Background 

The Hillingdon Hospitals NHS Foundation Trust was established on 1st April 2011. The Trust provides health services at two hospitals in North West London and provides clinical services to over half a million patients a year, including over 97,000 Emergency Department attendances, it employs over 3,500 staff making it one of Hillingdon’s largest employers. 

Hillingdon Hospital is the only acute hospital in the London Borough of Hillingdon and offers a wide range of services including accident and emergency, inpatient care, day surgery, outpatient clinics and maternity services. 

The Requirement 

Following a successful deployment of mobility first wireless and network access control technology from Aruba Networks in 2014, the Trust asked EE in June 2018 to provide a feasibility study, exploring the options for delivering free patient Wifi across the hospital. This formed part of a wider NHS WiFi programme with the aim of giving health and care professionals access to services, tools and technologies to deliver improved care to patients. In order to access funding provided as part of the NHS Digital Patient Wi-Fi initiative, any solution put forward had to comply with a number of requirements –   

  • Physical and Logical separation from clinical and corporate traffic 
  • Resilient and unrestricted service, supporting streaming of media, voice and video applications 
  • Block access to illegal or inappropriate content, such as content listed by the Internet Watch Foundation 
  • Use of standardised NHS WiFi landing pages to make the user experience consistent across NHS providers 

After gaining a thorough understanding of how any proposed solution would need to be architected to comply with NHS Digital guidelines, European Electronique identified two suitable options –  

  1. Implementation of a compliant Managed Service offering to provide free and paid for services to patients  
  2. Utilisation and extension of existing investments in technologies from Aruba Networks and Palo Alto Networks to take the management of the solution in-house 

Fully costed proposals for both options were considered from a functionality perspective, along with consideration of both capital expenditure and on-going operating cost of each solution. 

While a managed service offered ‘out-of-the-box’ compliance and lower capital cost for implementation, the nature of the funding from NHS Digital meant that on-going subscription costs for the service would need to be funded by internal budgets in subsequent years. 

Although taking management of the solution in-house presented an increased capital expenditure in year one it did allow for existing investments to be future-proofed and reduced the operating expenditure in subsequent years. 

The Solution 

After detailed analysis of possible options by the Trust, the preferred solution was to extend and update the Trusts investment in technology from Aruba Networks and Palo Alto Networks to deliver compliant NHS Patient Wi-Fi.  

First, the existing infrastructure was upgraded to Aruba’s latest operating system (AOS8) enabling the Trust to take advantage of the new features which would provide better levels of availability, security and management.  Most crucially this would allow simple and effective segmentation of clinical and patient traffic through Aruba’s MultiZone technology.  With MultiZone enabled, one AP can terminate 2 different SSIDS on 2 different controllers. The data is encrypted from the client to the controller via per SSID GRE tunnelling, with Aruba ClearPass providing individual role-based access and policy enforcement rules tailored to the security requirements of that zone.  

To ensure patients could easily access the new service, the standardised NHS Digital Landing page was deployed utilising portal functionality built into the Trusts existing Aruba ClearPass (network Access Control) platform. A number of delivery methods for user credentials are supported, including email, SMS and authentication using social media credentials.  

Filtering of Patient traffic was achieved through deployment of a pair of Palo Alto PAN-850 Firewalls at both Hillingdon and Mount Vernon Hospitals, provisioned with dedicated internet links to ensure physical separation from clinical and corporate networks.  In the event of a failure of the internet link at either site, traffic would be routed across an inter-site link to ensure the solution featured high availability at every level. 

Benefits 

A number of benefits were realised by the Trust  

  • Existing infrastructure was upgraded as part of the project, enabling it to support the next generation of 802.11ax access points and providing at least another 5-7 years life in core system hardware.  
  • AOS8 provided significant enhancements in system availability, with hitless failover and upgrades supporting “always on” connectivity for clinical applications and patient access 
  • Simple and secure separation of clinical and patient traffic across the existing Wi-Fi infrastructure with Aruba MultiZone 
  • Deployment of standardised NHS Patient Wi-Fi landing page via Aruba ClearPass 
  • Lower OPEX costs through in-house management of the solution 

With free patient WiFi in place since December 2018, uptake on the service has been significant and well received.  Furthermore, this investment has futureproofed wireless provision across the Trust, maximising existing investments and creating a platform that can be built up on for the future.