BIDMC has two million square feet of wireless coverage using over a thousand 802.11n/a/g access points. We operate two separate networks – a secure network for clinical applications and a guest network for visitors.
The guest network is physically separate from the secure network and uses a commercial 14 megabit per second DSL line from Sprint for internet services, reducing BIDMC’s responsibility for malware control and digital millennium copyright act violations. Like any public, unrestricted network, the guest network offers the freedom to download malware, broadcast viruses, and use insecure applications.
In a world of Netflix and YouTube, compounded by bandwidth consumptive standards such as MPEG4, the demands on the guest network are infinite. Can the hospital afford to provide free bandwidth to every visitor (inpatient, outpatient, families, students etc) when 80% of the traffic is streaming video?
If we do provide infinite free bandwidth, will employees and clinicians use the guest network instead of the Enterprise WPA secured clinical network because configuration is easier? Mixing malware infected guest traffic with secure hospital applications is something we want to avoid.
Historically, we’ve only used one approach to discourage our BYOD staff from using the guest wireless – keep the bandwidth limited so that the secure network offers a better user experience. This is an imperfect solution because it means that patients and visitors compete with each other from the shared megabits. Two months ago, we restricted streaming video 8a-5pm Monday-Friday so that guest network users can reliably check their email and communicate via social networks.
What are other hospitals doing with their guest networks? I asked several CIOs in Massachusetts:
"We limit the bandwidth of each user on the guest network to ensure a consistent experience.
We can’t really block employees from accessing the guest network when they can bring in their own device It’s slow though. We have about 300-400 guests using wireless per day, sharing 5Mbps.
No corporate resources are available on the guest network without a VPN"
"We do not limit the bandwidth of each user on the guest network. We do web content filtering and block adult content, peer-to-peer traffic, and illegal activities. We do have the guest network configured for Bronze quality of service level, which is the lowest setting we could give it."
"We do not limit the bandwidth of each user on our guest network. We do run web content filtering,
block inappropriate sites, and try to block torrents to limit our Digital Millennium Copyright Act exposure."
Thus, the common practice seems to be
1. Use web content filtering to block inappropriate sites
2. Block Peer to Peer traffic/Bit Torrent.
3. Consider user bandwidth limitations
4. Provide "bronze" quality of service at the network level
5. Require VPN to reach clinical applications from the guest network
We already have web content filtering and peer to peer blocks in place. What can we do to enhance the patient/visitor experience while limiting the use of clinical BYOD devices on the guest network?
Our next step is to evaluate the costs of increasing our guest bandwidth, to simplify configuration when connecting to the secure network, and to educate our providers about the evils of the guest network and joys of the secure network.
And, yes, we have to ensure those BYOD devices are protected while using the secure network.
Although wireless broadband such as 3G CDMA/UMTS and 4G LTE may provide the technical capability for smartphone users to stream video to their devices, the end of the "all you can use" data plans is likely to further motivate users to seek guest wifi networks.
I predict that any capacity increases we purchase will soon be overwhelmed and we’ll have to again impose some kind of user bandwidth, quality of service, or time of day restrictions.
Feel free to share your experience with managing guest network demand. All comments are welcome.
In addition to his CIO role at BIDMC, Dr. Halamka blogs at GeekDoctor.blogspot.com.