Wireless local area network (WLAN) technology has made rapid progress over the past few years. As vendors have worked out initial issues with security, scalability and pervasive network management, WLAN has emerged as a leading candidate to significantly improve communications of all kinds throughout medical facilities.
Toward medical-IT unification
At the University of Miami Leonard M. Miller School of Medicine, we view WLAN technology as a practical way to provide access to any network or information resource to anyone at any time. We envision a future in which voice, data, video and other, unfolding applications can be carried to any part of our institution by means of a converged WLAN infrastructure.
Our institution serves more than 5 million people through hospitals, clinics, research institutes, teaching facilities and administrative offices across south Florida. We have 770 faculty physicians and more than 6,000 employees housed in the 67-acre complex of the University of Miami/Jackson Memorial Medical Center in downtown Miami.
In addition, the institution operates clinical facilities at the Miami Veterans Administration Medical Center, five primary care centers throughout Miami-Dade County, and a half-dozen hospitals, clinics and satellite offices in other cities, including West Palm Beach, Naples and Deerfield Beach.
Our focus on pervasive network access is driven by the growing fusion of biomedical technology with IT resources in current and future applications, for example, radio frequency (RF) identification tracking systems, wireless patient charting systems, voice over Internet protocol, educational wireless video transmissions, and beds that monitor patients' vital signs and relay the information to nurses' stations.
We believe that with unified medical information systems, we can deliver better patient care with lower costs. And for us, a wireless infrastructure has been an effective and economical approach.
First steps to pervasive access
We began our wireless deployments in 2002 with extended-range 802.11b base stations from Vivato Inc., Spokane, Wash., to cover a 1.5-square-mile area surrounding our main Miami campus. Our team also established several building-to-building bridges to eliminate monthly leased T1 lines for voice and data connectivity, and this approach has worked out well (average return on investment, 9 to 10 months).
The "community cloud" provides Internet and intranet access to authenticated users, so security was a primary concern. Launching an Internet browser on the WLAN brings up a captive portal page provided by Access Manager from Vernier Networks, Mountain View, Calif. The portal has several options pointing to various organizations' Secure Sockets Layer (SSL) virtual private network (VPN) appliances, presenting a shared but secure front.
We enabled secure, identity-based access to all clinical and business applications as well as e-mail via SSL VPNs that were provided with equipment from Neoteris, now part of Juniper Networks, Sunnyvale, Calif. We also used VPN concentrators from Cisco Systems, San Jose, Calif., and Vernier appliances to host client VPN services.
Users' credentials are authenticated against the medical center's Active Directory. All nonauthorized users can access our network's external Internet gateway through a guest user portal. The portal is well used by visiting staff, faculty, students, patients and even family members (through kiosk-type devices).
To address information security concerns, we regulated the guest user portal by opening only a few select outbound ports for Internet traffic and a few other commonly used VPN ports for use by visiting staff, faculty and vendors.
All ingress/egress network traffic is filtered through several intrusion detection and prevention appliances from TippingPoint Technologies, Austin, Texas, a division of 3Com Corp., Marlborough, Mass. Plus, we throttled bandwidth utilization with the Vernier appliances. This approach has successfully provided Internet access and corporate network availability.
Early hurdles
For indoor 802.11b wireless coverage, we initially deployed Cisco Systems Inc. Aironet access points (APs) to operating rooms, cancer treatment and recovery areas, labs and classrooms. By mid-2003, however, we faced two difficult issues as we sought to expand indoor deployments.
First was the cost of reconfiguration of the WLAN infrastructure to support changes, growing data applications and, eventually, voice and video. For example, an area that once served six or seven administrative users had been converted into a classroom with 30 to 40 users and included surrounding labs, all using the same signal. Co-channel interference had become a problem.
Initial AP deployment was intended to serve a small user base. At that time, Cisco's 802.11b products had to be deployed on alternating channels to minimize co-channel interference. We faced time-consuming, expensive network reconfiguration for this and other usage changes. We needed a simpler solution.
Looking ahead to deploying wireless coverage throughout the institution, we anticipated costs of about $300,000 for RF planning and site surveys to determine best placement of APs over the course of three years to support initial and expanding deployments. And the future promised more spending accompanying more changes.
A related problem was our inability to provide indoor coverage along the outside walls of buildings adjacent to the community cloud. Only three channels are available on 802.11b for alternating AP placements, and we were using one for the outdoor base-station APs. That left only two channels for alternating indoor areas within range of the base station.
We were already having difficulties providing full indoor coverage. Once we added the data, voice and video applications that we had planned, 802.11b's 11 Mbps of shared capacity clearly would not be able to handle the load.
We considered overlaying 54-Mbps 802.11a networks. That strategy would provide higher bandwidth and 11 channels for alternating APs. However, it did not address the need for pre-deployment site surveys or network reconfiguration for facility-use changes over time.
A new type of 802.11 WLAN
In late 2003, we learned about a claim by Meru Networks, Sunnyvale, Calif., that its WLAN system could eliminate site surveys, channel interference and user-density issues and deliver enough capacity to support voice and video as well as data on an 802.11b network. We decided to try the system in our 70,000-square-foot Professional Arts Center.
The system coordinates coverage across all APs deployed and, most important to us, uses only one 802.11 channel, if that is what the client desires. In this mode, there is no channel interference, so no site surveys were required. With a general understanding of the geography and building construction, we could simply place APs at regular intervals to provide continuous coverage.
The key benefit of this technology is that the client device no longer manages the connection. Which AP the client device connects to is managed by the Meru controllers.
New technology put to good use
Once the system was in place, we used it to support access to the Internet and e-mail along with our application portal from Citrix Systems, Fort Lauderdale, Fla. It also supported access to clinical and business information systems and other applications via our SSL VPN, with no performance issues. And with the system's load-balancing feature, if a given area had too many users, some of them were automatically directed to a nearby AP to avoid overload.
After the success of our trial in the Professional Arts Center, we deployed the system for indoor coverage adjacent to the outdoor community cloud. We eliminated indoor channel interference by running the APs on channel 11 and using channel 1 for the outdoor base stations. We solved our indoor coverage problems and co-channel interference issues and still had a channel to spare.
Expanding coverage and applications
We have now uniformly adopted Meru's WLAN system for deployment throughout our facilities and are currently deploying the same infrastructure in Jackson Memorial Hospital in collaboration with the management information systems team there. As we installed the Ethernet cabling infrastructure for APs in each facility, we simply placed APs at appropriate intervals to add WLAN coverage. There was no need to conduct site surveys.
The APs are powered via Ethernet, and we provide power from the telecom closets by means of special power over Ethernet (PoE) appliances or existing PoE-capable switches. Adding more APs to increase coverage density is simply a matter of plugging them in. Meru's network controller automatically rebalances network loads as APs are added or removed.
All hospital space, including classrooms, laboratories, medical records, patient scheduling areas, and facilities maintenance and support, now has wireless coverage. For example, maintenance staffs use wireless handheld devices from Symbol Technologies, Holtsville, N.Y., to scan bar codes on equipment to access repair histories or work orders via WLAN.
We are adding voice communications via our secure WLAN, and clinical staffs in various locations are now linked by way of wireless badges from Vocera Communications, Cupertino, Calif. Long distance charges have been eliminated.
An even wider network
By 2006, we anticipate supporting up to 2,500 WLAN connections for all of our applications, largely using just one 802.11g channel. Thus far, the WLAN covers about 2 million square feet, and we expect to fulfill requirements of another 1 to 2 million square feet after the WLAN is extended throughout Jackson Memorial Hospital and new construction is completed in the next few years.
Chris Bogue is IT Director and Information Security Officer, University of Miami Leonard M. Miller School of Medicine, Miami.