Medical Facility Network Design

Published on February 2017 | Categories: Documents | Downloads: 47 | Comments: 0 | Views: 363

Medical Facility Network Design Proposal

LIS 4482 Managing Networks and Telecommunications
November 30, 2014
Group 2: Amanda Lee, Chris Stone, Montana Carroll, Zachary Bichard, William Richards

II: EXECUTIVE SUMMARY
Our team has developed a comprehensive network diagram and base infrastructure plan to help the up-and-coming medical center. The team took careful measures to ensure that all the necessary components of the system requirements were met and that all patients’ information would remain readily accessible to nurses, doctors, and surgeons while staying secure from outside parties attempting to access the files.
The Written Description is a detailed overview of Appendices A & B. It describes the hardware, software, and connections of all components: why components were chosen, the hardware used, the software used, and the breakdown of the logical and physical structures.
The Network Policies section outlines the operation of all elements of the facility, including but not limited to printing, email, power, information storage, and user privileges. It describes how these functions will be performed using the infrastructure components and design.
The Security Policies section summarizes our team’s plan to keep all information safe and secure within our planned network and to keep the system’s physical structure safe from outside parties. This covers both physical and logical protection from intrusion.
The Disaster Recovery section encapsulates all plans to recover and safeguard information in a variety of situations. Preparedness for events such as sudden power outages or viruses is detailed in this section.
The Budget section breaks down the financial implications of the proposed network design and all the necessary components. It is an estimate of the total cost of purchasing all the necessary equipment.
The Physical Network section details the physical layout of the network. This includes all components necessary to complete the network and to ensure that all safety and disaster recovery protocols are met.
The Logical Network section goes into detail on how the network actually functions: hardware and software integration, as well as the protocols in place to ensure that file transfers, communications, and other services perform as they should.

III: WRITTEN DESCRIPTION
In the main building server room we have:
1. Two modems that are for the two WAN connections that are coming in through
the two ISPs
2. One router (dual WAN) connecting the two modems to the external firewall
3. One firewall for security from inbound traffic
4. One router to subnet the servers
5. Two switches
a. To connect the router to the servers, the servers to the datacenter, and the servers to the RAID
6. One firewall to secure the servers from the office network
7. One switch to run to the routers for the desktops and wireless access points
8. Two routers for the desktop and VoIP and wireless access points
9. Two patch panels
a. One to run ethernet drops for the desktops
b. One to run ethernet drops for the wireless access points
10. Two RAID racks running RAID 10 for high redundancy and uptime
11. Five UPS to protect servers, RAID, switches, and patch panels from power
surges and power outages
In the main building we have:
1. 20 computers for use by employees that do not have mobile devices
a. Also for employees that work with sensitive information that the
company wants to stay on site
2. Two VoIP phones
a. One for the IT staff
b. One for the Director
c. We will have drops for expansion
3. Three network printers
a. One for IT
b. One for HR/Billing
c. One for second floor Nurse’s Station and Counseling
4. 11 local printers
5. 29 Business phones
6. 10 Wireless Access Points
a. To ensure complete wireless coverage
First Floor Telecommunication room:
1. Two switches
a. This allows for redundancy to ensure users may reach internet
and needed files
2. Two patch panels
a. allows for easier troubleshooting of ethernet connections
b. also helps network connections stay neat and organized
3. Two UPS Batteries
a. ensure proper surge and power outage protection
Second Floor Telecommunication room 1:

1. One Switch
a. To ensure users may reach internet and needed files
2. One patch panel
a. allows for easier troubleshooting of ethernet connections
b. also helps network connections stay neat and organized
3. One UPS Battery
a. ensure proper surge and power outage protection
Second Floor Telecommunication room 2:
1. Two switches
a. This allows for redundancy to ensure users may reach internet
and needed files
2. Two patch panels
a. allows for easier troubleshooting of ethernet connections
b. also helps network connections stay neat and organized
3. Two UPS Batteries
a. ensure proper surge and power outage protection
Datacenter:
1. One router
a. provides subnet for RAID Racks
2. One switch
3. One patch panel
a. allows for easier troubleshooting of ethernet connections
b. also helps network connections stay neat and organized
4. One router
a. provides subnetting for the wireless access points and mobile
devices
5. Two RAID racks
a. provide backup for server room RAID racks
6. Tape Drive
a. to create backups of RAID Racks for secure storage and send to
offsite storage
7. One wireless access point
a. to allow access for mobile devices and laptops
Secure Storage (holds backup hardware):
1. Four wireless access points
2. Five VOIP phones
3. Five business phones
4. Five desktop computers
5. One modem
6. Two routers
7. One patch panel
8. One Dual WAN router
9. Two servers
10. Three switches

IV. NETWORK POLICIES
As a responsible member of the global community, our medical facility has established in-depth standard operating procedures. For Internet access, all users are required to use the login information given to them by the IT department. While Internet usage is not monitored at all times, any misconduct that is reported will be investigated. All users are responsible for the activities performed under their credentials.
Our facility offers printing services for work-related needs. All users have access to the
printers for ease-of-access. However, personal use should be kept to a minimum. Whenever
possible, conserve color ink. Use as few sheets as possible for lengthy reports. Suspected
abuse of printer privileges will be investigated.
All users are assigned a business email to allow for easy inter-office communication.
Business email accounts should be used for business purposes only. All emails are stored and
can be accessed by administration at any time.
As previously stated, users will be issued login information. General users will be unable
to change settings or clear histories. Contact the IT department with any questions regarding
privileges.
Since most of the organization uses the same files, we use a unified syntax for naming standards. The standard for patient documents is as follows:
date_staffmember_patientname_description (e.g. 112914_smith_roberts_toxicology).
The standard for staff-to-staff documents is as follows:
date_fromstaffmember_tostaffmember_description (e.g. 090914_smith_peters_inforequest).
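As an added illustration of the naming standard above (example code, not part of the group’s proposal), the following Python validator parses file names in both formats and rejects anything that deviates, so that a malformed name is caught before a document is stored. It assumes the six-digit date is MMDDYY, as in the two examples given, and that the name fields contain lowercase letters only; the function names are my own.

```python
import re
from datetime import date, datetime

# Added example (not from the proposal): validator for the document naming
# standard. Assumes the six-digit date is MMDDYY (as in 112914 = Nov 29, 2014)
# and that the name fields use lowercase letters and digits only.

NAME_RE = re.compile(
    r"^(?P<date>\d{6})_(?P<first>[a-z]+)_(?P<second>[a-z]+)_(?P<description>[a-z0-9]+)$"
)

# Which fields the two middle components hold, per document kind.
FIELD_NAMES = {
    "patient": ("staff", "patient"),        # date_staffmember_patientname_description
    "staff": ("from_staff", "to_staff"),    # date_fromstaffmember_tostaffmember_description
}


def parse_document_name(name: str, kind: str) -> dict:
    """Split a file name into its fields; raise ValueError if it violates the standard."""
    if kind not in FIELD_NAMES:
        raise ValueError(f"unknown document kind {kind!r}")
    match = NAME_RE.match(name)
    if match is None:
        raise ValueError(f"{name!r} does not follow date_x_y_description")
    try:
        when = datetime.strptime(match["date"], "%m%d%y").date()
    except ValueError as exc:  # e.g. 023014: February 30 does not exist
        raise ValueError(f"{name!r} has an invalid date: {exc}") from exc
    first, second = FIELD_NAMES[kind]
    return {
        "date": when,
        first: match["first"],
        second: match["second"],
        "description": match["description"],
    }


def build_document_name(when: date, first: str, second: str, description: str) -> str:
    """Compose a name that satisfies the standard (the inverse of parse_document_name)."""
    name = f"{when:%m%d%y}_{first.lower()}_{second.lower()}_{description.lower()}"
    if NAME_RE.match(name) is None:
        raise ValueError(f"fields produce a non-conforming name: {name!r}")
    return name


def is_valid_document_name(name: str, kind: str) -> bool:
    """Boolean convenience wrapper around parse_document_name."""
    try:
        parse_document_name(name, kind)
        return True
    except ValueError:
        return False
```

Because the date is parsed with strptime, an impossible date such as February 30 is rejected rather than accepted as a string that merely looks right.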
All workstations are configured by the IT department. All users will be able to perform all functions required by their position. Some things that are allowed for everyone are email, the Microsoft Office suite, and web browser use. Hardware settings are updated manually by the IT department. Our IT department works around the clock to make sure all of the workstations are configured properly and perform their functions without any issues.
Our facility strives to provide the best possible experience for our employees. To that end, network devices are strategically placed so there are no gaps in coverage. For the most part, every department has its own network inside the organization’s intranet.
One factor that is completely out of our control is the environment. The best thing we can
try to do is plan for the worst. Our facility has backup batteries on every single floor to ensure
that we never truly lose power. We also have offsite backups that are updated weekly to ensure
minimal loss of data.
There are no automatic updates at this site. The IT department handles all of the updating processes to ensure that all updates work as they should. The IT department checks for new operating system patches and updates daily. The rest of the systems’ updates are performed on a bi-weekly basis.

V. SECURITY POLICY
Security is vital to the operation of this company, because if any records were viewed by unauthorized parties it would be in direct violation of HIPAA standards and the company could be sued for millions of dollars. It is critical that there is a strict user account policy in which we employ the principle of least privilege: only those who must view the files to complete their work are allowed to view them. Password requirements for logging into accounts are as follows: a minimum of 8 characters, no dictionary words or names, passwords expire every 90 days, a new password cannot be identical to any of the last 10 passwords, passwords are not displayed when entered, and they are to be deleted once no longer in use. All remote access to the network MUST be through a VPN to ensure that the connection is secure, and remote access will also be limited to those who absolutely need it. The firewalls will be configured to block by default all incoming and outgoing traffic that is not expressly permitted in the firewall policies. They will immediately blacklist any IPs that show malicious activity, and will limit access to and from both China and Russia. We will encrypt all sensitive data such as medical records and billing information so that even if an attacker does manage to steal records they will not be able to read them.
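To show what the password rules above amount to when enforced, here is an added Python example (my own code, not the facility’s) that checks a proposed password for length, dictionary words or names, and reuse of the last 10 passwords, and tracks the 90-day expiry. The word list is a constructed stand-in for a real dictionary and the staff/patient name list; storing only salted PBKDF2 digests in the history is my design choice, so that the reuse check never keeps a recoverable copy of an old password.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Added example (not the facility's own code): enforcement of the password
# rules stated in the security policy. MIN_LENGTH, MAX_AGE_DAYS and
# HISTORY_DEPTH come from the policy; DICTIONARY is a constructed stand-in
# for a real word list plus staff and patient names.

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 10
DICTIONARY = {"password", "welcome", "hospital", "medical", "smith", "roberts"}
PBKDF2_ROUNDS = 100_000


def _as_date(value):
    """Accept either a date or an ISO string such as '2014-11-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def _digest(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 digests are retained, so the reuse history never
    # stores a recoverable copy of an old password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-account state: salted digests of past passwords (newest last) and the last change date."""

    def __init__(self):
        self.history = []
        self.changed_on = None

    def is_expired(self, today) -> bool:
        """Expired when never set, or when more than MAX_AGE_DAYS have passed since the last change."""
        if self.changed_on is None:
            return True
        return _as_date(today) - self.changed_on > timedelta(days=MAX_AGE_DAYS)

    def was_used_recently(self, candidate: str) -> bool:
        """True if candidate equals any of the last HISTORY_DEPTH passwords."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return True
        return False


def check_policy(candidate: str, record: PasswordRecord) -> list:
    """Return the policy violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Reject dictionary words/names even when padded with digits or symbols.
    hits = sorted(word for word in DICTIONARY if word in lowered)
    if hits:
        problems.append(f"contains dictionary word or name {hits[0]!r}")
    if record.was_used_recently(candidate):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(candidate: str, record: PasswordRecord, today) -> bool:
    """Apply the policy; on success store a fresh salted digest and reset the expiry clock."""
    if check_policy(candidate, record):
        return False
    salt = os.urandom(16)
    record.history.append((salt, _digest(candidate, salt)))
    record.changed_on = _as_date(today)
    return True
```

The expiry comparison is strict (more than 90 days), so a password set on 30 November 2014 is still valid on 28 February 2015 and expires on 1 March; adjust the comparison if the facility reads "every 90 days" as day 90 inclusive.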
We will keep detailed logs of all failed logins, any modification of security settings, flagged system events, modification of privileges, and modification of system-level objects. We will also log all personnel that enter and leave the building as well as the datacenter. The datacenter will be limited to only necessary personnel, who must register with the datacenter and get approval before they can enter the first time.
The IDS and IPS will be set inline so that all traffic passes through them to be scanned, and they will alert on events of interest. There will also be regular vulnerability assessments in which manual scans for vulnerabilities will be completed. We will also use this time to review for outdated or unused software and employee password quality, and occasionally have external auditors conduct penetration testing.
Our procedure for handling security violations is as follows: carefully monitor the regular violation reports to check for repeat offenders; if a violation is made against a specific set of resources, consult with the manager of those resources to determine the sensitivity of the information being accessed; and if the violation is found to be malicious, blacklist the associated IPs as soon as possible.
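The first step of that procedure, reviewing the failed-login log for repeat offenders, is shown below as an added Python example (not part of the proposal). The log line format, the threshold of five failures in a ten-minute window, and the sample lines are all constructed for this example; a real deployment would read the facility’s own log format and tune the threshold to its traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the proposal): reviewing the failed-login log for
# repeat offenders, the first step of the violation-handling procedure.
# The line format, threshold/window and sample lines are all constructed.

LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) src=(?P<ip>\S+)$")

# Constructed sample: one source trying several accounts within seconds,
# one user mistyping a password twice hours apart, and one unrelated event.
SAMPLE_LOG = """\
2014-11-29T08:00:01 FAILED_LOGIN user=smith src=10.1.2.3
2014-11-29T08:00:05 FAILED_LOGIN user=smith src=10.1.2.3
2014-11-29T08:00:09 FAILED_LOGIN user=admin src=10.1.2.3
2014-11-29T08:00:12 FAILED_LOGIN user=root src=10.1.2.3
2014-11-29T08:00:15 FAILED_LOGIN user=peters src=10.1.2.3
2014-11-29T09:15:00 FAILED_LOGIN user=roberts src=10.1.7.9
2014-11-29T09:15:30 PRIVILEGE_CHANGE user=roberts src=10.1.7.9
2014-11-29T17:30:00 FAILED_LOGIN user=roberts src=10.1.7.9
"""


def parse_failed_logins(text: str) -> list:
    """Return (timestamp, user, source_ip) for every failed-login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def find_repeat_offenders(events, threshold: int = 5, window=timedelta(minutes=10)) -> dict:
    """Map each source IP whose failures reach `threshold` inside some `window`
    to (peak failures in one window, sorted list of every user it targeted)."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    offenders = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):
            # Advance the window start until the span [start, end] fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = (best, sorted({user for _, user in attempts}))
    return offenders


def violation_report(text: str) -> list:
    """One line per offender, in the form a reviewer would hand to the resource manager."""
    report = []
    for ip, (count, users) in sorted(find_repeat_offenders(parse_failed_logins(text)).items()):
        report.append(f"{ip}: {count} failed logins in a 10-minute window against {', '.join(users)}")
    return report
```

The sliding window matters: the user who fails once in the morning and once in the evening is never flagged, while the source that works through several accounts in fifteen seconds is, which is the distinction the policy’s "repeat offender" review needs before anyone is blacklisted.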
VI. DISASTER RECOVERY POLICY
Because it is critical that the company have all records available immediately when needed, it was clear they needed a secure disaster recovery plan. For backup procedures we have a backup server deployed along with a virtual tape library. Backups of the servers will occur every day after business hours, and full backups of the network will occur once a week, followed by differential and/or incremental backups that record only the changes since the last backup. The daily backups will be kept for 5 days, weekly backups for 5 weeks, monthly backups for 12 months, and special backups are to be kept for longer periods of time. This would include backups taken directly after system upgrades and other major changes. The tapes will be stored off site to avoid loss of data in the event of a physical disaster.
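To make the retention schedule above concrete, the following added Python example (my own, not the proposal’s) classifies each day’s backup and decides which tapes may be recycled on a given date under the 5-day, 5-week, 12-month and indefinite rules. Two details the text leaves open are assumptions here: the weekly full backup runs on Sunday, and the first Sunday full of each month doubles as the monthly copy.

```python
from datetime import date, timedelta

# Added example (not from the proposal): a model of the stated retention rules.
# Daily backups are kept 5 days, weekly fulls 5 weeks, monthly copies 12
# months, special post-upgrade backups indefinitely. Assumed for the example:
# the weekly full runs on Sunday and the first Sunday full of a month is the
# monthly copy.

DAILY_DAYS = 5
WEEKLY_WEEKS = 5
MONTHLY_MONTHS = 12
WEEKLY_FULL_WEEKDAY = 6  # Monday=0 ... Sunday=6 (assumption)


def _as_date(value):
    """Accept either a date or an ISO string such as '2014-11-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def classify(day) -> str:
    """Which backup the schedule produces on a given day: 'daily', 'weekly' or 'monthly'."""
    day = _as_date(day)
    if day.weekday() != WEEKLY_FULL_WEEKDAY:
        return "daily"  # differential/incremental since the last backup
    return "monthly" if day.day <= 7 else "weekly"  # first Sunday of the month


def _month_index(d: date) -> int:
    return d.year * 12 + d.month


def is_expired(kind: str, taken, today) -> bool:
    """True when the policy allows the backup to be recycled on `today`."""
    taken, today = _as_date(taken), _as_date(today)
    if kind == "special":
        return False  # kept for a longer, unspecified period
    if kind == "daily":
        return today - taken > timedelta(days=DAILY_DAYS)
    if kind == "weekly":
        return today - taken > timedelta(weeks=WEEKLY_WEEKS)
    if kind == "monthly":
        # Keep the last MONTHLY_MONTHS calendar months, counting the current month.
        return _month_index(taken) <= _month_index(today) - MONTHLY_MONTHS
    raise ValueError(f"unknown backup kind {kind!r}")


def prune(backups, today):
    """Split (kind, date) pairs into those to keep and those eligible for reuse."""
    keep, recycle = [], []
    for kind, taken in backups:
        (recycle if is_expired(kind, taken, today) else keep).append((kind, _as_date(taken)))
    return keep, recycle
```

Monthly copies are aged by calendar month rather than by 365 days so that a tape taken on the 1st and one taken on the 30th of the same month expire together.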
As for virus management, we have a few policies in place to ensure that employees are always able to retrieve records with no delays and that no attackers can access the medical and billing records via a virus. Employees are never to open an attachment when they are unsure of the source or of the business-related reason for the file being sent. They are always to scan for viruses before downloading any files; the same policy applies to installing software. No software is to be downloaded until it has been verified to be free of malware. Special attention should be paid to any shareware or freeware employees may download. Do not download anything from unknown sources without approval from IT staff, and employees must allow virus definition updates to be pushed to their computers every day. If you are concerned there may be malware on your machine, quarantine the file if possible and alert the IT staff immediately.
In the event of the building losing power we have a couple of fallback plans in place. We have UPSs attached to all the vital components to help buffer against power surges, and we have battery backup power configured to give employees an extra 15 minutes of warning to either save their work or, ideally, have regular power restored without losing any data.
As for disk fault tolerance, we are employing RAID to ensure that there is redundancy. This will increase availability and help make sure that employees are always able to access the network. We will have the UPS system attached to the RAID racks to ensure they are not damaged in the event of a power surge.
VIII: BUDGET
This should be a spreadsheet outlining costs relating to your proposal.
If the company already has an asset, note this in your budget. Include a written
description that details and justifies each cost.

Hardware/Software | Brand | Quantity | Total Price
Cat5e Cables | StarTech.com 1000 ft roll of blue plenum CMP Cat5e solid UTP bulk cable (WIR5ECMPBL) | 6 rolls (1 extra 1000 ft roll) | $1,271.94 (buying in bulk is the best way to save money and acquire the appropriate cable length)
Fiber Optic Multimode Cables | SM 12-Channel 900u Tight Buffer Tactical Fiber Optic Cable | 385 feet | $673.75
Modems | Motorola SURFboard DOCSIS 3.0 High-Speed Cable Modem | 3 modems | $263.97
Routers | NETGEAR Nighthawk Dual-Band Wireless-AC Router with 4-Port Ethernet Switch, and Cisco Small Business RV320-K9-NA Dual Gigabit WAN VPN Router | 7 routers and 2 Dual WAN routers | $1,743.93
Switches | Edge-Core ECS4610-50T L3 managed 48-port Gigabit Ethernet stackable switch with 4 combo SFP ports | 12 | $28,164
Computers | Dell XPS 8700 Desktop Computer, Intel i7-4790 Quad-Core 3.6 GHz, 8 GB | 25 | $19,749.75
Patch Panels | TRENDnet TC-P08C5E 8-Port Cat. 5e Unshielded Patch Panel | 9 | $161.91
RAID Racks | Sans Digital 8-Bay eSATA RAID 0/1/10/5/JBOD Tower Storage Enclosure w/ 6G PCIe Card TR8M+ (Silver) | 4 | $1,199.96
UPS | CyberPower CP1000AVRLCD Intelligent LCD Series UPS | 7 | $699.93
Servers | Lenovo ThinkServer TS140 Tower Server, Intel Xeon E3-1225 v3 3.2 GHz, 4 GB, 70A4001LUX | 2 | $679.98
VoIP Phones | Cisco 7970G IP Phone, CP-7970G | 7 | $866.25
Business Phones | RCA 25201RE1 2-Line Corded Speakerphone | 34 | $1,359.66
Wireless Access Points | Cisco AIR-LAP1242AG-A-K9 Aironet 1242AG Wireless Access Point 802.11a/b/g | 15 | $1,650.67
Totals of Equipment - Look at the Written Description for quantities of the hardware
10 LTO6 tapes (cost around 650 dollars)
1. LTO6 tape has a storage capacity of 2.5 TB uncompressed and up to 6.25 TB (2.5:1 compression). LTO Ultrium 6 hardware incorporates the Advanced Encryption Standard (AES) and Linear Tape File System (LTFS) dual partitioning functionality.
??? Hard Drives (Not sure how many gigs we need, but I know it is a lot; plus we need backup drives)
Make sure to do cabling prices based on the quantities and lengths in the tables of Appendix A.

APPENDIX A: PHYSICAL NETWORK DIAGRAM

[Diagram not reproduced in this extract. Legend: Floor 1 Hardware, Floor 2 Hardware, Datacenter Hardware, WAN Links, Cabling between buildings, Cabling inside of Main Building.]

Floor 1
Floor 1 cable lengths, types, and quantities
Cable Locations | Cable Type | Cable Length | Cable Quantity
Server Room to IT Drop 1 | Category 5e | 35’ | 3
Server Room to IT Drop 2 | Category 5e | 40’ | 3
Server Room to Hallway WAP | Category 5e | 50’ | 1
Server Room to Patient Room Drop | Category 5e | 40’ | 1
Server Room to Patient Room Drop | Category 5e | 55’ | 1
Server Room to Patient Room Drop | Category 5e | 60’ | 1
Server Room to Patient Room Drop | Category 5e | 60’ | 1
Server Room to Cafeteria Drop | Category 5e | 75’ | 1
Server Room to Cafeteria WAP | Category 5e | 85’ | 1
Server Room to Receptionist | Category 5e | 70’ | 1
Server Room to HR & Billing Drop 1 | Category 5e | 70’ | 3
Server Room to HR & Billing Drop 2 | Category 5e | 75’ | 3
Telecomm. to Nurse’s Station | Category 5e | 65’ | 2
Telecomm. to Director’s Office | Category 5e | 65’ | 3
Telecomm. to Nurse’s Station WAP | Category 5e | 55’ | 1
Telecomm. to Receptionist WAP | Category 5e | 75’ | 1
Telecomm. to Telecomm. WAP | Category 5e | 35’ | 1
Telecomm. to Patient Room Drop | Category 5e | 55’ | 1
Telecomm. to Patient Room Drop | Category 5e | 60’ | 1
Telecomm. to Patient Room Drop | Category 5e | 55’ | 1
Telecomm. to Patient Room Drop | Category 5e | 75’ | 1
Server Room to Telecomm. Fiber 1 | Fiber Optic Multimode | 155’ | 1
Server Room to Telecomm. Fiber 2 | Fiber Optic Multimode | 155’ | 1
Cables for Server and Telecomm. Room | Category 5e | 5’ / 10’ | 96
Spare cables for rooms | Category 5e | 10’ | 33

Floor 2

Floor 2 cable lengths, types, and quantities
Cable Locations | Cable Type | Cable Length | Cable Quantity
Telecomm. 1 to Medical Records Drop | Category 5e | 35’ | 1
Telecomm. 1 to Doctor Drop | Category 5e | 40’ | 1
Telecomm. 1 to Doctor Drop | Category 5e | 50’ | 1
Telecomm. 1 to Doctor Drop | Category 5e | 75’ | 1
Telecomm. 1 to Hallway WAP | Category 5e | 45’ | 1
Telecomm. 1 to Accounting | Category 5e | 75’ | 1
Telecomm. 1 to Patient Room Drop | Category 5e | 75’ | 1
Telecomm. 1 to Counseling Drop | Category 5e | 95’ | 1
Telecomm. 1 to Counseling WAP | Category 5e | 85’ | 1
Telecomm. 1 to Office Manager Drop | Category 5e | 55’ | 1
Telecomm. 2 to Telecomm. WAP | Category 5e | 25’ | 1
Telecomm. 2 to Patient Room | Category 5e | 50’ | 1
Telecomm. 2 to Patient Room | Category 5e | 35’ | 1
Telecomm. 2 to Patient Room | Category 5e | 50’ | 1
Telecomm. 2 to Patient Room | Category 5e | 65’ | 1
Telecomm. 2 to Nurses’ WAP | Category 5e | 55’ | 1
Telecomm. 2 to Nurses’ Drop | Category 5e | 75’ | 2
Telecomm. 2 to Chief Medical Drop | Category 5e | 75’ | 1
Telecomm. 2 to Public Outreach Drop 1 | Category 5e | 85’ | 1
Telecomm. 2 to Public Outreach Drop 2 | Category 5e | 100’ | 1
Telecomm. 2 to Office Manager WAP | Category 5e | 95’ | 1
Telecomm. to Telecomm. 1 Fiber | Fiber Optic Multimode | 25’ | 1
Telecomm. to Telecomm. 2 Fiber 1 | Fiber Optic Multimode | 25’ | 1
Telecomm. to Telecomm. 2 Fiber 2 | Fiber Optic Multimode | 25’ | 1
Cables for Telecomm. rooms | Category 5e | 5’ | 54
Spare Cables for rooms | Category 5e | 10’ | 23

Cabling inside of Data Center
Cable Locations | Cable Type | Cable Length | Cable Quantity
Telecomm. to RAID Rack 1 | Category 5e | 40’ | 1
Telecomm. to RAID Rack 2 | Category 5e | 40’ | 1
Telecomm. to Ethernet Drop 1 | Category 5e | 80’ | 1
Telecomm. to Ethernet Drop 2 | Category 5e | 85’ | 1
Telecomm. to WAP | Category 5e | 50’ | 1
Spare cables | Category 5e | 5’ | 5
Cables for Telecomm. Room | Category 5e | 5’ / 7.5’ | 20

APPENDIX B: LOGICAL NETWORK DIAGRAM

Contributions
Cover Page: Montana Carroll
Executive Summary: Zachary Bichard
Written Description: Zachary Bichard, Amanda Lee, Montana Carroll
Network Policies: Chris Stone
Security Policies: Amanda Lee
Disaster Recovery Policies: Amanda Lee
Budget: Billy Richards
Appendix A: Montana Carroll with assistance from Amanda Lee and Zachary Bichard
Appendix B: Montana Carroll with assistance from Amanda Lee and Zachary Bichard for IP addressing

Building location
We can make up wherever we want the building to be. The main thing needed is that wherever we decide needs to have existing fiber so that we can lease or buy it.
HIPAA standards
He did not mention that the patients needed access to the internet, so we will not give them any. This way we do not have to worry about having a secure network and a public (for public use) one.
Those three will make up the 180 mobile users:
??? Laptops
??? Tablets
??? Smartphones
I put some pictures of laptops on the diagram because he said he wanted to see them, but there is no way we can put all of the staff’s laptops, tablets, and other devices.
Just to clarify, there are about 45 IP addresses that are public non-mobile. Those will be the computers, VoIP phones, network printers, and wireless access points. The wireless access points will be set in the router to have fixed IP addresses so that administration/maintenance will be easier.
The network printers are located at the nurse’s station on the 2nd floor, IT, HR & Billing, and Public Outreach.
Also, the dual WAN router will need an IP address.
Storage
The network area storage will be configured in a RAID 10 because it is the best RAID array for mission critical operations. It is the most expensive, but it will save lives if something were to happen like disk failures. It can easily handle the load until the new hard drives are hot swapped out. We will have a normal set up in the server room and the RAID 10 in the data center. Please correct me if this won’t work. I know some about this but not a lot.
Router
We will have two different ISP companies in order to have redundancy for our connection. So that means two modems that hook into the dual WAN router. Dual WAN allows you to connect to different ISPs. After that, the hardware firewall should be placed for security measures.
Communication Rooms
Each communication room has either one 48-port patch panel and switch or two 24-port patch panels and switches. They are on UPS to protect against power surges or drops. The switches on the opposite side of the building from the server room will be connected with a multimode fiber optic cable. From the switch to the patch panels and to the computers/printers/VoIP phones we will use ethernet cables, either Cat 6 or Cat 5e.
Nurse Station Rolling Computer
There is a computer near each nursing station that will be on a cart and can be rolled into the rooms of the patients. It will be connected to the wall with the ethernet jacks provided in the rooms (so that they can retrieve and send data faster).
Phones
Due to IP address limitations, not all rooms could have VoIP, so I decided to do a PBX/VoIP hybrid, which is actually pretty common in businesses since upgrading to VoIP can be difficult. Plus, not all rooms need VoIP, like the patients’ rooms.
Cabling
Like I mentioned, we can use either Cat 5e or Cat 6, whichever you want. From the comm room to the server room will be multimode fiber for faster transfer of patient records. From the data center to the main building we will use dark fiber from the city or a company that has fiber. It will be single mode fiber optic cable since it is a further distance. We will use a VLAN to transfer the data.
