Part of Architecture pattern for connected medical devices - Imaging Pillar
Sample network segmentation pattern
Sample VLAN configuration for Imaging Pillar
Below are recommended virtual local area network (VLAN) configurations for you to adopt when segmenting imaging modalities on your clinical network:
Imaging modalities VLAN – These VLANs are logical groupings of imaging diagnostic devices connected to your organisation’s clinical network, independent of their Digital Imaging and Communications in Medicine (DICOM) modalities category. For example X-ray, magnetic resonance imaging (MRI), computed tomography (CT), positron emission tomography (PET) and ultrasound scanners. The logical grouping of modalities hosted in these VLANs should comprise a mix of modalities and should not host a specific type of imaging diagnostic devices.
Picture archiving and communication system (PACS) VLAN – You should create dedicated VLANs to host only the PACS assets connected to the network to improve your security posture, ensuring that only authorised traffic is permitted to/from this VLAN.
For improved security, you should adopt a different name for this VLAN other than 'PACS VLAN'.
Radiology information system (RIS) VLAN – RIS system components should be hosted in this VLAN.
Vendor Neutral Archives (VNA) VLAN – These VLANs should host VNA components segmented from the network with adequate access control policies implemented to ensure only authorised traffic (mainly from PACS) is permitted to access the assets in this VLAN.
Viewer VLAN – These VLANs should host the various systems used to access images stored in PACS (such as DICOM viewer or PACS workstation).
The above VLAN segments are recommendations only and are by no means an exhaustive list. You can configure VLANs based on your understanding of the network.
Sample VLAN configuration for imaging modalities using port assignment
Below is an example of VLAN configuration of imaging diagnostic connected medical devices on a clinical network for a medium to large sized health and care organisation.
| VLAN name | VLAN no. | VLAN subnet assignment | Switch assignment | Switch port/no. |
|---|---|---|---|---|
| Imaging modalities 1 | 10 | 172.16.2.0/28 |
Switch 4 Switch 3 |
Fa0/19 Fa0/14 |
| Imaging modalities 2 | 20 | 172.16.3.0/28 |
Switch 2 Switch 1 |
Fa0/9 Fa0/4 |
| Clinical application | 30 | 172.16.4.0/28 |
Switch 4 Switch 3 |
Fa0/17 Fa0/13 |
| RIS | 40 | 172.16.5.0/28 | Switch 2 | Fa0/9 |
| PACS | 50 | 172.16.6.0/28 | Switch 2 | Fa0/8 |
| VNA | 60 | 172.16.7.0/28 | Switch 4 | Fa0/3 |
| Image viewer 1 | 70 | 172.16.8.0/28 |
Switch 4 Switch 3 |
Fa0/18 Fa0/12 |
| Image viewer 2 | 80 | 172.16.9.0/28 |
Switch 2 Switch 1 |
Fa0/7 Fa0/2 |
| Imaging modalities 3 | 90 | 172.16.10.0/28 |
Switch 4 Switch 3 |
Fa0/16 Fa0/11 |
| Imaging modalities 4 | 100 | 172.16.11.0/28 |
Switch 2 Switch 1 |
Fa0/16 Fa0/11 |
Table 7: Sample VLAN configuration for imaging connected medical devices
The above segmentation options are focused on connected medical devices but hospitals also have operational technology assets, such as industrial automation and control system (IACS), deployed. You should refer to standards such as ISO/IEC 2443 standard for recommended network segmentation and security best practices for guidance.
Last edited: 13 October 2023 3:17 pm