292847
Application
In larger ambulatory care facilities, an ISR G2 is generally used to provide WAN termination and VPN
backup services. The Wireless LAN Controller Module for the ISR G2 can be used to provide local WLC
functionality in the event that a centralized WLC strategy is not used. For smaller remote clinics, the use
of a centralized WLC hosted at the affiliated Healthcare Delivery Organization data center is a common
deployment strategy. As discussed previously, the LAPs by default tunnel all the traffic back to the
WLC, which in most cases is not an optimal design choice. Instead, local traffic can be locally switched
to the Ethernet port on the AP by enabling FlexConnect (called FlexConnect previous to release 7.2) on
the remote SSID/AP. This ensures that wireless traffic generated at the remote facility and destined for
a local server or printer, for example, does not traverse the WAN unnecessarily. All the advantages of a
centralized security policy along with CleanAir and intrusion services are still available. (See Figure 15.)
Note FlexConnect and FlexConnect require that the total round trip time (RTT) does not exceed 100 ms for
voice deployments and 300 ms for data-only deployments.
Cisco
Prime NCS
Local Resources
WCS
CAPWAP
WAN Control
Link
Si
Backend
Security Central Trunk or Practice
Controllers Centrally Access
Services Switched Management
Ports System
Medical Client Data
Office LWAPP LWAPP Locally
Building
Switched
Client Data
FlexConnect APs
292836
Internet User Wireless User
Rogue AP Detection
Electronic Protected Healthcare Information (ePHI) and other proprietary information traverse the
healthcare network. This information must be protected from being viewed by unauthorized individuals.
The simplest threat vendor for a hacker is a rogue access point or ad-hoc network. A rogue AP is any AP
that is not part of the enterprise infrastructure and therefore does not have the required security
mechanisms in place. Rogue APs may be intentionally introduced by a hacker plugging an AP into the
network infrastructure with no security, or security controlled by the hacker. This requires physical
access to the network infrastructure. Rogue APs or ad-hoc networks may also be unintentionally
introduced into the network when an employee plugs their own AP or enables an ad-hoc network with
the intention of sharing a wireless printer. This AP or ad-hoc network may be discovered and exploited
by a hacker, providing them with access to other protected resources.
The Cisco Unified Wireless Networking solution provides the means to locate and isolate rogue APs and
ad-hoc networks.
The first means of detection is observing/sniffing beacons and 802.11 probe responses. The system may
use the standard APs used to transport user traffic, or dedicated APs that transport no traffic but are
dedicated to scanning for rogue APs. Either model allows the capture of information on ad-hoc and rogue
clients. For more details on Air/RF detection, see the Wireless Security Design Guide at
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html.
The location feature of the WCS then uses the detected RF characteristics and known properties of the
managed RF network to provide a floor plan indicating the approximate location of a rogue AP. An
example of this is shown in Figure 16. The floor plan shows the location of all legitimate APs and
highlights the location of a rogue AP using the skull-and-crossbones icon, as shown in Figure 16.
For more information on the Cisco Unified Wireless Location features, refer to the following URL:
http://www.cisco.com/en/US/products/ps6386/index.html
In cases where the detection mechanism described above is not effective (such as in branch offices that
contain only a few APs or where accurate floor plan information is not available), the Cisco Unified
Wireless network provides several mechanisms for tracking/correlating the rogue device to the wired
network. When an unknown AP is detected, it must be determined whether the AP is a rogue or an AP
on an adjacent network. The first means of detecting this is by deploying rogue detector APs, which are
APs that have the transmit side of the radios turned off. These APs then listen to the wired network for
Address Resolution Protocol (ARP) packets that include the MAC address of the suspected rogue. When
the ARP is detected, it verifies that the suspected rogue is in fact connected to the wired network. To be
effective at capturing ARP information, the rogue AP detector should be connected to all available
broadcast domains using a Switched Port Analyzer (SPAN) port because this maximizes the likelihood
of detection.
If a rogue client resides behind a wireless router (a common home WLAN device), their ARP requests
are not seen on the wired network, so an alternative to the rogue detector AP method is needed.
Additionally, rogue detector APs may not be practical for some deployments because of the large number
of broadcast domains to be monitored (such as in the main campus network).
The Rogue Location Discovery Protocol (RLDP) option can aid in these situations. In this case, a
standard LAP, upon detecting a rogue AP, can attempt to associate with the rogue AP as a client and send
a test packet to the controller, which requires the AP to stop being an active AP and to go into client
mode. This action confirms that the rogue AP in question is actually on the network, and provides IP
address information that indicates its logical location in the network. Given the difficulties in
establishing the location data in branch offices and the likelihood of their being located in multi-tenant
buildings, rogue AP detector and RLDP are useful tools that augment location-based rogue AP detection.
Finally, a mechanism is provided to prevent clients from connecting to the rogue AP. Rogue
AP-connected clients, or rogue ad-hoc connected clients, may be contained by sending 802.11
deauthentication packets from local APs. This should be done only after steps have been taken to ensure
that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring WLAN.
To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC address
can be compared with MAC addresses collected by the AAA during 802.1X authentication. This allows
the identification of possible WLAN clients that may have been compromised or users that are not
following security policies.
Rogue AP detection, however, is not limited to that of a dedicated sensor-only rogue AP detector.
Instead, Cisco APs can channel scan during brief cycles to listen for rogue networks. During the time
when an AP is off channel scanning, associated wireless clients may transmit a frame to the AP that is
not received at that point in time. This situation is often misunderstood as resulting in a dropped frame.
In reality however, the PHY layer of the wireless NIC will retransmit the frame, ensuring that at the
upper protocol layers (IP, UDP, TCP, and so on) do not encounter a dropped packet. This is a key concept
to understand, especially when deploying certain classes of medical devices.
Note In the event that a medical device vendor requires that channel scanning be disabled, the healthcare
delivery organization must comply. To mitigate the security risk of rogue networks, the healthcare
delivery organization can mitigate that risk and remain compliant to the medical device vendor by
implementing sensor-only APs in those areas specified.
For more details on Rogue AP detection and isolation, see the Wireless Security Design Guide at
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html
Auto RF
Radio Resource Management (RRM), also known as Auto-RF, can adjust the channel (dynamic channel
assignment) and power (dynamic transmit power control) to maintain the RF coverage area. It adjusts
the power level of the AP to maintain a set baseline signal strength with neighboring APs. The default
signal strength depends on the software version, and this value is configurable. It adjusts the channel of
the AP when it notices nearby interference sources on the channel on which the AP is currently located.
It continues to optimize the RF coverage for the best reception and throughput for the wireless network.
RRM understands that the RF environment is not static. As different RF affecting variables change
(people in the room, amount of devices stored in the facility, leaves on trees for outside deployment,
interference from different RF sources, and so on), the RF coverage adjusts to these variables and
changes with them. Because these variables change continuously, monitoring for the RF coverage and
adjusting it periodically is necessary.
certain instances, also include various sources of electromagnetic interference (EMI) such as arc welders
or federal/military radar facilities. APs are constantly scanning all channels looking for major sources
of interference.
If the amount of 802.11 interference hits a predefined threshold, the WLC attempts to rearrange channel
assignments to optimize system performance in the presence of the interference. This might result in
adjacent APs being on the same channel, but logically this represents a better scenario than staying on a
channel that is otherwise totally unusable because of an interfering AP.
For example, the WLC can respond to a rogue AP on channel 11 by shifting nearby APs to channel 1 or
channel 6.
The WLC has a centralized view of client distribution across all APs. This can be used to influence where
new clients attach to the network if there are multiple good APs available. If configured, the WLC can
proactively use AP probe responses to guide clients to the most appropriate APs to improve WLAN
performance. This results in a smooth distribution of capacity across an entire wireless network. Keep
in mind that this load balancing is done at client association, not while a client is connected.
ClientLink
Although medical-grade wireless networks in healthcare have transitioned to 802.11n technology, many
networks will continue to support a mix of 802.11a/g and 802.11n wireless clients. Because these legacy
802.11a/g devices operate at lower data rates, the older clients can reduce the throughput capacity of the
entire wireless network because they are slow talkers. Cisco ClientLink technology solves this problem
by making sure that 802.11a/g clients operate at the best possible data rates, especially when they are
near cell boundaries.
Most 802.11n solutions offer improvements in the uplink communication from client to access point by
leveraging the reflected signals that bounce off of walls and other solid objects and combining them in
real time in an additive manner. Cisco ClientLink technology is unique in that it offers uplink
improvements as well as downlink communication from access point to client. By leveraging the beam
forming technology found in 802.11n MIMO APs, Cisco ClientLink is able to improve signal strength
in the downlink path (AP -> client) by taking advantage of these reflected signals. The result is an
improved downlink throughput of the legacy 802.11a/g clients, which improves the connectivity for not
only for the legacy clients, but also for all other clients on the network. The result is a more reliable
roaming experience and increased capacity of the network for all wireless clients.
Cisco has achieved this advancement by adding advanced signal processing into the Wi-Fi chipset.
Multiple transmit antennas are used to focus transmissions in the direction of the 802.11a/g client. The
result is an increase in the downlink (AP -> a/g client) signal-to-noise ratio and the data rate over range,
thereby reducing coverage holes and enhancing the overall system performance.
This technology essentially learns the optimum way to combine the signal received from a client, and
then uses that information to send packets in an optimum way back to the client. This technique is also
referred to as multiple-input multiple-output (MIMO) beamforming, transmit beamforming, or
cophasing, and it is the only enterprise-class solution on the market that does not require expensive
antenna arrays. Independent testing of Cisco ClientLink by Miercom labs has shown that the technology
increases throughput by up to 65 percent for existing 802.11a/g client devices connecting to a Cisco
802.11n network. The solution also increases the total available channel capacity by up to 27 percent
because of the resulting increase in throughput speed for 802.11a/g client devices.
The use of ClientLink therefore improves the overall availability and performance of the wireless
network. For converged medical IT-based wireless networks, ClientLink is a medical-grade tool that can
be used mitigate the risk associated with poor coverage areas, or areas temporarily affected by
interference. Healthcare organizations are encouraged to implement ClientLink whenever possible to
improve overall availability and reduce possible risk associated with poor coverage or oversubscribed
mixed environments.
Band Select
The Cisco best practice recommendation for clinical data is to migrate clinical users to the 5 GHz
spectrum. This recommendation is the same for all mission-critical services inclusive of voice. The
strategy for this recommendation is sound and centers around a number of considerations including the
lower noise levels encountered because of the lack of consumer-based devices within this space, the
large number of channels resulting in lower probability of co-channel interference, and so on.
With the advent of BYOD devices into the healthcare environment, the problem of dual-mode (2.4 and
5 GHz) devices prefer the 2.4 GHz space. Unless each device is manually configured to disable the 2.4
GHz radio, or the SSID is made available only on the 5 GHz band, chances are high that they will
associate to the 2.4 GHz space. This is because a dual-mode radio (2.4/5 GHz) sends two discovery
probes searching for wireless services being offered. An access point with Band Select disabled responds
with a probe response on both the 2.4 and 5 GHz band as soon as they are received. If the 2.4 GHz probe
request is sent out first by the wireless client, it is likely to receive a probe response from the 2.4 GHz
side of the AP first.
Band Select if enabled delays the 2.4 GHz response by a few milliseconds and allows the 5 GHz response
to be received by the wireless client first. This induced delay allows the wireless client to associate to
the 5 GHz side of the AP, reaping all the benefits of the 5 GHz spectrum with the network administrator
needing to manually configure each device.
It is recommended to enable Band Select to further enhance the wireless connectivity afforded in the 5
GHz band. Enabling the feature does not disable the 2.4 GHz probe responses, nor does it negatively
impact legacy 2.4 GHz only devices.
Healthcare Caveats
Although there are many benefits to Radio Resource Management (RRM), care should be taken when
deploying RRM in the healthcare environment. For example, the client-side support for Dynamic
Transmit Power Control (DTPC) requires a minimum of CCX 2.0 for the wireless client to effectively
participate in DTPC. Because most medical devices typically have a very long life cycles, they may have
limited wireless functionality in this area. If enabled, RRM may modify the characteristics of the
network and could result in the endpoint being able to receive but have insufficient power to
communicate with the access point. (See Figure 17.)
