Designing a Medical Grade Network

Author
Carole Warner Reece
Architect

NetCraftsmen has been supporting several customers with designs and implementations of ‘Medical Grade Networks’. Steve Meyer and I thought we should discuss an example health care network design that uses converged networks to support ‘medical grade networks’ using VRF-Lite, biomedical NAC, and health care QoS class definitions.

Background

Most health care organizations have an existing network infrastructure – often they have several physically separate networks supporting clinical data, non-clinical data, voice, research, and possibly educational equipment and users. For several reasons (manageability, efficiency, costs), there is a move to converge these separate networks to use the same physical infrastructure while still providing the isolation, security, and quality of service (QoS) needed by the health care applications and resources.

Some quick definitions we use with the health care industry:

  • Medical Grade Network – This is a network built on standards and best practices in the network industry that deliberately addresses the unique requirements of a health care organization. The bullet list of needs may seem fairly universal – interoperability, security, availability, productivity, and flexibility. However, these requirements are flavored by the underlying mission of the health care organization – providing optimal patient care.
  • Converged Network – Implementing all logical networks of an organization on a common physical infrastructure.
  • Clinical Data – Data (including video) from any device or computer associated with direct patient care. For example, this could be a heart rate monitor, a bedside monitor collecting vital signs, an infusion pump, or a ventilator. Other terms for clinical data include clinical information and clinical systems.
  • Clinical Network – A network that carries clinical data. There may be multiple clinical networks at a hospital, some which support the transmission of life critical data.
    Note: Integrating clinical devices often requires investigation and communication with the equipment vendors about how the specific devices handle IP addressing and subnet masks, which network protocols they use, and other details. Biomedical devices such as patient monitors are typically “headless”, sealed devices and are not capable of running any form of third-party authentication agent, 802.1X supplicant, or NAC client. In addition, they do not provide a means by which a user can manually intervene through a browser.
  • Clinical Life Critical – A QoS class used to mark data from clinical network devices supporting life critical data. A separate virtual network may be used to support clinical life critical devices.
  • Biomedical NAC – Biomedical Network Admission Control (or BNAC) is used to automate clinical device assignment to the appropriate virtual network on the network infrastructure. BNAC uses the Cisco NAC Profiler for dynamic profiling and access port provisioning for defined medical devices, and is based on device identity and behavioral signatures.
  • Non-Clinical Network – All PCs, printers, servers, or other devices primarily used for general computing and business-oriented applications. Typically this is the largest block of users, end-hosts, and applications on the network. The IP Unified Communications system (i.e. IP Telephony) also fits within this category.
  • Guest Network – Includes all patients, guests, and vendors connecting to the healthcare network with computers not under the jurisdiction of the organization. This computing group includes a quarantine NAC role in addition to a guest NAC role. The quarantine NAC role essentially provides a highly restricted network connection that allows remediation of local computer security issues (e.g., virus removal, anti-virus software updates, etc.).
  • VRF-Lite – A technology that allows us to overlay virtual networks on an existing network infrastructure. (VRF-Lite enables virtual networks by supporting multiple VPN routing/forwarding instances on a network.) The main routing table supports most of the network traffic. Virtual networks are only created when needed to support requirements of specific devices and applications.
    Figure: VRF-Lite overview diagram
  • Virtual Network Overlay – A term we use informally to identify the process of creating a virtual network, or VRF, in the medical grade network. The virtual network overlay or VNO establishes multiple virtual networks that logically segregate special purpose computing groups – such as clinical systems, medical research systems, and an isolated guest network. These segregated virtual networks ride atop a converged network infrastructure. We use the term virtual network overlay with some organizations instead of VPN to avoid any confusion with Internet IPsec VPNs.
  • Fusion Router – A VNO distribution switch that provides the gateway between the virtual networks and the underlying campus network through the security drop off point.
  • Security Drop Off Point – Point in the network infrastructure where separate virtual networks are interconnected through use of firewalls. These points enable limited communication between virtual networks for defined specific purposes.
  • Perimeter Network – Connections to networks and devices not managed by the healthcare organization. Networks in the perimeter may include the Internet and partner networks. IPS/IDS devices and firewalls customized with organization-specific policies and rules control all traffic that passes between the internal network and the perimeter network.

High Level Converged Network Infrastructure Design

In designing a converged network infrastructure for the campus LAN in a health care organization, we build on the traditional hierarchical three-layer (core, distribution, access) model. This hierarchy establishes the general framework and connectivity for the entire network. Within each layer are modules that serve a specific role in that layer. As changes or upgrades are needed, they can be performed at one layer in the hierarchy, without disruption or significant changes to the other layers or components. Whenever possible, we use Layer 3 routing end-to-end throughout the network to provide network stability and fast response as well as maximum link use. The Layer 3 design permits traffic to leverage equal cost forwarding across all paths to support load sharing and fast failover. In addition, problems in a routed network generally show up as localized connectivity issues that do not feed upon themselves to cause wider outages. The Layer 3 network to the access layers allows for the use of a standard set of locally significant Virtual Local Area Network (VLAN) assignments, which leads to simpler operation.

We overlay the network infrastructure with virtual networks to provision and support the logical networks that transport and connect the underlying applications and resources using VRF-Lite technology. (We sometimes refer to this technique as ‘virtual network overlays’.) VRF-Lite technology allows us to overlay multiple virtual networks on top of the common underlying infrastructure. As a result, separate logical networks can be built to support clinical, voice, research, and guest users/devices while maintaining appropriate isolation from the main system.  Here is an example high level network diagram:

High Level Health Care Diagram

Where needed, we use discrete routing domains to segregate natural partitions within the network where security and/or operational boundaries occur. Route distribution and security policies govern the points where the routing domains intersect. These policies primarily restrict routing and access for example between the main campus network and a virtual network overlay (VNO) or access to outside networks such as the Internet and partners. Here is an example high level routing diagram:

High Level Health Care Routing Diagram

Along with Layer 3 routing, we recommend a structured addressing plan based on IPv4 as a groundwork for current or future IPv6. The structured IP addressing plan allows for a high degree of summarization (such as at building boundaries, data center, etc.). It also incorporates some addressing support for the implementation of Network Admission Control (NAC). With properly structured IP addressing, simple access control lists (ACLs) can be used for NAC-based role group network access control. Such an addressing scheme also lends itself to IP Telephony, which can be handled like a NAC role as far as addressing. Simple ACLs for IPT Security and QoS greatly facilitate deployment, operation, and maintenance. The most scalable way to deploy NAC involves assigning users, based on their roles, to VLANs at each LAN closet. This method also assigns their subnet. When users are assigned to subnets by role, the relevant subnet bits can be used in simple access-lists (ACLs) to help control access to servers in the data center.
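As an added example (not code from the article or from NetCraftsmen), the Python below shows why a structured addressing plan lets a single wildcard ACE cover an entire NAC role across every closet and building. The plan it assumes is constructed for illustration: 10.<building>.<role|closet>.0/24, with the NAC role carried in the top two bits of the third octet and the closet/VLAN index in the low six bits.

```python
import ipaddress

# Constructed addressing plan (an assumption for this example, not the article's):
# 10.<building>.<third>.0/24 where the top two bits of <third> encode the NAC role
# and the low six bits encode the closet/VLAN index within the building.
ROLE_SHIFT = 6
ROLES = {"non-clinical": 0, "clinical": 1, "ipt": 2, "guest": 3}


def role_subnet(building: int, role: str, closet: int) -> ipaddress.IPv4Network:
    """Subnet assigned at one closet for one NAC role."""
    if not 0 <= closet < (1 << ROLE_SHIFT):
        raise ValueError("closet index must fit in the low six bits")
    third = (ROLES[role] << ROLE_SHIFT) | closet
    return ipaddress.IPv4Network(f"10.{building}.{third}.0/24")


def role_wildcard(role: str) -> tuple[str, str]:
    """Address/wildcard pair matching every subnet of one role in every building."""
    base = f"10.0.{ROLES[role] << ROLE_SHIFT}.0"
    # In a Cisco wildcard a 1 bit means "don't care": ignore octets 2 and 4
    # entirely and the low six (closet) bits of octet 3.
    wildcard = f"0.255.{(1 << ROLE_SHIFT) - 1}.255"
    return base, wildcard


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style comparison: only bits that are 0 in the wildcard are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & keep) == (b & keep)


def role_to_server_ace(role: str, server: str, action: str = "permit") -> str:
    """One ACE granting (or denying) a whole NAC role access to one data center host."""
    base, wildcard = role_wildcard(role)
    return f"{action} ip {base} {wildcard} host {server}"


def wildcard_is_exact(role: str, buildings=range(256)) -> bool:
    """Check that the role's wildcard matches its subnets and no other role's."""
    base, wildcard = role_wildcard(role)
    for building in buildings:
        for other in ROLES:
            for closet in range(1 << ROLE_SHIFT):
                net = role_subnet(building, other, closet)
                hit = wildcard_matches(str(net.network_address), base, wildcard)
                if hit != (other == role):
                    return False
    return True
```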

QoS is embedded in the infrastructure design to support delay-sensitive network applications and improve application performance. It provides end-to-end differentiated service levels so that the appropriate applications receive preferential treatment along the whole path to ensure optimal quality. For example, Voice over IP (VoIP), video, and clinical systems are three ‘fragile’ applications that need end-to-end preferential treatment. The generalized QoS design is flexible so that it easily extends to support new services, and is based on the Cisco 11 Class QoS model. Here is an example QoS Class Definition for health care:

Figure: example QoS class definitions for health care

To implement high availability throughout the network infrastructure, we typically design with redundant pairs of devices, especially for the core and distribution layer. We find that replicating a standard redundant design, based on pairs, is predictable, easy to implement correctly, scalable, and relatively simple to maintain.

Security is a crucial part of the health care network designs. In addition to standard infrastructure security practices, our designs include a security module to control all communication between the global network and the virtual networks. IPS/IDS devices and firewalls customized with organization specific policies and rules comprise the nucleus of the security module. All traffic that passes between the virtual networks and the global network travels through these network security devices. In addition, the perimeter network needs to be secured to meet appropriate health care policies and regulations.

Conclusion

This concludes our overview of health care network designs. We hope to develop additional articles with more technical details.

My thanks again to Steve Meyer who is co-author of this article!!

— Carole

_________________________________________________________________________________________

More on VRF-Lite

Other recent NetCraftsmen blogs on VRF-Lite that might be helpful include:

CE Design Options When Using VRF-Lite End-to-End (Part2)

CE Design Options When Using VRF-Lite End-to-End (Part1)

Using VRF-Lite, EIGRP, and Static Routes

Using BGP with VRF-Lite for Shared Service Support

IP Multicast in a VRF
