Remote Access is Nothing without Security

September 7, 2006 - Advance News Magazine, Sebastian Sullivan, MBA

As more health care organizations are moving to electronic medical records, an increasing amount of electronic medical information flows over the Internet between health care providers and payers. In this environment, health care organizations such as Southern Illinois Healthcare (SIH) are finding themselves increasingly vulnerable to attacks. The complex challenge of securing information and maintaining strict levels of patient confidentiality has become increasingly difficult since Web-based systems now provide easy and ubiquitous access to authorized users.

"Health care facilities such as ours need to provide secure remote access to physicians, employees and vendors," said Frank Sears, vice president and CIO at SIH. "A growing number of employees need to work from home or while traveling on business. IT staff needs to be able to provide emergency support or assistance outside of normal business hours. Providers and physician offices located throughout our region need to connect to clinical systems such as radiology imaging, patient records or medical billing. And technology vendors need to remotely monitor, maintain or remediate technical problems on servers they have been contracted to support."

Consistent and reliable remote access to information, while working on the road or from home, is one thing. But it all means nothing if the information can be hacked by others, or if unauthorized users gain access to private medical information or medical records. The private business sector understands this well; the increase in high-profile hacking of Web sites to obtain confidential information such as Social Security numbers and credit card numbers has created a public relations nightmare for many organizations. Health care providers, however, are held to an even higher standard of security for their information due to mandated federal regulation under HIPAA.

HIPAA: A higher standard

HIPAA requires health care organizations to take precautions to ensure the security of their networks and the privacy of patient data. HIPAA compliance applies to all covered entities (CEs). A CE is an individual or organization that falls into one of three groups: health plans, health care clearinghouses and health care providers.

According to the American Medical Association, CEs that are not in compliance face either civil or criminal penalties. Violations of the HIPAA Administrative Simplification Act can result in civil monetary penalties of $100 per violation, up to $25,000 per year. As for criminal penalties, any person who knowingly obtains or discloses individually identifiable health information in violation of the Administrative Simplification Act faces a fine up to $50,000, as well as imprisonment for up to one year.

Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, and up to five years in prison. Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.

A new way of working

Combining these security requirements with the new ways in which people work presents a challenge. A physician may want to access hospital or patient data on a laptop half a world away, or check a medical record from home after putting the kids to bed, without having to physically drive back to the office. This remote access is more than just a convenience: it can be a huge productivity boost and can add to the physician's quality of life, enabling physicians to work when they choose, outside the facility's four walls. Yet the security posture underlying this new style of access remains a central concern. You want to provide easy access to data, but only to those you can trust.

This is difficult because remote access has become simultaneously easier and more complex. In the past, IPSec-based remote access solutions were typically offered only with strict settings, specific ports and virtually no endpoint security checks. IT staff either needed to pre-configure the VPN client on company-issued PCs before turning them over to employees, or had to travel to the remote location where the end-point PC was located to do the setup, placing a huge burden on IT staff resources.

Newer SSL VPN-type solutions have made it easier for anyone to connect to network resources. With a wide variety of users connecting from various devices, and needing access to vastly different internal resources, SSL VPN systems now make it possible to inspect every requesting host to ensure that it is trusted and/or in compliance with organizational remote access policies, such as having anti-virus (AV) or firewall software installed and operating.

Security, again, is critical as SSL VPN technology becomes more mainstream and health care facilities extend their internal infrastructures to users. It is no longer enough to protect your assets from an unknown malicious intruder. Organizations need to protect against trusted employees connecting from their unpatched home computers, or against that same trusted employee entering sensitive user credentials on a public terminal at a conference.

Following an extensive review of remote access appliances for our infrastructure at SIH, the health system selected an SSL VPN remote access appliance called FirePass from F5 Networks in Seattle. FirePass gives people working from home or on the road secure remote access to network resources from any Web-enabled device and over a range of access networks, regardless of location.

Beyond its security posture, SIH had other reasons for selecting an SSL VPN solution in general, and FirePass specifically. Prior to installing FirePass, we were using a client-based Cisco VPN. This required each remote PC to have the Cisco client application installed on it and required detailed configuration settings to be made by a staff technician before establishing a connection. Although well-suited for site-to-site connections and even manageable for a small number of user-to-site connections, this approach was logistically difficult and expensive to implement on the scale we ultimately needed.

Security equals happy users

In addition to day-to-day information security responsibilities, I currently handle remote access administration for SIH. I clearly understand the importance of the administrative interface of this product. With FirePass, accessing various features is easy and can be achieved several different ways, depending on the style and preferences of the administrator. The administrative interface had a dramatically shorter learning curve than competing products, which made training of backup staff easier and more cost-effective.

In addition, the technology facilitates anytime/anywhere information access. This improves the efficiency, productivity and accessibility for SIH employees who telecommute, who need access while traveling on business, or who need to rapidly respond to urgent situations while off the premises. The technology also enables our IT staff to quickly and securely connect with the SIH information systems to perform critical support or administrative actions remotely, as needed.

The solution was easy to set up, compared to the other products we tested in our data center environment. When the appliance arrived, our manager of technical support had it out of the box and configured in about 30 minutes without the need for support calls or factory assistance. The other appliances we initially evaluated required VAR field engineers to do the initial setup.

Administrator benefits

Because my job focuses on information security, I find the following features to be of critical value from a compliance perspective: AV and firewall checker, cache cleaner, visual policy editor and exportable logs/reports with robust SYSLOG output capabilities. In the context of day-to-day use, the intuitive administrative interface makes routine tasks extremely fast and easy to perform. Freedom from having to drill down a half dozen layers just to complete standard tasks greatly improves administrative efficiency and cuts down dramatically on service ticket times. Plus, our end users are pleased with how fast their VPN requests get implemented -- and that helps IT maintain high customer satisfaction.

User benefits

SIH users can access the VPN from any computer that has Internet access and a standard Web browser, whether it's from their home PC, a hotel lobby PC or another workstation on SIH's internal network. The ability to log in to the VPN using Active Directory account credentials also makes users happy; they no longer must remember yet another user name/password.

They can remotely control their work PCs as if they were sitting directly in front of them, too. They can work with their Windows desktop, with all applications and files, exactly as they normally would, without having to learn a new interface or access method. In the future we are looking to integrate FirePass with our enterprise single sign-on identity management system to further simplify employee access to network resources.

Aggressive security

Ultimately SIH was sold on the product's aggressive endpoint security features, such as the virtual keyboard and the firewall and AV endpoint inspectors, as well as its audit reporting capabilities. Its ability to output robust SYSLOG data, which can be processed by third-party security event correlation, reporting and archiving systems such as those sold by FortiNet or EIQ Networks, is a valuable feature, too. FirePass also takes a highly granular approach to granting resource access, and it can regulate access based on organizational remote access policies and on the security safeguards present on end systems, such as AV and firewall software. And the ability to control and report user actions, in terms of accessing specific resources, helps us meet our internal reporting needs as well as HIPAA compliance requirements.
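The posture-gated access model described above (endpoint inspection for AV and firewall, granular resource grants, and SYSLOG audit output for a downstream correlation system), as an added illustration that is not code from the article, from SIH, or from F5's FirePass. The policy tiers, resource names, role names, and the syslog format are assumptions constructed for the example.

```python
import datetime
from dataclasses import dataclass

# Resource tiers in increasing sensitivity; labels are constructed to mirror the article.
WEB_ONLY = {"webmail", "intranet"}
CLINICAL = WEB_ONLY | {"radiology_imaging", "patient_records", "billing"}
FULL_NETWORK = CLINICAL | {"remote_desktop", "server_admin"}

@dataclass
class Posture:
    """What the endpoint inspector reported about the requesting host."""
    av_running: bool        # anti-virus installed and running
    firewall_running: bool  # host firewall enabled
    managed_device: bool    # company-issued PC, not a home PC or hotel-lobby kiosk
    cache_cleaner: bool     # client accepted the browser cache cleaner for this session

def decide_access(role: str, p: Posture) -> set:
    """Map posture plus role to the resources a session may reach (assumed policy,
    not FirePass's actual rules): no AV -> nothing; no firewall or no cache cleaner ->
    web-only; unmanaged but clean -> clinical apps; managed -> full network, with
    server administration reserved for IT staff."""
    if not p.av_running:
        return set()
    if not (p.firewall_running and p.cache_cleaner):
        return set(WEB_ONLY)
    if not p.managed_device:
        return set(CLINICAL)
    granted = set(FULL_NETWORK)
    if role != "it_admin":
        granted.discard("server_admin")
    return granted

def syslog_line(user: str, p: Posture, granted: set, host: str = "sslvpn01") -> str:
    """RFC 3164-style audit record for a SIEM: facility auth (4), severity
    notice (5) on grant, warning (4) on deny. Timestamp is constructed for the demo."""
    severity = 5 if granted else 4
    pri = 4 * 8 + severity
    ts = datetime.datetime(2006, 9, 7, 1, 0, 0).strftime("%b %d %H:%M:%S")
    checks = f"av={int(p.av_running)} fw={int(p.firewall_running)} managed={int(p.managed_device)}"
    verdict = "GRANT " + ",".join(sorted(granted)) if granted else "DENY"
    return f"<{pri}>{ts} {host} sslvpn: user={user} {checks} {verdict}"

if __name__ == "__main__":
    # Constructed sessions: a physician on a hotel-lobby PC and an admin on a managed laptop.
    kiosk = Posture(av_running=True, firewall_running=False, managed_device=False, cache_cleaner=True)
    laptop = Posture(av_running=True, firewall_running=True, managed_device=True, cache_cleaner=True)
    print(syslog_line("dr_jones", kiosk, decide_access("physician", kiosk)))
    print(syslog_line("itadmin", laptop, decide_access("it_admin", laptop)))
```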

In short, the robust, progressive, and evolving security and compliance-driven features make SSL VPN solutions a key component for health care remote access, especially as regulatory requirements continually place more demands on the IT environment. And especially as more and more people find themselves working from home at 1:00 am on a Saturday, or accessing a patient record from a coffee shop halfway around the world.

Mr. Sullivan is a security specialist in the IT Compliance & Quality Assurance Department of Southern Illinois Healthcare.