In all cases, the healthcare delivery organization is encouraged to identify the supported configuration
for wireless operation from the medical device vendor. By collecting this information during the
planning phases of a wireless network or wireless medical device deployment project, the healthcare
delivery origination can be assured that their wireless infrastructure will meet the requirements set forth
by the medical device vendor.
LWAPP
292837
100mW 5mW
RF Spectrum Management
In the healthcare environment, wireless interference may come from a range of unintentional sources,
from Bluetooth headsets to microwave ovens, wireless phone, wireless cameras, personal Wi-Fi devices,
or intentional interference from jammers. A few documented instances include 2.4 GHz wireless DECT
phones installed by nurses who did not like the wireless communications device the hospital provided,
medical devices using 802.11FH that needed code updates, and 2.4 GHz security cameras installed in a
hospital without notifying IT. Figure 18 shows examples of interference.
The snapshots shown in Figure 18 show examples of common RF-based interference. The
Cisco CleanAir and Spectrum Expert technologies intelligently identify the type of interference
(microwave oven, DECT phone, Bluetooth, and so on) and allow the network administrator to locate and
isolate the source of interference in the unlicensed 2.4-GHz and 5-GHz bands.
Cisco CleanAir technology is embedded in the Cisco 3500 and 3600 lightweight access points and
accessible from the WLC, Cisco Wireless Control System (WCS), and Cisco Prime NCS.
The Cisco Spectrum Expert Wi-Fi (see Figure 19) includes the following components:
Cisco Spectrum Expert Wi-Fi sensor
Cisco Spectrum Expert software
Cisco Spectrum Expert antenna
The Cisco Spectrum Expert Wi-Fi sensor is a sensor in CardBus card form factor for notebooks. It is
supported on Microsoft Windows-based laptops and delivers comprehensive spectrum intelligence. It is an
excellent tool when used in conjunction with Cisco CleanAir and allows the wireless network administrator
to further diagnose and locate illusive sources of interference. Using Spectrum Expert in conjunction with
Cisco CleanAir, the network administrators can streamline wireless network troubleshooting with better
visibility into the RF spectrum.
Figure 19 Cisco Spectrum Expert Wi-Fi Application and Cardbus Product (Laptop not included)
The Cisco Spectrum Expert provides a wide range of information on the RF Spectrum under analysis
including channel utilization, interference power, graphs of active devices, real time FFT, FFT duty
cycle, sweep spectrograms, and information on the interfering device. The Cisco Spectrum Expert
product may be used standalone or integrated with Cisco WCS in addition to Cisco CleanAir. (See
Figure 20). Information from multiple Cisco Spectrum Expert Sensors and CleanAir enabled APs may
be combined in this solution to provide a complete view of spectrum usage.
Note Cisco Spectrum Expert is typically used as a spot check utility and is extremely useful tool in the overall
troubleshooting phase. For complete RF spectrum management in a medical-grade wireless network, the
deployment of CleanAir-based access points that provide continuous monitoring and reporting of the
overall RF spectrum is strongly suggested.
Cisco Wireless
Control System
(WCS)
LAN/WAN Wireless/Wired
Network Network
Cisco
Access Points Cisco Spectrum
with CleanAir Expert Sensors
292838
Cisco Detected Incompatible, Interfering or Rogue Devices
In autonomous mode, each access point contains an operating system (IOS) that allows the access point
to execute the configuration stored within the access point. This configuration contains the security
mechanism for each of the WLANs (or SSIDs) configured along with power, channel, and other
operating parameters and configured.
For those clinics and physician's offices that do not have connectivity back to its parent and supporting
healthcare system, autonomous mode makes sense for deployments that contain less than five access
points. In this case, the wireless configuration must be manually managed and may occasionally require
onsite visits from the supporting staff to upgrade the IOS or implement configuration changes.
A better approach over that of autonomous mode is the OfficeExtend Access Point architecture (see
Figure 21). In this approach, the APs create an encrypted DLTS VPN tunnel between the access point
and a centralized WLC using the Internet to provide connectivity. The benefits of this approach is that it
provides centralized management without requiring each remote office to install and maintain a WLC.
DTLS VPN
Hospital Hospital
WLAN Network
LWAPP
Locally Internet
Defined Broadband
WLAN OfficeExtend Modem Wirelless LAN
Router
AP Controller
e.g. Linksys
227877
Practive Management
System, EMR, local resources
For sites that have connectivity to the supporting healthcare system either through a WAN or VPN
connection, the centralized CAPWAP or LWAPP architecture is preferred. This strategy is inclusive of
not only clinics and private practices, but may also extend into the physicians home provided that VPN
access is also managed to the healthcare system.
Security
Security is a primary concern when it comes to providing remote wireless solutions. Wireless security
should not only refer to authentication and encryption, but should also include controlling management
access to the wireless and securing the wireless client.
Because all physician practices typically involve the transmission of private patient information, the
approach to security must be taken as a serious consideration for all such deployments. In the United
States, HIPAA requires that best practices be used by all Covered Entities (CE) to safeguard what is
commonly referred to as protected health information (PHI). In other countries, various regulatory
bodies mandate similar safeguards be in place for the protection of private healthcare information.
With the U.S. Senate approval of the American Recovery and Reinvestment Act of 2009, it is widely
anticipated that the adoption of electronic health record (EHR) systems will increase dramatically. With
each of these systems deployed within private practices and clinics, the need to extend enterprise-class
security services for both wired and wireless is necessary.
To ensure that ePHI is not exposed, the use of WPA2 Enterprise should be implemented on all clinical
networks. The use of WPA-TKIP may provide adequate protection today, but it is expected to be
outdated in the near future. The use of WPA Personal or WPA2 PSK may be used provided that each
PSK is used in 25 or less devices and the passphrase used conforms to the NIST recommendations for
strong password management. The problem that many healthcare organizations have encountered with
the use of WPA/WPA2 PSK is when a PSK is compromised, either through the theft of a device or
through the loss of an employee. When this occurs in environments with a large number of medical
devices deployed, a compromise requires that each device be manually re-keyed. This process is both
extremely time consuming and may be disruptive to the set of devices using the compromised PSK.
Again, to reduce the risk it is recommended that PSK not be used on an critical deployments or in
deployments where the number of devices and/or users is < 25. WPA2 Enterprise offers a much better
solution that scales well and eliminates the need to rekey each device because each device/user has a
unique userid and password.
In addition, and generally a good practice, all web-based EHR systems should employ the use of SSL to
protect the data that traverses the wired network. Although not absolutely necessary, it does provide
another level of encryption and improves the overall security posture of the network.
Note Computer scientists in Japan have developed a mechanism in which it is claimed that WPA-TKIP can be
compromised in a few minutes. Given this possible venerability, it is recommended that all wireless
access to clinical systems employ the use of WPA2 Enterprise, which uses the AES cryptographic
algorithm and is considered highly secure. For more information, refer to the following URLs:
http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html
http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%
20on%20WPA.pdf
FlexConnect
FlexConnect, formerly Hybrid Remote Edge Access Point (FlexConnect), provides local wireless access
to network resources within a remote office such as a physician practice or clinic (see Figure 22). At the
same time, continuous remote management, configuration, and monitoring of the wireless infrastructure
is provided to a central location, providing real-time administration services.
The FlexConnect local-switching architecture provides healthcare systems that provide managed
wireless services to remote clinics and offices the ability to extend the organizations approved security
model for wireless connectivity directly to the remote location through the use of a private WAN or
VPN-based technology. In doing so, wireless users within the remote office are provided with secure
wireless access to resources that are local within the office without the need to traverse the WAN or VPN.
Examples include EHR or practice management systems operated by the practice, wireless voice
services, guest wireless, file storage, and printer resources.
Note Starting in Release 7.2 of the Wireless LAN Controller software, FlexConnect has been renamed to
FlexConnect.
Private
WAN Si
Backend
Security Central Practice
Centrally Trunk or EHR
Services Controllers Management
Switched Access
Remote Client Data Port System
Practice/
Clinic LWAPP LWAPP Locally
Switched
Client Data
FlexConnect APs
292839
Internet User Wireless User
Wireless user authentication with FlexConnect deployments operate in one of the two switching modes
and three authentication modes.
Switching Modes
The following are the switching modes:
Local switchedLocal-switched WLANs map wireless user traffic to discrete VLANs via 802.1Q
trunking, either to a router or switch. One or more WLANs can be mapped to the same local 802.1Q
VLAN. All wireless control traffic is tunneled back to the centralized controller separately via a
CAPWAP tunnel.
Central switchedCentral switched WLANs tunnel both the wireless user traffic and all control
traffic to the centralized controller where the user traffic is mapped to an interface or VLAN on the
controller.
Authentication Modes
The following are per-WLAN authentication modes:
Authentication centralThese are WLANs that require 802.1x, VPN, or web-based authentication
services. All authentication requests are sent across the CAPWAP tunnel to the central WLAN
controller and to the supporting RADIUS server for authentication services.
Authentication localIncludes WLANs that use open, static, WEP, or WPA PSK methods for
authentication. FlexConnect handles these locally, if the WAN link is down; otherwise, these are
handled by the WLC in conjunction with the RADIUS server.
Authentication down802.1x, VPN, or web authentication is unreachable because of the
FlexConnect-based AP is operating in standalone mode.
To provide access to the local resources located at the clinic or physician practices, it is recommended
that local switching mode is used on the WLAN/SSID used by authorized office staff. In this mode, all
traffic generated by the local office staff is sent to the local LAN without the need to traverse the tunnel
to the central WLAN controller. See Figure 23.
FlexConnect
Standalone 802.1x
Mode
User Data LWAPP
dot1q
VPN/Private
Local Switched User Data
Centralized
Existing CAPWAP Control
292840
WLAN Controller
User
Local Auth
Local Switched Data
CAPWAP Control
For guest users, however, it may be desirable to configure the guest services WLAN/SSID to traverse
the WLAN and use many of the guest-based authentication services. The wireless guest is often
presented with a set of acceptable use policies (AUP) that must be agreed to before permitting access to
the Internet. By using the AUP-based authentication service available on the WLC and other such
services including rate limiting, wireless guests have the same experience within the clinic as they do
within the hospital. (See Figure 24.)
Internet
Office
H-REAP
Staff dot1q
LWAPP Guest WLAN
Anchor Controller
VPN/Private
227824
Guest CAPWAP or LWAPP Tunnel
Note For data-only based FlexConnect deployments, total RTT cannot exceed 300 ms.
Voice
FlexConnect deployments are able to support Voice-over-Wireless LAN (VoWLAN) services. In many
remote offices, either a Cisco Unified Communication Manager Express (Unified CME) or Unified
Communications 500 series (UC-500) are typically deployed where up to 240 or 50 phones respectively
are required. Total RTT between the centralized WLC and the FlexConnect APs cannot exceed 100 ms
for deployments requiring voice services.
Standard RF considerations for voice must be followed, and are documented in the Cisco Unified
CallManager Express Solution Reference Network Design Guide available on at the following address:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/cmesrnd.html
Note Both the UC-500 and an ISR used for CME have the capabilities for integrated 802.11 wireless,
FlexConnect is not supported on these hardware platforms. The only supported wireless architecture
supported on these platforms is IOS autonomous mode.
Rogue access point detection is disabled when an FlexConnect access point enters standby mode. A
standby mode is when connectivity between the access point and the WLC is disrupted. Furthermore, in
standby mode, neighbor discovery, interference, channel load, path loss and coverage measurements,
rogue containment, and intrusion detection are disabled. These features are disabled because the access
point is no longer able to send these metrics to the WLC. Additional information can be found in the
Mobility Services Engine - Context Aware Mobility Solution Deployment Guide found at the following
URL: http://www.cisco.com/application/pdf/paws/107571/mse-cams-guide.pdf
Outdoor Wireless
Wireless is pervasive in our society today. Within healthcare, in-building wireless services are
commonplace to allow healthcare workers to improve their efficiency and collaboration. What is not
often considered is extending the 802.11-based wireless infrastructure to the outdoor environment.
A number of use cases can support the deployment of outdoor wireless, and healthcare delivery
organizations can adopt a phased approach in their deployment plans. One of the first steps in support
of outdoor wireless is within the campus environment. There are often a number of buildings within a
few city blocks that support the healthcare system. Physicians who are on-call or simply performing
rounds each morning often walk between various buildings and parking garages. Providing secure and
reliable 802.11-based services within this outdoor space improves their access to clinical systems as well
as the overall care team involved with their patient within their care.
