

NAS Wireless’ Cisco Integrated Solution Enables Higher Level of Patient Care at UCSF Medical Center
The installation of a wireless local area network (WLAN) featuring Cisco Aironet® 1200 Series access points at the UCSF Medical Center gives caregivers greater flexibility in discharging essential tasks. The result is more time available with patients and a higher degree of care. The underlying architecture includes Cisco Catalyst® 6500 Series and Cisco Catalyst 3550 Intelligent Ethernet switches.
Background
UCSF Medical Center is part of the University of California, San Francisco, the only campus in the University of California system dedicated exclusively to graduate and professional study in the health sciences. UCSF Medical Center is ranked one of the top 10 hospitals in the United States, according to U.S. News & World Report. UCSF Children’s Hospital, a “hospital within a hospital,” received the magazine’s top rating among children’s hospitals in California.
Challenge
As part of its continuing effort to provide world-class health care, UCSF Medical Center developed plans to provide wireless “hot spots” at patient beds, offering access to the Internet and enabling patients and family to email loved ones before an operation and during recovery. The Medical Center also sought the mobility and productivity gains that wireless can provide, which can further enhance patient care by facilitating caregiver operations.
NAS Wireless CEO Jim Bradfield was engaged in late 2000 by UCSF Medical Center as part of a consulting effort to design an integrated wireless network for all UCSF Medical Center buildings. The initial design included Cisco Aironet Model 350 Access Points, and Cisco Catalyst switches and routers. Early in 2001, UCSF Medical Center issued a request for proposal (RFP) for wireless solutions. The RFP process extended for almost two years, and requirements were continually revised as new wireless management technology emerged.
During 2001, NAS Wireless teamed with SBC DataComm to capitalize on SBC’s contract to sell Cisco products at a deep discount to UCSF.
A precondition of the RFP was to install a pilot project of 60 days to test individual wireless solutions in a real-world hospital environment. Each vendor responding to the RFP was assigned an area within the Moffitt/Long facility. This pilot extended to a period of 14 months.
UCSF also hired a third-party consultant to test the wireless network for security risks and the ability to detect unauthorized intrusion during the pilot.
“The security and privacy of patient information are of the utmost importance to us,” says Binh Nguyen, manager of network security for the medical center. “We felt that hiring a third party to test the network security would help us ensure that we were going to satisfy HIPAA standards.”
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates changes in federal regulations governing the provision of health benefits, the delivery and payment of health care services, and the security and confidentiality of patient health information.
Solution
NAS Wireless conducted a comprehensive site survey and coverage test of all UCSF Medical Center buildings, approximately 4 million square feet, in the Mt. Zion, Mission Street, and Moffitt/Long campuses during the pilot period. NAS provided, configured and installed Cisco Aironet Model 350 access points, Cisco Catalyst switches and a Cisco Works Secure Access Control Server (ACS) for authentication in its part of the WLAN in the emergency department, or ER. NAS provided, configured and installed Cisco Aironet 350 Series client adapter cards into several UCSF clients assigned to the ER. NAS also configured the ACS server and switches, and worked with the UCSF network team to integrate the pilot hardware and software into the UCSF Medical Center Network.
“When the professional security consultant ran its ‘sniffer’ tools over the wireless network, the encrypted sessions were never compromised and completely met HIPAA requirements,” says Archie Hart, UCSF network analyst. “With the other two competing solutions, the consultants were able to identify the IP package, indicating the traffic was not secure. This was clearly not up to HIPAA compliance. Traffic moving across the Cisco equipment, by contrast, was completely encrypted. The consultants therefore recommended Cisco Aironet as the most secure solution,” Hart says.
During the period of the trial, Cisco enhanced its wireless product line by introducing its 1200 Series Access Points and its A/B/G client adapters, which support the IEEE 802.11a/b/g standard, as well as its signature IOS operating system. The Cisco Aironet 1200 Series Access Point is field-upgradeable, permitting configuration changes as requirements and technologies evolve.
