As medical devices appear more frequently on hospital networks, hospital IT staffs are challenged to keep those devices secure from potential threats such as viruses and worms, outside intrusion, and other malicious attacks. Given the critical nature of keeping these devices running at all times, medical devices pose an even bigger challenge than traditional PCs that may be running on a hospital network. As a result, IT staffs have tried to shield these devices as much as possible not only from the outside world via firewalls and other protective measures, but also from other devices on the hospital network via virtual local area networks (VLANs). With the increasing commonality of VLANs in health care networks, CEs and BMETs will need at least some basic understanding of what a VLAN is to ensure that devices are kept secure within their institutions.
At a basic level, a VLAN is a small portion of a larger network that is isolated from the larger network. For example, a hospital may have thousands of devices connected to its network. Let’s say that a hospital purchases smart infusion devices that are connected to the network to communicate to a central server that allows the management of safe drug dose parameters, medication conflicts, etc. While these devices need to be on the network to communicate to this one server, they do not need to communicate with any of the other thousands of networked devices. Nor do those other devices need to communicate with the infusion devices. As a result, these new devices could be added to their own VLAN that only allowed them to communicate to other infusion devices/servers in that VLAN, and not communicate to any device beyond the VLAN. In this way, they are shielded from outside threats that could potentially attack the main hospital network.
At the same time, the VLAN also helps to contain threats. In this instance, let’s say a service engineer unknowingly uploaded a file to the infusion server that contained a virus. This virus could potentially attack all of the infusion devices on the network, but the remainder of the hospital’s devices not on the VLAN would not be attacked because of the blocked communication out of the VLAN. In addition to the security benefits, a VLAN may also help increase bandwidth and data flow through specific devices by alleviating the need for them to share broader network connections.
Overall, a VLAN consists of specific connections (ports) on the network switches that are grouped together to allow communication only to other specific switch ports on the same VLAN. It is possible to build VLANs of any size—from a few devices, to hundreds or thousands of devices located at various places throughout an enterprise. Obviously, the larger the VLAN, the less effective the security it offers. For example, if the VLAN is limited to a few devices, the likelihood that one of those devices is infected by an uploaded virus is small. As the VLAN grows to hundreds or thousands of devices, there are that many more entry points where a virus could accidentally be uploaded and impact all the devices on the VLAN.
On the other hand, smaller VLANs allow fewer devices to communicate with one another, possibly restricting necessary data exchanges between devices and systems. In addition, more IT setup and management are needed to run numerous small VLANs. It becomes a trade-off between restricting devices to VLANs to the point where it jeopardizes medical device operation, and creating VLANs that are so broad that they essentially eliminate the security benefits of putting devices on a VLAN in the first place. Alternatively, it is possible to connect multiple VLANs together through network hardware—a viable option that provides a level of security and still allows communication to devices across different VLANs.
The Vital Biomed Role
In general, a hospital’s IT staff will be responsible for creating and maintaining VLANs that are established for medical devices. However, CEs and BMETs still have a critical role to play in the process. This falls in the area of getting the VLAN implemented correctly and in a coordinated manner. Let’s look at another example.
In the radiation therapy department, there are multiple systems involved in ultimately delivering targeted radiation to a patient. First, the patient receives a CT scan. These images are sent to a treatment planning system where the radiation plan for the patient is developed. This plan is then sent to the linear accelerator that ultimately delivers the radiation. Let’s say this department would like to create a VLAN to protect its devices. CEs and BMETs would play an important role in helping the department to determine what specific devices should be on the VLAN. At a minimum, the CT scanner, treatment planning system, and linear accelerator would need to be on the VLAN. But what about ancillary PCs that may run 3D volume rendering or the fusion software used to assist in the planning? And what about things like printers, to which they may want to print specific treatment information? Again, the more devices added, the greater the risk to the security of the VLAN. CEs and BMETs can assist departments in determining what devices need to be on the VLAN.
Now let’s say that the CT scanner is located in radiology on its own radiology VLAN. CEs and BMETs could again work with departments to identify the need to connect these VLANs and could convey this information to the IT department to allow them to correctly configure the VLANs.
Once the VLAN is planned, CEs and BMETs can play a vital role in getting the VLAN implemented. When a device is added to a VLAN, it is given new network settings to allow it to operate on the VLAN. What this means is that the existing network settings on every device to be added to a VLAN must be modified to the new settings. For a new implementation, this is easier since the devices can be set up initially with the settings. But for existing devices, this needs to be very carefully coordinated and CEs and BMETs can provide this coordination. Getting back to the radiation therapy example, there would be a need to have the settings changed on the CT, treatment planning system, and linear accelerator. If settings were changed on some of the devices but not on all of the devices, then these devices could no longer communicate with one another because some of the devices would be in the VLAN and others would be outside the VLAN. As a result, it would take coordination to ensure that all these settings are changed at roughly the same time.
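The two points above (connecting selected VLANs through network hardware, and the need to re-address every device in a planned VLAN at roughly the same time) can be checked before the change window with a small script. The example below is added here and is not code from the column or from any vendor; it assumes, for illustration only, that each VLAN corresponds to one IP subnet, that a device "is in" a VLAN when its configured address falls inside that subnet, and that two devices can talk when they share a VLAN or their VLANs have been explicitly joined by the IT department. The subnets, device names and addresses are constructed.

```python
"""Constructed VLAN migration check (added example, not from the column).

Assumptions for this example only:
  * each planned VLAN is one IP subnet;
  * a device belongs to the VLAN whose subnet contains its configured address;
  * two devices can communicate if they are in the same VLAN, or in two VLANs
    that IT has joined through a router/firewall (JOINED_VLANS).
"""
import ipaddress
from itertools import combinations

# Planned VLANs and their subnets (constructed values).
VLAN_PLAN = {
    "rad-therapy": ipaddress.ip_network("10.20.0.0/24"),
    "radiology": ipaddress.ip_network("10.30.0.0/24"),
    "hospital": ipaddress.ip_network("10.0.0.0/16"),  # general hospital network
}

# VLAN pairs that IT has connected via network hardware (constructed).
JOINED_VLANS = {frozenset({"rad-therapy", "radiology"})}

# Address currently configured on each device (constructed inventory).
DEVICES = {
    "linac": "10.20.0.10",
    "treatment-planning": "10.20.0.11",
    "ct-scanner": "10.30.0.5",
    "fusion-pc": "10.0.5.42",  # not yet re-addressed into the new VLAN
}

# Where each device should end up after the migration (constructed plan).
EXPECTED = {
    "linac": "rad-therapy",
    "treatment-planning": "rad-therapy",
    "fusion-pc": "rad-therapy",
    "ct-scanner": "radiology",
}


def vlan_of(address, plan=VLAN_PLAN):
    """Return the most specific planned VLAN whose subnet contains address, or None."""
    ip = ipaddress.ip_address(address)
    matches = [name for name, net in plan.items() if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda name: plan[name].prefixlen)


def can_communicate(a, b, devices=DEVICES, joined=JOINED_VLANS):
    """True if devices a and b share a VLAN or sit in two joined VLANs."""
    va, vb = vlan_of(devices[a]), vlan_of(devices[b])
    if va is None or vb is None:
        return False
    return va == vb or frozenset({va, vb}) in joined


def migration_report(expected=EXPECTED, devices=DEVICES, joined=JOINED_VLANS):
    """Return (devices not yet in their planned VLAN, device pairs that cannot talk)."""
    not_moved = sorted(d for d, target in expected.items()
                       if vlan_of(devices[d]) != target)
    broken = sorted((a, b) for a, b in combinations(sorted(expected), 2)
                    if not can_communicate(a, b, devices, joined))
    return not_moved, broken


if __name__ == "__main__":
    not_moved, broken = migration_report()
    print("still to re-address:", not_moved)
    for a, b in broken:
        print(f"cannot communicate: {a} <-> {b}")
```

Run against the constructed inventory, the report shows `fusion-pc` still on the general hospital network and therefore unable to reach the linear accelerator, the treatment planning system or the CT scanner; once it is re-addressed into the rad-therapy subnet, the report is empty. Dropping the rad-therapy/radiology entry from `JOINED_VLANS` shows the CT scanner cut off from the treatment chain, which is the inter-VLAN connection the CE or BMET would flag to IT.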
In some cases, CEs and BMETs can change the settings. At other times, coordination is necessary for one or multiple vendors to be on-site at the same time to change and test the settings. With CEs’ and BMETs’ strong familiarity with the equipment and strong ties to the equipment vendors, they can play a critical role in ensuring the success of implementing a VLAN in a timely manner with limited impact to the clinical departments.
This column only briefly touches on what a VLAN does and how to implement a VLAN. For additional information on the topic, the US Department of Veterans Affairs created a Medical Device Isolation Architecture Guide several years ago that gives a more detailed process for implementing VLANs for hospitals to protect their medical equipment. This guide can be located online at www.nwfusion.com/news/2004/VA_VLAN_Guide_040430.pdf.
Ken Olbrish, MSBE, is an enterprise imaging system administrator in the Information Services Department for the Main Line Health System, Suburban Philadelphia, and is a member of 24×7’s editorial advisory board.