Common spaces and garages are an excellent starting point to support voice and virtualized desktop
services. Expanding this coverage to more public areas such as streets that connect the buildings would
be a second logical step in providing pervasive coverage. The final step is in providing coverage within
a few miles of the healthcare system along major roads that are used by first responders and EMS care
teams. By providing coverage in these areas, care teams can improve their collaboration capabilities
raising the situational awareness of the receiving Trauma and Emergency departments.
Mesh Architecture
Physical network connectivity is often the first hurdle in providing coverage to large remote areas. Many
garage and courtyards were not designed with the intention of extending IT and/or biomedical services.
By employing outdoor mesh access points, healthcare delivery organizations can extend coverage using
wireless RF as the back haul. The Cisco outdoor wireless mesh solutions offer the following main
features:
Award-winning 802.11n technology with integrated RF intelligence for optimized performance and
RF mitigation
Exceptional levels of enterprise security with an intrusion prevention system and Cisco CleanAir
Technology
Centralized management for easy maintenance and configuration
Optimization for support of high-bandwidth applications such as voice and video
The Cisco Aironet 1550 Series Outdoor Access Point with Cisco CleanAir technology is the industry's
first enterprise and carrier-grade 802.11n access point to create a self-healing and self-optimizing
wireless network that mitigates the impact of wireless interference. It offers a flexible, secure, and
scalable mesh network for high-performance mobility across large metropolitan-sized areas, enterprise
campuses, manufacturing yards, and mining pits. The Cisco Aironet 1550 Series supports
multiple-device and multiple-network application delivery such as real-time seamless mobility, video
surveillance, 3rd Generation (3G) and 4G data offload, and public and private Wi-Fi access. Designed
to meet customer needs in a broad range of industries, the Cisco Aironet 1550 Series offers the following
benefits:
Flexible deployment optionsAccess or mesh network, extension of an Ethernet network, and
Ethernet, fiber, wireless, or cable backhaul.
Service provider supportWi-Fi for next-generation mobile data offload and personalized mobile
services.
Cisco CleanAir technologyIntegrated spectrum intelligence to detect, classify, and mitigate RF
interference from unauthorized wireless bridges or malicious devices.
High-bandwidth video surveillance over Wi-Fi without the high cost of installing cables over long
distances.
High-performance, multipurpose network with low CapEx and OpEx.
Integrated wired and wirelessThe Cisco Borderless Network Architecture provides cost savings
with end-to-end network access solutions that include wireless, switching, routing, and security.
The mesh architecture allows for easier deployments that do not require that each access point have
hard-wired connectivity to the hospital systems network. Instead, the mesh protocols used determine the
best neighbor AP to use to create a completely converged outdoor wireless environment, as shown in
Figure 25.
MAP MAP
LAN
MAP MAP
Building 1
148446
Each Root AP as noted by a RAP provides physical connectivity to the network. Root APs can be
connected to the network using Gigabit Ethernet over copper or fiber. Mesh access points (MAPs) form
their connectivity to their parent using 802.11-based RF. Both RAPs and MAPs provide wireless client
access all from the same centrally managed WLC already in use within the healthcare system. The same
tools for configuration (WCS and Cisco Prime NCS) are used in the support and operation of the mesh
and non-mesh wireless environment. This reduces the expense of deploying because the network
administrator can leverage the same tools in the design, rollout and operation of the mesh wireless
network.
Cisco Aironet 1552E Cisco Aironet 1552H Cisco Aironet 1552C Cisco Aironet 1552I
Product Image
Cisco outdoor mesh reference material and design guides can be found at the following URLs:
http://www.cisco.com/en/US/products/ps8368/index.html
http://www.cisco.com/en/US/products/ps6366/products_white_paper09186a0080b34501.shtml
Wireless Endpoints
RF Design Considerations
As stated earlier, a smart infusion pump does not stop working when it loses connectivity to the wireless
network. Having said this, the objective of all wireless networks is to maintain connectivity throughout
the environment in which the wireless client operates.
From an RF design perspective, smart infusion pumps are relatively non-demanding devices. Their
ability to tolerate slow roams, IP address changes, and off-channel scanning usually helps ensure proper
operation.
With regard to roaming, the decision to roam to a better access point is always the responsibility of
the 802.11 wireless clients. This has led to various roaming algorithms, yielding wildly different results
when compared to other wireless devices. The term stickiness refers to the tendency of a wireless client
to cling to and remain associated to an access point beyond a point that other wireless clients would
have implemented a roam.
When a wireless client clings to an access point longer than it should, data rates are automatically
decreased to maintain connectivity. During this time, if the wireless client has a significant amount of
data to send or receive, performance of the service area or cell is decreased for all wireless clients within
the cell sharing the same 802.11 band. This is because of longer transmission times at the lower data
rates, resulting in blocking the ability of other wireless clients from accessing the channel.
As a general rule of thumb, the objective should be to provide 25 dbm of SNR in all areas that an infusion
pump operates or is stored. One caveat is that many times the site survey is performed using a laptop
with internal or external wireless cards. The RF characteristics of newer laptops with 802.11n or external
wireless cards may be significantly different than that of legacy wireless clients and often biomedical
devices. In the case of 802.11n, beamforming and other techniques may show a higher signal level then
would be expected from a legacy b/g/a device. Another consideration is due in part to the physical design
characteristics affecting the RF aspects of the device. Because of poor antenna placement or lower
receiver sensitivity, an area surveyed and considered within the norms of standard best practices may for
certain devices not meet the requirements set forth by the vendor.
One recommendation is that after the sight survey is completed using standard best practices and RF
survey techniques, each biomedical device that is slated to be used in the area be introduced and tested
in the environment where it will be used. This includes not only the patient room (shown in yellow in
Figure 26) but also within the bathroom (shown in blue in Figure 26) with all doors closed to create a
worse case test. Note that the bathroom shown on the right in Figure 26 would typically have reduced
signal strength because of the additional distance from the hallway than that of the left patient room.
Again, the goal is to striving for 25dbm of SNR in all areas where a device would be used.
227825
Ciscos Radio Resource Management feature adds additional RF intelligence into the wireless network
by allowing the access point to periodically sample other channels, look for rogue APs, and to take RF
path loss measurements of adjacent access points. This information is compiled and passed to the
wireless controller, which recommends and implements certain dynamic changes to the wireless
network. During the sampling of other channels (typically 50 ms per channel with 10 ms for channel
change), the access point is effectively off the air and no longer communicates to the wireless clients
which it serves. This results in an performance reduction of approximately 1.5 percent.
Note A commonly misunderstood aspect of channel scanning is that traffic is lost if the AP is off channel when
a wireless client attempts to transmit a frame. The PHY layer firmware automatically retransmits the
frame when it does not receive an acknowledgement from the AP. Because this is at the PHY layer, the
upper layer protocols (IP, UDP, TCP, and so on) are not aware of this physical layer retransmission.
Therefore, from the perspective of the application running on the wireless client, little or no impact is
presented to the wireless client.
For infusion pumps, the channel scanning interval is not of sufficient duration to cause any connectivity
or throughput issues. In areas where Ciscos wireless phones such as the 7921G, 7925G, or 7926G are
in use (during active voice calls), the associated AP does not channel scan. If you suspect that RRM
channel scanning is impacting the performance of your smart pump, it is recommended to either disable
RRM; or use a Cisco 7921G, 7925G, or 7926G phone that is in an active call as a troubleshooting step.
It is also recommended to confirm with the medical device vendor the supported configuration of the
wireless infrastructure.
Security
The security model for most biomedical devices varies widely as a majority of device vendors focus their
engineering efforts upon the clinical and biomedical capabilities of their devices. These clinical
capabilities are typically those that are the main factors in the purchasing decision; and rightfully so.
Because of this fact, the wireless and security characteristics of the devices often lag behind the industry
best practices. Many times, the biomedical or IT staff responsible for the wireless network are not
included in the purchasing decision because it is often made based solely by the clinical team.
This approach often results in the wireless engineering team responding after the fact and implementing
the best security mechanisms available by the vendor. The optimal approach often does not meet the
healthcare systems security mandates on wireless security.
Note This trend is beginning to change as the convergence of medical devices is well underway. Network
connectivity and the security around such is beginning to be a differentiator among medical device
vendors. The only problem is that the life cycle of various devices is typically in excess of 10 years.
At the present time, the golden standard for wireless security is one based on an Extensible
Authentication Protocol (EAP) based on the 802.1x framework. This approach provides the healthcare
system with an authentication model typically employing one of the following EAP types.
EAP-TTLS (Tunneled Transport Layer Security)
EAP-TLS (Transport Layer Security)
EAP-FAST (Flexible Authentication via Secure Tunnel)
EAP-PEAP (Protected EAP)
EAP-MSCHAPv2 (Microsoft Challenge Handshake Protocol)
Some smart pump vendors offer a wide array of EAP types that can be implemented. However, in most
deployments, the userid/password credential (EAP-PEAP, EAP-FAST, EAP-MSCHAPv2) is unique
only down to the implementation of the infusion pump, meaning that one common userid/password is
used across all infusion pumps.
Although both security best practices, and some would argue even HIPAA, dictate that a unique
userid/password should be used on each infusion pump, the following should be considered before
implementing this approach:
For centralized deployments where RADIUS authentication servers are hosted only within the healthcare
systems centralized data center, WAN failures of hosts joining the network would not be able to
successfully authenticate. In such deployments, authentication of new users would depend on the static
definition of the userid/password on the controller at each location. Ciscos wireless controllers are
limited in the following two ways:
There is a finite number of user accounts that can be defined locally on the WLC.
Additional RADIUS attributes such as VLANID and others (QoS) are not returned to the
access-point during authentication request as only the basic set of RADIUS attributes are
supported. This prevents any VLAN steering when using an identity-based networking
approach for biomedical devices in a centralized architecture.
In the event that the credentials are compromised, each infusion pump needs to be reconfigured
(either manually or remotely if supported by the vendor) with a new userid/password. Before
jumping to the conclusion that this is the same approach as WPA-PSK, consider the following when
using WPA-PSK or WPA2-PSK:
All pumps need to be manually updated at one point in time if a new SSID is not created. This
is because each WPA-PSK/WPA2-PSK is unique to the SSID; therefore, once compromised, all
APs via the WLC need to be updated with a new PSK.
WPA-PSKs require significant manual configuration and change management coordination
across multiple WLC and Smart Pumps.
If smart pumps are going to be shared across hospitals within the healthcare system, in cases of
Level 1 trauma centers in overflow situations that may require to transport both patient and
biomedical devices to other facilities; the use of a common userid/password combination might be
advantageous. With shared devices between non-affiliated facilities, the added overhead of
providing each facility with the unique logon credential may be problematic.
If unique credentials are to be used on devices that may be shared between facilities, using
Ciscos Access Control Server (ACS) and implementing RADIUS replication for a given
domain would be one automated approach to provide a high level of security and at the same
time automated RADIUS authentication using replicated databases.
For deployments where the RADIUS servers are located within each hospital and not centrally located,
a unique userid/password should be implemented. In this approach, each serial number and model of
smart pump would be entered into the RADIUS user authentication database. Using Ciscos ACS, a
group for each model of smart pump should be created. Within this group, an SSID/VLAN mapping can
be specified for each userid/password combination which each map to a unique infusion pump.
Encryption for all biomedical or clinical devices should use WPA2 Enterprise, which uses the AES
cypher for optimum encryption. Because WPA2 Enterprise is a relative newcomer into the market as
compared to legacy biomedical devices, firmware upgrades on such wireless devices are not likely to
support WPA2/AES. This is because of the higher computational hardware requirements to support the
AES cypher and the underlying key management mechanisms. Therefore, unless it is a relatively new
biomedical device manufactured after 2004, it is not likely to support WPA2. (See Figure 27.)
WPA2-AES
WPA-TKIP
Relative Privacy
WPA-PSK
WEP 128
+TKIP
WEP 40 +
TKIP
WEP 128
227826
WEP 40
The problem with using lower complexity-based cryptographic technology with wireless is that it is
impossible to determine whether data is in fact being secretly captured in encrypted form. The captured
data may not be able to be decrypted today using technologies readily available, but the future may not
protect such confidentiality as higher computational capabilities as found in video-based GPUs and other
advanced mathematical techniques evolve.
