Securing the Healthcare Border

From the September 2005 Issue

Healthcare professionals need access to patient information 24/7. Protecting it may be an IT organization’s greatest challenge—or nightmare.

By Mark Elliott

Mark Elliott is the vice president of product management for Permeo Technologies Inc., Austin, Texas. Contact him at melliott@permeo.com.

The tremendous expansion of the distributed healthcare network has increased the demands for remote information availability. The ability to provide patient data to the extended network gives hope to increased service levels, reduced diagnosis times and streamlined costs for the industry. Hospitals, remote laboratories, physicians, traveling nurses and other medical service providers all demand remote access to sensitive private information to get their jobs done. Lifestyle issues, coincident with retention challenges for healthcare professionals, mean supporting increased flexibility in terms of workplace location.

Being able to complete electronic paperwork from home, having the ability to remotely check on a patient’s status or lab results, and, in general, not being tied to a specific office or computer are powerfully attractive capabilities. Business units are continually pushing IT departments to enable this access because they can see the clear benefits to the bottom line. But IT departments face the challenges of satisfying the needs of their business units while balancing risk and exposure for the company. Controlling access to and otherwise protecting sensitive healthcare information is also a legal requirement.

Remote access traditionally has been viewed as a networking problem and not the information access problem that it really is. Delivering protected health information (PHI) and other sensitive information to a broad array of users and computers concerns far more than encrypting network packets, as with VPNs (virtual private networks). Browsers cache data, users save information that they shouldn’t and malware can lurk on computers, surreptitiously recording keystrokes, files and even snapshots of the computer screen. IT personnel, especially in the healthcare industry, need to carefully consider what can happen to information after it has been delivered to a remote computer.

Seeking A Security Solution
Early generations of remote access solutions have fallen short of supporting the rapidly evolving needs of the business, especially the healthcare industry. These approaches were very network-centric and assumed a static environment. Solutions such as IPSec-based VPNs, while providing high quality network security, had little or no post-delivery information protections.

Recently, new technologies have shifted the paradigm from providing network access to protecting information in highly mobile, dynamic environments, enabling healthcare IT departments to extend their businesses. Hospital systems that leverage information across a mobile network must ensure PHI is secured while providing access to doctors across their geographic region, no matter where they’re located—at another hospital, another office or even at home. This is a challenge because the access devices are neither known to, nor managed by, the IT organization. By establishing a PHI usage policy, and using tools to enforce that policy, the organization overcomes remote challenges and dramatically increases the ability to service their patients.

The decision to extend business boundaries exposes organizations to a host of challenges and issues. Unmanaged devices in particular are a challenge, as they limit an IT department’s ability to deliver solutions. The traditional approach of preinstalling various software—e.g., a VPN client, anti-malware software or personal firewalls—on a third party’s PC is not very practical. Nor is it desirable for an external organization to install, or demand installation of, security software on PCs not under their IT jurisdiction.

The “On-demand” Approach
Security “on-demand” is a technique that can solve the challenge of securing PHI delivered to unmanaged devices. As its name implies, on-demand security delivers security services, such as anti-malware, VPN and information protection, combined with security policy to a client computer on a transient basis. It can be delivered anytime, anywhere, run for a limited period of a time and then go away when it is no longer needed. However, for an on-demand solution to be successful the following must be considered:

Efficient delivery: Solution must be deliverable in seconds, not minutes;
End user transparency: No end-user intervention installing, operating or removing;
Minimal demands: Requiring administrator privileges or other prerequisites limits solution applicability;
Coexists with installed applications: Including existing security software;
No aftereffects: Software leaves behind no permanent modifications or remnants.

By delivering security services on demand, IT organizations can respond to evolving business needs in an efficient manner. Rolling out new services to a desktop is much faster when no administrator “visit” to that PC is needed. The flexible nature of on-demand security software can enable secure information access regardless of the physical location of the endpoint.

In the secure remote access space, a Secure Socket Layer or SSL VPN is a good example of on-demand security. SSL VPNs have emerged as a more palatable approach to secure networking than existing IPSec VPNs. Connections are made at the application layer, limiting the scope of user access, which can now be constrained by policy down to individual services. Reduced administrative effort and greater flexibility—and consequently the potential for greater user productivity—result from eliminating the need for a fixed, preinstalled software client. Ubiquitous browsers supplemented by dynamically downloadable plug-ins (e.g. Java or ActiveX) render secure remote access instantly and painlessly to virtually any computer, whether owned by the organization or not.

