Healthcare organizations and the healthcare industry are transforming at an unprecedented pace. The proliferation of sophisticated medical devices, the increasing adoption of telemedicine and its expansion into patient's homes and the workplace, the growing number of mobile devices used by hospital staff and patients to access the network, and aggregating and extracting analytics to make smarter decisions are among the many trends that are disrupting the basic fabric of healthcare organizations and their service delivery mechanisms.

These changes and trends within the healthcare industry and the associated health delivery models requires tight interaction between historically separate segments.

Traditionally most of healthcare organizations have operated in disparate silos, where different applications such as electronic health records (EHR), medical imaging systems, and billing and finance applications reside.

In addition, many healthcare organizations are divided into separate entities such as hospitals, pharmacies, physician offices and outpatient care agencies that traditionally have operated in a loose network mesh with limited capabilities. The many innovative health service delivery models that are now emerging rely upon a closely knit web of resources that enables the instantaneous access to health-related data and close collaboration between the many entities within the healthcare organization.

Close collaboration between healthcare staff and instantaneous access to a comprehensive view of health-related data aggregated and collocated from the many disparate segments is placing increasing demands on the network infrastructure that it runs on. The network is increasingly becoming the bottleneck.

The network is getting in the way of the digital transformation needed to enable innovation in this new era of healthcare. A new network architecture is needed to address the complex requirements of this new era.

Software-defined network architecture

Software-Defined Access (SD-Access) is an intent-based campus networking solution for the enterprise built on the principles of Cisco's Digital Network Architecture (DNA).

SD-Access is a major evolution in the network infrastructure. It is a network fabric that seamlessly integrates disjointed segments, wired and wireless devices, and enables automated definition of end-to-end group-based policies, regardless of location and access device. It also provides end-to-end segmentation of traffic that can securely separate critical applications, users and organizations.

The relationship between Cisco's DNA and SD-Access is shown above.

The SD-Access architecture leverages an overlay network that can provide instantaneous point-to-point connectivity over the existing underlay network to create an end-to-end network fabric. Shown above.

SD-access benefits for healthcare organizations

The SD-Access campus architecture provides several benefits to healthcare organizations spanning traffic segmentation, consolidating traffic into a single fabric, creating resource mapping and levels of access, supporting medical imaging and meeting HIPAA compliance. All of these benefits are now necessary to transform the business and provide innovative healthcare.

Segmentation of traffic

Healthcare organizations are inherently complex and require proper segmentation and separation of its disparate elements. The SD-Access campus architecture allows for the seamless segmentation of the following traffic types:

Critical and Confidential Patient Data: The secure separation of patient data is obviously of great concern. Any breach of confidential patient data can lead to significant regulatory fines as well as diminishing public trust. In addition, the proliferation of mobile devices has created a need for seamless access to resources within and outside the healthcare facility for patients, visitors and hospital staff. The SD-Access architecture segments the network into logical domains and can control access to various resources at the time of authentication. Guests, clinical staff, hospital personnel and contractors can be denied access or be given different levels of access privileges to patient data while at the same time allowing unfettered internet access.

Finance and Billing: All commercial transactions and applications processing cardholder financial data are subject to the Payment Card Industry Security Standard (PCI DSS) The SD-Access architecture can facilitate compliance with the PCI standard by leveraging the following features:

  • Placing all card holder data transactions within its own network domain.
  • The encryption transmission of cardholder data can be enforced.
  • SD-Access' policy engine allows access or restriction of access to cardholder data by business need-to-know.
  • The underlying protocol within the architecture assigns a unique ID to each person with computer access and allows the development of policies that addresses information security for all personnel.
  • Track all access to network capabilities and cardholder data.

