Transcript
  • Business white paper

    Bring your own device in healthcare

    HP BYOD in Healthcare

    Healthcare providers can use tablets, smartphones, and other personal mobile devices to access vital resources with strong confidence in security and control.

  • Table of contents

    4 Executive summary

    4 Healthcare is mobile

    4 Bring it from home

    5 Mitigate the risks of BYOD

    5 Changing the rules of networking

    6 No-fuss network access control

    6 Authentication and authorization with IMC/SNAC

    7 Ensure endpoint integrity

    7 Maintain security compliance

    7 Prevent wireless threats

    7 Monitor the WLAN

    7 Go ahead, bring your own

    8 Additional resources

    8 Conclusion

    Who should read this paper?

    Healthcare administrators, IT directors, security managers, and network managers should read this white paper to learn how HP Networking solutions simplify security and network access control to help healthcare providers make the most of bring your own device (BYOD) initiatives.

  • 4

    Executive summary

    Many healthcare providers are enticed by the idea of allowing caregivers, administrators, and patients to use their own tablet computers, notebooks, and smartphones to access healthcare resources. However, they are concerned about the security risks and the impact on IT operations.

    HP Networking is helping healthcare providers realize the potential of BYOD initiatives by allowing caregivers and administrators to use their own mobile devices in a way that is secure and operationally efficient. HP Intelligent Management Center (IMC) provides a simple way to enforce network access control that is ideal for BYOD.

    Healthcare is mobile

    Healthcare is inherently a mobile work environment. And putting the most up-to-date information at a clinician's fingertips throughout all stages of the healthcare delivery process saves time, reduces error, and ultimately improves health outcomes.

    Physicians in particular have embraced the idea of using tablets and other mobile devices in their daily routines. The ability to view patients' medical records, test results, and scans is a huge time saver. And the ability to quickly check medical and drug-interaction databases can literally be the difference between life and death.

    In addition to physicians, healthcare workers and even billing professionals have taken to the efficiency of using tablets, notebooks, and other mobile devices.

    Bring it from home

    Many healthcare professionals, for example physicians who work in multiple hospitals, want the convenience of using their personal devices to access hospital applications. Patients, too, often want to use their own devices, whether they are waiting for their appointment or during an extended hospital stay. And if network access isn't officially sanctioned, patients and healthcare providers alike are probably trying to figure out how to sneak their mobile devices into the organization's network anyway.

    If Corporate America is any indication of the BYOD phenomenon, the idea of using personally owned tablets, smartphones, and notebooks is catching on fast. In fact, 72 percent of corporations allowed the use of personally owned mobile devices for business purposes, according to Aberdeen Group. [1]

    Healthcare providers must consider how they will effectively manage and secure personally owned mobile devices. BYOD devices cannot easily be identified, and therefore managed, by the IT department. When a physician, nurse, or administrator brings in their own device, IT has no control over where it has been or what applications the user has downloaded. The health of the device is unknown, and it's virtually impossible for IT to enforce security policies and remediate compromised computers. And that creates a big risk when the mobile device connects to the healthcare provider's network and accesses vital applications and information.

    In today's healthcare environment, more and more people are bringing their Wi-Fi devices into the hospital's infrastructure. This presents a unique challenge to the hospital IT administrator. This paper discusses these challenges and how HP addresses the security and management of multiple Wi-Fi devices being introduced into the wireless/wired network.

    1 Prepare Your WLAN for the BYOD Invasion, Aberdeen Group, July 2011

  • 5

    Mitigate the risks of BYOD

    Security is a top priority at healthcare organizations, where patient privacy is paramount. At the same time, medical information can be a treasure trove of Social Security numbers, credit card details, and other valuable data for cyber-criminals.

    Internet threats are rising, and security attacks have never been more threatening and damaging. Some of the biggest data breaches in history were reported in 2011, and three of the six biggest breaches involved protected health information, according to the Privacy Rights Clearinghouse. [2]

    Security breaches can tarnish a healthcare provider's reputation and cost immeasurable goodwill. They could also put the organization at risk of running afoul of regulations in the Health Information Portability and Accountability Act (HIPAA). Credit and debit card transactions must also be protected under the Payment Card Industry Data Security Standards (PCI DSS) requirements.

    Security is not the only challenge of successfully implementing a BYOD initiative. The influx of 802.11n Wi-Fi devices can place increased demands on a hospital's network, necessitating design changes. A recent Gartner paper notes: "When enterprises are designing wireless networks, the best practice for allocation of mobile devices is to move those devices that are 5 GHz-capable to the 5 GHz frequency using band steering. The goal is to separate devices capable of performing at higher speeds and move them to 5 GHz, because the additional frequencies allow a better use of the 802.11n standard using bonded channels, which effectively doubles the potential throughput needed for applications such as video. This also leaves the 2.4 GHz band for legacy devices that are not capable of taking advantage of the advanced features of 802.11n, and does not impede the devices that are 802.11n-capable with the additional protocol overhead to maintain backward-compatibility with 802.11g radios." [3]

    While BYOD can help healthcare providers reduce CAPEX, administrators must help ensure that BYOD doesn't cause OPEX to rise sharply. IT needs a way to enforce consistent network access and manage personally owned mobile devices as well as those devices owned by the healthcare organization, no matter where the user goes on the wired or wireless network.

    Changing the rules of networking

    Mobility can drive new levels of patient care, but when legacy networks are pushed to the limit, they become fragile, difficult to manage, vulnerable, and expensive to operate. Healthcare providers whose networks are at this breaking point risk missing the next wave of opportunity.

    Healthcare providers that deploy HP Networking solutions, based on the HP FlexNetwork Architecture, benefit from an open and standards-based solution that can scale across three dimensions: security, agility, and consistency. With HP FlexNetwork Architecture, healthcare providers can support users' requirements for mobility in a way that is consistent, secure, and flexible.

    HP FlexCampus, a building block of the FlexNetwork architecture, allows healthcare providers to converge and secure wired and wireless LANs to deliver consistent, identity-based network access that is ideal for bandwidth-intensive medical applications and media-rich collaboration applications. And FlexManagement, another building block of FlexNetwork, converges network management and orchestration, across the campus and data center.

    2 Data Breaches: A Year in Review, Privacy Rights Clearinghouse, December 16, 2011. https://www.privacyrights.org/top-data-breach-list-2011

    3 Without Proper Planning, Enterprises Deploying iPads Will Need 300% More Wi-Fi, Gartner, October 2011


  • 6

    No-fuss network access control

    Healthcare organizations can leverage IMC for protection of both internally owned and employee-liable mobile devices. Administrators can specify the appropriate network access rules, policies, and endpoint health posture requirements to meet the provider's own security policies as well as industry compliance requirements. With IMC, administrators know who owns the unmanaged devices on the network and can control what they're doing.

    IMC provides authentication based on user identity, device, location, time, and endpoint posture. Users can be assigned automatically into the appropriate VLAN based on a variety of parameters, including identity, device type, device posture, and even time of day. Access rights can also be enforced based on a particular application or service, such as VoIP, Microsoft Exchange, or Internet. Users can also be granted access to network resources based on their device's IP or MAC addresses, which is particularly useful for printers, IP phones, and barcode scanners.

    IMC fully supports the IEEE 802.1X standard for network access control; however, when supporting a BYOD initiative, many healthcare organizations may opt for IMC's new Simple Network Access Control (IMC/SNAC). SNAC allows healthcare providers to support BYOD more quickly and easily than a traditional 802.1X deployment, which requires deploying client software as well as integration with a RADIUS or Microsoft Active Directory server.

    IMC/SNAC leverages HP device fingerprinting technology to automatically identify users' mobile devices. HP device fingerprinting technology uses the vendor's Organizationally Unique Identifier (OUI), a unique number that's assigned to mobile device manufacturers, to automatically identify the device type. HP Networking has conducted extensive interoperability testing to verify the accuracy of device fingerprinting and is continuing to add fingerprinting capabilities.

    Authentication and authorization with IMC/SNAC

    Here's an example of how authentication and authorization work with IMC/SNAC. The administrator creates access policy groups, such as "Caregivers" or "Billing", in IMC. The administrator also creates an access policy group called "Apple Devices" for iPhones and iPads. The administrator can sync with Active Directory, and then import the information into IMC. Users will then be populated into the appropriate access groups.

    The "Apple Devices" access policy group captures all of the Apple devices requesting access to the network. The administrator can then specify the resources or other actions that should be taken with this special group of users or devices. The same is true for the "Caregivers" and "Billing" access policy groups.

    Healthcare providers can add another layer of security by using different Service Set Identifiers (SSIDs) for mobile devices issued by the provider and those which are personally owned. For example, physicians' devices could use secure 802.1X authentication on a caregivers' SSID with full access to healthcare resources. Users with personally owned mobile devices could use device fingerprinting or self-registration on a dedicated SSID that has more restricted access and tighter security. Another SSID could be used for open guest access that permits access only to the external Internet. The flexibility of IMC allows IT managers to define the appropriate policies based on their specific organizational requirements.

    IT managers can deploy IMC/SNAC to quickly and easily support BYOD today. They may also choose to migrate to a full 802.1X network access control solution over time. Or they may choose to maintain a hybrid solution, in which 802.1X is used for organization-owned PCs and tablets, and device-fingerprinting with vendor OUI is used for personal devices.
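
    The hybrid policy described above, as an added example that is not HP's code or an IMC configuration: it resolves a connection request to an access policy group and VLAN, using the OUI (the first three bytes of the MAC address) for personal devices and sending addresses without a usable vendor OUI to self-registration. The SSID names, VLAN IDs, the "Self-Registration", "Quarantine" and "Denied" labels, and the one-entry OUI table are assumptions made for the example.

```python
import re

# Constructed sample table for this example; a real deployment would load
# the IEEE OUI registry instead.
OUI_VENDORS = {"000393": "Apple"}

# Access policy groups from the text, mapped to hypothetical VLAN IDs.
GROUP_VLAN = {
    "Caregivers": 10, "Billing": 11,      # 802.1X, organization-owned
    "Apple Devices": 20,                  # fingerprinted personal devices
    "Self-Registration": 21,              # personal device, vendor unknown
    "Guest": 30,                          # external Internet only
    "Quarantine": 99,                     # failed posture, remediation
}

def vendor_from_oui(mac):
    """Return the vendor for a MAC address, or None if it cannot be known."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # Bit 0x02 of the first octet marks a locally administered address:
    # its first three bytes are not an IEEE vendor assignment.
    if int(digits[:2], 16) & 0x02:
        return None
    return OUI_VENDORS.get(digits[:6])

def decide(ssid, mac, dot1x_group=None, posture_ok=True):
    """Return (access_policy_group, vlan) for one connection request.

    ssid names ("caregivers", "byod", "guest") are hypothetical.
    A vlan of None means the request is refused.
    """
    if ssid == "guest":
        group = "Guest"
    elif not posture_ok:
        group = "Quarantine"
    elif ssid == "caregivers":
        # Full access requires a successful 802.1X login in a known group.
        if dot1x_group not in ("Caregivers", "Billing"):
            return ("Denied", None)
        group = dot1x_group
    elif ssid == "byod":
        vendor = vendor_from_oui(mac)
        group = "Apple Devices" if vendor == "Apple" else "Self-Registration"
    else:
        return ("Denied", None)
    return (group, GROUP_VLAN[group])

if __name__ == "__main__":
    # Constructed requests: (ssid, mac, 802.1X group, posture result)
    for req in [("byod", "00:03:93:12:34:56", None, True),
                ("byod", "02:03:93:12:34:56", None, True),
                ("caregivers", "00-03-93-AA-BB-CC", "Caregivers", False)]:
        print(req, "->", decide(*req))
```

    Because an OUI only names the maker of the network interface, the example treats a match as grounds for the restricted personal-device group and never for the full-access group, which stays behind 802.1X.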

  • 7

    Ensure endpoint integrity

    IMC allows administrators to control endpoint admission based on the device's identity and posture. If an endpoint is not compliant with the established policies, access to the network can be isolated for remediation or blocked to protect network assets. The IMC security policy component also provides non-intrusive actions to proactively secure the network edge, including endpoint monitoring and notification.

    Maintain security compliance

    IMC also allows healthcare providers to maintain security and regulatory compliance. Administrators can centrally monitor and keep records on all users and devices that access the network, including personally owned devices. Administrators can use rich reporting to assist in documenting compliance.

    Prevent wireless threats

    Healthcare providers can use HP Mobility Security IDS/IPS System Series to detect and prevent wireless threats with automated policy-based security and location-tracking capabilities for all 802.11 WLAN networks. It uses patented automatic classification and mitigation techniques to block unauthorized wireless traffic without disrupting the performance of authorized wireless devices. It also includes reporting for HIPAA.

    Monitor the WLAN

    Healthcare providers can also leverage the IMC Wireless Service Manager (WSM) module to monitor wireless networks, aid in RF visualization, and manage the wireless devices and clients. It integrates with the IMC base platform to protect and control access to wireless services. Administrators can use IMC WSM to monitor SSID status and to view RF heat maps, performance graphs, status views, and performance and inventory reporting.

    Go ahead, bring your own

    Healthcare providers can leverage HP's suite of intelligent wireless networking solutions as part of an integrated wired/wireless infrastructure and enjoy a low cost of operation and strong, consistent security. Simplified network access control allows healthcare providers to easily and securely support mobile devices on the campus network for caregivers, administrators, and guests while holding the line on operational expenses. With HP, mobility is simple to deploy, easy to manage, and based on industry standards.

    [Figure 1. Access control solution: deployment scenarios and benefits. Diagram labels: Remote Offices and Branches, Data Center/Cloud, Edge, Virtual Machines, Internet, Campus LAN, Core, WAN, Wireless LAN, Remote Users, Unified Network Security Mgmt and Policy Console. Callouts: "Ensure only authorized devices and users access network; endpoint health; visibility and control of traffic" and "Ensure only authorized devices and users get on network; guest management; endpoint health; visibility and control of traffic; uniform wired/wireless experience".]

    Healthcare providers can use HP IMC to help ensure that only authorized devices get access to the network and to support BYOD initiatives in a way that mitigates risk and is operationally efficient.

  • Get connected hp.com/go/getconnected

    Get the insider view on tech trends, support alerts, and HP solutions.

    Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    Microsoft is a U.S. registered trademark of Microsoft Corporation.

    4AA3-9250ENW, Created March 2012; Updated May 2012, Rev. 1

    ASAN Medical Center boosts efficiency for staff and patients with new WLAN

    ASAN Medical Center, based in Seoul, is the largest hospital in both Korea and Asia. The main medical center is a massive complex that treats 9,600 outpatients and 285 emergency patients on an average day.

    The medical center wanted to boost staff productivity and efficiency for patients by upgrading to a reliable, cost-effective WLAN and VoIP smartphones for faster access to electronic health records. ASAN Medical Center also wanted to provide Fixed Mobile Convergence (FMC) for staff and Real-time Locating Systems (RTLS) for tracing medical equipment on site.

    ASAN Medical Center rolled out HP Networking WLAN infrastructure over two years. "We've had great local technical support from HP Korea, and we have seen big improvements since using this new solution," said Cheon-Gueon Kim, IT Manager, ASAN Medical Center. "With most employees using Wi-Fi phones, laptops, and smartphones, we can access patient data much faster and diagnose treatments than ever before."

    With HP, ASAN Medical Center has high-quality voice over Wi-Fi. The network also provides fast transfer of data, including images, as well as groupware collaboration. The solution is cost-effective, and provides staff and patients with higher quality care and services with access to patients' historical health records.

    The staff is more productive because they can access key information via smartphones and laptops. And diagnosis and problem solving is as much as two or three times faster than before the WLAN was in place.

    Additional resources

    For more information on HP Networking, visit hp.com/go/networking.

    Intelligent Management Center Unified Access Manager (IMC/UAM)

    Intelligent Management Center Endpoint Defense (IMC/EAD)

    Intelligent Management Center Wireless Service Manager (IMC/WSM)

    HP FlexNetwork Architecture

    h17007.www1.hp.com/us/en/solutions/flexnetwork/index.aspx

    Conclusion

    When considering how you are going to handle the influx of wireless client devices penetrating your network, you need to consider what security policies you will enforce and how granularly you want to control the network access you allow. HP FlexNetwork architecture, with FlexManagement, provides single-pane-of-glass, core-to-edge network control, security, and much more.

    Simplify the IT experience

    Visit http://h17007.www1.hp.com/us/en/solutions/mobility/index.aspx to understand what Bring Your Own Device can do for your organization.
