BCHS Protects Patient Data
Print Issue: February 2016
When it comes to cybersecurity, healthcare is a prime target of attack. In the first half of 2015, cyber breaches in the industry represented 21 percent of all hacks worldwide, according to a study by security firm Gemalto.
Tim Armstrong, chief information officer at Brant Community Healthcare System (BCHS) in Ontario, Canada, is well aware of the importance of securing patient information in a hospital setting.
BCHS consists of more than 1,500 employees and 265 beds. The building’s seven wings cover approximately 19,000 square feet. BCHS’s network includes a slew of desktops, diagnostic machines, laptops, printers, and other devices that must be secured to protect patient and other private information.
The hospital also faces the challenge of accommodating a Wi-Fi signal strong enough to permeate its dated brick buildings. “Our hospital is made up of different wings that are physically different buildings, which have been cobbled together over many years,” Armstrong says. “They create significant challenges to the continuity of Wi-Fi services.”
For many years BCHS used Nortel for its wireless network services, but the system had several drawbacks. The large telecom company announced in June 2009 that it was going out of business, and BCHS knew support for the network would eventually go away. In addition, BCHS had network structures that were between 10 and 15 years old and needed replacing.
The outdated network also made system management difficult. When an employee wanted to connect a new smart device to the company Wi-Fi, IT had to go through a 20- to 60-minute process to provision that device. With 1,500 employees, that task proved a cumbersome one. “It was becoming extremely difficult for us to keep up with the provisioning requests,” Armstrong says.
Because the healthcare provider wanted to make several upgrades to its network infrastructure, it decided to search for a new wireless network provider. Being a government entity, BCHS was required to hold a competitive bidding process for a new vendor. It issued a request for proposals in October 2013. Aruba Networks won the bid, and the installation of Aruba Wi-Fi began in April 2014.
A company called Transformation Networks helped with the Aruba Wi-Fi installation. Armstrong says it was an effective partner, and there were only minor bumps in the process. With the help of Transformation Networks, BCHS doubled its number of Internet access points, to 375, and successfully integrated all of its machines onto the network.
The installation was finished in July 2014. Now that the integration is complete, “we’re pretty self-sufficient,” Armstrong notes. “The only time we might contact Transformation Networks or Aruba is if we’re going to bring a new area in that wasn’t previously on Wi-Fi, and there aren’t too many of those right now.”
Although there are some renovations going on in the hospital, Armstrong says Aruba can adapt. “We can easily meet the needs of those changes with the new network,” he explains.
With ClearPass, a security feature offered by Aruba within its wireless networks, specific devices can be easily provisioned to certain parts of the network using the company’s Active Directory.
“We’re able to secure them quite well with the technology we have from Aruba,” Armstrong explains. “It allows us to know which devices are coming on the network, who’s using them, and it’s all done through the ClearPass technology.”
Now whenever employees have a device they want to add to the network, they access the hospital’s Wi-Fi signal and are directed to a portal in their Internet browser. The portal asks whether the user is a guest or staff. Employees enter their username and password. A certificate is then issued to their device, which gives it permission to use the Internet.
For heightened security, the IT department requires password resets every 90 days for employees. Armstrong emphasizes the criticality of such measures in a hospital setting.
“In healthcare, there’s a significant risk to the individual employee as it relates to patient privacy,” he says. “Everybody here understands how important it is to keep your username and password to yourself so that nobody can use it to access patient records in a malicious way.”
With the old Wi-Fi system, patients and patient families had to pay a fee to access the Internet, to recover the cost IT was paying to provide the service. But Armstrong says most people weren’t willing to shell out the $10 per day. “Therefore we weren’t recouping our minimum charge to the company that provided the service,” he says.
To improve the overall patient experience, BCHS decided to provide Wi-Fi at no cost to patients or patient families when it moved to Aruba. With virtual network segmentation in place, the public Internet connection is separate from the more-sensitive hospital network. “They’re segmented off in a way that there’s no risk to any of the patient information that we have within the hospital,” Armstrong notes.
Having the segmentation also means that if patients are consuming lots of bandwidth while on the Wi-Fi, it won’t affect the hospital’s Internet access and ability to provide patient care.
The IT staff carefully manages security by drilling down into individual user sessions among its employees. With Aruba’s ClearPass technology, they have visibility into who is accessing which applications and how they are using them.
For example, if an employee is using social media sites during working hours, the IT staff can alert management that the network isn’t being used for proper patient care.
“With ClearPass, we can set policies to understand what type of device they’re coming onto the network with and how to best utilize that device to access the information securely in the hospital environment in a way that protects patient privacy,” Armstrong explains.
The same goes for any contract workers who need access to the hospital network. While they get the same login credentials as regular staff, Armstrong notes that “we tightly control what applications they can get based on the work they’re being asked to do.”