For highly secure wireless transmissions,WPA2 using AES is recommended for all medical-grade
networks. Given the current computational capabilities available to the general public, the National
Institute of Standards and Technology (NIST) recommends using key lengths as follows:
NIST recommendations for key management can be found in the NIST Special Publication 800-57
revision 3 (July 2012) and located at the following URL:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
In the event that the data is to remain secured past that of the useful life of the recommended key, NIST
recommends that the next higher key length be used. It is recommended that AES-128 be used to provide
a level encryption to protect PHI data up to 2031. After such time, implementing AES-192 or AES-256
would be indicated and hopefully supported by the industry.
A healthcare system often has a wireless network deployed with CoWs or Workstations on Wheels
(WoW) supporting CPoE or a medication administration system. Over time, the next large-scale rollout
may have been a voice deployment using any number of VoIP wireless handset vendors. The next
challenge is typically either a large number of 802.11-based wireless infusion pumps and/or high acuity
patient monitoring.
The challenge facing many IT directors and their staff is, what will break when 500 or 1000 infusion
pumps are rolled out over the course of a few months? Will the sheer number of problems, authentication
requests, and data traffic negatively impact the existing wireless devices?
In the reverse direction, there is often concern as to whether or not the existing devices, perhaps
generating large amounts of multicast or broadcast traffic, will impact the infusion pumps. In most if not
all cases, the deployment of a large number of smart pumps do not negatively impact the wireless
network or other wireless devices already on the network.
Most implementations of smart pumps create a unique WLAN/SSID to isolate the pumps from the other
wireless devices. Although doing so may shield the smart pump from L2 broadcasts, it would not
eliminate a performance impact because the channel itself is a shared resource.
A new trend is emerging where biomedical devices are grouped by SSID based on their security model.
Devices that can use more advanced methods of authentication and encryption are placed on one SSID
with other similarly capable devices.
Medical devices that cannot use such advanced methods of authentication and encryption are similarly
grouped onto another common SSID for such devices. These devices are often safeguarded from
accessing the wider network through the use of firewalls and access control lists (ACLs).
Older devices that are not capable of dynamically adjusting their power output may generate co-channel
interference, especially in the 2.4 GHz band. However, note that smart pumps do not generate large
amounts of data during their use. Only during formulary and firmware updates does their data usage
typically spike. These spikes can last a few minutes at most in a typical environment.
During this time, however, if a wireless network was designed with cells of varying sizes, a smart pump
that is not capable of matching the APs transmit power levels would remain at a constant transmit power
level. In the smaller pico cells, the condition might arise where the pumps signal reaches a cell one hop
removed that shares the same channel, generating co-channel interference.
Because many biomedical devices cannot adjust their power as directed by the AP, it is recommended
that the use of pico cells on patient floors be avoided to reduce the likelihood of co-channel interference.
Traffic Patterns
Highlighted earlier in this section were the typical end systems with which smart pumps need to
communicate. From a data throughput standpoint, both formulary and firmware updates are at the top of
the list. In one observed formulary update, data transmissions bursted to about 40 kbps for a duration of
approximately two minutes. (See Figure 28.)
Figure 28 Traffic Typically Generated When a Clinician Initiates the Delivery of Medication
The smart pump communicates the delivery of new medication, dose rates, and alarm events to the EHR
through their information center application. During this time, the data sent is a relatively small amount
of data, as shown in Figure 29.
In the event that connectivity between the smart pump and the vendors information center application
is disrupted, the pump locally alarms for events requiring immediate attention, and locally caches the
other events until connectivity is restored.
With regard to patient privacy, some vendors smart pumps contain information that would be classified
as PHI and as such, all data transmissions between these smart pumps and the specific vendors
information center application should be encrypted as directed above.
Because there are so many vendors and models of smart pumps available on the market, it is difficult to
provide guidance that is 100 percent accurate for all devices. Some of the areas of investigation should
be as follows:
Remote management of the device for firmware updates
Remote management of the device for drug/formulary library updates
Remote management of the device that could affect patient treatment (dose change, stop/start, and
so on)
Patient Monitors
A patient monitoring system provides real-time monitoring of physiological vital signs data from
patients. Typical types of physiological data are the following:
Blood pressure
Pulse oximetry
Respiration rates
ECG
Cardiac output
These systems provide mission-critical real-time data and must operate continuously without
interruption. Residing on the wired medical IT network are patient bedside devices and central stations,
which are used by the care team to monitor patients. On the wireless side, there may be bedside devices
that are in transition while the patient is being moved along with patient-worn telemetry devices.
In most cases, the bedside devices have sufficient computational capabilities to run in an offline mode,
alerting staff with an audible alarm when a specific subset of conditions are detected. When these devices
re-join the network, data displayed during the offline period is typically not uploaded for historical
purposes, but this capability varies between vendors.
Patient-worn telemetry monitors, with the exception of two products currently on the market, do not
typically have the computational capabilities to analyze the waveforms that indicate threatening
physiological conditions. All analysis of the waveforms are performed by a central station, which means
that the criticality of this subset of patient-worn devices is extremely high. Any network outage or
impairment prevents the central station from accurately monitoring the patient condition. With a few
exceptions, healthcare facilities within the United States use the licensed Wireless Medical Telemetry
Service (WMTS) band, which operates in the 608614, 13951400, and 14271432 MHz range.
In summary, patient monitors require continuous connectivity to the network, unlike infusion pumps,
because the data is considered mission-critical. (See Figure 30.)
Many medical devices are considered embedded systems and are tightly controlled by the device
manufacturer. A key design principle for medical devices is to keep them as reliable as possible by
reducing the number of unnecessary variables. By implementing only those features that are required by
the product, a higher degree of product stability can be achieved. Because of this philosophy, some
medical device vendors require network segmentation for their products to function within their
guidelines on a converged campus medical IT network. This often results in special requirements where
a particular device platform may require Layer 2 adjacencies to all of their devices on the network to
function properly.
Note Always consult the medical device manufacturer regarding their guidelines for approved operation in a
converged medical IT-based deployment.
If the healthcare delivery organization is adopting the IEC-80001 standard for risk management, this
ongoing validation would be within the scope of responsibility of the risk manager.
Generally, device life cycles are long (710 years), and some networked medical device systems include
software that was designed to operate on these L2 private networks. However, some patient monitor
vendors today support L3 routing and advanced multicast features that make it possible for devices to
co-exist on a converged IP network.
Some of the main vendors and products in the patient monitoring space include Philips Intellivue, GE
Dash, Draeger Infinity, Spacelabs, and Welch Allyn Propaq. These vendors support both wireless and
wired deployments as part of their overall architecture.
A typical patient monitor system consists of the following components:
Bedside monitors
Patient monitor central station
Database server
Patient/Bedside Monitors
Family of devices that enable review of vital patient data and clinical decision support. Most vendors in
this space support wired Ethernet, wireless 802.11, and WMTS connections.
Central monitoring stations provide multi-patient waveform and parameter displays, alarm
announcements, and analysis from the patient monitors connected to it.
Database Server
The database server provides short-term data storage for patient monitors. Data for monitored or
telemetered patients can be stored, managed, and transferred via database servers.
As mentioned previously, the standard implementation of patient monitor systems differs greatly
depending on the particular vendor implementation. Vendors tend to fall into 3 basic types of
implementation.
Layer 2 isolated networkBroadcast
Patient monitors and centralized stations reside on their own Layer 2 subnet. Patient monitors
associate to a central station using broadcast methods and do not allow routing between subnets. In
some cases, the vendor also requires that the network be completely dedicated for the patient
monitoring application. This reduces the risk of system performance interruptions caused by other
devices residing outside the subnet.
Layer 3 networkMulticast
Patient monitors and centralized stations operate over a Layer 3 routed network. Patient monitors
associate to a central station using multicast methods which allows for allow routing between
subnets.
Multicast is used for Internet Group Management Protocol (IGMP) joins and Layer 3 waveform
distribution and general topology, and care group association used for overview functions. The
overview session is a window displayed at the bedside that shows the real-time waves,
measurements, alerts, and so on, for another patient. A user can request an overview session or can
permanently configure an overview session.
Unicast traffic can also be used for connection messages for device type, serial numbers, and
equipment labeling.
Multicast for IGMP joins and Layer 3 waveform distribution and general topology, and care group
association used for overview session:
Hybrid Layer 2 and Layer 3Limited form of multicast combined with unicast
Devices may operate within a simple routed environment but may have limited multicast
functionality or have central stations or database servers that may not be routable. Also, the devices
may use a combination of multicast and unicast to operate properly on the network. For example,
multicast may be used by the patient monitor to discover the central server, and use unicast to send
the wave data to the central station.
Traffic Patterns
Discussed earlier in this section were the typical end systems with which patient monitors need to
communicate. As noted, patient monitors typically communicate to the centralized information
centers/servers and/or multicast out to other patient monitors. It is important to understand the basic
functionality of patient monitors traffic patterns and initialization sequences and to understand this
impact on wireless connectivity.
IP Addresses
Patient monitor devices use either DHCP, BOOTP, or static address as methods to IP address assignment.
Multicast is typically used to distribute this data. Each patient is assigned a multicast address and
the vital signs are multicast over that address. Devices that want to view that patient monitors
information issue an IGMP join to that address.
Peer-to-peer
Individual patient monitors act as both multicast receivers and senders to view data of other patient
monitors.
Figure 31 shows a sample exchange for a centralized server vendor implementation, including the flow
exchange between a bedside patient monitor endpoint and the central station over a router.
Patient
Monitors Central Station
LWAPP
DHCP Response
292848
RF Design Considerations
As described previously, roaming is always the responsibility of the 802.11 wireless client device and is
driven by the radio firmware. If the 802.11-based patient monitor is sticky and clings to an access
point, data rates are typically decreased dynamically to maintain connectivity. During this time, if the
wireless client has a significant amount of data to send or receive, performance of the service area is
decreased for all wireless clients within the cell sharing the same 802.11 band. This is because of longer
transmission times at the lower data rates resulting in blocking the ability of other wireless clients to
access the channel. It is recommended to investigate the use of the Cisco ClientLink capabilities to
improve data rates across all wireless devices.
Patient monitor power level and SNR recommendations vary from vendor to vendor. Generally speaking,
vendor recommendations match the requirements shown in Table 5.
As previously discussed, consider the characteristics on newer laptops when performing site surveys.
The RF characteristics of newer laptops or external wireless cards may be significantly different than
that of some biomedical devices. Using a laptop with 802.11n to perform the site survey may yield
different results for legacy 802.11b/g/a devices.
Additional RF considerations regarding shared spectrum should be noted. Some vendors allow the use
of 802.11a VoIP devices to coexist in the 802.11a patient monitor devices. A particular vendor may only
allow the 802.11a (5 GHz spectrum), which aligns to Ciscos recommendation to move critical services
to the 5 GHz band. Because the allocation of RF channels is controlled by country-specific regulations,
the 5 GHz spectrum is defined as all the channels available to 802.11a devices for the WLAN
infrastructures given location.
Deployment entails operating in the unlicensed spectrum with other wireless devices in a
non-deterministic contention environment. Careful deployment of 802.11 client devices within the RF
space and proper configuration of the WLAN (WLC, switches, APs) must be made to ensure that patient
monitors have continuous secure access.
The 802.11a spectrum has more capacity by means of a higher number of channels relative to the
2.4 GHz ISM band, typically less co-channel interference, and fewer client devices.
Note Cisco recommends that medical devices and mission-critical devices be deployed in the 802.11a 5 GHz band,
and general purpose data and guest wireless device can be deployed in the 2.4 GHz. It is also recommended
to deploy 802.11n access points along with ClientLink for optimum performance of all wireless devices.
RF Site Survey
Complete an RF site survey before deploying wireless patient monitors. A complete new site survey in
the 5 GHz spectrum across the bands (one measurement in each channel is required) ensures that the
parametric requirements are met across the desired coverage area,
RF Spectrum Analysis
Using an Cisco CleanAir along with Cisco Spectrum Expert for RF spectrum management is a basic
requirement of all wireless networks providing mission-critical wireless services. The Cisco Spectrum
Expert can be used to verify that the RF bands within the targeted coverage area are clean and free of
interference. Verify that no interference exist across multiple channels. No interference is defined as any
narrow or wide-band signals in the pass-band that are not 3 db above the measured noise floor. A
minimum of three measurements should be taken across the entire band.
