Remote access for physicians: SSL VPNs offer advantages for healthcare organizations that want to provide mobile physicians with secure access - Data Security

Health Management Technology, Jan, 2003 by Reggie Best

Providing physicians and other caregivers with simple and secure remote access to hospital-based applications is emerging--with surprising speed--as a "must-have" for healthcare organizations.

It's not hard to see why momentum is building behind the new generation of remote access solutions. Healthcare organizations can leverage their investment in electronic patient order entry systems and provide real-time access to patient health information, while maximizing physician time and productivity. Implementing the right remote access solution can lower costs, raise productivity and even bring about improved patient care.

The path to the best strategy, however, is not always clear. Hospitals deploying remote-access solutions have been faced with something of a balancing act: How to make healthcare data available to authorized users outside the hospital's walls in the most cost-effective manner, while ensuring the privacy and security of critical patient data to meet the HIPAA compliance requirements now taking effect?

Traditional remote-access approaches--leased lines, dial-up remote-access servers and client/server-based computing--have proven inadequate to the task. Toll charges, poor security implementations, deployment complexity, ongoing maintenance costs, lack of scalability and bandwidth limitations have led healthcare facilities to consider alternatives.

VPN Alternatives

As a result, virtual private networks (VPNs) have emerged as the logical choice for extending hospital resources securely and cost-effectively. VPNs allow an organization to leverage a widespread existing public infrastructure--the Internet--to reduce private network and dial-up toll communication costs, while making information available anytime, anywhere.

Essentially, a VPN employs various data-protection technologies to create a virtual "tunnel," using the Internet as an inexpensive transport bridge. VPNs eliminate the high cost of using dedicated private networks based on ATM or frame relay, while still providing the security and functionality that healthcare enterprises require.

VPNs fall into several categories. Some VPNs use IPSec (Internet Protocol Security), and operate at the network layer (layer three) of the OSI (Open Systems Interconnection) network architecture model. Other VPNs use SSL (Secure Sockets Layer) technology and function as "application layer" VPNs. Such VPNs operate above layers four through seven. While both VPN models leverage the Internet, the SSL application layer approach offers compelling cost and ease-of-use benefits over IPSec-based networks.

IPSec VPNs

The IPSec protocol is an IETF (Internet Engineering Task Force) standard that provides authentication and encryption over the Internet. IPSec-based VPNs have been sold for many years, with products from many vendors, each with their own proprietary IPSec client.

Typically, IPSec devices sit between the public and private network at both ends of the communication points. Information sent from the private network passes through the device, where it is encrypted, sent over the public network and accepted by the remote client side.

IPSec VPNs are best suited for site-to-site connections--between remote payer organizations such as insurance providers and a main hospital data center, for example--that require large, constant data transfers. They are also a good choice for tying remote LANs together over distances where network access is limited to IT-controlled PCs. However, when used for remote access to distributed users, such as doctors at remote or home offices who need access to hospital-based applications at numerous remote locations, IPSec VPNs present significant drawbacks.

For one, IPSec VPNs are IT-resource intensive. Individual VPN clients must be installed and maintained on every PC that requires access. For a healthcare organization that does not own or have easy access to remote physicians' computers, managing a field of such clients can be a time- and cost-intensive undertaking.

Initiating an IPSec connection is not as easy as launching a Web browser, the mechanism for SSL-based VPNs. Navigating the typical IPSec VPN complexities of IP addresses and Network Address Translation settings can be difficult for nontechnical users. In addition, firewall traversal, particularly for outgoing connections, can be difficult. Internal firewalls often require additional configuration to permit outgoing IPSec traffic to pass. This extra step adds to growing support requirements, particularly given home and home office users' reliance on firewalls.

IPSec VPNs are also not adept at delivering shared application services or centralized databases. Rather, individual client copies of healthcare applications must be installed, updated and maintained on each remote machine, which adds to overall IT maintenance.

While an IPSec VPN may satisfy security requirements for sending information over the Internet, the source data itself, often residing on laptops or other remote devices, remains vulnerable to loss and theft. Alternatively, a "smart, thin-terminal" approach works well with the "clientless" SSL model.

 


Content provided in partnership with Thomson Gale