From the January 2003 Issue

Remote Access for Physicians

SSL VPNs offer advantages for healthcare organizations that want to provide mobile physicians with secure access.

By Reggie Best

Providing physicians and other caregivers with simple and secure remote access to hospital-based applications is emerging—with surprising speed—as a “must-have” for healthcare organizations.

It’s not hard to see why momentum is building behind the new generation of remote access solutions. Healthcare organizations can leverage their investment in electronic patient order entry systems and provide real-time access to patient health information, while maximizing physician time and productivity. Implementing the right remote access solution can lower costs, raise productivity and even bring about improved patient care.

The path to the best strategy, however, is not always clear. Hospitals deploying remote-access solutions have been faced with something of a balancing act: How to make healthcare data available to authorized users outside the hospital’s walls in the most cost-effective manner, while ensuring the privacy and security of critical patient data to meet the HIPAA compliance requirements now taking effect?

Traditional remote-access approaches—leased lines, dial-up remote-access servers and client/server-based computing—have proven inadequate to the task. Toll charges, poor security implementations, deployment complexity, ongoing maintenance costs, lack of scalability and bandwidth limitations have led healthcare facilities to consider alternatives.

VPN Alternatives

As a result, virtual private networks (VPNs) have emerged as the logical choice for extending hospital resources securely and cost-effectively. VPNs allow an organization to leverage a widespread existing public infrastructure—the Internet—to reduce private network and dial-up toll communication costs, while making information available anytime, anywhere.

Essentially, a VPN employs various data-protection technologies to create a virtual “tunnel,” using the Internet as an inexpensive transport bridge. VPNs eliminate the high cost of using dedicated private networks based on ATM or frame relay, while still providing the security and functionality that healthcare enterprises require.

VPNs fall into several categories. Some VPNs use IPSec (Internet Protocol Security) and operate at the network layer (layer three) of the OSI (open system interconnection) network architecture model. Other VPNs use SSL (Secure Sockets Layer) technology and function as “application layer” VPNs; such VPNs operate above the network layer, at layers four through seven. While both VPN models leverage the Internet, the SSL application layer approach offers compelling cost and ease-of-use benefits over IPSec-based networks.

IPSec VPNs

The IPSec protocol is an IETF (Internet Engineering Task Force) standard that provides authentication and encryption over the Internet. IPSec-based VPNs have been sold for many years, with products from many vendors, each with their own proprietary IPSec client.

Typically, IPSec devices sit between the public and private network at both ends of the communication points. Information sent from the private network passes through the device, where it is encrypted, sent over the public network and accepted by the remote client side.

IPSec VPNs are best suited for site-to-site connections—between remote payer organizations such as insurance providers and a main hospital data center, for example—that require large, constant data transfers. They are also a good choice for tying remote LANs together over distances where network access is limited to IT-controlled PCs. However, when used for remote access to distributed users, such as doctors at remote or home offices that need access to hospital-based applications at numerous remote locations, IPSec VPNs present significant drawbacks.

For one, IPSec VPNs are IT-resource intensive. Individual VPN clients must be installed and maintained on every PC that requires access. For a healthcare organization that does not own or have easy access to remote physicians’ computers, managing a field of such clients can be a time- and cost-intensive undertaking.

Initiating an IPSec connection is not as easy as launching a Web browser, which is all an SSL-based VPN requires. Navigating the typical IPSec VPN complexities of IP addresses and Network Address Translation settings can be difficult for nontechnical users. In addition, firewall traversal, particularly for outgoing connections, can be difficult: internal firewalls often require additional configuration to permit outgoing IPSec traffic to pass. This extra step adds to growing support requirements, particularly given home and home office users’ reliance on firewalls.
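The firewall-traversal point above (and the later observation that SSL rides the Web ports that are already open) can be made concrete by modelling a default-deny outbound filter and checking which flows each VPN type needs. The following is an added example, not code from the article or from Netilla; the egress policy, flow names and port numbers are constructed for illustration, using the standard IKE (UDP/500), IKE NAT traversal (UDP/4500) and ESP (IP protocol 50) assignments for IPSec and HTTPS (TCP/443) for the SSL VPN.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Dict

# A flow as an outbound packet filter sees it: IP protocol number plus
# destination port (None for protocols without ports, such as ESP).
@dataclass(frozen=True)
class Flow:
    name: str
    ip_proto: int            # 6 = TCP, 17 = UDP, 50 = ESP
    dst_port: Optional[int]

# A permit rule in a default-deny egress policy: protocol number and the
# destination ports it allows (None = any port for that protocol).
@dataclass(frozen=True)
class PermitRule:
    ip_proto: int
    dst_ports: Optional[FrozenSet[int]]

def flow_permitted(flow: Flow, rules: List[PermitRule]) -> bool:
    """True if at least one rule permits the flow; otherwise the default deny applies."""
    for rule in rules:
        if rule.ip_proto != flow.ip_proto:
            continue
        if rule.dst_ports is None or flow.dst_port in rule.dst_ports:
            return True
    return False

# Constructed policy: the outbound-only filter typical of a home or small-office
# firewall, which lets Web browsing and DNS out and nothing else.
HOME_OFFICE_EGRESS: List[PermitRule] = [
    PermitRule(ip_proto=6, dst_ports=frozenset({80, 443})),   # HTTP, HTTPS
    PermitRule(ip_proto=17, dst_ports=frozenset({53})),       # DNS
]

# Flows each VPN type must be able to send toward its gateway.
IPSEC_FLOWS: List[Flow] = [
    Flow("IKE key exchange", 17, 500),         # UDP/500
    Flow("IKE NAT traversal", 17, 4500),       # UDP/4500
    Flow("ESP encrypted payload", 50, None),   # IP protocol 50, no port
]
SSL_VPN_FLOWS: List[Flow] = [
    Flow("HTTPS to SSL VPN appliance", 6, 443),
]

# The exceptions an administrator would have to add to the home/office
# firewall before the IPSec client could connect at all.
IPSEC_EXCEPTIONS: List[PermitRule] = [
    PermitRule(ip_proto=17, dst_ports=frozenset({500, 4500})),
    PermitRule(ip_proto=50, dst_ports=None),
]

def traversal_report(flows: List[Flow], rules: List[PermitRule]) -> Dict[str, bool]:
    """Map each required flow to whether the egress policy lets it through."""
    return {f.name: flow_permitted(f, rules) for f in flows}

def vpn_connects(flows: List[Flow], rules: List[PermitRule]) -> bool:
    """The VPN can be established only if every flow it needs is permitted."""
    return all(traversal_report(flows, rules).values())

if __name__ == "__main__":
    for label, flows in (("IPSec", IPSEC_FLOWS), ("SSL VPN", SSL_VPN_FLOWS)):
        verdict = "connects" if vpn_connects(flows, HOME_OFFICE_EGRESS) else "blocked"
        print(f"{label}: {traversal_report(flows, HOME_OFFICE_EGRESS)} -> {verdict}")
    print("IPSec with added exceptions:",
          vpn_connects(IPSEC_FLOWS, HOME_OFFICE_EGRESS + IPSEC_EXCEPTIONS))
```

Against the unmodified home/office policy the SSL VPN connects and the IPSec client is blocked on all three of its flows; it connects only after the two extra permit rules are added, which is exactly the per-site support step the article describes. The same evaluator can be pointed at any other egress policy to see which VPN type it admits.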

IPSec VPNs are also not adept at delivering shared application services or centralized databases. Rather, individual client copies of healthcare applications must be installed, updated and maintained on each remote machine, which adds to overall IT maintenance.

While an IPSec VPN may satisfy security requirements for sending information over the Internet, the source data itself, often residing on laptops or other remote devices, remains vulnerable to loss and theft. By contrast, a “smart, thin-terminal” approach, which keeps the data in the data center, works well with the “clientless” SSL model.

Because they operate at the network level, IPSec VPNs effectively provide the remote PC with full network visibility as if it were a computer located on the corporate LAN. This means users can have a full view of the corporate network—an unnecessarily broad level of access for remote physicians typically looking to access one or two applications.

SSL VPNs

Since it was originally developed by Netscape to secure electronic commerce transactions, SSL, standardized by the IETF as Transport Layer Security (TLS), has evolved into one of the leading security protocols throughout the Web. SSL provides server authentication, data encryption and message integrity over TCP/IP connections. Today, SSL supports millions of online transactions daily and is the de facto standard for secure online credit card purchases, stock trading and banking.

SSL VPNs provide a number of advantages to the healthcare environment, including the ubiquity of ready-made SSL clients—the Web browsers built into every modern computer. By taking advantage of this clientless deployment, SSL VPNs minimize the need to configure and maintain remote computers.

Taking the clientless deployment one step further, some SSL VPNs provide an additional key benefit: easy access to legacy (Windows®, UNIX, Linux and mainframe) applications quickly and easily over the Internet. This crucial functionality differentiates the various SSL VPN approaches, some of which are limited to Web applications or network file access only. The fact that remote users can access centralized applications securely from any Web browser frees IT staff from having to install, update and maintain application clients on hundreds of remote PCs.

With SSL VPN appliances that incorporate this “thin-client” approach, the applications that end- users access reside not on the remote PC, but rather on the application servers located in the main data center. In this thin-client model, application processing is performed on the data center-based server, while the end-user’s computer handles only the input and output data (keystrokes, mouse clicks and graphical display).

One advantage of this secure, “application layer proxy” arrangement—so-called because the SSL appliance generates a proxy, or a representation of the application, rather than the application itself—is that remote users can access various applications that use native protocols such as Remote Desktop Protocol (RDP) for Windows-based applications, X11 for UNIX applications or telnet for IBM mainframe applications, all over a single protocol, secure HTTP (HTTPS). Network resources are kept safe on the private LAN. End-users never directly access the applications and servers.

The result of this application proxy model is greater efficiency when running remote applications. Hundreds of remote users can simultaneously access the same centralized applications—whether Windows, UNIX, Linux or mainframe-based—via a single SSL appliance.

Anytime, Anywhere Access

Unlike IPSec VPNs, there is no need to expose all network resources to the entire user base: Network administrators can set user permissions and policies to limit access to specific applications for specified users as needed. SSL traverses standard firewall ports that are already open to allow Web traffic. The result is that unlike IPSec VPNs, SSL VPNs seldom require firewalls to be reconfigured.

SSL VPN appliances combine a number of security elements into a unified, hardened appliance. These include authentication—such as RADIUS, RSA SecurID®, Windows 2000 and Active Directory, LDAP, Vasco and ActivCard—policy, encryption and third-party trusted digital certificates for site authentication.

Once users are authenticated, they must be authorized: given access to a specific set of applications and privileges based on their profile. By functioning as application layer VPNs, some SSL VPNs provide robust, multistage authentication modules that poll external authentication and authorization information stored in LDAP or Active Directory repositories, and function as a gateway to network resources from a single point of centralized access management. In this way, administrators can group different types of users according to their level of trust or needs, in a manner not easily matched by IPSec VPN alternatives.
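The difference between the two access models described in the last few paragraphs (per-application authorization at the proxy versus the full network visibility a network-layer tunnel grants) is easiest to see in a small policy engine. The code below is an added example, not part of the article and not Netilla's product logic; the user names, directory groups, published applications and internal host names are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed group membership, standing in for what the gateway would read
# from an LDAP or Active Directory repository after authentication.
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "dr.lee":   {"physicians"},
    "j.nurse":  {"nursing"},
    "it.admin": {"it-staff"},
}

@dataclass(frozen=True)
class Application:
    name: str
    protocol: str   # native protocol the proxy speaks on the LAN side
    host: str       # internal server the proxy connects to (constructed)

# Published applications. The browser only ever sees the published name;
# the host and native protocol stay inside the data center.
APPLICATIONS: Dict[str, Application] = {
    "order-entry": Application("order-entry", "rdp", "cpoe-ts.hospital.internal"),
    "pacs-viewer": Application("pacs-viewer", "x11", "pacs.hospital.internal"),
    "mainframe":   Application("mainframe", "telnet", "mvs.hospital.internal"),
}

# Policy: which directory groups may launch which published applications.
POLICY: Dict[str, Set[str]] = {
    "physicians": {"order-entry", "pacs-viewer"},
    "nursing":    {"order-entry"},
    "it-staff":   {"order-entry", "pacs-viewer", "mainframe"},
}

def permitted_applications(user: str) -> Set[str]:
    """Union of the applications granted to every group the user belongs to."""
    groups = DIRECTORY_GROUPS.get(user, set())
    return set().union(*(POLICY.get(g, set()) for g in groups))

def authorize(user: str, app_name: str) -> Optional[Application]:
    """Application-layer check the gateway performs after authentication.

    Returns the Application the proxy may open a native-protocol connection
    to, or None when the user's profile grants no access. Unknown users and
    unknown application names both fall through to deny."""
    if app_name not in permitted_applications(user):
        return None
    return APPLICATIONS.get(app_name)

def proxy_session(user: str, app_name: str) -> Optional[Dict[str, str]]:
    """Describe the two halves of an authorized session: HTTPS on the remote
    side, the application's native protocol on the LAN side."""
    app = authorize(user, app_name)
    if app is None:
        return None
    return {"client_side": "https/443", "server_side": f"{app.protocol}://{app.host}"}

def network_layer_reachable(user: str, host: str) -> bool:
    """Model of the IPSec case in the article: once an authenticated user's
    tunnel is up, the remote PC is routed like a LAN host, so any internal
    host is reachable unless an inner firewall intervenes. The host argument
    is deliberately ignored to make that point."""
    return user in DIRECTORY_GROUPS

if __name__ == "__main__":
    for user in ("dr.lee", "j.nurse", "it.admin", "stranger"):
        print(user, "may launch:", sorted(permitted_applications(user)))
    print("dr.lee -> mainframe via proxy:", proxy_session("dr.lee", "mainframe"))
    print("dr.lee -> mainframe host via network-layer tunnel:",
          network_layer_reachable("dr.lee", "mvs.hospital.internal"))
```

A physician authorized only for order entry and image viewing is refused the mainframe session at the proxy, whereas under the network-layer model the same authenticated user could reach the mainframe host and every other internal host; the difference is the per-application, per-group least privilege the article attributes to the application-layer approach.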

SSL-based, clientless VPNs are well-suited to meet the anytime, anywhere remote-access needs of the healthcare industry in general, while complying with the security demands of the HIPAA regulations in particular. Certainly, healthcare institutions need to choose the VPN that best meets their needs for a particular implementation, and there will be many instances when IPSec-based VPNs are appropriate. But taking into account its “total cost of ownership” benefits compared to IPSec-based VPNs, its simplicity from a user’s standpoint and the ease with which it can be deployed, the SSL-based clientless VPN is poised to bring the benefits of secure remote access to thousands of healthcare providers in the coming years.

For more information about remote-access solutions from Netilla Networks, www.rsleads.com/301ht-196

Reggie Best is president and CEO of Netilla Networks Inc., Somerset, NJ. Contact him at reggie@netilla.com.

© 2003 Nelson Publishing, Inc