Signal Strength
Vendors differ in the minimum signal strength required within the RF coverage area. Some vendors
require a signal strength of -67 dBm as measured across the entire 5 GHz UNII band. If adopting the
IEC-80001 voluntary standard, it is recommended that the risk manager verify initially and on an
ongoing basis that the channels and bands used are within the recommended guidelines set forth by all
the medical device vendors sharing the wireless deployment.
SSID Considerations
Most vendors advocate the use of a dedicated SSID mapped to dedicated VLANs. The ESSID used for
802.11 wireless devices generally should be broadcast, but may be set to not broadcast if desired.
Note Setting an WLAN SSID to not broadcast or advertise does not provide a level of security through being
hidden. There are many publicly available wireless utilities that can detect and capture wireless traffic
on WLANs that are hidden.
Most implementations of patient monitors create a unique WLAN/SSID to isolate the monitors from the
other wireless devices. Figure 32 shows a sample vendor implementation that supports Layer 2
connectivity only. Two independent subnets for two separate patient monitor networks with no routing
are used. A common wireless infrastructure is used, but patient monitors must be on their own Layer 2
segment.
LWAPP VLAN10
LWAPP
Central Station
LWAPP
Central Station
292842
Vendor B
In another example, a common wireless infrastructure is used, and patient monitors are being routed,
which allows the monitors to be on different subnets. The routers are used to route unicast and multicast
traffic between the bedside subnet and the rest of the patient monitor network. All the other segment
devices still need to be on the same subnet, as shown in Figure 33.
LWAPP VLAN20
Vendor A
LWAPP
Central Station
Vendor B
LWAPP Central Station
292843
Co-Channel and Multifloor Separation
The 802.11 infrastructure should generally be greater than 25dB of co-channel separation between apps
on the same channel. When deploying the WLAN across multiple floors, floor-to-floor separation is
required. Configured channels should be staggered across adjacent floors such that the same channels
are not configured for use on adjacent floors and the required co-channel separation is maintained.
IP Address Changes
For most vendor implementations, patient monitors support use of Dynamic Host Configuration Protocol
(DHCP) for obtaining an IP address.
In a Cisco WLC deployment, client IP addresses do not change when they roam within the same mobility
group. WLC deployments support client roaming across APs managed by one or more WLCs in the same
mobility group on the same or different subnets. This roaming is transparent to the client because the
session is sustained and a tunnel between the WLCs allows the client to continue using the same
DHCP-assigned or client-assigned IP address as long as the session remains active.
Note It is never recommended to use the IP address to determine the location of a wireless medical device and
cause the overall system to base decisions on the location, such as the care where an infusion pumps
safeguards are based on the IP/network address between a neonatal intensive care unit (NICU) and/or
step-down unit.
Security
The security model for most patient monitors varies widely, with newer models supporting a wider
variety of authentication and encryption mechanisms. However, legacy patient monitors and other
medical devices are limited; for example, the oldest devices support only static WEP. This presents a
dilemma for the medical IT network risk manager, who may be required by the IT department to
implement a security policy that cannot be implemented. Again, the first requirement for all medical
devices is to comply with the requirements and recommendations set forth by the medical device vendor.
In cases where the medical device cannot be configured to support the security model set forth for the
healthcare organization, options such as the following might be used:
Deploy the device using the most robust security mechanisms available.
Isolate the devices from the remaining network through Layer 2 VLAN isolation and implement
ACLs on either the Layer 3 VLANs or within the distribution layer. The use of a pair of Cisco
Adaptive Security Appliance (ASA) firewalls that are allocated to the support of mission-critical
clinical applications to inspect and allow communication to the various backend servers. Use a
multilayer security approach including MAC authentication and intrusion detection services, and
enable Management Frame Protection (MFP) if supported by the medical device vendor.
Build a parallel network for those devices, isolating them from the rest of the network.
Although this addresses the security policy requirements of the IT staff, it does not add additional
security for the medical devices or the parallel network. verify that MFP is supported by the medical
device vendor(s).
Note In 802.11, management frames such as (de)authentication, (dis)association, beacons, and probes are
always unauthenticated and unencrypted. In other words, 802.11 management frames are always sent in
an unsecured manner, unlike the data traffic, which are encrypted with protocols such as WPA, WPA2,
or, at least, WEP, and so forth.
Authentication
Currently the golden standard for wireless security is one based on an EAP based on the 802.1x
framework. Many legacy patient monitors do not support this authentication model, with many newer
models supporting a variety of EAP types.
Encryption
Some patient monitors use WPA-Personal, which is based on a WEP/RC4 cypher with TKIP and a Message
Integrity Check (MIC) to rotate the key and detect frame tampering. The main reason for this is because of
the lower computational requirements to support the RC4 cypher engine. These limitations are typically
hardware factors, which make it highly unlikely that a simple firmware update will support the more robust
WPA2/AES encryption model. Newer products entering the market do support WPA2 using AES 128-bit keys
for encryption. The recommend encryption level if available is WPA2 Enterprise.
Most patient monitor implementations recommend a separate SSID for each type of vendor biomedical
device, In this case, a unique WLAN/SSID isolates patient monitors from other wireless devices. This
does shield patient monitors from Layer 2 broadcasts, but does not eliminate a performance impact if
one existed because the channel itself is often shared. It is recommended that a risk manager verify the
network compatibility of each medical device type placed on the wireless network. In organizations
adopting the IEC-80001 standard, this responsibility falls on the risk manager and should be performed
without regard to the adoption of IEC-80001.
Medical device systems are made up of the system functionality and application software and are
regulated by the FDA. Vendors must follow the regulatory specifications when designing those products,
which include the software and computers as part of the regulated medical device. In some cases, the
network may be included in the devices FDA filing. Hospitals may not deploy devices on a network that
differs from the devices network specifications. Check the device manufacturers design specifications
for details on the wireless network requirements.
Protected health information (PHI) is any information that can be used to identify an individual and that
was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or
treatment. Electronic PHI uses the same definition but is applied to such data when it is in electronic
form. The 18 identifiers of PHI are as follows:
1. Names
2. All geographic subdivisions smaller than a state, including: street address, city, county, precinct, ZIP
code, and their equivalent geographical codes, except for the initial three digits of a ZIP code,
according to the current publicly available data from the Bureau of the Census.
3. All elements of dates (except year) for dates directly related to an individual, including birth date,
admission date, discharge date, date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and elements may be aggregated into
a single category of age 90 or older.
4. Telephone number
5. Fax number
6. E-mail address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account numbers
11. Certificate/license number
12. Vehicle identifiers and serial numbers (including license plates)
13. Device identifiers and serial numbers
14. URL address
15. IP address
16. Biometric identifiers, such as fingerprints and voiceprints
17. Full-face photos and any comparable images
18. Any other unique identifying number, characteristic, or code
Older non-integrated patient monitors do not normally associate a patients name, social security number, or
other PHI information in the data stream. However, newer products that have recently entered the market do
link the waveform and telemetry information to a patients name and other information obtained from the
EHRs ADT system. These newer systems perform a patient census from the EHRs ADT system. The data
is then used to map the collected alarms and waveforms for storage within the EHR or other supporting
systems. In these cases, adherence to local regulations regarding patient privacy must be designed into the
end-to-end system.
Mobile Radiology
Although 802.11 wireless connectivity is available for portable diagnostic medical equipment, it has not
been widely deployed because of the large file size of studies. This has changed as 802.11n has become
less common and newer 802.11n-capable portable modalities enter the market place. The advantage is
to allow various studies to be uploaded to backend PACS or cardiology systems for archival and/or
diagnostic purposes. This improves the workflow of the mobile clinician, allowing the studies acquired
in the patient room or within a long-term care environment to be offloaded from the device as the
technologist is executing the examination.
In the case of portable digital X-ray machines, a single image does not typically exceed 10MB. However,
an exam may consist of a number of separate images, resulting in a complete study exceeding 100MB.
Transferring this to a backend PACS system over a wireless network while the technologist is roaming
both horizontally and vertically (elevator) can sometimes be challenging. In addition to the normal
challenges with roaming, limited DHCP support in existing modalities aggravates the problem.
Long-term care environments should implement a WLAN for contracted imaging service companies,
which provide onsite imaging services. This SSID can be mapped such that connectivity can be
established to the remote radiology service through the use of a VPN connection. The implementation
of this wireless service offering has been shown to reduce the time to diagnose because it eliminates the
delays encountered in uploading the images acquired during the day, greatly shortening the time to
diagnose. The overall result is improved patient care and an increase in positive outcomes.
From a pure traffic perspective, DICOM-based traffic is typically treated as best effort. The studies must
therefore contend with other wireless traffic generated in a given 802.11 service area. This is because
many portable device vendors do not mark their traffic as mission-critical data and therefore remain
unmarked from a QoS perspective. As Figure 34 shows, traffic spikes in excess of 2.5 MB can result as
the acquired study is transmitted to the backend PACS system.
As stated, because most medical devices today transmit their data as best effort using non-802.11n
technology, it is not unreasonable to assume that a poorly designed 802.11b/g/a wireless network may
encounter network congestion and negatively affect other applications that may be critical to patient
care. This may be aggravated by the device transmitting at a low speed (1 Mbps) because of signal
strength or quality. In general, uploads should be treated identically to a batch file transfer and therefore
receive best effort service. Implementing Cisco ClientLink improves overall signal strength and quality,
resulting in higher throughput for all wireless devices connected to the shared media.
The rate-limiting characteristics of TCP such as slow start and congestion avoidance mechanisms are
native to TCP/IP and effectively rate limit the transfers. Situations that cause the transfer to stop and
restart during momentary disruptions in wireless connectivity cause TCP/IP to reduce its window size
and therefore negatively affect performance. It is important to note that some more critical wireless
applications, such as patient monitors that do not support WMM or QoS, may be contending for network
resources. This serves as a reminder that an MGN requires advanced planning and consideration.
Barcode Scanners
Bar codes enable quick, accurate data entry. This improves accuracy by reducing the likelihood of human
error from manual entry. It also reduces the ink that is used to write vital signs on the palms of the nursing
staff when doing spot checks or rounds. When a barcode scanner is combined with the appropriate hardware
and software, clinical efficiency and accuracy is dramatically improved. Barcode scanners are used for a
variety of applications within the healthcare environment. Applications can be grouped into the following
categories:
Supply logistics and material management coordination
Document management
Process logistics
Point-of-care patient safety and clinical care delivery
The first three categories include applications such as patient records, billing systems, claim systems,
maintenance systems, asset tracking, and logistics. The first three categories are used in manufacturing,
retail, and other industries to improve accuracy, timeliness, and productivity to reduce costs. The last
category is unique to the healthcare environment and not only results in cost savings, but improves
patient safety and the quality of patient care. Scanning barcodes before patient treatment can alert
caregivers to potential errors before they occur, preventing the error and avoiding patient harm. Clinical
applications for barcoding include blood transfusion verification, prescription entry, ordering medical
tests, specimen tracking, prescription drug tracking, patient identification, and dietary management. One
of the most impactful and widely deployed applications is medication administration verification. This
application is used to confirm patient identity, the correct drug, correct dose, correct time, and correct
caregiver (trained to administer and monitor for side effects).
Scanners may be categorized as: tethered, cordless, and integrated into handheld mobile computers and
PDAs. Barcode readers have been used in healthcare since the 1980s, so legacy technology spans those
used for barcode readers over that period. For standalone barcode scanners, there is a significant base of
legacy 2.4 GHz frequency hopping and Bluetooth (also a frequency hopping protocol) used to connect
the device to the CoW running the pharmacy application.
Note Care must be taken when any device is introduced into the wireless environment with regard to interference.
There have been documented cases where dedicated in-room Bluetooth scanners have impacted patient-worn
telemetry devices when the CoW is moved out of range. In these cases, the firmware in the BT scanner
aggressively and continuously sought to re-connect to its paired workstation, which generated enough
interference to cause telemetry dropouts.
Bluetooth and personal Wi-Fi devices may interfere with a wireless network. Their signature can be
observed using a spectrum analyzer such as the Cisco Spectrum Expert as well as Cisco
CleanAir-enabled access points. Figure 35 and Figure 36 show examples of spectrum analysis recorded
in hospitals.
Figure 36 shows a spectrum of a DECT-based voice call as displayed on a Cisco Spectrum Expert. Notice
the impact to channel 6.
