Co-Author Shyam Maniyar, Vice President, Engineering

The healthcare industry is undergoing unprecedented change. The pandemic has accelerated the process of digitization and the need for an always available and secure digital infrastructure. In particular, Healthcare IT (HIT) faces several significant challenges:

  • Prevent security breaches across hospitals, clinics, and research centers
  • Protect patient and research data through standards, integration, and governance
  • Understand and support technological innovations in healthcare
  • Provide simple, secure access to data and analytics to all key stakeholders

To address these challenges and support the connectivity and security needs of hospitals, branch clinics, and telehealth, HIT needs to build and maintain a resilient network architecture that is secure, automated, and provides a continuous feedback loop with rich analytics.

Cisco Software-Defined Access (SD-Access) is a network controller-based solution that helps organizations enable policy-based automation to address access control and segmentation. With its broad adoption in healthcare organizations worldwide, a set of use cases and best practices have emerged that demonstrate how HIT is using Cisco SD-Access to address changing network requirements and meet the needs of the healthcare workforce and patients.

Cisco SD-Access in Healthcare

Simplify Network Expansion

Healthcare networks in the modern all-digital world must provide service-level resiliency and be modifiable on demand. Cisco SD-Access provides ample support for site additions and site expansions and is flexible enough to spin up a new site in hours. It provides full lifecycle management of existing campus and branch environments in a simple and secure manner.

SD-Access starts with providing workflows for automating the physical network underlay using the LAN automation capabilities in Cisco DNA Center. LAN automation simplifies network operations and provides a zero-touch plug-and-play workflow. LAN automation can also quickly expand the network using extended nodes into spaces such as parking lots and warehouses.

HIT can build an automated network fabric and seamlessly connect external networks at the fabric borders. The fabric also lets HIT connect their existing networks at the fabric edges and extend the security and segmentation benefits to them. SD-Access enables the creation of new branch and remote sites on demand, from a small Fabric in a Box for branches to extensive deployments with thousands of switches. It provides zero-touch network automation to bring up the routing underlay, set up the fabric, and manage day-N operations on the network, all through an intent-based interface in Cisco DNA Center.

Built-in Network Fault Tolerance and Service Resiliency

The healthcare network is mission-critical, requiring minimal downtime. The services and the network must be highly resilient to support healthcare workers and patients. Cisco SD-Access is built on a highly fault-tolerant fabric architecture with redundant elements at all critical points. This includes fully redundant network peering points, control plane elements, StackWise Virtual Links (SVLs), and stacking on edge switches. Additionally, the management and policy services remain available through a three-node Cisco DNA Center cluster and a fully distributed, multi-node Cisco Identity Services Engine (ISE) deployment. The network design is flexible enough to accommodate even the most stringent needs of healthcare networks.

Secure Segmentation Based on Organizational Functions

Healthcare organizations have separate departments performing different and unique functions. HIT has found it highly useful to segment and secure communication among these different organizational entities.

Beyond communications, healthcare systems must safeguard the medical records and financial information of patients. In the U.S., hospitals and medical centers are required to have Health Insurance Portability and Accountability Act (HIPAA)-compliant wired and wireless networks that provide complete and constant visibility into network traffic. These networks must protect sensitive data and medical devices such as electronic medical records (EMR) servers, vital sign monitors, and nurse workstations from malicious devices that seek to compromise the network. Prescription drug safes should be able to communicate with their respective destinations even during a network disruption, such as Cisco ISE being temporarily unavailable. For this case, administrators can configure a critical VLAN on the fabric edges where devices like prescription safes reside, so that those devices still receive network access when the access verification services are unreachable.
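The fragment below is an added illustration of the critical VLAN mechanism just described; it is not configuration from the original post, and it is not what Cisco DNA Center itself pushes to a fabric edge (DNA Center generates its own template and policy names through the host onboarding workflow). It uses the IOS-XE IBNS 2.0 syntax: when every RADIUS server is marked dead, an unauthenticated endpoint such as a prescription safe is authorized into a designated critical VLAN instead of being left without connectivity, and its session is cleared for a normal re-authentication once a server comes back. The VLAN numbers, server address, interface, and template and policy names are assumptions.

```cisco
! Assumed values: VLAN 1099 is the critical VLAN, VLAN 1021 the normal device
! VLAN, GigabitEthernet1/0/10 the port where a prescription safe sits,
! 192.0.2.10 a placeholder ISE policy node.
aaa new-model
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
dot1x system-auth-control
!
! Mark the server dead quickly so the fallback fires before the device gives up.
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 automate-tester username probe-user ignore-acct-port probe-on
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Service template that places a session into the critical VLAN.
service-template CRITICAL_AUTH_VLAN
 vlan 1099
!
! An unauthorized host whose authentication attempt timed out against AAA.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout
!
! Sessions currently parked in the critical VLAN (used for recovery).
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_VLAN
!
policy-map type control subscriber CRITICAL_VLAN_FALLBACK
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 authorize
   30 pause reauthentication
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
!
interface GigabitEthernet1/0/10
 description prescription safe (assumed placement)
 switchport mode access
 switchport access vlan 1021
 access-session port-control auto
 mab
 service-policy type control subscriber CRITICAL_VLAN_FALLBACK
```

Two points matter when reviewing such a fallback. First, `pause reauthentication` keeps the device in the critical VLAN until the `aaa-available` event clears the session, so the critical VLAN should carry only the routes and ACLs the safes genuinely need to reach their destinations, nothing broader. Second, `show access-session interface GigabitEthernet1/0/10 details` shows which service template is active on the session, which is the quickest way to confirm during an ISE outage that the device landed in VLAN 1099 and, after recovery, that it re-authenticated into its normal VLAN.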

Close collaboration between healthcare staff and instantaneous access to a comprehensive view of health-related data, aggregated and collocated from the many disparate segments, is placing increasing demands on the network infrastructure. Cisco SD-Access architecture provides automated network fabric configurations, identity-based policy and segmentation, AI-driven insights, and telemetry services.

Cisco SD-Access addresses the need for complete data and control plane isolation between patient and visitor devices and medical and research facility devices by using macro segmentation. By onboarding devices into different overlay virtual networks (VNs), healthcare facilities can achieve complete data isolation and provide security among different departments and users.

Provide Rich Network Services

One of the biggest demands on the healthcare IT network infrastructure is to handle guest and patient traffic separate from staff and sensitive patient data. Mobility and roaming across campus buildings are therefore key requirements for healthcare networks. Cisco SD-Access has a built-in Fabric Enabled Wireless (FEW) architecture that enables seamless mobility for endpoints and devices connected to the edge of the network.

In a healthcare facility, various medical devices are spread across locations but should be managed in a unified manner for proper usage and availability. SD-Access allows IT to place these devices in a separate virtual network and route their traffic to a common border over a tunneled interface. This provides clean, secure segmentation of the anchored traffic to a single exit point in the network.

Another important requirement of healthcare networks today is the ability to access medical records, security camera recordings across sites, staff records, and other sensitive data from a central server. In most cases, these data sets need to be accessible on-demand at a subset of branch sites. Cisco SD-Access helps in creating groups of sites that need to receive these types of records through its built-in multicast features.

Improve Network Visibility and Assurance

Network administrators should be able to efficiently manage and monitor their networks to quickly respond to the dynamic needs of healthcare systems. To improve the performance of a network, attached devices, and applications, the deployment should use telemetry to proactively predict performance and security risks.

Cisco DNA Center with Cisco SD-Access Assurance provides a comprehensive solution that addresses not just reactive network monitoring but also enables proactive monitoring with network health and issue dashboards. In addition to the network, client, and application health dashboards, the SD-Access Health Dashboard provides analytics and insights for both network underlay and fabric overlay by correlating actionable insights based on a wide variety of telemetry data ingested from sources throughout the network.

SD-Access provides visibility insights into the fabric, virtual network health, transit, and peer network connectivity health using a health score metric. The health of the fabric is quantified using Key Performance Indicators (KPIs) of the operational state of the fabric. These KPIs are also used to identify issues in the fabric. The operational data is collected from fabric devices using telemetry.


Visit the Cisco SD-Access website for more information.

Additional Resources:

  • Using Cisco Software-Defined Access to Deliver Patient Care Faster at Aneurin Bevan University Health Board
  • Powering inclusive care for all
  • Cisco portfolio for healthcare


Ramesh Mishra

Director, Engineering

Enterprise Networking, Analytics and Cloud