The Cisco Aironet 1200 Series addresses security with the Cisco Wireless Security Suite, based on the IEEE 802.1X standard and its Extensible Authentication Protocol (EAP). The Cisco Aironet 1200 Series supports all IEEE 802.1X authentication types, including Cisco Extensible Authentication Protocol (Cisco LEAP) Wireless. When coupled with a RADIUS server that supports the same authentication types, such as the Cisco ACS, the result is a scalable, centrally managed security solution. This provides mutual authentication to help ensure that only legitimate clients associate with legitimate and authorized wireless access points. Dynamic per-user, per-session encryption keys can be set to automatically change on a regular basis to protect the privacy of transmitted data.
Cisco Aironet A/B/G Series wireless LAN client adapters provide an Ethernet-like data rate of up to 54 megabits per second (Mbps) and are IEEE 802.11a/b/g-compliant. They also support Cisco LEAP. “Because we are so firmly committed to safeguarding patient information, the exceptional performance of Cisco LEAP during the pilot period was one of the key factors in UCSF’s decision to adopt Cisco Aironet as our wireless platform,” Binh Nguyen says.
One of the stipulations of the Medical Center’s RFP was the provision of inline power, a stipulation that the Cisco Aironet 1200 Series access point meets. The Cisco Aironet 1200 Series supports inline power over both Ethernet and local power. “This saves us the expenditures we would otherwise have had to make for power or cable installation throughout each facility,” Nguyen explains.
“When we looked at the big picture, the security architecture and inline power were major factors in favor of the Cisco Aironet solution,” he says. “We were inclined before the pilot to adopt the Cisco wireless system because we have had a long, positive experience with Cisco. The features and performance of the 1200 access point simply made our decision easier. The bottom line is, you cannot put a price tag on patient care and patient confidentiality. The flexibility and mobility that our staff gets from wireless translates directly toward better attention to patient needs.”
NAS Wireless Chief Technology Officer and Senior Wireless Engineer, Richard Van Derworp, worked with engineers from SBC DataComm to enhance the existing Medical Center Gigabit Fiber and Copper network infrastructure to support the additional wireless traffic between all the sites. This included upgrading the current Cisco 6509 Catalyst switches for redundancy and fiber connectivity, upgrading the existing Cisco Model 3000 VPN Concentrators to handle the additional authorized users, and the addition of 50 Cisco Catalyst 3550 in-line powered switches.
“This design and implementation was especially difficult because the Med Center required several levels of security implemented on each wireless device based on the type of user, level of authentication, and the type of wireless client device accessing the network,” explains Mr. Van Derworp. “The challenge was to provide secure access to super-users with laptops or workstations using full Cisco A/B/G client adapters, while at the same time providing secure access to PDA (Personal Digital Assistant) users with limited security capability, and to patients or family members with no security capability,” says Mr. Van Derworp.
NAS and SBC engineers worked closely with the UCSF Medical Center network group to develop a wireless design that provided for seven different VLANs (Virtual LANs) on all devices. Each Access Point and Client Adapter was configured for seven separate VLANs, each with a separate SSID (Service Set Identifier), and each with a separate level of security access. The reason for so many different VLANs was to accommodate the different levels of users and their capabilities. The network also included four Cisco ACS authentication servers, and two Cisco Works WLSE (Wireless LAN Solution Engines) Servers. The Cisco WLSE can monitor and manage up to 2,500 IOS devices, including Access Points, routers and switches.
The full implementation by NAS included configuring and installing 50 Cisco Catalyst 3550 in-line powered switches interconnected to more than 90 Cisco Catalyst 6509 switches at the core distribution layer of the network. In addition to the Catalyst switches, NAS configured and installed two WLSEs, four ACS servers, and about 700 Cisco 1200 Access Points. These systems are installed at all the UCSF Medical Center sites. The wireless network now covers 70 floors in each of 14 buildings at all the San Francisco sites. Users can now travel from one floor to another and one location to another while enjoying uninterrupted wireless connectivity.
“The Catalyst 3550s are easy to deploy and manage,” Archie Hart says. “The functionality and features are always improving, providing UCSF with a great return on investment.” To manage the WLAN, the Medical Center purchased a Cisco Works Wireless LAN Solution Engine (WLSE). This specialized turnkey solution greatly reduces operational costs through centralized management and configuration capabilities and assisted site surveys for the entire Cisco Aironet wireless LAN infrastructure. It provides centralized, template-based configuration with user-defined groups to effectively manage a large number of access points and bridges. It monitors the Cisco LEAP authentication server, detects misconfigurations on access points and bridges, detects rogue access points, and provides proactive monitoring, troubleshooting, notification of performance degradation, and capabilities to improve capacity planning.
