Balancing Network Security and Uninterrupted Service at Saudi Arabia’s King Fahad Specialist Hospital in Dammam


Healthcare IT does not exist in a vacuum. Your hospital’s network infrastructure does not belong in a silo that is solely the domain of your technology team. From your most senior executives to your youngest patients, everyone has a stake in your IT environment. It is always staggering to consider the number of people, devices, systems, and applications that use the hospital network infrastructure every day.

Deploying, operating, and securing hospital-wide IT infrastructure requires a 360-degree approach. Your top priority is serving your patients with a network that keeps their personal information private and that is also robust enough to operate without interruption should an issue arise. All of this ensures that life-saving devices and systems remain online.

These are basic priorities when you are in the business of treating, healing, and comforting people, but you also need to look a little further. Your IT activities not only support patients, but also the healthcare practitioners and administrators who serve them. You have to understand the many ways these different stakeholders connect to your network using wired or wireless networks from different types of devices. You must then build up deployment and security strategies that reflect their real-world usage, instead of fighting to change their habits.

Another critical piece of the puzzle is complying with healthcare and privacy regulations. It isn’t always easy to balance these with the way users connect to your network, but your IT team must find a way.

Finally, you have to think of your reputation. You can offer the best healthcare in the country, but a serious data breach or network interruption can shake public confidence in your institution, and rebuilding trust may require a sustained public relations campaign that will divert funds from treating patients.

Excellence in Healthcare, Education, and Research

King Fahad Specialist Hospital in Dammam (KFSH-D) is the premier teaching hospital in Saudi Arabia’s Eastern Region. We combine compassionate quality healthcare with education and research. KFSH-D specializes in oncology, organ transplantation, neuroscience, cardiac services, and genetics. Our many other services include hematology, nuclear medicine, radiation therapy, and orthopaedic surgery.

We strive to be on the cutting edge of medicine here and internationally. KFSH-D is the only Ministry of Health hospital in the country to perform stem cell transplants in adults and children. We are also the first specialist hospital in the Kingdom to earn Joint Commission International Accreditation. On top of this, our Laboratory and Hematology Department was certified by the College of American Pathologists.

Securing a Challenging IT Environment

Our quest for excellence extends to our network infrastructure, but securing it is a bit of a challenge. Look around the hospital, and you’ll see technology everywhere. For example, bedside monitors beam real-time patient health and telemetry data to our nursing stations. Spectrometers upload blood test results to our EMR system to be consulted at a later date. Clinicians can view diagnostic images from X-ray machines, CAT scanners, and MRIs on their computers and tablets. And, of course, patients and staff use personal and hospital-owned mobile devices to connect wirelessly to our network. But the issue from an IT perspective is that these medical systems are not pure IT systems. 

Our biggest challenge was securing all of our network endpoints. Security threats come in all shapes and sizes, and from the most unexpected places. A hacker might have compromised a vendor’s software with spyware, and we may have installed it before it was patched. Trouble, as they say, is everywhere.

Security Is Not Secondary

Securing the information is not an option…

We wanted to create a secure environment for our staff and our patients. We already had a good working relationship with a leader in the IT space: Cisco. The company was already supplying our network infrastructure, and so we asked whether they had a solution that could meet our needs.

At the time we were considering Cisco’s Secure Access Control System, but the company had just launched a new product called Identity Services Engine (ISE). I looked at the specifications, and I realized that ISE is exactly what we were looking for, but there was one big stumbling block. We could not take our network offline, not even for a minute.

This is where Cisco proved to be an invaluable partner. Their engineers worked with us to implement ISE without any service interruptions. They provided the expertise that allowed us to get the go-ahead from KFSH-D’s management team. You have to understand one thing about the way healthcare services management operates: There can be no delays. Security is not secondary, but it cannot compromise continuous service delivery.

Network Visibility and Malware Protection

Once we had obtained approval, we went ahead and deployed ISE. This was back in 2016. The change was remarkable. The first major difference was full network visibility. We could see every service and every device that accessed our infrastructure. We were stunned by the number of devices and services that were connecting without the proper credentials. Now, we have full control over and visibility into any device that connects to our network, and no one can connect to the network without permission.

The second big change was advanced malware protection for all the computers on our system. In the past, we had to go through the systems team to install antivirus software and service packs with network security postures on individual machines. Now, everything is centralized through ISE. On top of that, if someone installs unauthorized software, spyware or any malicious application, we can also monitor switches and other network components that have been compromised by such an incursion.

As a real-life example, we were, remarkably, able to contain an internal malware attack and eliminate its effects totally. We isolated the affected system, removed the threat, and wrote up a security report in less than an hour. Our colleagues on the hospital’s medical team were astounded at the speed of our intervention, and by the fact that there had been no perceptible service interruption.

The Numbers Add Up

The results have been nothing short of miraculous. Our environment is more secure, and we spend 60% less time on network administration. ISE automates a great deal of the network management process. It allows us to instantly create guest portals that allow patients and visitors to connect safely to the internet. ISE also automates the configuration of switches, and the addition of network nodes, thus eliminating human errors.

ISE’s live authentication function lets us authorize or block traffic on the fly. For example, there are times when a system or an application needs to send massive amounts of data over the network. ISE enables us to monitor such atypical traffic, and to then determine whether it is legitimate or malicious. We can also authorize the connection of diagnostic equipment that isn’t normally allowed on the network if one of our technicians is performing a specialized test.

Stability, Leadership, and Service

This level of stability is unheard of in Saudi Arabia. We are proud that we at King Fahad Specialist Hospital Dammam have not experienced any service interruptions due to cyberattacks. This comes down to the dedication of our team, and to the superlative support we continue to receive from Cisco.

This is also a testament to our leadership here at KFSH-D. We’ve had several CEOs in the last three years, and we have been asked to sell our vision for ISE three times. You could say we were lucky to weather these administrative upheavals, but our results speak for themselves. We have had no downtime, and we have not succumbed to any malware or ransomware attacks. It takes a leader to recognize these results rather than to change direction for the sake of change.

In the end, we adopted ISE to provide the best possible healthcare. King Fahad Specialist Hospital in Dammam is on the frontlines of medical innovation in Saudi Arabia. We have had no major incidents since we deployed ISE three years ago. Although we have faced many cybersecurity challenges, praise be to God, we have never lost our network security entirely.