Since its founding in 1888, Sentara Healthcare in Norfolk, Va., has flourished using the latest technologies and practices to deliver outstanding medical services. Like most healthcare facilities, Sentara must meet government requirements such as the Health Insurance Portability and Accountability Act (HIPAA) for secure handling of medical records.

Today, Sentara operates more than 100 facilities, including 10 hospitals, and is a leader in heart, kidney and stroke care. Similar to other healthcare facilities, Sentara relies on networked technologies to bolster its ability to provide patient care, and found that it could reduce costs by replacing bulky computer pushcarts that caregivers move to and from patient rooms with mobile, thin, client medical devices. Staff could then move freely between patient rooms and use these compact devices from the patients’ rooms.

This solution, however, required a new security strategy. Sentara had to identify and authenticate users and devices to help ensure only authorized staff access the hospital networks. It also had to segment critical patient care devices such as infusion pumps and CT systems from clinical devices like its electronic medical records system, imaging systems and financial solutions. Because FDA mandates require that only manufacturers modify medical device software for upgrades or develop security patches, Sentara had to prevent any inadvertent or unauthorized changes that could disrupt system functionality or affect the integrity of patient-related information.

“To meet our stringent security needs, Sentara needs to dynamically lock down every network port, so our staff, and only our staff, can move about our facilities and use medical systems,” says Chad Spiers, director, voice and data infrastructure services. “We can’t let just anyone plug their own device into a port and access highly confidential patient records. We must identify every device and assign it an appropriate level of security based on its functionality.”

Sentara, along with partner Savant, now use Cisco’s next generation identity and access control policy platform called the Identity Services Engine (ISE). Cisco Professional Services carefully outlined Sentara’s security requirements and supported Sentara/Savant engineers as they rigorously tested ISE at Sentara’s Norfolk data center for nearly four months. The Sentara/Savant IT team went live with the total network in August 2011.

“It gave us control over whom and what enters our network, enabling us to meet our security and compliance needs,” Spiers said. “ISE will offer excellent visibility into our wired and wireless networks, so we always know the status of every user, device and port.”