As it sets up a network access control infrastructure to run herd on the wide range of transient workers who have legitimate needs to access its network, Mercy Medical Center in Baltimore has bumped into business challenges that are proving more difficult than the technical ones.
Those who need to gain network access include residents, interns, rotating medical staff, nurses and doctors from other hospitals with credentials to practice at Mercy, says Mark Rein, director of IT.
They use devices ranging from notebooks to PDAs and mobile phones. “At any given time I have people on my network and I have no idea who they are and who is maintaining their equipment,” he says.
Soon after he started working at the hospital nine months ago he set about looking for NAC gear that could check whether machines signing onto the network meet security standards and would authorize them to access only those resources they need to reach.
“We had one person dedicated for three months just testing NAC products,” he says, declining to say which ones. “We’ve been under non-disclosure with several companies the last nine months.”
But he finally settled on ConSentry’s LANShield to scan machines for compliance, then restrict them to the resources they are cleared to reach. The device can also divert machines to sites where they can get updates that help them pass the scans after they have failed.
But before he could get the device to work, he had to determine which workers had legitimate needs to access which resources. Some workers need to access the hospital information system, which holds broad patient information including insurance details; others may just need access to medical records, he says.
“First you need to understand your user base, where they need to go, where they don’t need to go and segregating their traffic appropriately,” Rein says.
“You have to identify what you’re trying to protect, identify different segments you might need to set up,” Rein says. That translates into policies set up for the ConSentry gear to enforce. “The policy gets to what you need to know and what you don’t need to see,” he says.
Rein says he was attracted to ConSentry because it requires no installation of clients on all the legitimate machines that need to be scanned and no creation of extensive virtual LANs (VLANs) to segregate users from resources, as other schemes require. “It decomplicates a lot of what Cisco and everybody else tried to complicate by creating thousands of different VLANs or hundreds of VLANs to segregate your traffic,” he says.
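The admission flow the article describes (scan the device, divert a failing one to remediation, otherwise permit only the resources that user's role needs, and admit nobody whose role is unknown) can be sketched as a small policy engine. The code below is an added illustration, not ConSentry's policy language nor anything from Mercy's deployment; the role names, resource names, posture thresholds and sample devices are all constructed for the example.

```python
"""Hypothetical NAC admission decision: posture check, then role-based restriction.

Added example, not code from the article or from ConSentry. Role names,
resource names, thresholds and sample devices are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """Result of scanning an endpoint (values are constructed for the example)."""
    av_signature_age_days: int
    missing_critical_patches: int
    firewall_enabled: bool


@dataclass(frozen=True)
class Device:
    mac: str
    user: str
    role: str
    posture: Posture


# The "where they need to go" map: each role gets only the resources it needs.
# Resource names stand in for subnets or applications; all are hypothetical.
ROLE_RESOURCES = {
    "resident":           {"emr", "lab_results", "internet"},
    "nurse":              {"emr", "pharmacy", "internet"},
    "visiting_physician": {"emr", "internet"},
    "billing":            {"his", "insurance", "internet"},
}

# Where a machine that fails the scan is diverted so it can pick up updates.
REMEDIATION_RESOURCES = frozenset({"patch_server", "av_update_server"})

MAX_AV_SIGNATURE_AGE_DAYS = 7  # assumed threshold for the example


def posture_failures(p: Posture) -> list:
    """Return a human-readable reason for every posture check that fails."""
    failures = []
    if p.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures {p.av_signature_age_days} days old")
    if p.missing_critical_patches > 0:
        failures.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def admission_decision(dev: Device) -> dict:
    """Decide what the enforcement point should allow for this device.

    Order matters: an unknown role is denied outright (no scan result can
    rescue a user the policy does not know), a failing scan is quarantined
    to remediation only, and a clean scan gets exactly the role's resources.
    """
    if dev.role not in ROLE_RESOURCES:
        return {"action": "deny", "allowed": frozenset(),
                "reasons": [f"unknown role {dev.role!r} for user {dev.user}"]}
    failures = posture_failures(dev.posture)
    if failures:
        return {"action": "remediate", "allowed": REMEDIATION_RESOURCES,
                "reasons": failures}
    return {"action": "permit", "allowed": frozenset(ROLE_RESOURCES[dev.role]),
            "reasons": []}


def is_allowed(decision: dict, resource: str) -> bool:
    """Per-flow check the enforcement point would apply to each destination."""
    return resource in decision["allowed"]


# Constructed sample devices: a clean resident laptop, a nurse's PDA with stale
# antivirus and missing patches, and a machine whose user has no known role.
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "r.smith", "resident", Posture(2, 0, True)),
    Device("00:11:22:33:44:02", "j.doe", "nurse", Posture(30, 3, True)),
    Device("00:11:22:33:44:03", "vendor1", "contractor", Posture(1, 0, True)),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        dec = admission_decision(d)
        print(f"{d.mac} {d.user:8} {dec['action']:9} allowed={sorted(dec['allowed'])}"
              f" reasons={dec['reasons']}")
```

The point of the ordering is that the resource map, not a VLAN layout, carries the policy: the same enforcement point applies a different allowed set per user, and a device that fails the scan can reach nothing except the update servers it needs to pass on the next attempt.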