The average healthcare organization has at least four kinds of network users on-site at any given time. There are medical devices and there are healthcare professionals. There are administrative workers and there are patients. For network administrators, the question is which of these users should share networks. Does it make sense to segment them in a way that is more than just software-based?
Quarantine Patients and Visitors
One obvious network that should be split from the others is the one for patients and visitors. It should be removed as far as possible, both logically and physically, from the network used by the healthcare professionals. Give it a different name, its own set of access points, and its own switches. Then plug those switches straight into the ports allocated to the DMZ on the router. Once the visitors are safely out of the way, you can begin to think about the networks used by equipment and employees.
Separate Business from Treatment
There is no operational reason for the business side of the organization to be on the same network as the healthcare providers and their equipment.
The downside of sharing one network is obvious. Malware and attack vectors that target business computers could move laterally to, and infect, the systems of doctors and technicians. If information sharing is required, it can be done through secured systems that ensure no intrusion can spread laterally through the organization, causing damage to business and diagnostic systems.
Do Doctors Need to Share with Machines?
Medical equipment and doctors’ computers must share data, but many systems share data without sharing a network. There have already been instances of process control systems being infected, compromised, and even physically damaged or destroyed by malware introduced through business computers on the same network.
Keeping the networks separate and the data transfers secure (by limiting, for example, the data moved between computers to the type of data that is expected to flow between the devices) will help an organization make sure no one can use an administrative computer in HR to take down an operating suite.
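As an added illustration of the zone plan described above (the isolated patient and visitor network plus separate business, clinician and device segments) and of admitting only the data flows that are expected between them, the following Python policy check is example code, not part of the original article. The address ranges, port numbers and the hardened broker host are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed zone plan, one address range per segment (sample values, not from the article).
ZONES = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),     # patients and visitors, behind the DMZ ports
    "business": ipaddress.ip_network("10.20.0.0/16"),  # administration, HR, billing
    "clinical": ipaddress.ip_network("10.30.0.0/16"),  # clinicians' workstations
    "devices": ipaddress.ip_network("10.40.0.0/16"),   # medical equipment
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    dst_host: str = ""  # when set, the flow is pinned to one hardened host
# Allow-list of expected inter-zone flows; everything else is denied. Ports and broker address are assumed.
ALLOW = (
    Rule("clinical", "devices", 104),                  # DICOM retrieval from imaging modalities
    Rule("business", "clinical", 8443, "10.30.0.10"),  # results exchange only via one hardened broker
)
def zone_of(ip):
    # Map an address to its segment; None means it sits on no planned network.
    return next((n for n, net in ZONES.items() if ipaddress.ip_address(ip) in net), None)

def decide(src_ip, dst_ip, dst_port):
    # Evaluate one flow under the policy and return ("allow" | "deny", reason).
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown segment"
    if "guest" in (src, dst):
        return "deny", "guest network is isolated from every internal segment"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src, dst, dst_port) and r.dst_host in ("", dst_ip):
            return "allow", f"expected flow {src}->{dst}:{dst_port}"
    return "deny", f"no expected flow {src}->{dst}:{dst_port}"

def audit(flows):
    # Flows the policy would deny, with reasons, e.g. when reviewing a traffic capture against the plan.
    return [(s, d, p, decide(s, d, p)[1]) for s, d, p in flows if decide(s, d, p)[0] == "deny"]
# Constructed sample flows, including the article's HR-workstation-to-operating-suite case.
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.40.1.20", 445),   # HR workstation -> OR device: denied
    ("10.30.2.4", "10.40.1.20", 104),   # clinician -> modality over DICOM: allowed
    ("10.20.5.7", "10.30.0.10", 8443),  # business -> hardened broker: allowed
    ("10.20.5.7", "10.30.2.4", 8443),   # business -> other clinical host: denied
    ("10.10.9.9", "10.30.2.4", 443),    # visitor -> clinical workstation: denied
]
```

Running `audit(SAMPLE_FLOWS)` lists the three flows the plan rejects, each with the reason, which is the check to run against captured traffic before the segments go live.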
All About Risk Assessment
It is true that multiple networks cost more than a single network. There are multiple access points, switches, cables, wall plates, and security stacks to consider. But at its most basic level, this comes down to a question of risk assessment and cost.
There is no number of networks that is right for every healthcare organization. But the bias in network architecture should be toward the soothing complexity of multiple networks rather than the scary simplicity of a single, organization-wide network. There will be more work for your network staff, but much less work for your legal and PR teams. And that’s a trade-off worth making.