SSLVPN secures critical information

Communications News, April, 2004

The Catholic Health System (CHS) in western New York has four acute care hospitals in Buffalo. N.Y., in its health system, and a network serving 8,000 total employees and 1,200 physicians. T-1 lines connect the remote hospitals, and information is secured and shared through an application called Siemens NetAccess residing on a Siemens mainframe server host located in Melvern, Pa.

Because of the different systems used by the hospitals, however, sharing the patient data between all four geographically separate sites was difficult. This caused problems because doctors need 24-hour secure access to key information, such as patient information, records and lab results.

Two of the hospitals run a patient information-and-billing system that is different from the others. For those two hospitals, patient and hospital information is stored centrally on the mainframe server in Melvern.

The problem with the CHS network was that different hospital locations use different IP addressing schemes. This means that the application designed to secure network access through the CHS intranet could not access the centrally stored information from the remote locations.

Because patient information needs to be kept confidential, yet also is required to be accessed by authorized personnel on a 24/7 basis, secure access from doctors' homes and remote offices required the use of remote-access VPNs. In addition to the connectivity challenges with various home networks and Internet service providers, the remote-access VPN client device software download and installation process posed problems, as well.

"We gave the remote-access VPN client software to the doctors, and they needed to install it on their home PCs themselves," says Chuck Simet, CHS network engineer. "Quite simply, the doctors didn't want to deal with the client software. Most were reluctant to load the software, and some who had home networks had support questions about configuration. Many of those who tried to install the software clients themselves installed them improperly."

Doug Torre, director of networking and technical services for CHS, adds, "The challenge with home support is that we clearly can't be there at the home to help. In addition, home networks add to the complexity of networking. Every PC may have different configurations that can add to the challenge of a streamlined support methodology."

An additional concern is CHS' ongoing commitment to patient privacy and security, which will be mandated by upcoming legislation. According to Torre, "With these requirements, the whole information system has to work together to achieve the overall goals and spirit of the legislation."

CHS recently purchased an SSL VPN appliance from NetScreen to solve the network security and access problem. The goal, according to Torre, was to "wrap the application in a delivery mechanism with both strong security and authentication."

The SSL VPN is a hardened network appliance that leverages the benefits of traditional remote-access technologies, such as remote-access VPNs and extranets. The SSL VPN secures access to networked applications and information over the Internet to authorized users with any Web-enabled device, without requiring client-device software downloads of installation, changes to the internal servers, and little to no ongoing maintenance. The SSL VPN also provides authorization and authentication to secure information both inside and outside the organization.

Simet says he was attracted to NetScreen's SSL VPN because of its ease of use, and no requirements for client-device software downloads. In addition, the SSL VPN supports many major forms of authentication, including RSA SecurID, the authentication method chosen by CHS for its practitioners. Access to resources can be set by user of by group, and access can be allowed or denied all the way to the file of URL level.

The Siemens NetAccess application is now available in a secure fashion by doctors via any Web browser, regardless of location. "Now doctors can get patient information such as lab results at any time from anywhere, without having to come all the way into the hospital to look at the results," he says. "We tell the doctors to bookmark a URL and they are connected to NetAccess--it's that easy. The SSL VPN has saved significant time for the IS staff, and it has saved time for the doctors, too."

Simet says the SSL VPN was was up and running in 30 minutes. "We just plugged in the serial cable and answered a number of IP questions," he says. NetScreen has upgraded the SSL VPN product code since the initial CHS installation, and the upgrade was completed "with no problems whatsoever," he adds.

CHS' cost for this initial SSL VPN deployment was $90,000. CHS has already achieved a return on investment (ROI) of approximately $98,000 over a 12-month period, thanks to reduced support costs and eliminating the need for a managed remote-access service. Torre estimates an ROI of approximately $180,000 over the next three years.

The SSL VPN also helps CHS in its privacy-compliance efforts, One of the major attractions for using the SSL VPN was its high encryption capability and its ability to plug in with the RSA two-tier authentication mechanism used at CHS, says Torre.