On-demand secure connectivity technologies like SSL VPNs represent a significant improvement over past approaches. From a business perspective it is a win-win situation. Remote access is scalable, able to be secured and costs less than conventional approaches. But are encrypted packets enough?

Network Security to Secure Information Access
Where private and confidential information is being accessed, organizations responsible for delivering that information must consider the post-delivery (i.e., post-VPN decryption) ramifications. Patient records, confidential radiology images and other similar data deserve the highest available degree of protection. Leakage of such material on the endpoint—intentional or not—is simply not acceptable. It immediately erodes the trust relationship between patients and providers and jeopardizes continued patronage, not to mention the potential for assessment of civil and criminal penalties.

Security “on-demand” is a technique that can solve the challenge of securing PHI delivered to unmanaged devices.

To reduce this risk, other on-demand security technologies can be brought to bear. For example, Web browser cache cleaning and host-integrity checks purge browser- and application-specific caches upon completion of the user’s session, validate the remote node’s security status and configuration settings prior to enabling network access, and create an encrypted workspace on the remote node to help ensure against information leakage. These two items, however, only begin to address the subsequent issue of protecting information once it has been delivered to—and accessed by—a remote endpoint. Additional measures are needed to reduce the post-delivery security gap.

Post-delivery security is concerned with protecting information after it has been delivered via the VPN. This includes minimizing the vectors for information compromise by hostile, unauthorized access, as well as inadvertent action by end users or software. As such, three additional features deserve strong consideration when selecting and implementing a secure remote-access solution: client-based malware protection, information controls and client activity audits.

Client-based malware protection is intended to identify and remove Trojans and similar threats that reside on endpoints, but which do not overtly impact them or the networks where they are connected. These Trojans can capture passwords or entire sessions and pose as authorized users while facilitating nefarious activities. By their very nature, Trojans are elusive and quite powerful; therefore, a dynamically downloaded module that can address them would be highly beneficial. To be truly effective, though, it must work continuously during the session, as opposed to conducting “one-off” or periodic inspections.

Information controls enforce policies pertaining to what users can do with data once it arrives. Functions such as copy/paste, save-to-disk and printing can be selectively controlled with different policies being applicable for different users, data and endpoints (e.g., kiosks versus home computers versus corporate managed devices).

Activity audits can and should be done at the central gateway used to terminate all remote connections. Logs of who is accessing what are essential for operational and forensic processes, as well as for defending the suitability and effectiveness of the organization’s policies and access control measures. Such logs, however, only provide part of the picture. Having a log of activities undertaken locally on the remote host during a remote access session could also prove to be highly informative and useful. At a minimum, such capability would complement the aforementioned information controls, providing visibility about information usage for those situations where such controls are not applicable, or otherwise ineffective.

Information Access Policy
Ultimately, none of the capabilities discussed to this point are particularly meaningful in the absence of an over-arching access policy and data classification methodology. The overall recipe for a flexible and efficient yet highly secure and compliant remote access solution would involve:

Classifying accessible information in terms of its sensitivity;
Establishing policies corresponding to each classification of sensitivity that indicate the conditions under which access is provided and how it is subsequently controlled. Who, for example, (in terms of user groups) has access to which categories of information and from where? In addition, identify what type and strength/degree of safeguards (e.g., authentication, audit logging, information controls) apply to each access scenario;
Implementing a secure remote access product that supports, in an on-demand fashion (i.e., without having to predeploy software on every PC), as many of the features and advanced security controls that have been discussed as possible, including: multiple forms/strengths of user authentication, encryption of information in transit, granular access control to applications (not networks), cache cleaning, host integrity checking, continuous malware protection, information controls, and client- and gateway-based activity logs;
Auditing actual usage and activities on a regular basis.

The final hurdle to surmount is enforcing a PHI policy at the endpoint. The on-demand solution should protect the information beyond its delivery and follow it through the rest of its lifecycle, protecting it through consumption and automatically disposing of it. An audit trail of the information through its lifecycle guarantees the IT organization that the risk of stranded or misused information has been eliminated.

For more information about on-demand security from Permeo,
www.rsleads.com/509ht-210