This is typical of a Bluetooth device searching for a device with which to pair. This should be a one-time
event. As stated earlier, the actual barcode scans should be very brief, low bandwidth events but may
cause interference if the device is transmitting a high power, especially if the firmware aggressively
seeks to reconnect with its paired host.
Clinical Systems
Electronic healthcare systems have two major areas of focus: financial, or the patient accounting; and
the clinical informatics applications. Because of the global and widespread use of clinical EHR systems
on the patient floor, this section focuses on the wireless-related design characteristics of such EHR
systems.
There are four major categories that can be used to group clinical EHR systems from the delivery system
perspective. It is important to understand that EHR systems from different vendors may use one or more
of the approaches outlined below. This is because many EHR systems are composed of many different
applications, some developed by different business units within the EHR vendor. Other components may
have been acquired through mergers and acquisitions, with common examples being middleware, PACS,
and cardiology applications.
Computerized Physician Order Entry (CPOE) software may use a thin client-based delivery system
while the medical administration component from the same vendor uses a fat client-based approach.
Table 6 provides some considerations for each of these delivery approaches, and it is important to
consider the attributes associated with each architectural approach.
Bandwidth Typically very low Typically high Low Relatively low w/ Low
Usage exception to some
Java/ActiveX applications
Chattiness Relatively Low Typically high Low Relatively low w/ High
(latency exception to some
sensitive) Java/ActiveX applications
Tolerance to Not very tolerant, Can sometimes Not very Usually Very tolerant when Low, Some
network can disconnect with cause lockups or tolerant, can custom Java/ActiveX is not GUI front
disruptions minor disruptions of resets. Some disconnect with used. Can vary with Java or ends to
service vendors tolerate minor ActiveX applications are TN3270
disruptions very disruptions of used. systems may
well while others service lock up if
do not TN3270
application is
disrupted.
Embedded Yes, SSL Not usually Yes, encryption Yes, SSL No
application available is available
level from most
security vendors
Facilitates Some Usually not unless Yes, user can Some implementations will Dependent
Attributes
single sign implementations vendor supplies rapidly move allow user to maintain state upon
on will allow user to custom Single desktop from between application
maintain state Signon one machine to machines/browsers vendor
between application another
machines/browsers
PDA/Smart Yes, in some vendor Usually not, but Both Citrix and Yes, in some vendor No
Phone implementations some vendors VMware have implementations
accessible have PDA smart phone
versions of CPOE support in
or Medical development
Administration
ported to
PDA/smartphones
Laptop PC Yes Yes Yes Yes Yes, via
accessible terminal
(CoW or emulator
WoW) (Rumba,
TN3270)
Tablet PC Yes Yes Yes Yes Yes, via
accessible terminal
emulator
(Rumba,
TN3270)
Note VMware VDI performance and scaling information is available at the following URL:
http://www.vmware.com/pdf/vdi_sizing_vi3.pdf
Being familiar with the attributes of the specific EHR modules, as shown above, or the many others not
shown, is key to a smooth rollout onto a wireless network. Many EHR applications were written when
the LAN was really the only network topology available. The next phase of evolution was the WAN,
which presented a number of challenges specific to latency, bandwidth, and connectivity disruptions
because of congestion.
Typically, EHR vendors provide modules that can be hosted across a WAN or VPN and migrate very well
to a wireless infrastructure. This is primarily because of the application tuning that has been made to the
application in terms of bandwidth, chattiness, and tolerance of disruptions of service. If a wireless
network was engineered properly, and sources of interference have been reduced to a relatively low
margin, a wireless network performs as well as or better than that of a WAN.
RF Design Considerations
With EHR systems that are deployed on wireless tablets, PCs, laptops, PDAs or smartphones, the overall
performance depends largely on the RF characteristics of the wireless client device itself. Many of these
devices have varying levels of RF performance, and as a result have very different outcomes depending
on the wireless hardware implemented. For example, receiver sensitivity is a major factor; a site survey
performed with a laptop to 25db of SNR may be less than 20db SNR for a smartphone. This significantly
reduces the ability of an RF receiver to detect the 802.11 signal given the wireless clients internal noise
floor because of poor RF engineering. The better the receiver sensitivity, the better the performance and
therefore overall availability and throughput.
Another factor is the implementation of the roaming algorithm. Roaming at the right time and providing
for the right level of stickiness is also key. Too sticky and the wireless client roams too late, causing the
data rates to decrease to perhaps 1MB, resulting in a non-optimal end-user experience for all associated
wireless clients. Other aspects can also affect workflow, including power conservation techniques and
QoS capabilities such as using 802.1e and/or WMM.
To achieve a medical-grade network, the set of best practices for a given wireless technology must be
employed end-to-end in compliance with the infrastructure provider and the medical device vendor. This
not only involves RF site survey aspects and the placement of access points on the patient floor, but also
wireless device design, antenna characteristics, redundancy considerations, QoS, RF Spectrum
management, authentication, and encryption mechanisms.
Roaming
The decision to roam to a new access point depends completely on the wireless client and is not
influenced by the access point or wireless LAN controller. As a result of a poorly designed wireless
network, one deployed using a salt and pepper approach, roaming between access points may result in
cross-controller roaming. Such cross-controller roaming should be minimized whenever possible to
optimize roam times.
A wireless deployment strategy that follows a salt and pepper approach is one that allows access points
to locate any wireless LAN controller that is capable of providing services. The end result for highly
mobile devices that exist on a patient floor, such as CoW/WoWs and wireless PDAs, is excessive
cross-controller roaming that results in potentially poor roam times. Many times, wireless networks
deployed in this fashion work fine for voice and clinical applications, but may in fact prove problematic
during the rollout or pilot phases of new less tolerant applications or biomedical devices.
To enhance roaming, a feature called Fast Secure Roaming, also known as Cisco Centralized Key
Management (CCKM), can be used. According to Miercom testing labs, a Cisco 5508 WLC configured
for Fast Secure Roaming averaged a baseline of 9ms. For cross-controller roams, this time increases and
can result in the clinical application failing to recover.
Note Some EHR systems or components that use IBM SNA (TN3270) back ends and GUI-based front ends,
such as CPOE/Electronic Medication Administration and Reporting (eMAR), have been known to be
troublesome when connectivity is disrupted for as little as 350 ms.
For environments that use components of EHR systems (CPOE, medical administration, pharmacy, and
so on) that are not tolerant to such momentary drops should use a zoned controller-based approach.
When a zone-based approach is used, access points servicing a given zone are configured to use a
primary and secondary wireless controller. This approach limits inter-controller roaming, thereby
improving roam times. When crossing zones, however, cross-controller roaming occurs and may impact
some devices as described above.
Areas such as elevators and stairwells promote an interesting challenge because wireless clients typically
traverse a number of floors as they move vertically across the zoned floors. For elevators, an approach
sometimes considered by the RF engineer is to place an access point in the elevator shaft or hoistway.
In the United States, however, placement of an access point in the elevator or elevator shaft is not
permitted by the American Standard of Mechanical Engineers (ASME) code standard. In addition,
access to hoistway shafts can be made only by authorized and certified persons. These people are
typically not the same individuals who install or survey the wireless network. Exceptions to this rule may
sometimes be granted by the local fire safety authority (Fire Marshall) responsible for the area.
The ASME A17.1, Safety Code for Elevators and Escalators section 2.8.1 states as follows:
Only machinery and equipment used directly in connection with the elevator shall be permitted in
elevator hoistways, machinery spaces, machine rooms, control spaces, and control rooms.
Furthermore, sections 2.8.2.12.8.2.2 state as follows:
Installation of electrical equipment and wiring shall conform to NFPA 70 or CSA-C22.1.... Only
such electrical wiring, raceways, cables, coaxial wiring, and antennas used directly in connection with
the elevator, including wiring for signals, for communication with the car, for lighting, heating, air
conditioning, and ventilating the car, for fire detecting systems, for pit sump pumps, and for heating and
lighting the hoistway and/or the machinery space, machine room, control space, or control room shall
be permitted to be installed inside the hoistway, machinery space, machine room, control space, or
control room.
The ASME 17.1 code clearly states that devices that do not comply with the regulations cannot be placed
either in the elevator or hoistway (elevator shaft). As such, the RF engineer must ensure coverage in these
spaces. Coverage is not only a matter of signal strength and quality, but roaming across subnets and
possibly WLCs, and is common as the car moves vertically between floors.
It is not possible to characterize one standard foolproof method for ensuring coverage in elevators, as
there are many variables to consider. As such, a series of recommendations and best practices need to be
implemented until an approach is found that provides a satisfactory level of service for each unique
environment and set of wireless clients.
One common technique to provide wireless coverage in elevators is to place a diversity omni-directional
AP or antenna directly outside of the doors of the elevators just below the ceiling tiles.
In many cases, but dependent on elevator design, a closed elevator door reduces the signal inside the car
by 7 to 10 dB or more. This requires that the access point or antenna be just a few feet in front of the
elevator doors. To provide fast secure roaming between floors, it is best to have access points that service
elevators on the same WLC and to ensure that they are part of the same access point mobility group. (See
Figure 37.)
227835
Radio Resource Management (RRM)
Off-channel scanning and other radio resource management (RRM) should not have an impact on
workstations and other devices that have enterprise-class wireless cards. For some medical devices,
however, the time at which an access point is off the air may in rare circumstances have a negative effect.
This is especially true for patient monitor devices that typically send a UDP-based multicast frame every
40 ms. These devices typically do not have frame loss detection mechanisms nor are they capable of
retransmitting a lost or dropped frame.
Disabling RRM is not recommended for EHR deployments because there are times when a channel
change may provide better performance and overall availability than that of not switching to a less
congested channel. Furthermore, to detect rogue APs and other security risks, disabling or altering
default settings may inadvertently reduce the effectiveness of the security capabilities of the overall
wireless network.
Note Vendors of certain biomedical devices, specifically patient monitors, may require either specific changes
made to the default RRM parameters or to disable it completely. Beginning in WLC version 6.0, there is
the ability to selectively disable channel scanning on a per SSID basis. This feature is extremely helpful
for patient monitors that are not off-channel scanning tolerant. Consult your specific vendor for
information as to their recommended best practices.
Security
Wireless security for EHR systems that are commonly based on a Windows operating system should
employ an 802.1x EAP-based authentication mechanism as follows:
EAP-TTLS (Tunneled Transport Layer Security)
EAP-TLS (Transport Layer Security)
EAP-FAST (Flexible Authentication via Secure Tunnel)
To comply with global regulations regarding ePHI, it is recommended that each clinical user is assigned
a unique userid/password as a logon credential to the EHR system, and it is strongly recommended to
extend this same recommendation to the users on the wireless network. By using a central directory
services repository for userid/password credentials such as Microsoft Active Directory or an LDAP
complaint directory service, access to the various systems containing PHI-related data can be controlled.
Some healthcare facilities use EAP-TLS implementations with PKI enabled smart cards embedded into
the employee badges. By using PKI-enabled smart cards to logon a laptop or workstation, the user can
also gain access to the same wireless network using the same physical card. EAP-TLS may however be
more costly to roll out because of the added operational costs related to a certificate authority.
Note It is possible to implement a physically-based security interface to door card readers that enables an
account within Cisco ACS when someone enters the building and disables the account when they clock
out or leave for the day. This approach improves wireless security significantly because it reduces the
likelihood of a stolen or lost device that has not yet been reported being used to access the network.
For ePHI-protected data in motion, as is the case with any wireless network, AES-based wireless
encryption is required. A minimum key size of 112 bits or greater (WPA2 AES uses 128) should be used
in order to ensure that the data encrypted stays private for a duration of time in keeping with local
regulatory standards. As previously mentioned, National Institute for Standards and Technology (NIST)
recommends that data which should remain private until the year 2030 should be encrypted using the
AES protocol with a key length of not less than 112 bits.
Note NIST Recommendation for Key Management Reference NIST Special Publication 800-57 Revision 3
(July 2012) and can be found at the following URL:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
For a Cisco Unified Wireless infrastructure, this equates to the use of WPA2 Enterprise standard, which
employs AES with 128-bit keys.
Enhanced security is required for all users of PHI information, equating to an enterprise-class security
and protection model. The use of WPA or WPA2 pre-shared keys (WPA2-PSK) is simply not sufficient
for the protection of PHI information. This means that all acute and ambulatory environments implement
WPA2 AES-128 or better using dynamic per-user, per-session encryption keys.