Guest and Patient Originated Data: Patients are increasingly demanding access to real-time diagnostic and clinical data, internet access and direct communication at any time with doctors during their hospital stay. The SD-Access architecture can facilitate these patient-centric services by proper segmentation of patient and guest data with proper policy definition, control and enforcement. It can allow flexible access to specific patient diagnostic information, medical imaging data and access to other resources that aligns with the policies set by the healthcare provider.

Internet-enabled Medical Devices: The proliferation of diverse and innovative internet-enabled devices is spurring innovation and improving health outcomes. These devices can monitor patient's vital signs and report in real-time, anywhere. SD-Access architecture is a network fabric that enables connectivity anywhere at any time. Policies controlling the access and security requirements and its network parameters follow the devices regardless of location. These devices can be segmented into its own separate domain with its own security grouping that prevents unauthorized hacking of these devices by cybercriminals. Security is not top of mind when many clinical devices were. Proper segmentation of these devices can mitigate attacks. In addition, the identity engine that is integrated within the SD-Access architecture has a library of hundreds of medical devices enabling automation for the onboarding of these devices through secure authentication.

Consolidation into a single fabric

One of the most critical aspects of a new network architecture is its requirements to integrate disparate networks into a single fabric. Integration of wired and wireless within the same fabric allows seamless integration of mobile devices. Policies can be set regardless of the method of connectivity and particular location. Clinical staff can move between buildings or work at different campus locations and enjoy the same level of access to resources without sacrificing security. SD-Access architecture consolidates various organizational segments at different locations with consistent policies within the same view.

Resource mapping and access control

Using the SD-Access architecture, administrators can easily translate and apply business intent and policies to the network. By invoking the orchestrator, policies can be implemented by configuring role-based access to corporate resources by any user with any device from any location at any time.

You can divide entities across the whole healthcare organization into resources and users as shown above.

With the adoption of the SD-Access architecture, you can easily translate and incorporate these corporate policies and requirements into the network infrastructure. As shown in the example above, you can restrict access to sensitive patient data from any mobile device, restrict visiting clinical staff from accessing corporate resources and allow patients to view their test results and billing information.

Medical imaging

Transmission of medical imaging data such as Computed Tomography (CT), Magnetic Resonance Imaging (MRI), and Digital Radiography (DR) requires large network bandwidth. In many instances, these images are converted to a Picture Archiving and Communications System (PACS) ready for viewing by the clinical staff. The increasing use of mobile devices, workstations, and the viewing of these images by a larger number of people places increasing stress on the network. In addition, storage and backup of images to dispersed locations requires a network that accommodates a complicated bandwidth-hungry image distribution system. The SD-Access architecture can alleviate these problems by:

  • The architecture natively supports active-active links allowing higher aggregate uplink bandwidth from the edge to the rest of the network.
  • Quality of Service policies can easily be orchestrated to give specific imaging data higher priority than other traffic.
  • By segmenting imaging data, you can ensure that this traffic does not get propagated to other parts of the network unnecessarily.

HIPAA compliance

United States government introduced the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with the aim of protecting privacy and security of health information. The Department of Health and Human Services (HHS) published what are commonly known as HIPAA Privacy Rule and Security Rule providing guidance and safeguards on protecting privacy and security of health information.

While the HIPAA Privacy Rule establishes privacy requirement for the patients, the HIPAA Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations call "covered entities." HIPAA Security Rule on the other hand focuses on the safeguarding of "electronic protected health information" (e-PHI) that is created, received, transmitted, or maintained by a covered entity.

Protecting the confidentiality, integrity and availability of e-PHI is the key goal of HIPAA Security Rule. Hence the network becomes the integral part of facilitating healthcare organizations to be compliant with the HIPAA security rule.

The following table summarizes the HIPAA security rules that can be addressed by adopting the SD-Access architecture:

The rapid changes effecting the healthcare industry requires a fundamental change in the network infrastructure and the associated architecture. Cisco's SD-Access solution is the next generation campus architecture that can enable healthcare organizations to move towards digital healthcare where the network is the enabler.

Technologies