Reducing costs and complexity never felt better


Ziekenhuis Oost-Limburg | Healthcare | Belgium

An apple a day keeps the doctor away, but what would be the prescription for a strong, secure and agile network? Let’s see how Ziekenhuis Oost-Limburg (ZOL), a major healthcare provider in eastern Belgium, managed to reduce costs and complexity while driving a particularly elaborate migration project!

Ziekenhuis Oost-Limburg (East Limburg Hospital), a collaborative with more than 1,000 hospital beds, essentially comprises two distinct healthcare institutions: ZOL Genk, which itself covers three separate locations: campus Sint-Jan (the city of Genk), campus Sint-Barbara (the Lanaken municipality) and Medical Center André Dumont (the Waterschei district), as well as ZOL Maas en Kempen, located in the city of Maaseik, around 30 kilometers away.

And from the IT perspective? 4 campuses, around 450 switches, 1,200 access points, and more than 20,000 endpoints. In other words: not an ordinary environment that can be managed easily. Especially when your networking and security team is only 4 people, responsible for a number of things, including the network, firewalls, voice infrastructure, meeting rooms, and basically anything that has to do with communication and data transport.

“The entire digitization of the healthcare environment is very dependent on a stable and scalable network. Basically speaking, without connectivity, nothing will work. That being said, keeping everything up and running, assuring we can deliver the best possible care with as little risk as possible, isn’t exactly what you’d call a walk in the park”, says Kurt Gielen, IT Manager at the Ziekenhuis Oost-Limburg.


“We wanted to build a resilient fabric-based network”

The rapid evolution of technology in recent years in the healthcare industry brought a whole lot of new requirements regarding mobility, efficiency and security. Figuring out how to ensure secure connectivity for an influx of new use cases and technologies, without making any mistakes or “cutting corners”, was starting to pose a considerable challenge for Kurt Gielen and his teammates.

On the other hand, there were some specific requirements regarding the old legacy devices and IP mobility. ZOL’s legacy layer 2 network, built primarily on products and solutions from a single, big networking vendor, set up in a classic, “static” model, didn’t exactly help with reconciling these two issues. A plan started to hatch in Kurt Gielen’s mind.

“We wanted to build a secure, resilient fabric-based network that would enable us to provide IP mobility over different campuses, but had the flexibility of a layer 2 legacy network without its downsides. I made the design, but it was really more like a letter to Santa Claus, a sketch of how my ideal network would look like, without knowing yet exactly which technologies could be used to eventually get us to that point”.

To help bring that vision to life, ZOL decided to employ the services of Orange Cyberdefense, Europe's leading cyber-security service provider.

Photo: Ziekenhuis Oost-Limburg

Moving towards lower costs and reduced complexity

Often enough, the natural first step in the search for the “dream” solution is to explore the offering of your existing vendor – especially when it’s the leading player in the market. Alas, that avenue turned out to be a dead end.

“That solution was too proprietary for us. Also, we didn’t want to engage in a subscription-based model because if you look at the hospital of our size and service mix, the costs could spiral out of control quite rapidly. As for the network edge solution, the design felt very complex, with numerous controllers and a lot of overhead just to manage the network. At the end of the day, we have to support the operating business of a hospital 24/7, so we didn’t have the luxury to go and implement such a complicated solution. Network itself was complex enough”, says Kurt Gielen.

“What Ziekenhuis Oost-Limburg was looking for was more simplicity, ease of use, security, and cost-efficiency, and that’s exactly what we delivered for this project”, says Bart Manteleers, Head of Business Development at Orange Cyberdefense Belgium, who led the consultant team responsible for both the implementation and the after-sales service. “We compared different technologies to see which of them would be the best fit for the needs of ZOL. Eventually, the Extreme Fabric Connect solution came out on top”.


A network segmentation like no other

IT engineers who don’t have a lot of networking experience tend to think about security in terms of having little islands connected through a firewall. In reality, it’s a little bit more complicated than that. However, with Extreme Fabric Connect, complex healthcare organizations like ZOL can translate that idea quite effortlessly into a so-called Layer 2 Virtual Services Network (L2 VSN): a VLAN that is mapped to a Service ID and isolated on the network. It has different breakout points on different campuses but is implemented virtually, which makes it very easy to explain to application and system engineers.


Additionally, the solution allowed ZOL to implement the network segmentation in a very structured way.

“It's not a binary thing. We have a macro-segmentation by implementing different Virtual Routing Domains (VRFs), which is perfectly possible within the fabric. I have virtual routes enabled for different business functions like medical devices, building control systems or communications. We tie them together on an internal segmentation firewall. We can also accommodate patient or visitor BYOD devices, because it’s very easy to keep different traffic flows segmented and isolated from each other. Then, with little effort, we were able to further define hyper-segmentation and micro-segmentation on the VRF level, making it impossible to do the east-west traffic between any endpoint devices. That's a major step forward in our security posture. Penetration tests done on the remaining legacy part and the hyper-segmented fabric side of things showed clearly that it’s a whole different ball game”, says Kurt Gielen.

