A Hawaiian long-term healthcare facility adds secure wireless surfing and HIPAA protection to two locations.
With the rising popularity of social networking and the ubiquity of wireless access, Hawaii's premier retirement residence felt it necessary to prescribe some extra security for their wireless network. The challenge was to ensure that security and compliance regulations were exceeded, while also making it easy to fulfill the connectivity needs of the residents, guests and their staff.
Residents and guests regularly use e-mail, Facebook and other social applications to stay in touch with family and friends, and the staff carries Wi-Fi-enabled laptops as part of their job to record patient information. While each group has very important needs, each has completely separate security requirements.
The Arcadia Retirement
At Arcadia Community Services in Honolulu, it's the job of Michael Chong, the director of IT, to define and address any of the business' connectivity and compliance requirements within their two retirement residences, Arcadia Retirement Residence and the recently opened 15 Craigside. In early 2011, Chong and his team set out to find a security solution that augmented their wireless access service and met two key requirements:
- Differentiated access based on identity and role; and
- Automated tools that cut down on service and help-desk calls.
Making wireless work
For wireless connectivity at 15 Craigside, Chong looked at solutions from Cisco, Meru, Aruba and Xirrus. The decision came down to Meru, based on the advantages of their single-cell architecture design, sales support and price. “Implementing a NAC [network access control] solution was also a requirement, so going with Cisco would have almost doubled the price for the wireless equipment, making their NAC solution impossible to consider,” says Chong.
The Meru deployment was first offered with limited coverage at Arcadia Retirement Residence, and Chong has gradually expanded the deployment. Feedback from the staff and residents was so positive that the newest facility, 15 Craigside, was fully outfitted with wireless from day one in early 2011.
“We found that while Meru offers great Wi-Fi coverage, they lacked the ability to provide detailed identity and role-based authentication on their own,” Chong says. The team needed something easy to use that would also support guest access, and that could show detailed visibility information: which users are on the network, where in the network they are connected, and (in some cases) why someone couldn't connect.
These requirements led Chong and his team to look to Meru partners to begin their NAC evaluation.
Network access security diagnosis
Because Arcadia wanted an enterprise solution to include policy services; an authentication, authorization and accounting (AAA) server; and NAC, Chong and his team looked at only a few select vendors: Avenda, Bradford and Cloudpath. It was determined that Cloudpath only offers an endpoint tool for configuring 802.1X variables and does not provide a complete NAC solution.
During the investigation phase, Chong and his team found that only Avenda met their technical and price requirements. The Bradford solution would require a separate AAA server to support 802.1X, and Bradford was reluctant to send an appliance all the way to Hawaii from the East Coast. Avenda earned the business, Chong says, because they were easy to work with and sent out a free evaluation unit upon initial inquiry.
“Once the Avenda eTIPS unit arrived, we had it operating right away,” Chong says. “The customer support at Avenda is brilliant, and because of its close relationship with Meru they were able to help our Meru engineer configure the wireless controller for 802.1X and other features.”
The eTIPS platform from Avenda Systems is an identity-aware solution that controls, secures and manages users and devices that attempt to connect to wireless and wired networks.
The team tested 802.1X authentication, which included identity-based user policies, guest access and virtual local area network (VLAN) steering. Each group of users was put into a separate VLAN for guests, residents and staff, depending on role. Another time-saving feature is that resident and guest credentials can be stored in a local database on eTIPS, while staff credentials are stored in Active Directory (AD). This cut down on the amount of time spent adding short-term user information into their AD, Chong says.
“Prior to adding the eTIPS solution, we had to use multiple SSIDs [service set identifiers] to differentiate user traffic, which meant we were constantly distributing shared keys, which is a big headache,” Chong says. “Now we use a single SSID, which saves us a lot of time with configuration and support. Plus, there is less for the residents and guests to remember.”
The tracking of devices was also off-loaded to eTIPS, so that policies or rules can differentiate access for laptops, smartphones and MacBooks owned by Arcadia, versus those owned by residents and guests. Chong and his staff enter device MAC addresses and then capture or enter additional device attributes to make it easy to match a device to a user.
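The mechanism behind the single-SSID design described above is that the authentication server, not the SSID, decides which VLAN a session lands in: after the user's credentials are checked against the right identity store, the RADIUS Access-Accept carries tunnel attributes naming the VLAN, and the controller steers the client there. The following is an added illustration of that decision logic, written for this article; it is not Avenda eTIPS configuration or code. The two identity stores (a local table standing in for the eTIPS database, a second table standing in for Active Directory), the role-to-VLAN numbers, the account names, MAC addresses and the "staff credentials on a personal device go to the resident VLAN" rule are all assumptions made for the example.

```python
"""Identity- and role-based VLAN steering behind a single SSID (constructed example)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RADIUS tunnel attribute values used for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6  # Tunnel-Medium-Type "IEEE-802"

# Assumed role -> VLAN policy: one SSID, three separate broadcast domains.
ROLE_VLANS = {"staff": 10, "resident": 20, "guest": 30}


@dataclass
class Account:
    role: str
    password: str                       # plaintext only because this is a toy store
    valid_until: Optional[datetime] = None   # short-term (guest) accounts expire


# Constructed identity stores: residents and guests in the local database,
# staff in the directory (stand-in for Active Directory).
LOCAL_DB = {
    "resident.okada": Account("resident", "pw-res"),
    "guest.lee": Account("guest", "pw-guest",
                         valid_until=datetime(2011, 6, 1, tzinfo=timezone.utc)),
}
DIRECTORY = {
    "nurse.kim": Account("staff", "pw-staff"),
}

# Constructed device inventory: MAC addresses of facility-owned devices.
FACILITY_DEVICES = {"00:11:22:33:44:55": "ward-laptop-3"}

NOW_EARLY = datetime(2011, 5, 1, tzinfo=timezone.utc)   # guest account still valid
NOW_LATE = datetime(2011, 7, 1, tzinfo=timezone.utc)    # guest account has expired


def find_account(username):
    """Consult the local store first, then the directory. Returns (store, account)."""
    for store_name, store in (("local", LOCAL_DB), ("directory", DIRECTORY)):
        if username in store:
            return store_name, store[username]
    return None, None


def vlan_attributes(vlan):
    """RADIUS reply attributes that steer the authenticated session into `vlan`."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def authorize(username, password, mac, now):
    """Decide one 802.1X authentication: returns (accepted, reply_attributes, reason)."""
    store, account = find_account(username)
    if account is None:
        return False, {}, "unknown user"
    if not hmac.compare_digest(account.password.encode(), password.encode()):
        return False, {}, "bad credentials"
    if account.valid_until is not None and now > account.valid_until:
        return False, {}, "account expired"   # guest has left: access shuts off by itself

    role = account.role
    mac = mac.lower()
    # Assumed policy: staff credentials reach the staff VLAN only from a
    # facility-owned device; on a personal device they are treated like a resident.
    if role == "staff" and mac not in FACILITY_DEVICES:
        role = "resident"
        reason = f"staff credentials on personal device {mac}; steered to {role} VLAN"
    else:
        reason = f"{role} authenticated against {store} store"
    return True, vlan_attributes(ROLE_VLANS[role]), reason


if __name__ == "__main__":
    for args in (("nurse.kim", "pw-staff", "00:11:22:33:44:55", NOW_EARLY),
                 ("nurse.kim", "pw-staff", "aa:bb:cc:dd:ee:ff", NOW_EARLY),
                 ("guest.lee", "pw-guest", "aa:bb:cc:dd:ee:ff", NOW_EARLY),
                 ("guest.lee", "pw-guest", "aa:bb:cc:dd:ee:ff", NOW_LATE),
                 ("resident.okada", "wrong", "aa:bb:cc:dd:ee:ff", NOW_EARLY)):
        print(args[0], "->", authorize(*args))
```

Because the VLAN is chosen per authenticated identity, adding or removing a resident or guest means editing one account record rather than rotating a pre-shared key on every device that knows it, which is the support saving the article describes.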
“This tracking helps with troubleshooting and to find misplaced devices,” adds Chong. “A tool within eTIPS called 'Access Tracker' allows our support teams to see who had a device last, what AP [access point] the device associated to, and other important information.”
A healthy and secure wireless network
Rolling out the eTIPS solution to an existing customer base was the next hurdle. Since residents are required to pay for Internet access, Chong and his team need to ensure that their accounts are up to date and logins are successful. Even though many of the residents are computer novices, adding stronger network access security has not raised any eyebrows, which has proven invaluable to the IT team.
From a healthcare perspective, the nursing staff at 15 Craigside take a laptop wheeled on a cart right to a resident's room to conduct in-house checkups. The nurse captures electronic health records in real time and can consult a doctor while still with the resident. 802.1X ensures the log-in information is encrypted and that the staff has access to the proper VLAN. Role-based user information, encryption and access differentiation help meet HIPAA requirements in the event of an audit and keep patient information private.
“We want to be proactive,” says Chong. “If there were ever a HIPAA question regarding security, we want to be able to pull up detailed access records. Avenda's per-session tracking and archive feature makes it easier to successfully meet audit requirements.”
Ease of management drove the team's guest-access requirements. A simple and fast solution was needed to create guest credentials, store user information and shut down a guest's access to the Internet once they had left the facility. Avenda's guest-access portal, and the receptionist sponsor and self-service capabilities, are a nice complement to what Meru does not provide, says Chong.
“Avenda's guest portal made it easy to create a page with Arcadia branding, and it can easily integrate with PCI DSS [payment card industry data security standard] services that handle billing information,” Chong explains. “At some point, endpoint health checks can also be added, since Avenda supports Web-based NAC health checks for non-company managed devices.”
Looking to the future
Since Arcadia is using eTIPS for wireless authentication today, it will look to NAC health checks in the future, says Chong. Because residents tend to click on links that look harmless, simple checks for current anti-virus tools and firewall status will help prevent network outages caused by malware. Checks performed on guests' devices will play the same role.
“We like that eTIPS is based on a multi-function architecture that does not require us to spend more on NAC, external RADIUS servers and other overhead expenses,” says Chong.
“Arcadia is also considering a second appliance for load balancing and fail-over requirements,” Chong adds. This will add the ability to load balance authentications between their two facilities and ensure no loss of service or archive capabilities.
“In addition, Arcadia will look to add 802.1X for wired access on their Cisco and HP switches in the future,” Chong says, “which Avenda can also support.”
About Arcadia Community Services
Arcadia Community Services is a non-profit organization that has provided continuous care for the elderly since 1967. It includes Arcadia Retirement Residence, their original facility which consists of 250 independent living units and 81 licensed nursing units. At 15 Craigside, which is a new facility that opened in early 2011, there are 170 independent living units and 41 licensed nursing units. Two adult day-care programs and a home health organization that provides meals and home-care services are also operated.
For more information on Avenda Systems' eTIPS solution: www.avendasys.com/products/.