Can government agencies use a shared LAN? VLANs and NAC make it so

At the Aldershot Centre for Health, multiple government agencies use a shared LAN that enables each to have separately secured data using a combination of Cisco NAC and VLAN implementation.

The Aldershot Centre for Health is a huge venture. With a new build -- the size of two Wembley football pitches -- it houses three GP practices and local primary care trusts (PCTs), as well as a large chunk of the area’s army garrison. Yet when the idea for a shared services centre was first mooted, the plan was to have a separate network for each agency. Then the IT team rethought that strategy.

“What has traditionally happened when we have multiple NHS organisations that work collaboratively is that they will all just divide the building up, pick their areas, organise for their individual lines to come from their respective WANs and do their own thing,” said Karl Goatley, IT programme director for NHS Hampshire, the Centre’s head lessee.

“As soon as I walked in and had all the various stakeholders around the table I just thought, ‘this is absolutely crazy, to have the Aldershot Centre for Health (ACfH) being divvied up into all these various sections.’ Inevitably you start changing the service provision, so you need to start moving people around the building, and that would cause a major headache.”

Instead, a tender was put out for a highly secure voice and data WAN with a shared LAN that demarcates access to confidential information for each agency while allowing them each to access their information from an integrated network. That even goes for the Ministry of Defence (MOD), which is a 20% stakeholder and needs even deeper security.

Solution provider Logicalis won the deal with a Cisco network and OneSign Single Sign-On (SSO) solution from Imprivata. Why was Cisco technology chosen?

“If things change in the building, we can do that through a central patching arrangement. It is a completely combined solution, which allowed our health clinicians to be able to move around the building, plug in and be able to connect to their respective applications and networks,” Goatley said.


Cisco NAC and VLANs: Managing data and controlling user access

Specifically, the centre implemented an 802.1X NAC solution powered by a Cisco Access Control Server with secure VLANs. Through customised access control for individuals and groups, and port authentication using 802.1X, Cisco NAC enforces path isolation, mapping each validated user or device to the secure set of resources it is allowed to reach. Cisco Adaptive Security Appliances handle perimeter and inter-organisational security and control the flow of network traffic among agencies.
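The mechanism behind "plug in anywhere and land on your own agency's network" is dynamic VLAN assignment: after 802.1X authentication the RADIUS server returns RFC 3580 tunnel attributes in its Access-Accept, and the switch moves the port into that VLAN. The following is an added illustration of both sides of that exchange, not code from the article or from Cisco; the identities, groups and VLAN numbers are constructed placeholders, not the ACfH design.

```python
"""Dynamic VLAN assignment in 802.1X NAC, simulated end to end.
Added example with constructed data; identities, groups and VLAN IDs are
placeholders standing in for AD group membership and the NAC policy."""
from dataclasses import dataclass
from typing import Dict, Optional

# Standard RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed directory: identity -> group (stand-in for Active Directory).
DIRECTORY = {"gp.clinician": "gp-practice", "pct.analyst": "pct", "mod.officer": "mod"}
# Constructed policy: one VLAN per agency so traffic is isolated at layer 2.
GROUP_VLAN = {"gp-practice": 110, "pct": 120, "mod": 130}
AUTH_FAIL_VLAN: Optional[int] = None  # None: port stays closed on any failure


@dataclass(frozen=True)
class RadiusReply:
    code: str                 # "Access-Accept" or "Access-Reject"
    attributes: Dict[int, object]


def radius_authorize(identity: str, credential_ok: bool) -> RadiusReply:
    """Server side: decide the VLAN and encode it as the RFC 3580 triple."""
    group = DIRECTORY.get(identity)
    if not credential_ok or group is None:
        return RadiusReply("Access-Reject", {})
    return RadiusReply("Access-Accept", {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE802,
        TUNNEL_PRIVATE_GROUP_ID: str(GROUP_VLAN[group]),
    })


def switch_assign_vlan(reply: RadiusReply) -> Optional[int]:
    """Authenticator side: only a complete, consistent triple moves the port."""
    if reply.code != "Access-Accept":
        return AUTH_FAIL_VLAN
    a = reply.attributes
    if a.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or a.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return AUTH_FAIL_VLAN  # malformed reply: fail closed, never a default VLAN
    try:
        vlan = int(str(a[TUNNEL_PRIVATE_GROUP_ID]))
    except (KeyError, ValueError):
        return AUTH_FAIL_VLAN
    return vlan if 1 <= vlan <= 4094 else AUTH_FAIL_VLAN


def port_vlan_for(identity: str, credential_ok: bool) -> Optional[int]:
    """Full exchange: supplicant identity -> RADIUS decision -> port VLAN."""
    return switch_assign_vlan(radius_authorize(identity, credential_ok))
```

Because the VLAN follows the authenticated identity rather than the wall socket, the same user gets the same VLAN on any port in the building, while a failed or malformed exchange leaves the port closed.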

On top of that, the SSO solution has the option of a secure access process based on finger biometrics. The SSO is integrated with Microsoft Active Directory authentication. “The SSO allows you to be able to plug in something like 21000 Active Directory entries, so once you have invested in that we are now in the process of rolling it out across the whole of Hampshire.

“If you imagine ACH as the hub, and of course it’s on the periphery of Hampshire - we have got some cross-border work with Frimley Park for example - there are lots of different networks that plug into this,” Goatley said.

The network is not yet set up for access by mobile devices. “We have always reserved the right because we know that wireless has absolutely got a place within healthcare,” he said. “But we are also cognisant of the fact that the army has strict security regulations and they don’t like the idea of wireless at the moment.”

Overall, the implementation has been well received. “I know from experience that you roll something out and there are all sorts of issues. People are busy and they say ‘Why have you chosen to do this now because it is my end of month, financially?’ but with this there has just been a flurry of emails back to say this is absolutely fantastic, thank you,” Goatley said.

Goatley hopes the implementation will be iterative, a tried and tested method that will be used for other multi-occupancy buildings developed across Hampshire and with other partners.

Shared LANs could ease overall NHS transitions

The shared network used by ACfH could be a model for multiple healthcare agencies as huge changes take place across the NHS with the abolition of PCTs and Strategic Health Authorities in favour of GPs commissioning health services.

“We are now all trying to frantically put together what the new organisations are going to look like in the future, with new commissioning organisations, and we don’t know who is going to own the buildings or be responsible for the strategy of those,” Goatley said. “Yet the information revolution planned by the DoH makes it explicitly clear that organisations will have a single view of the patient. The technology at Aldershot is exactly what is required to make sure we can deliver on that strategy.”