Part of Architecture pattern for connected medical devices - Imaging Pillar

Imaging specific design principles

Ensure proper business continuity planning is considered when determining the logical grouping of connected medical devices (CMDs), as part of the overall network segmentation strategy, with participation of a clinical safety officer.
The logical group of assets should be based on a mix of CMDs to prevent the unavailability of a CMD type in event of a compromise due to a cyber-attack.
You should deploy your picture archiving and communication systems (PACS) and Vendor Neutral Archives (VNAs) dedicated virtual local area networks (VLANs), separate from the modalities VLANs.
Traffic originating from the modalities VLAN to the PACS VLAN must be restricted to source and destination IP addresses, service and port numbers, as required for daily functionality.
VLANs must be associated with unique IP subnets on the network, to ensure effective segmentation.
For inter-VLAN routing, access controls lists must be configured on the connecting router to ensure only authorised traffic is forwarded between the applicable VLANs. This enables the routing process in a multi-VLAN environment.
Supplier remote access servers must be deployed in a dedicated VLAN on the network complemented with security policies to enforce traffic.
Where VLAN trunk links are configured to traffic frames between switches on the network, ensure authorisation to share such information is obtained especially for VLANs that host Container Network Interface (CNI).
Network layer access control lists should be configured to prevent wireless VLAN traffic from reaching other destinations inside the clinical network.
802.1Q tagging should be used to map wireless traffic to VLANs where applicable, based on defined criteria.
Network experts should take into account the limitation of a maximum 254 IP addresses available per subnet when designing VLAN segmentation.

Last edited: 13 October 2023 3:19 pm

Imaging specific design principles

Chapters