Hospital initiates secure wireless transmission of medical data

A hospital in northwest England recently faced a classic security challenge when it used wireless networks to better manage electronic patient information.

Bringing electronic patient information to the hospital bedside poses a classic security challenge: the device used must be reliable, and it must also protect the confidentiality and integrity of patient data.

At the Wirral University Teaching Hospital NHS Foundation Trust in northwest England, the mechanism is based on a wireless network that not only maintains security, but also provides clinical staff with a measure of flexibility they have never had before.

The network was deployed over a vast site that encompasses the Arrowe Park and Clatterbridge hospitals, and is also supporting the phone system and paging of medical staff.

The system is the culmination of many years' work under the leadership of Pete Marsh, the technical director for Wirral Health Informatics Service (WHIS). Marsh has been using wireless communications since the 1990s, incorporating spread-spectrum technology, and his group has spent a long time exploring various interfaces that could help clinical staff in their work.

The new IP-based network was installed principally to support picture archiving communications systems (PACS) -- electronic scans and X-rays -- which would enable doctors to view the images wherever they are needed, without the aid of a lightbox.

"We needed to take the lightbox to the bedside," Marsh said. "And to do that we needed mobile technology and wireless networking." The technology would also allow MRI scans to be streamed directly to the bedside.

When it came to choosing a network supplier, Marsh set up a trial between Cisco Systems Inc. and Aruba Networks Inc., giving them each a ward to cover. It was important to test that a Wi-Fi network could deliver the data speeds required for streamed images of MRI scans, for example. He also needed to test the hand-off between access points as clinicians went about their work and moved around a ward.

"They were close, but Aruba had the edge for performance, spread and availability. And they were better on security -- their control could go down right to the aerial," Marsh said.

Aruba was able to provide coverage with fewer access points (three in most wards) and was able to cope with the practical constraints that limit where an access point could be placed. The system also came with security -- firewalls, message encryption and wireless IDS -- embedded into the controllers and management servers, and not as an add-on.

At the time of the decision, Wirral was also in the process of moving from a Novell-based user directory to Microsoft Active Directory, and it was essential for users to be able to authenticate to either system during the transition period, which the Aruba network was able to accommodate.

Now that the transition is complete, any device attached to the network is first authenticated against Active Directory to verify that it is a known Wirral-owned machine, and then the user may log on using a username and password, or increasingly an NHS smart card.

The wireless traffic is encrypted right from the client machine to the data centre, preventing hackers from intercepting and spying on network traffic.

If a device is reported lost or stolen, it can be deactivated in Active Directory, and therefore blocked out of the network. Any unknown access points will be picked up by the Aruba access points and reported back to a central monitor, where staff will decide if they are a potential threat.

Using the mapping function in the central controller, IT staff can pinpoint the physical location of the device within a couple of metres, and then go investigate.

The resilience of the network is maintained by having two controllers, one on each hospital site, both of which are capable of supporting the whole network if the other fails. Equally, if an access point fails, it is detected by neighbouring access points, which boost their broadcasting power to cover any dead areas.

The initial deployment involved more than 150 access points and was confined to the major wards in the Arrowe Bridge site. With more funding becoming available, wireless VoIP has been implemented across the two-hospital site.

The Voice over Internet Protocol (VoIP) project -- which now allows free phone communications over the IP network and supports the paging of clinical staff -- greatly extended the Aruba network into corridors, stairwells and other departments to provide complete coverage, raising the total number of access points up to 550.

Although wireless networking used to be considered difficult, Marsh said his system hasn't encountered many problems. The Aruba technology automatically balances the loads between access points to maintain service levels and prioritises phone traffic to ensure call quality.

"The users take it for granted," he said. "They just assume they can move around a ward and have image data or patient records delivered when they need them."