A wireless Cisco MGN includes the following security attributes:
802.1X for strong supporting ePHI mandated requirements including unique userid/password
mandate, providing mutual authentication (user to network, and network to user) and dynamic
per-user, per-session encryption keys
AES-128 for highly secure data encryption meeting NIST recommendations for data privacy. At
present, WPA2 Enterprise supports only AES-128
Integration with the Cisco Identity Service Engine (ISE)
Wireless Intrusion Prevention System (wIPS) capabilities
Management Frame Protection (MFP) for strong cryptographic authentication of the clinical
network
Vocera B3000 Caregivers, The Vocera communications badges support 802.11b/g and are lightweight, wearable,
physicians and voice-controlled communications devices using 802.11b/g. The B3000 provides three
support staff hours of talk time and 45 hours of standby time.
Cisco Jabber Physicians/ Turn your PC, Mac, iPhone, iPad, Android, Nokia, and Blackberry device into a
For PC, Mac, nurses/visiting full-featured Cisco Unified IP Phone. Cisco Jabber delivers enterprise telephony calling
iPhone, iPad, nurses features and corporate directory lookup directly from the native screens and interface
Android, Nokia, and found on the device. Easy access to presence, IM, voice and video, voice messages,
Blackberry desktop sharing, and conferencing is supported. See http://www.cisco.com/go/jabber
Figure 38 Cisco 7921G Phone in Charger and 7925G and 7926G Phone
The use and variety of wireless-enabled devices continues to grow because of a variety of drivers,
including:
Hospital staff (caregivers, physicians, and support staff) are naturally mobile.
WLAN technology and the expansion in health care settings is providing ubiquitous coverage.
The support of higher CPU-capable mobile devices and the widespread adoption of 802.11-based
technology at home, office, and while traveling
Decreased dependency on voice-based cellular plans and an increasing tendency for data-only
cellular plans (802.11/3G/4G LTE tables, for example)
The emerging adoption of hotspot 2.0 by carriers to offload their cellular networks.
(http://www.cisco.com/en/US/solutions/collateral/ns341/ns524/ns673/white_paper_c11-649337.ht
ml)
Affordability of these devices is making it more economical for everyone to have including staff,
patients, and guests.
For the professional the convenience of having single number reachability made possible through
Cisco Unified Mobility.
Given the large variation of devices seen in the hospital environment, some key network considerations
must be addressed. Finding a common framework to support variation is a challenge as devices may and
will behave differently.
Quality-of-Service (QoS)
In the past, WLANs were mainly used to transport low-bandwidth, data-application traffic. With the
expansion of WLANs into verticals such as healthcare, WLANs are used to transport high-bandwidth
data applications, in conjunction with time-sensitive multimedia applications.
Because of the sensitivity of VoIP traffic to factors such as packet loss, jitter, and delay, the Cisco Unified
Wireless Network suite of products supports Wi-Fi MultiMedia (WMM) standards as the framework for
the QoS designs. As a range of other wireless devices will also be introduced in the hospital network to
support voice, determining the compliance of these devices to the WMM standards helps to create a more
stable environment to deliver voice.
Wi-Fi Multimedia
Wi-Fi Multimedia (WMM) has been published by the Wi-Fi Alliance and is based on IEEE 802.11e and.
WMM provides for QoS, Power Save, and admission control. Some of the key functions of WMM are
as follows:
ClassificationWMM uses the 802.1P classification scheme developed by the IEEE to classify
data.
QueuesThis classification is used to assign packets to queues. Each queue uses different
parameters for the Random Backoff Window in case of a collision. If more than one frame from
different access categories collides internally, the frame with the higher priority is sent and the lower
priority frame adjusts its backoff parameters as though it had collided with a frame externally. This
system is called enhanced distributed coordination function (EDCF). (See Figure 39.)
Guest Access
EHR/Clinical
Location RFID TeleMedicine Telemetry
Applications
Tags
Traffic Specification (TSPEC)An 802.11e admission control model that allows an 802.11e client
to signal its traffic requirements for prioritized access to the AP through the use of two variables,
the EDCF option and the controlled access options provided by the transmission opportunity
(TXOP).
Enhanced Distributed Channel Access (EDCA)A method that allows high-priority traffic a higher
chance than low priority traffic to wait less before sending a packet. This model requires the TSPEC
parameters defined on the endpoint. For voice traffic, this feature allows voice packets to be
delivered with less delay and jitter.
QoS Basic Service Set (QBSS)Information elements that are advertised in beacons by the AP and
the parameters are used by the 7921G, 7925G, and 7926G phones to determine the best AP with
which to associate.
Unscheduled automatic power-save delivery (U-APSD)A feature that allows the voice client to
synchronize the transmission and reception of voice frames with the AP, which allows the client to
enter power-save mode between the transmission/reception of each voice frame tuple. Another
added benefit is to increase call capacity because of efficiencies gained by the AP.
For more information on Wireless QoS, refer to the Voice over Wireless LAN Design Guide at the
following URL: http://www.cisco.com/go/designzone.
RF Design Considerations
There are many different classifications of wireless clients as discussed previously in this chapter.
Because these devices have very different traffic patterns and assumed levels of reliability and
predictability, it is important to discuss outside influencers which can negatively affect the reliability of
some wireless-based medical devices.
One common example is that of voice traffic. Within a healthcare environment it is critical because of
the mobile nature of caregivers and their ever increasing reliance on connectivity throughout the entire
healthcare facility. As such, it is critical that the VoWLAN network be architected end-to-end so that
high availability can be achieved within the hospital and associated outlying buildings. To provide
guidance in the proper deployment of VoWLAN solutions, Cisco has published a design guide that
covers 7921G, 7925G, and Vocera endpoints. This Unified Communication Cisco Validated Design
document as well many others can be found at http://www.cisco.com/go/designzone.
Cisco further recommends that wireless systems be integrated in accordance with the US FDA
document, Draft Guidelines for Industry and FDA Staff Radio Frequency Wireless Technology in
Medical Devices at the following URL:
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077210.htm
Proper coverage for voice dictates that there is a 20 percent (2.4 GHz) and approximately 1520 percent
(5 GHz), which is above and beyond WLAN data design guidelines. In addition, the optimal VoWLAN
cell boundary recommendation is -67dBm, and the separation of cell should be 19 dBM. For voice
traffic, a unique SSID should be dedicated for VoIP traffic. Proper site survey is essential to plan for any
site deploying voice. In addition to these basic factors, additional considerations include:
Coverage models to support elevators, stairwells, parking lots, and outside zones because a large
campus may need to support staff in all these locations for reachability. Assessment tools such as
A2Q (assessment to quality) and site surveys should be strictly followed.
Use the tools offered in WLC to collect statistics for troubleshooting, such as AP delay, packet loss,
radio statistics of the overall RF environment, because they can be helpful in finding trouble spots.
WCS also provides historical reports that correlate user issues with network issues that find potential
capacity issues. To provide an overall view of WLAN health, the WCS provides reports of the AP
power and channel changes over time.
(See Figure 40.)
222947
Roaming
Another factor affecting voice quality is the amount of physical movement of mobile handset users.
Devices such as laptops may need mobility, but once in use the likelihood for movement drops
significantly. However, Cisco 7921G, 7925G, 7926G, Vocera badges, and other smartphones and tablets
are highly likely to experience movement while in use. This mobile characteristic drives the need for fast
and secure roaming. The wireless client is 100 percent responsible for determining when to roam. The
client uses factors such as data retries, RSSI, SNR, and other schemes. The network can affect the speed
in which the roaming can occur once the client begins the roaming process. Once the new AP is chosen,
there is also a need to re-authenticate with the new AP because security must be preserved after the roam
has occurred.
To facilitate fast secure roaming, a method offered is the Cisco Centralized Key Management (CCKM)
and Proactive Key Caching (PKC). These advanced roaming mechanisms allow a WLAN client to roam
to a new AP and re-establish a new session key, known as Pairwise Transient Key (PTK), without having
to perform a full 802.1X/EAP re-authentication involving the RADIUS server.
IP Address Changes
When a client roams from one AP to another, it may require a new IP address. If a client requires a new
IP address, actions that might be required by the client include:
Acquiring a valid IP address via DHCP
IP duplicate address detection
Mobile IP signaling (if required)
Virtual Private Network (VMP) Internet Key Exchange (IKE) signaling (if required)
Note It is recommended to prevent the reassignment of new IP addresses within a health care campus. This is
because of a bad practice that is emerging that middleware vendors use, mapping the IP address of a
mobile device to a user. Subsequent alarms and/or alerts are sent to the mobile device using the IP
address. Any dynamic changes to the IP address may result in an alarm or other critical alert to be sent
to the wrong device, or not delivered at all. This is an area that the IEC-80001 focused risk manager
should evaluate before deployment.
In a Cisco WLC deployment, client IP addresses do not change when they roam within the same mobility
group. WLC deployments support client roaming across APs managed by one or more WLCs in the same
mobility group on the same or different subnets. In non-FlexConnect environments, this roaming is
transparent to the client because the session is sustained and a tunnel between the WLCs allows the client
to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains
active.
Clients roaming without a Cisco fast secure roaming protocol (CCKM or PKC), will typically send a
DHCP request asking for their current IP address. In a Cisco WLC environment, the WLC infrastructure
will ensure the client stays on the same subnet and can continue to use its old IP address. Next, the client
will typically perform duplicate address detection by pinging its own IP address and ensuring there are
no replies from WLAN clients using that same address. If a client is running mobile IP or VPN, those
protocols would run after the IP address is verified unique.
Note In environments where multiple DHCP servers provide DHCP services to wireless clients, a problem can
be encountered when the DHCP servers are configured to provide addresses out of assigned blocks of
address space within a given subnet or scope. DHCP Server A assigns 10.10.10.1127 and DHCP server
B assigns 10.10.128253. When one of the DHCP servers is offline (failure, scheduled maintenance, and
so on) and a mobile handset attempts to renew its IP address (typically at the midpoint of the DHCP
lease time), it fails. As such, the device acquires a new IP address by issuing a DHCP request and
reregisters with its call control. This is because the surviving DHCP server sees this request as a new
host on the network and assigns it a new IP address. The result for some middleware products is a failure
to deliver a critical alert or alarm because the relationship between the IP address and the intended end
user has changed.
Security
As stated many times throughout this document, in the healthcare environment, because of the nature of
the data being transported (especially PHI), security is critical. Control of the WLAN access relies on
the principles of Authentication, Authorization and Accounting (AAA), augmented by encryption to
insure privacy. For a more in depth view on wireless security focused on voice see the Voice over
Wireless LAN Design Guide. For a more thorough and system focused view of wireless security see the
Secure Wireless Design Guide and Mobility Design Guide. All of these documents can be found at
http://www.cisco.com/go/designzone.
Authentication/Encryption
Authentication options:
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP-Transport Layer Security (EAP-TLS)
EAP-Tunneled Transport Layer Security (EAP-TTLS)
EAP-Protected Extensible Authentication Protocol (EAP-PEAP)
EAP-Pre-Shared-Key (EAP-PSK)
Encryption options:
WPA/WPA2 Personal (uses Pre-Shared Keys)
WPA/WPA2 Enterprise (uses 802.1x and a backend RADIUS server for authentication)
WEP with Temporal Key Integrity Protocol (TKIP)
Advanced Encryption Standard (AES)
Traffic Patterns
There are two sources of traffic with VoIP end devices. The first is the traffic generated by voice calls.
Cisco wireless phones have color displays that can be used to provide services on the phone. Standard
applications include extension mobility, directories, stock reports, weather reports, and other
productivity tools. In the healthcare environment, this capability allows the close coupling of the Cisco
Unified Communications system with healthcare-specific applications. One example is the Nurse
Connect application that interfaces the Rauland Responder IV nurse call system with the Cisco Unified
Communications System. This allows the nurse associated with a room to be immediately notified when
a patient pushes a call button. They can then call the patient back with a single button press. This is
accomplished using XML messages. This is the second source of traffic.
Voice Services
Traffic for VoIP calls is typically steady state, calculated based on the codec used. Two common codecs
are G.711 and G.729. Because voice samples are taken at a predefined number of milliseconds, the data
rate is constant. For example G.711 sample rates are often 20ms, and G.729A is typically 10ms. Another
factor for the overall bandwidth is the IP header.
