Auto-Provisioning of Biomedical Devices on a Converged IP Network

Abstract

Hospitals continue to spend large amounts of money on upgrading their network infrastructure and/or building new wings to their existing acute care or ambulatory care environments. Traditionally biomedical devices have operated on their own networks, completely separate from the hospital's core information technology (IT) network. This topology puts tremendous pressure on the hospital support staff to maintain and upgrade these parallel networks. Over the last few years, however, advances in networking technologies are slowly but steadily starting to change the current layout from separate disparate networks to a converged Internet protocol (IP) network, where the biomedical devices can still have the logical separation from other end-point devices. A large number of hospitals have or are moving toward a converged IP network and are looking at ways to connect IT devices, biomedical devices, and guest services on a converged IP network. Figure 1 illustrates how the medical device connectivity is being influenced by a converged IP network.There are some real-world challenges experienced by healthcare customers. The following examples illustrate those challenges.All these scenarios are business problems whereby customers are looking for effective ways to automate the process of getting a device—biomedical or IT—onto the network without going through the manual process, which is a very common approach in the healthcare industry. Hospitals do not want to manage multiple disparate networks, nor do they want to provision a port manually because of the added cost and delays.However, with the benefits of convergence come Specifically some challenges the IT and clinical engineering staffs have to address the following:Biomedical devices such as patient monitors and infusion pumps are the fastest growing population of networked connected devices (wired or wireless) in a clinical environment. It is imperative that as more and more biomedical devices become IP-enabled, customers have an automated, secure way of connecting those devices to the network. The Biomedical Network Access Control (BioMed NAC) is an effective way for hospitals to automate the process of connecting certain biomedical, IT, and guest devices to the network, eliminating the manual process. This technology automatically distinguishes a biomedical device and provisions the network for the appropriate access capabilities and restrictions.Biomed NAC is a healthcare solution that addresses the following key challenges:Before we take a deeper dive into the solution, it is important to understand the technology. Network admission control allows only compliant and trusted endpoint devices, such as personal computers, servers, and biomedical devices onto the network, restricting the access of noncompliant devices, and thereby limiting the potential damage from emerging security threats and risks. This technology gives organizations a powerful, roles-based method of preventing unauthorized access and improving network resiliency.The Biomed NAC solution integrates the NAC Appliance and NAC Profiler components into an existing healthcare campus network. The solution automates the process of connecting wired biomedical devices to the hospital's existing infrastructure network. Once this end-point device is connected, the network will continuously monitor its behavior to make sure the device is working and behaving correctly. If the behavior is different than expected, the system will alert and/or report the information to the clinical or IT administrator. The administrator can then intervene and choose to segregate the device accordingly.Traditionally, the NAC Appliance has been used in the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. The Appliance allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. The Biomed NAC solution focuses on defined medical device endpoints for admission control dynamic profiling and access port provisioning. The solution is designed to co-exist with the traditional NAC features described above. Figure 2 identifies the key solution components, integration points, and relevant configurations.As mentioned earlier there are four key steps involved in this solution: device identity, access control and enforcement, behavior monitoring, and reporting and visibility. Figure 3 illustrates the high-level logical flow of the solution.One of the key aspects of the solution is the device profiling. To automate the process of getting the biomedical devices to communicate on the converged network, one has to create profiles for the various end-point devices. In the simplest definition, a profile consists of key device attributes such as the MAC address, device ID, and IP address. Table 1 shows the basic identity attributes that the NAC Profiler uses to build medical device profiles. Profiles are created using the Profiler web GUI.The BioMed NAC solution allows healthcare organizations to use a single, unified, and converged IP network that supports IT equipment, biomedical devices, and guest services. The technology can quickly distinguish certain biomedical devices from other types of hosts, and automatically provision the network for appropriate access capabilities and restrictions for more flexibility and optimal patient care as it: