Monday, December 19, 2011

Managing Guest Wireless

BIDMC has two million square feet of wireless coverage using over a thousand 802.11n/a/g access points. We operate two separate networks - a secure network for clinical applications and a guest network for visitors.

The guest network is physically separate from the secure network and uses a commercial 14 megabit per second DSL line from Sprint for internet services, reducing BIDMC's responsibility for malware control and Digital Millennium Copyright Act violations. Like any public, unrestricted network, the guest network offers the freedom to download malware, broadcast viruses, and use insecure applications.

In a world of Netflix and YouTube, compounded by bandwidth-consumptive standards such as MPEG4, the demands on the guest network are infinite. Can the hospital afford to provide free bandwidth to every visitor (inpatient, outpatient, families, students, etc.) when 80% of the traffic is streaming video?

If we do provide infinite free bandwidth, will employees and clinicians use the guest network instead of the WPA Enterprise-secured clinical network because configuration is easier? Mixing malware-infected guest traffic with secure hospital applications is something we want to avoid.

Historically, we've used only one approach to discourage our BYOD staff from using the guest wireless - keep the bandwidth limited so that the secure network offers a better user experience. This is an imperfect solution because it means that patients and visitors compete with each other for the shared megabits. Two months ago, we restricted streaming video 8am-5pm Monday-Friday so that guest network users can reliably check their email and communicate via social networks.

What are other hospitals doing with their guest networks? I asked several CIOs in Massachusetts:

Hospital A
"We limit the bandwidth of each user on the guest network to ensure a consistent experience.

We can't really block employees from accessing the guest network when they can bring in their own device. It's slow though. We have about 300-400 guests using wireless per day, sharing 5Mbps.

No corporate resources are available on the guest network without a VPN"

Hospital B
"We do not limit the bandwidth of each user on the guest network.  We do web content filtering and block adult content, peer-to-peer traffic, and illegal activities.  We do have the guest network configured for Bronze quality of service level, which is the lowest setting we could give it."

Hospital C
"We do not limit the bandwidth of each user on our guest network. We do run web content filtering, block inappropriate sites, and try to block torrents to limit our Digital Millennium Copyright Act exposure."

Thus, the common practice seems to be:
1.  Use web content filtering to block inappropriate sites.
2.  Block peer-to-peer traffic/BitTorrent.
3.  Consider per-user bandwidth limitations.
4.  Provide "bronze" quality of service at the network level.
5.  Require a VPN to reach clinical applications from the guest network.
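As an added illustration (not from the post and not BIDMC's configuration), the two controls described above, a per-user bandwidth cap and the weekday 8am-5pm streaming restriction, modelled in Python as a token-bucket shaper run over constructed sample traffic; the cap, burst size and traffic classes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values modelled on the post; the numbers are assumptions for illustration only.
PER_USER_CAP_KBPS = 512               # assumed per-user share of the guest uplink
PER_USER_BURST_KB = 256               # how much a user may burst before shaping starts
STREAMING_BLOCK_HOURS = range(8, 17)  # 08:00-16:59, the post's 8am-5pm window

def streaming_blocked(when):
    """True inside the weekday daytime window in which streaming video is restricted."""
    return when.weekday() < 5 and when.hour in STREAMING_BLOCK_HOURS  # weekday(): Monday=0

class TokenBucket:  # per-user rate limiter: refills at rate_kbps, holds at most burst_kb
    def __init__(self, rate_kbps, burst_kb, now):
        self.rate_kb_per_s = rate_kbps / 8.0
        self.capacity = burst_kb
        self.tokens = burst_kb
        self.last = now

    def allow(self, size_kb, now):
        elapsed = (now - self.last).total_seconds()
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_kb_per_s)
        if self.tokens < size_kb:
            return False  # over the per-user cap: this transfer is shaped (dropped here)
        self.tokens -= size_kb
        return True

def shape(flows):
    """Apply the time-of-day rule, then the per-user cap, to chronological flows of
    (timestamp, user, class, size_kb). Returns {user: (allowed, shaped, denied)} in KB."""
    buckets, totals = {}, defaultdict(lambda: [0, 0, 0])
    for when, user, klass, size_kb in flows:
        if klass == "streaming" and streaming_blocked(when):
            totals[user][2] += size_kb  # denied outright by the time-of-day policy
            continue
        if user not in buckets:
            buckets[user] = TokenBucket(PER_USER_CAP_KBPS, PER_USER_BURST_KB, when)
        totals[user][0 if buckets[user].allow(size_kb, when) else 1] += size_kb
    return {user: tuple(counts) for user, counts in totals.items()}

T0 = datetime(2011, 12, 19, 9, 0, 0)  # Monday morning, inside the restriction window
SAMPLE_FLOWS = [  # constructed sample traffic: (timestamp, user, traffic class, size in KB)
    (datetime(2011, 12, 17, 10, 0, 0), "visitor-3", "streaming", 100),  # Saturday: allowed
    (T0, "visitor-1", "web", 100),
    (T0, "visitor-1", "streaming", 500),                                # weekday 9am: denied
    (T0 + timedelta(seconds=1), "visitor-1", "web", 300),               # exceeds bucket: shaped
    (T0 + timedelta(seconds=5), "visitor-1", "web", 200),
    (datetime(2011, 12, 19, 19, 0, 0), "visitor-2", "streaming", 200),  # evening: allowed
]
```

Calling `shape(SAMPLE_FLOWS)` shows the two rules acting independently: visitor-1's streaming is denied by the schedule while the web transfer that exceeds the bucket is shaped, and the evening and weekend streaming flows pass untouched.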

We already have web content filtering and peer-to-peer blocks in place. What can we do to enhance the patient/visitor experience while limiting the use of clinical BYOD devices on the guest network?

Our next step is to evaluate the costs of increasing our guest bandwidth, to simplify configuration when connecting to the secure network, and to educate our providers about the evils of the guest network and the joys of the secure network.

And, yes, we have to ensure those BYOD devices are protected while using the secure network.

Although wireless broadband such as 3G CDMA/UMTS and 4G LTE may provide the technical capability for smartphone users to stream video to their devices, the end of the "all you can use" data plans is likely to further motivate users to seek guest wifi networks.

I predict that any capacity increases we purchase will soon be overwhelmed and we'll have to again impose some kind of user bandwidth, quality of service, or time-of-day restrictions.

Feel free to share your experience with managing guest network demand.  All comments are welcome.

5 comments:

Anonymous said...

Who is your customer? As a customer how do you like to be treated? Do you like, think highly of, appreciate, recommend service organizations you utilize that intentionally diminish the quality of service with which you are provided? Use of personal smartphones, iPads, and laptops is a significant component of how your customers experience your organization. They have become a crucial means to communicate with family, obtain needed information about their conditions, and relieve anxiety and boredom. Some of that involves watching streaming content. The responses given in this article reflect an IT centered view rather than a patient centered view, unfortunately typical of most hospital and health system IT departments.

Anonymous said...

Do you have any concerns about staff bridging between the two networks? For example, can someone plug into a wall port to access the secure network while also being connected to the unsecured wireless?

Kevin Groff said...

Our guest network still requires registering with a name. For a hospital, inpatients can be provided a userid during their stay that THEIR guests can use. Something like 3 initials, room#, bed (HAL2402-1) or other unique userid. Upon discharge, IS can simply delete the userid. I don't view a hospital like a Starbucks. I think it is appropriate and value-add to provide family members and friends a way to connect when visiting an extended stay inpatient for long periods. I would want to work virtual out of the patient room if my son or spouse were in the hospital. But to provide an automatic hotspot for anyone walking into the building is not necessary imo.

brelfielfan said...

We have a small 50-bed hospital and have an entirely different ISP (6mb) dedicated to our guest wireless. And we have Untangle as a content filter.

matt said...

@Kevin Groff

"But to provide an automatic hotspot for anyone walking into the building is not necessary imo."

What about day-surg patients & their families/friends who are going to spend hours in the hospital? And patients who come in to BIDMC for outpatient visits with their clinicians? Or patients who are coming in for out-patient diagnostic services?

John has, quite rightly I believe, written about his support for the e-patient movement. Wouldn't taking away patients' access to information (patientgateway, wikipedia, mayo, email, etc) while on the BIDMC campus actually undercut that support?