Results
Wireless is being used primarily in the ER, Operating Rooms (ORs) and patient rooms at the four campuses. “We have doctors and clinical staff who bring laptops or PDAs when they visit patients. With wireless, it doesn’t matter where they are—they can retrieve and input patient information and then move on to the next bed without having to locate a wired PC in between stops,” says Hart. The physicians generally carry laptops, and nurses and other clinicians typically work with wireless-enabled laptops on mobile carts.
“We also use wireless laptops for patient admitting and registration in the ER because it gives the staff great flexibility and convenience. In the hectic moments of new arrivals into the ER, wireless lets staff stay with the patient and the patient’s loved ones while gathering data instead of having to take it down by hand and run over to a PC. Wireless proves that it saves steps and time, which gives our staff more freedom to move on to other patients. Everybody benefits,” he says.
Hospital staff personnel use LastWord, a medical order-entry application from IDX. They also pair a software application from Dolphin with a wireless handheld device for placing pharmaceutical orders instantly. The same handhelds are used for wireless inventory control—a staff member can scan a bin of medicines and have the total number of each item automatically recorded in the main database via the WLAN.
The joint NAS/UCSF support team found that many hospital personnel adapted very quickly to wireless during the pilot phase. They arranged training seminars on the basics of wireless communication for many of those who were new to this system. “Richard Van Derworp, the primary system engineer on this project, worked with several key individuals, such as the nurse supervisor, and then helped to educate many of the staff nurses,” CEO Bradfield explains. “The idea is to start a training snowball, assisting some of the staff to train others so that rollouts in different parts of a hospital can be as transparent as possible.”
Unusual Challenge
The biggest challenge for the wireless implementation was deploying the Access Points so that the wirelessly enabled robots could operate all over the hospital. These robots, affectionately named Elvis and Lisa Marie, use Wi-Fi-enabled controls to travel up and down hallways to wherever their medicines need to be dispensed. This in itself is a challenge, but the robots must also summon the elevator, ride it to the required floor, and let the elevator know when they need to get off.
The communication between the base station and the robots, and between the robots and the elevators, is done via Wi-Fi connection. According to Richard Van Derworp, “The challenge with elevators is two-fold. Not only do the robots need to maintain a connection to the wireless network running 60+ miles per hour, but we also need to maintain that connection while roaming between and authenticating to different Access Points outside the elevator shafts. Elevators are federally regulated, and we cannot mount any wireless devices inside the elevator shaft without a permit.”
The solution? Van Derworp and his team designed a special network of Access Points using custom antennas directly outside the doors of certain elevators. This not only kept the robots in constant communication with the wireless network, but also allowed the implementation of Cisco’s Fast Secure Roaming to enable the robots to maintain their Cisco LEAP authentication during their ride in the elevator. Fast Secure Roaming was developed because some applications running on client devices require fast reassociation when they roam to a different access point. Voice or robot communication applications, for example, require seamless roaming to prevent delays and gaps in conversation or connectivity.
During normal operation, LEAP-enabled client devices mutually authenticate with a new access point by performing a complete LEAP authentication, including communication with the main RADIUS server. When a wireless LAN is configured for fast, secure roaming, however, LEAP-enabled client devices roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an Access Point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications.
The first phase of the wireless installation is being used internally by the robots, doctors, nurses, and other hospital staff. In the next phase of the WLAN rollout, the Medical Center staff intends to offer patients service via ‘hot spots’ for wireless access.
UCSF Medical Center
• Ranked among the top ten hospitals in the United States by U.S. News & World Report
• Includes the UCSF Children’s Hospital, ranked number one in California by U.S. News & World Report
• Known for extensive research and treatment of AIDS, cancer, organ transplants, fertility, neurosurgery and orthopedics for children and adult communities
• Recognized by the U.S. Department of Health and Human Services’ Office of Women’s Health as a “Center of Excellence” in Women’s Health

www.naswireless.com * 7172 Regional St., #313, Dublin, CA 94568 * 800-647-6459