So now that we know how security works here, let’s take a quick look at a couple of real-life examples highlighting the benefits of Extreme Fabric Connect for the networking team at the Ziekenhuis Oost-Limburg.


Extreme Fabric Connect: network security in practice

In the past, Kurt Gielen and his colleagues were asked on a number of occasions to enable connectivity, without really knowing how to do it without making some significant security compromises. For example: a doctor wanted to have VR glasses in the operating room, but the network specialists didn’t know the vendor so they wouldn’t be able to integrate the technology in a secure fashion instantly, as if with a magic wand.

“Often, you have to figure out which segmentation rules the device needs because you're not aware of the security requirements it may have. Now we have our segmentation plan. We pick the right spot to put the device into, enter the authentication credentials, plug it in and it's segmented and secured by default. This enabled us to answer those kinds of questions very quickly and accelerate our pace of integration”.


Another case: a police station has recently been established at one of ZOL’s hospitals and it needed to be connected to the local network. On the surface level, both are public organizations serving the community. But from the technical point of view, it’s a completely external third party that couldn’t be further apart in terms of what can be on their network. Kurt Gielen was ready to tackle that challenge, too.

“Extreme Fabric Connect enabled us to easily assign them an island within our network and let them have the complete management of their own environment, without interfering in any possible way with the hospital’s operations. And that functionality is infinitely scalable – we can accommodate virtually any number of such implementations. Having a ready solution for every possible question in place is a very comfortable position to be in”.


Prepared for anything

The migration project, handled by Orange Cyberdefense, started in early 2019. Originally, ZOL’s IT team envisioned a 4-year plan to make the full transition. However, two major issues came up along the way: a merger with the Maas en Kempen hospital in Maaseik and the COVID-19 pandemic. In both cases, the existing Fabric Connect infrastructure turned out to be a great enabler.

“I’ve seen my share of mergers and I know they are rarely easy to do. But since we’ve had a really solid and scalable design up front, restricted in neither geographical nor technical aspect, what we did was a very simple carbon copy of what we already had. We put the switches in the other data center, interconnected via some leased lines, and extended the fabric. Within a week we were already migrating legacy devices to the new fabric. We can very easily pull out a switch, put in a new one, or get a new link added to the SPBM fabric and have the link up and running, without having second thoughts about configuring OSPF, routing protocols or things like that”, says Kurt Gielen.


A year into the migration process, COVID-19 came to Europe, throwing a monkey wrench in the works. The challenge was double. Obviously, no personnel could work on site to roll out the physical devices. On the other hand, there was a massive spike in demand for video-connected virtual boardrooms.

“The positive side is that the technology delivered by Orange Cyberdefense prior to March 2020 enabled us to cope with those increased demands. From the very beginning we were able to use Fabric Connect to easily design and build the segments for virtual boardrooms, have that kind of equipment nicely isolated and quickly onboarded. And I can say that despite the COVID, if we take everything into account, we are ahead of schedule with our migration”.


The best possible choice

What most people don't realize is the sheer complexity and interdependency of a typical hospital’s environment.

“Today, everything and everybody has to be connected to everything and everyone. This is the same for a hospital environment. From the moment the patient arrives, he or she is a part of an elaborate digital process”, says Bart Manteleers. “Having an underlay network that takes away some of that complexity is crucial”.

“At the end of the day, we are an IT organization within a hospital, but our core mission is delivering better patient care. For us, network is just an enabler to do our job, so it's something that should be looked at as a commodity, not an obstacle. Adding complexity to it is not very difficult. You can always add complexity to the system, but taking it away – that's a whole different challenge”, says Kurt Gielen.


Last but not least, there is one other important aspect of reducing network complexity, and that’s of course the money.

“When you make a decision as an IT manager, you’re not always 100% sure it will be the right one, because the only way to know is just to see how it works. You also need to consider the total cost of ownership, which only becomes clear if you're really deploying and getting to the nitty-gritty details of the implementation, since that’s usually when most of the hidden costs pop out. With the Extreme Fabric Connect solution delivered by Orange Cyberdefense, those kinds of surprises were really limited to an absolute minimum and I'm pretty sure that if we had chosen another technology, that wouldn't have been the case. The segmentation of layer 2, the ability to hyper-segment in an easy way to have a multi-campus fabric solution in the edge that is very easy to use, with highly scalable, yet not very proprietary extensions… Taking all this into account leads me to strongly believe we made the best possible choice”, Kurt Gielen sums up.


About Orange Cyberdefense


Orange Cyberdefense is the Orange Group entity dedicated to cybersecurity. It has 8,500 customers worldwide. As Europe's leading cybersecurity service provider, we strive to protect freedom and build a safer digital society. Our services capabilities draw their strength from research and intelligence, which allows us to offer our clients unparalleled knowledge of current and emerging threats. With 25 years of experience in the field of information security, more than 2,700 experts, 17 SOCs and 13 CyberSOCs spread around the world, we know how to address the global and local issues of our customers. We protect them across the entire threat lifecycle in more than 160 countries.