For example, G.711 has an input bandwidth of 64 kbps with a sampling rate of 20 ms, which
translates to 50 pps (packets per second) with a payload size of 160 octets plus a 40 octet fixed size
overhead for IP/UPD/RTP headers. The bandwidth results in 80 kbps.
Using G.729a, which has an input bandwidth of 8 kpbs and sampling at 10 ms, this translates into
50 pps with a payload size of 20 octets. Adding in the IP/UDP/RTP header, the resulting bandwidth
is 24 kbps. These per call bandwidth settings should be used in the overall bandwidth sizing effort.
Another important parameter in VoWLAN planning is call capacity, which is the number of
simultaneous VoWLAN calls that can be supported in an area. This value can vary depending upon
the RF environment, the VoWLAN handset features, and the WLAN system features. For example,
the VoWLAN maximum capacity for a Cisco Unified IP Phone 7921G using a WLAN that provides
optimized WLAN services (such as the Cisco Unified Wireless Network). Details on call capacity
planning on current releases can be found in the Voice over Wireless LAN Design Guide at
http://www.cisco.com/go/designzone.
Application Services
The application traffic consists of HTTP XML messages between the application server and the phone.
These messages are typically short and sporadic. This traffic is encrypted at the WLC with the encryption
mechanism defined on the WLC. Traffic should be minimal, and provide minimum impact on the
wireless network.
HIPAA/FDA Concerns
Patient information that could potentially be classified as PHI may be discussed over voice channels and
could be included in information exchanged by applications running on the phone. Both voice and XML
traffic exchanged with the phone are encrypted with the method configured on the WLC. As always,
there are tradeoffs. For example it was stated earlier in this document that data which should remain
private until the year 2030 should be encrypted using the AES protocol with a key length of not less than
112 bits. WPA2 uses 128-bit keys. WPA2 with AES encryption prevents secure fast roaming. Then it
comes down to the importance of protecting data for a very long time or possibly dropping calls.
Internet
Cisco Identity
Prime Sevices
NCS WCS Engine
WLC Anchor
DNS WEB
Controller
Clinical
Systems
Campus
WISM2/
Foreign WLC
LWAPP LWAPP
292845
Guest WLAN
Medical IT WLAN
A WLC is located in the hospital data centers DMZ where it performs an anchor function. This anchor
controller is responsible for terminating EoIP tunnels that originate from other hospital WLCs
throughout the network. These foreign controllers are responsible for termination, management, and
standard operation of the various WLANs provisioned throughout the hospital, including one or more
guest WLANs. Guest WLANs, instead of being switched locally to a corresponding VLAN, are instead
transported via an EoIP tunnel to the anchor controller. Specifically, guest WLAN data frames are
encapsulated using CAPWAP from the AP to the foreign controller and then encapsulated in EoIP from
the foreign WLC to a guest VLAN defined on the anchor WLC. In this way, guest user traffic is
forwarded to the Internet transparently, with no visibility by, or interaction with, other traffic in the
healthcare network.
Supported Platforms
The anchor function, which includes tunnel termination, web authentication, and access control is
supported on the following WLC platforms (using WLC firmware version 4.0 and later):
Cisco 5500 Series
Internet
Cisco Identity
Prime Sevices
NCS WCS Engine
WLC Anchor
DNS WEB
Controller
Clinical
Systems
Campus
WISM2/
Foreign WLC
Visiting Physicians
In the simplest model, visiting physicians are given internet access through an assignment of a dedicated
visiting physician SSID. This SSID is mapped directly to either a restricted VLAN for campus L2/L3
networks or to a dedicated VRF for MPLS environments. Access to clinical resources is typically limited
based on this VLAN/VRF model. VPN access to their home office or affiliated healthcare organization
is often granted in addition to general Internet services.
Authentication for this set of users should be one of the EAP types discussed earlier. If using a
centralized LDAP based user directory, the visiting physician should use their assigned userid/password.
These accounts can be created in the LDAP server directly (with an account expiration date specified).
Encryption should once again follow the recommended encryption standard for a medical-grade network
because it is assumed that the physician will be interacting with clinical systems and patient information.
In these cases, WPA2 Enterprise would be the recommended level of encryption coupled with an
EAP-FAST for example.
Contractors
Likewise, contractors and vendors are given internet access through an assignment of a dedicated
contractor SSID in many cases. This SSID is mapped directly to either a restricted VLAN for campus
networks or to a dedicated VRF for MPLS environments. Resources are limited based on this
VLAN/VRF model.
Most times, temporary contractors will only require access to their home office, internet services
including SMTP based E-mail, and perhaps a limited set of local resources such as network attached
printers. Open authentication can be used for these users and guest accounts created on the WLC or ACS
servers. If the contractors are involved with the handling of clinical information, their security model
would need to be mirrored to that of the Visiting Physician described above. This is to ensure proper
authentication, logging and encryption is used.
The Metro Flo 7.4 enclosure shown above provides support for Cisco's 1240 and 1250 Series access
points supporting 802.11b/g/a/n though the use of a multiband antenna. Other antenna's from such
companies as Cisco and TerraWave and others are also supported by Metro. More information about
these enclosures can be found at http://www.metro.com/flo.
One often overlooked aspect of the use of ceiling enclosures is the added physical security. Many
enclosures, include Metro's Flo 7.4 are lockable, preventing unauthorized access to the AP. This can be
especially useful in secluded public areas where physical security is a concern.
DAS benefits include not needing to mount various antenna subsystems and separate cabling in the
ceilings and having a common infrastructure on which the different networks coexist. This leads to
savings on the operational aspects of mounting and cabling particularly in areas where labor is
expensive. In addition, the reduced likelihood of removing ceiling tiles to replace an RF transmitter (RF
transmitters, access points, telemetry transmitter/repeater, cellular phone transmitter, etc.) addresses
JHACO environment of care standard focused around the containment of infectious disease such as
Methicillin Resistant Staphylococcus Aureus (MRSA) per the AIA guidelines and ICRA standard.
DAS systems can be categorized into two basic flavors: passive and active DAS. Passive DAS systems
do not place any amplifiers or electronic signal conversions between the RF signal source (the access
point) and the client device (handset, laptop, etc.). Active systems do place amplifiers and other
electronics in the DAS between the RF signal source and the client devices. Both passive and active DAS
are driven by the active electronics of the RF signal source.
Passive DAS systems can be fairly simple or quite involved. They can consist of an elongated RF radiator
in the form of a leaky coax, or they can use a shielded coax system with multiband antennas attached
to each coax. The purposely designed leaky coax cable approach permits RF radiation to escape from
the length of coax run and effectively provides a constant RF coverage area where it has been deployed,
such as an underground walkway. In leaky coax systems, the antenna is the coax cable. Another
approach is to attach a multiband antenna to the end of each highly shielded coax cable with enough
antennas/cables to cover a floor of patient rooms, for example. In both cases, the various RF radiators
are interconnected to form the passive system (starting from a series of wiring closets and extending
throughout the facility). This means that when an AP needs to be replaced, it can be done without
penetrating the ceiling, which is an advantage for any healthcare environment.
Active DAS systems were initially designed to provide distributed amplification throughout the DAS to
minimize the drive requirements placed on the RF signal sources (i.e., to compensate for the signal
attenuation induced in long coax cable runs). This addressed the signal loss from the AP to the client but
did not solve the signal loss from the client back to the AP. For example, a very low loss and high cost
coax cable that can achieve a 7dB loss per 100-foot at 2.4 GHz (802.11b/g) and 12dB or higher for 5.8
GHz(802.11a).
Eventually, it was necessary to move the amplifier and have it be collocated with each antenna (above
the ceiling) to compensate for the path loss incurred (in both directions) by even the lowest loss coax
cable and connectors. This means that when an amplifier needs to be replaced, it will require penetrating
the ceiling, which is a disadvantage for any healthcare environment.
With the advent of self-healing WLANs (where the controller can detect the loss of an AP and
automatically upwardly adjust the output power of adjacent APs from say 15mW to 30mW for example),
simple fixed gain RF amplifiers were not able to adapt to this technology approach as they were unable
to detect the change in input signal levels generated by the AP. The need for smarter DAS systems arose,
and over time resulted in active DAS systems that are able to dynamically adjust their output signal levels
to match the APs.
Virtually all 802.11 WLAN systems use antenna diversity to provide a means to deliver optimal coverage
to areas impacted by the cancellation of RF energy through multipath interference caused by RF
reflections. For passive DAS systems, this simply required two multiband antennas and doubled the cost
of the coax cable system. Active DAS systems, on the other hand, required duplicate RF amplifiers in
addition to the double cost of the coax and antenna system. For this reason, most active DAS systems
eliminate antenna diversity in order to reduce their cost for 802.11-based deployments. The resulting
solution change could lead to the creation of small null coverage areas that could result in one-way audio
or dropped calls.
With rapidly evolving 802.11-based technologies, and the specific RF characteristics of some 802.11
wireless clients, the use of DAS should be carefully considered, and if implemented, should be done by
a fully qualified DAS/WLAN systems integrator. Some examples of technologies or 802.11
characteristics that must be carefully considered include but are not limited to the following: radio
management, location-based services, 802.11n (MIMO), client roaming, VoIP, beamforming, and
increased noise floor.
Because the RF antenna system connected through a DAS to an access point covers a larger area, the
ingestion of a larger amount of RF noise from personal Wi-Fi devices, DECT, and Bluetooth results. This
ingestion of interference increases the noise floor that the AP receives. The result may be a lower SNR
of the path between the wireless client and the DAS-connected AP.
To summarize, there are some obvious benefits in using DAS solutions. Remember, DAS solutions are
not solely an 802.11-based technology and do provide obvious benefits for other RF-based systems
(telemetry, cellular, 3G coverage, pager, two-way communication systems). Some benefits are outlined
below. (See Figure 45.)
DAS
DAS
4thFL LWAPP
LWAPP
DAS
DAS
3rdFL LWAPP
LWAPP
DAS
DAS
2ndFL LWAPP
LWAPP
DAS
DAS
1stFL LWAPP
LWAPP
DAS
DAS
Ground
227837
LWAPP
DAS Benefits
ConvergenceAbility to carry multiple wireless access technologies, allowing the building planner
to provide coverage for many diverse RF services, such as cellular phone, two-way radios, paging,
Wi-Fi, and medical telemetry systems on a single shared antenna system.
Operational savingsInformation technology, biomedical engineers, and voice communication
managers can deploy a number of wireless technologies with a single converged antenna system.
Physical security for network and RF equipmentIn the case of 802.11, the access points are
secured in a locked wiring closet rather than on ceilings near users desks; thereby reducing the
likelihood of damage or theft.
Network maintenanceEasier configuration, maintenance, and replacement of RF equipment
including access points because they are located in a single, easily accessible location.
Increased compliance with the Joint Commission (JCAHO) Infection Control Risk Assessment
(ICRA) requirements during RF hardware replacement if mounted above ceiling tiles. Placing Cisco
APs above the ceiling tiles in healthcare environments is not recommend (see the Environmental
and Physical Considerations section on page 94).
As described above, there are a number of considerations in using DAS systems. Many of these benefits
apply to other (non-802.11) RF communication systems. It may make sense to deploy DAS solutions to
address coverage issues around these other technologies to provide a pervasive coverage for any number
of other services beyond 802.11.
Location-Based Services (LBS)LBS systems are designed by the manufacturer to work within
specific deployment parameters. Customers with a requirement for LBS either at the time of the
installation or in the near future should carefully specify their requirements to the DAS vendor
and/or systems integrator to confirm that the design will adequately support LBS, and any claims to
location accuracy using the DAS antenna system with a Wi-Fi over the DAS solution.
Radio Management (RM)Wi-Fi over DAS solutions may require static configuration of AP
channel and transmit power levels. Customers choosing Wi-Fi over DAS should carefully review the
total WLAN solution offering to ensure that value added dynamic radio management features,
including RM, rogue AP detection, and wireless intrusion protection, all meet their requirements.
802.11n MIMOSome DAS vendors have implementations for supporting 802.11n MIMO.
Customers should carefully evaluate and validate that these systems meet their requirements and
perform to expectations.
For more information about Ciscos official position on DAS solutions as they pertain to 802.11-based
deployments, refer to the following URL:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/positioning_statement_c07-5654
70_ps272_Products_Data_Sheet.html