Page 1: Medical Facility Network Design

Medical Facility Network Design Proposal

LIS 4482 Managing Networks and Telecommunications

November 30, 2014

Group 2: Amanda Lee, Chris Stone, Montana Carroll, Zachary Bichard, William Richards

II: EXECUTIVE SUMMARY

Our team has developed a comprehensive network diagram and base infrastructure plan to help the up-and-coming medical center. The team took careful measures to ensure that all the necessary components of the system requirements were met and that all patients’ information would remain readily accessible to nurses, doctors, and surgeons while staying secure from outside parties attempting to access the files.

The Written Description is a detailed overview of Appendices A & B. It describes the hardware, software, and connections of all components, including why components were chosen, the hardware used, the software used, and the breakdown of the logical and physical structures. The Network Policies section outlines the operations of all elements of the facility, including but not limited to printing, email, power, information storage, and user privileges, and describes how these functions will be performed using the infrastructure components and design. The Security Policies section summarizes our team’s plan to keep all information safe and secure within the planned network and to keep the system’s physical structure safe from outside parties; this includes both physical and logical protection from intrusion. The Disaster Recovery section encapsulates all plans to recover and safeguard information in a variety of situations; preparedness for events such as sudden power outages or viruses is detailed in that section. The Budget section breaks down the financial implications of the proposed network design and all the necessary components, as an estimate of the total cost of purchasing the equipment. The Physical Network section details the physical layout of the network, including all components needed to complete the network and to ensure that all safety and disaster recovery protocols are met. The Logical Network section goes into detail on how the network actually functions: hardware and software integration, as well as the protocols in place to ensure that file transfers, communications, etc. perform as they should.

Page 2: Medical Facility Network Design

III: WRITTEN DESCRIPTION

In the main building server room we have:

1. Two modems for the two WAN connections coming in through the two ISPs
2. One router (dual WAN) connecting the two modems to the external firewall
3. One firewall for security from inbound traffic
4. One router to subnet the servers
5. Two switches
   a. To run from the router to the servers, from the servers to the datacenter, and from the servers to the RAID
6. One firewall to secure the servers from the office network
7. One switch to run to the routers for the desktops and wireless access points
8. Two routers for the desktops, VoIP, and wireless access points
9. Two patch panels
   a. One to run ethernet drops for the desktops
   b. One to run ethernet drops for the wireless access points
10. Two RAID racks running RAID 10 for high redundancy and uptime
11. Five UPS to protect servers, RAID, switches, and patch panels from power surges and power outages

In the main building we have:

1. 20 computers for use by employees that do not have mobile devices
   a. Also for employees that work with sensitive information that the company wants to stay on site
2. Two VoIP phones
   a. One for the IT staff
   b. One for the Director
   c. We will have drops for expansion
3. Three network printers
   a. One for IT
   b. One for HR/Billing
   c. One for the second floor Nurse’s Station and Counseling
4. 11 local printers
5. 29 business phones
6. 10 wireless access points
   a. To ensure complete wireless coverage

First Floor Telecommunication room:

1. Two switches
   a. This allows for redundancy to ensure users may reach the internet and needed files
2. Two patch panels
   a. Allows for easier troubleshooting of ethernet connections
   b. Also helps network connections stay neat and organized
3. Two UPS batteries
   a. Ensure proper surge and power outage protection

Second Floor Telecommunication room 1:

1. One switch
   a. To ensure users may reach the internet and needed files
2. One patch panel
   a. Allows for easier troubleshooting of ethernet connections
   b. Also helps network connections stay neat and organized
3. One UPS battery
   a. Ensure proper surge and power outage protection

Second Floor Telecommunication room 2:

1. Two switches
   a. This allows for redundancy to ensure users may reach the internet and needed files
2. Two patch panels
   a. Allows for easier troubleshooting of ethernet connections
   b. Also helps network connections stay neat and organized
3. Two UPS batteries
   a. Ensure proper surge and power outage protection

Datacenter:

1. One router
   a. Provides subnet for RAID racks
2. One switch
3. One patch panel
   a. Allows for easier troubleshooting of ethernet connections
   b. Also helps network connections stay neat and organized
4. One router
   a. Provides subnetting for the wireless access points and mobile devices
5. Two RAID racks
   a. Provide backup for server room RAID racks
6. Tape drive
   a. To create backups of RAID racks for secure storage and send to offsite storage
7. One wireless access point
   a. To allow access for mobile devices and laptops

Secure Storage (holds backup hardware):

1. Four wireless access points
2. Five VoIP phones
3. Five business phones
4. Five desktop computers
5. One modem
6. Two routers
7. One patch panel
8. One dual WAN router
9. Two servers
10. Three switches

Page 4: Medical Facility Network Design

IV. NETWORK POLICIES

As a responsible member of the global community, our medical facility has established in-depth standard operating procedures for our facility. For Internet access, all users are required to use the login information given to them by the IT department. While Internet usage is not monitored at all times, any misconduct that is reported will be investigated. All users are responsible for the activities performed under their credentials.

Our facility offers printing services for work-related needs. All users have access to the printers for ease-of-access. However, personal use should be kept to a minimum. Whenever possible, conserve color ink. Use as few sheets as possible for lengthy reports. Suspected abuse of printer privileges will be investigated.

All users are assigned a business email to allow for easy inter-office communication. Business email accounts should be used for business purposes only. All emails are stored and can be accessed by administration at any time.

As previously stated, users will be issued login information. General users will be unable to change settings or clear histories. Contact the IT department with any questions regarding privileges.

Since most of the organization uses the same files, we use a unified syntax for naming standards. The standard for patient documents is as follows: date_staffmember_patientname_description (e.g. 112914_smith_roberts_toxicology). The standard for staff-to-staff documents is as follows: date_fromstaffmember_tostaffmember_description (e.g. 090914_smith_peters_inforequest).

All workstations are configured by the IT department. All users will be able to perform all functions required by their position. Some things that are allowed for everyone are email, the Microsoft Office suite, and web browser use. Hardware settings are set to be updated manually by the IT department. Our IT department works around the clock to make sure all of the workstations are configured properly and perform their functions without any issues.

Our facility strives to provide the best possible experience for our employees. To that end, network devices are strategically placed so there are no gaps in coverage. For the most part, every department has its own network inside the organization’s intranet.

One factor that is completely out of our control is the environment. The best thing we can try to do is plan for the worst. Our facility has backup batteries on every single floor to ensure that we never truly lose power. We also have offsite backups that are updated weekly to ensure minimal loss of data.

There are no automatic updates at this site. The IT department handles all of the updating processes to ensure that all updates work as they should. The IT department checks for new operating system patches and updates daily. The rest of the systems’ updates are performed on a bi-weekly basis.

V. SECURITY POLICY

Security is vital to the operation of this company, because if any records were to be viewed by unauthorized parties it would be in direct violation of HIPAA standards and the company could be sued for millions of dollars. It is critical that there is a strict user account policy in which we employ the principle of least privilege, meaning that only those who must view the files to complete their work are allowed to view them. Password requirements for logging into accounts are as follows: a minimum of 8 characters; no dictionary words or names; passwords expire every 90 days; the new password cannot be identical to any of the last 10 passwords; passwords are not displayed when entered; and they are to be deleted once no longer in use. All remote access to the network MUST be through a VPN to ensure that the connection is secure and impenetrable, and remote access will also be limited to those that absolutely need it. The firewalls will be set to block by default all incoming and outgoing traffic that is not expressly permitted in the firewall policies. They will immediately blacklist any IPs that show malicious activity, as well as limit access to and from both China and Russia. We will encrypt all sensitive data such as medical records and billing information so that even if an attacker does manage to steal records they will not be able to read them.
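The password rules above, as an added example that is not code from the proposal: a validator that enforces the 8-character minimum, the dictionary-word/name ban, the last-10 history check, and the 90-day expiry. It assumes the IT department stores password history as salted PBKDF2 digests (a hypothetical storage format) so the history never holds cleartext; the word list is a constructed stand-in.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8        # "minimum of 8 characters"
MAX_AGE_DAYS = 90     # "the passwords expire every 90 days"
HISTORY_DEPTH = 10    # "cannot be identical to the last 10 passwords"

# Constructed stand-in for a real dictionary/name list; a deployment would load
# a full word list (hypothetical path: /etc/security/words.txt).
DICTIONARY = {"password", "welcome", "hospital", "medical", "smith", "roberts"}


def hash_password(password, salt):
    """Salted PBKDF2 digest; the history stores (salt, digest) pairs, never cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def contains_dictionary_word(password):
    # Split on digits/punctuation so 'Smith2014!' is still caught.
    tokens = re.split(r"[^A-Za-z]+", password.lower())
    return any(len(t) >= 4 and t in DICTIONARY for t in tokens)


def validate_new_password(password, history):
    """Return the list of policy violations; an empty list means accepted.

    history: (salt, digest) pairs, most recent first, including the current password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word or name")
    for salt, digest in history[:HISTORY_DEPTH]:
        # Constant-time compare so timing does not leak which entry matched.
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def is_expired(last_changed, today):
    """90-day expiry: the password must be rotated on or after day 90."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def record_password(password, history):
    """Prepend the new salted digest and trim the history to HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]
```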

We will keep detailed logs of all failed logins, any modification of security settings, flagged system events, modification of privileges, and modification of system level objects. We will also log all personnel that come into and leave the building as well as the datacenter. The datacenter will be limited to only necessary personnel and you must register with the datacenter and get approval to be able to enter the first time.

The IDS and IPS will be set inline so that all traffic passes through them to be scanned, and they will alert on events of interest. There will also be regular vulnerability assessments in which manual scans for vulnerabilities will be completed. We will also use this time to review for outdated or unused software and employees’ password quality, and will occasionally have external audits in which the auditors conduct penetration testing.

Our procedures for handling security violations are as follows: carefully monitor the regular violation reports to check for repeat offenders; if a violation is made against a specific set of resources, consult with the manager of those resources to determine the sensitivity of the information being accessed; and if the violation is found to be malicious, blacklist the associated IPs as soon as possible.
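The violation-handling procedure above, as an added example that is not from the proposal: it parses a constructed violation report in an assumed one-event-per-line format, flags repeat offenders (three or more events within seven days), groups events by resource so the right manager can be consulted, and lists the source addresses involved for the blacklist decision.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample violation report (not from the facility). Fields mirror the
# events the policy says are logged: failed logins, security-setting changes,
# privilege changes. Line format is an assumption made for this example.
REPORT = """\
2014-11-29T08:12:03 user=jsmith src=10.0.5.22 event=failed_login resource=medical_records
2014-11-29T08:12:41 user=jsmith src=10.0.5.22 event=failed_login resource=medical_records
2014-11-29T08:13:10 user=jsmith src=10.0.5.22 event=failed_login resource=medical_records
2014-11-29T09:02:55 user=mlee src=10.0.7.14 event=failed_login resource=billing
2014-11-29T11:40:07 user=rperez src=10.0.5.31 event=privilege_change resource=billing
2014-11-30T07:58:19 user=jsmith src=10.0.5.22 event=failed_login resource=billing
2014-11-30T14:21:44 user=mlee src=10.0.7.14 event=security_setting_change resource=firewall
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) resource=(?P<resource>\S+)$"
)


def parse_report(text):
    """Turn report lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def repeat_offenders(records, threshold=3, window=timedelta(days=7)):
    """Users with at least `threshold` violations inside any `window`: {user: total}."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["ts"])
    offenders = {}
    for user, stamps in by_user.items():
        stamps.sort()
        # Sliding window: events i .. i+threshold-1 must fit inside `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                offenders[user] = len(stamps)
                break
    return offenders


def violations_by_resource(records):
    """Group violations by resource so the review goes to that resource's manager."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["resource"]].append((r["user"], r["src"], r["event"]))
    return dict(grouped)


def sources_to_review(records, offenders):
    """Source IPs used by repeat offenders: the candidates for the blacklist decision."""
    return sorted({r["src"] for r in records if r["user"] in offenders})
```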

VI. DISASTER RECOVERY POLICY

As it is critical that the company have all records immediately when needed, it was clear it needed a secure disaster recovery plan. For backup procedures we have a backup server deployed along with a virtual tape library. Backups of the servers will occur every day after business hours, and full backups of the network will occur once a week, followed by differential and/or incremental backups that only record the changes since the last backup. The daily backups will be kept for 5 days, weekly backups for 5 weeks, monthly backups for 12 months, and special backups are to be kept for longer periods of time; these include backups taken directly after system upgrades and other major changes. The tapes will be stored off site to avoid loss of data in the event of a physical disaster.
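The backup schedule and retention periods above, as an added example that is not part of the proposal: a small catalogue model that works out which backups must be applied to restore to a given day, and which backups may be pruned. It assumes a differential records all changes since the last full backup and an incremental records changes since the previous backup of any level, and it refuses to prune a backup that a still-retained backup depends on. The catalogue is constructed sample data.

```python
from datetime import date, timedelta

# Retention from the policy: daily 5 days, weekly 5 weeks, monthly 12 months;
# "special" backups (taken after upgrades) are kept indefinitely (None).
RETENTION = {
    "daily": timedelta(days=5),
    "weekly": timedelta(weeks=5),
    "monthly": timedelta(days=365),
    "special": None,
}

# Constructed sample catalogue (not the facility's real backup index):
# (date taken, retention class, backup level). Weekly and special backups are
# full; the daily runs are differential or incremental.
CATALOGUE = [
    (date(2013, 11, 1), "monthly", "full"),
    (date(2013, 11, 30), "monthly", "full"),
    (date(2014, 10, 19), "weekly", "full"),
    (date(2014, 10, 26), "weekly", "full"),
    (date(2014, 11, 16), "weekly", "full"),
    (date(2014, 11, 17), "daily", "incremental"),
    (date(2014, 11, 18), "daily", "incremental"),
    (date(2014, 11, 19), "daily", "differential"),
    (date(2014, 11, 20), "daily", "incremental"),
    (date(2014, 11, 22), "special", "full"),
    (date(2014, 11, 23), "weekly", "full"),
    (date(2014, 11, 24), "daily", "differential"),
    (date(2014, 11, 25), "daily", "incremental"),
    (date(2014, 11, 26), "daily", "incremental"),
    (date(2014, 11, 27), "daily", "differential"),
    (date(2014, 11, 28), "daily", "incremental"),
    (date(2014, 11, 29), "daily", "incremental"),
]


def is_expired(backup, today):
    """A backup is outside its window once it is older than its class allows."""
    taken, klass, _ = backup
    limit = RETENTION[klass]
    return limit is not None and today - taken > limit


def restore_chain(catalogue, target):
    """Backups needed, in apply order, to rebuild the state as of `target`."""
    ordered = sorted(b for b in catalogue if b[0] <= target)
    fulls = [b for b in ordered if b[2] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before %s" % target)
    base = fulls[-1]
    chain = [base]
    for b in ordered:
        if b[0] <= base[0]:
            continue
        if b[2] == "differential":
            chain = [base, b]   # a differential supersedes every daily before it
        else:
            chain.append(b)     # an incremental needs everything applied before it
    return chain


def prune(catalogue, today):
    """Backups to keep: those inside their retention window, plus any older
    backup that a retained backup still needs in its restore chain."""
    keep = {b for b in catalogue if not is_expired(b, today)}
    for b in list(keep):
        keep.update(restore_chain(catalogue, b[0]))
    return sorted(keep)
```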

As for virus management, we have a few policies in place to ensure that employees are always able to retrieve records with no delays, and to ensure that no attackers can access the medical and billing records via a virus. Employees are never to open an attachment when they are unsure of the source or of the business-related reason for the file being sent. They are always to run a virus scan before downloading any files, and the same policy applies to installing software. No software is to be downloaded until it has been verified to be free of malware. Special attention should be paid to any shareware or freeware employees may download. Do not download anything from unknown sources without approval from IT staff, and employees must allow virus definition updates to be pushed to their computer every day. If concerned there may be malware on your machine, quarantine the file if possible and alert the IT staff immediately.

In the event of the building losing power we have a couple of plan Bs in place, so to speak. We have UPS units attached to all the vital components to help buffer against power surges, and we have battery backup power configured to give employees an extra 15 minutes of warning to either save their work or, hopefully, have regular power restored without losing any data.

As for disk fault tolerance, we are employing RAID to ensure that there is redundancy. This will increase availability and help make sure that employees are always able to access the network. We will have the UPS system attached to the RAID racks to ensure they are not hit by a power surge.

VIII: BUDGET

This should be a spreadsheet outlining costs relating to your proposal. If the company already has an asset, note this in your budget. Include a written description that details and justifies each cost.

Hardware/Software | Brand | Quantity | Total Price
Cat5e Cables | StarTech.com 1000-Feet Roll of Blue Plenum CMP Cat5e Solid UTP Bulk Cable (WIR5ECMPBL) | 6 rolls (1 extra 1000 ft roll) | $1,271.94 (buying in bulk is the best way to save money and acquire the appropriate cable length)
Fiber Optic Multimode Cables | SM 12-Channel 900u Tight Buffer Tactical Fiber Optic Cable | 385 feet | $673.75
Modems | Motorola SURFboard DOCSIS 3.0 High-Speed Cable Modem | 3 modems | $263.97
Routers | NETGEAR Nighthawk Dual-Band Wireless-AC Router with 4-Port Ethernet Switch, and Cisco Small Business RV320-K9-NA Dual Gigabit WAN VPN Router | 7 routers and 2 Dual WAN routers | $1,743.93
Switches | EDGE-CORE ECS4610-50T L3 Managed 48 Port Gigabit Ethernet Stackable Switch with 4 Combo SFP Ports | 12 | $28,164
Computers | Dell XPS 8700 Desktop Computer, Intel i7-4790 Quad-Core 8GB 3.6 GHz | 25 | $19,749.75
Patch Panels | TRENDnet TC-P08C5E 8-Port Cat. 5e Unshielded Patch Panel | 9 | $161.91
RAID Racks | Sans Digital 8-Bay eSATA RAID 0/1/10/5/JBOD Tower Storage Enclosure w/ 6G PCIe Card TR8M+ (Silver) | 4 | $1,199.96
UPS | CyberPower CP1000AVRLCD Intelligent LCD Series UPS | 7 | $699.93
Servers | Lenovo ThinkServer TS140 Tower Server System Intel Xeon E3-1225 v3 3.2GHz 4GB 70A4001LUX | 2 | $679.98
VoIP Phones | Cisco 7970G IP Phone, CP-7970G | 7 | $866.25
Business Phones | RCA 25201RE1 2-Line Corded Speakerphone | 34 | $1,359.66
Wireless Access Points | Cisco AIR-LAP1242AG-A-K9 Aironet 1242AG Wireless Access Point 802.11b/802.11a/802.11g | 15 | $1,650.67

Totals of Equipment: look at the Written Description for quantities of the hardware.

10 LTO6 tapes (cost around 650 dollars)

1. LTO6 tape has a storage capacity of 2.5 TB uncompressed and up to 6.25 TB (2.5:1 compression). LTO Ultrium 6 hardware incorporates the Advanced Encryption Standard (AES) and Linear Tape File System (LTFS) dual partitioning functionality.

??? Hard Drives (Not sure how many gigs we need, but I know it is a lot; plus we need backup drives)

Make sure to do cabling prices based off of the quantities and lengths in the tables of Appendix A.

APPENDIX A: PHYSICAL NETWORK DIAGRAM

[Figure: Appendix A legend]
[Figure: Floor 1 Hardware]
[Figure: Floor 2 Hardware]
[Figure: Datacenter Hardware]
[Figure: WAN Links]
[Figure: Cabling between buildings]
[Figure: Cabling inside of Main Building, Floor 1]

Floor 1 cable lengths, types, and quantities

Cable Locations Cable Type Cable Length Cable Quantity

Server Room to IT Drop 1 Category 5e 35’ 3

Server Room to IT Drop 2 Category 5e 40’ 3

Server Room to Hallway WAP Category 5e 50’ 1

Server Room to Patient Room Drop Category 5e 40’ 1

Server Room to Patient Room Drop Category 5e 55’ 1

Server Room to Patient Room Drop Category 5e 60’ 1

Server Room to Patient Room Drop Category 5e 60’ 1

Server Room to Cafeteria Drop Category 5e 75’ 1

Server Room to Cafeteria WAP Category 5e 85’ 1

Server Room to Receptionist Category 5e 70’ 1

Server Room to HR & Billing Drop 1 Category 5e 70’ 3

Server Room to HR & Billing Drop 2 Category 5e 75’ 3


Telecomm. to Nurse’s Station Category 5e 65’ 2

Telecomm. to Director’s Office Category 5e 65’ 3

Telecomm. to Nurse’s Station WAP Category 5e 55’ 1

Telecomm. to Receptionist WAP Category 5e 75’ 1

Telecomm. to Telecomm. WAP Category 5e 35’ 1

Telecomm. to Patient Room Drop Category 5e 55’ 1

Telecomm. to Patient Room Drop Category 5e 60’ 1

Telecomm. to Patient Room Drop Category 5e 55’ 1

Telecomm. to Patient Room Drop Category 5e 75’ 1

Server room to Telecomm. Fiber 1 Fiber Optic Multimode 155’ 1

Server Room to Telecomm. Fiber 2 Fiber Optic Multimode 155’ 1

Cables for Server and Telecomm. Room Category 5e 5’ / 10’ 96

Spare cables for rooms Category 5e 10’ 33


Floor 2

Floor 2 cable lengths, types, and quantities

Cable Locations Cable Type Cable Length Cable Quantity

Telecomm. 1 to Medical Records Drop Category 5e 35’ 1

Telecomm. 1 to Doctor Drop Category 5e 40’ 1

Telecomm. 1 to Doctor Drop Category 5e 50’ 1

Telecomm. 1 to Doctor Drop Category 5e 75’ 1

Telecomm. 1 to Hallway WAP Category 5e 45’ 1

Telecomm. 1 to Accounting Category 5e 75’ 1

Telecomm. 1 to Patient Room Drop Category 5e 75’ 1

Telecomm. 1 to Counseling Drop Category 5e 95’ 1

Telecomm. 1 to Counseling WAP Category 5e 85’ 1

Telecomm. 1 to Office Manager Drop Category 5e 55’ 1


Telecomm. 2 to Telecomm. WAP Category 5e 25’ 1

Telecomm. 2 to Patient Room Category 5e 50’ 1

Telecomm. 2 to Patient Room Category 5e 35’ 1

Telecomm. 2 to Patient Room Category 5e 50’ 1

Telecomm. 2 to Patient Room Category 5e 65’ 1

Telecomm. 2 to Nurses’ WAP Category 5e 55’ 1

Telecomm. 2 to Nurses’ Drop Category 5e 75’ 2

Telecomm. 2 to Chief Medical Drop Category 5e 75’ 1

Telecomm. 2 to Public Outreach Drop 1 Category 5e 85’ 1

Telecomm. 2 to Public Outreach Drop 2 Category 5e 100’ 1

Telecomm. 2 to Office Manager WAP Category 5e 95’ 1

Telecomm. to Telecomm. 1 Fiber Fiber Optic Multimode 25’ 1

Telecomm. to Telecomm. 2 Fiber 1 Fiber Optic Multimode 25’ 1

Telecomm. to Telecomm. 2 Fiber 2 Fiber Optic Multimode 25’ 1

Cables for Telecomm. rooms Category 5e 5’ 54

Spare Cables for rooms Category 5e 10’ 23

Cabling inside of Data Center


Cable Locations Cable Type Cable Length Cable Quantity

Telecomm. to RAID Rack 1 Category 5e 40’ 1

Telecomm. to RAID Rack 2 Category 5e 40’ 1

Telecomm. to Ethernet Drop 1 Category 5e 80’ 1

Telecomm. to Ethernet Drop 2 Category 5e 85’ 1

Telecomm. to WAP Category 5e 50’ 1

Spare cables Category 5e 5’ 5

Cables for Telecomm. Room Category 5e 5’ / 7.5’ 20

APPENDIX B: LOGICAL NETWORK DIAGRAM


Contributions

Cover Page: Montana Carroll
Executive Summary: Zachary Bichard
Written Description: Zachary Bichard, Amanda Lee, Montana Carroll
Network Policies: Chris Stone
Security Policies: Amanda Lee
Disaster Recovery Policies: Amanda Lee
Budget: Billy Richards
Appendix A: Montana Carroll with assistance from Amanda Lee and Zachary Bichard
Appendix B: Montana Carroll with assistance from Amanda Lee and Zachary Bichard for IP addressing


Building location

We can make up wherever we want the building to be. The main thing needed is that wherever we decide needs to have existing fiber so that we can lease or buy it.

HIPAA standards

He did not mention that the patients needed access to the internet, so we will not give them any. This way we do not have to worry about having a secure network and a public one (for public use).

Those three will make up the 180 mobile users??? Laptops??? Tablets??? Smartphones

I put some pictures of laptops on the diagram because he said he wanted to see them but there is no way we can put all of the staff’s laptops, tablets, and other devices.

Just to clarify, there are about 45 IP addresses that are public non-mobile. Those will be the computers, VoIP phones, network printers, and wireless access points. The wireless access points will be set in the router to have fixed IP addresses so that administration/maintenance will be easier. The network printers are located at the nurse’s station on the 2nd floor, IT, HR & Billing, and Public Outreach. Also, the dual WAN router will need an IP address.

Storage

The network area storage will be configured in RAID 10 because it is the best RAID array for mission-critical operations. It is the most expensive, but it will save lives if something were to happen like disk failures. It can easily handle the load until the new hard drives are hot swapped out. We will have a normal setup in the server room and the RAID 10 in the data center. Please correct me if this won’t work. I know some about this but not a lot.

Router

We will have two different ISP companies in order to have redundancy for our connection. That means two modems that hook into the dual WAN router. Dual WAN allows you to connect to different ISPs. After that, the hardware firewall should be placed for security measures.

Communication Rooms

Each communication room has either one 48-port patch panel and switch or two 24-port patch panels and switches. They are on UPS to protect against power surges or drops. The switches on the opposite side of the building from the server room will be connected with a multimode fiber optic cable. From the switch to the patch panels and to the computers/printers/VoIP phones we will use ethernet cables, either Cat 6 or Cat 5e.

Nurse Station Rolling Computer

There is a computer near each nursing station that will be on a cart and can be rolled into the patients’ rooms. It will be connected to the wall with the ethernet jacks provided in the rooms (so that they can retrieve and send data faster).

Phones

Due to IP address limitations, not all rooms could have VoIP, so I decided to do a PBX/VoIP hybrid, which is actually pretty common in businesses since upgrading to VoIP can be difficult. Plus, not all rooms need VoIP, like the patients’ rooms.

Cabling

As I mentioned, we can use either Cat 5e or Cat 6, whichever you want. From the comm room to the server room will be multimode fiber for faster transfer of patient records. From the data center to the main building we will use dark fiber from the city or a company that has fiber. It will be single-mode fiber optic cable since it is a further distance. We will use a VLAN to transfer the data.