When more and more doctors started asking for access to patients' test results online, Sydney Adventist Hospital explored alternatives to some of the solutions being used elsewhere in healthcare.
The hospital's first priority was to keep patients' health information secure and confidential while still providing the service the doctors were demanding. And, like anywhere else in the healthcare industry, it was important to keep IT costs down.
The hospital's tech partner and integrator, Emerging Systems, teamed with Nortel Networks to come up with a slightly left-of-field but secure, low-maintenance and lower-cost option for the hospital -- a secure sockets layer virtual private network (SSL VPN).
Already widely used in e-commerce and the financial sector, SSL VPNs have been called the “de facto standard” for securing credit card transactions and online banking. The SSL protocol was developed by Netscape in 1994 as a security mechanism built into the Navigator browser.
Gartner research says: “SSL expedites negotiation between a Web browser and server to establish a session encryption key to encrypt all communications between the two.” This keeps documents private during transmission over the Internet.
Initially, Sydney Adventist Hospital looked at Internet Protocol Security (IPsec), which is usually how remote users -- like doctors -- get secure access to patients' records in hospitals.
“In most traditional security deployments, [such as IPsec] you actually have to install some sort of a secure client on the remote user's computer to ensure encryption and authentication before you gain access into an organisation's online applications,” says Andrew Cook, director of systems engineering at Nortel.
The hospital soon realised IPsec was going to be a more costly -- and not necessarily superior -- option than SSL VPN.
Sydney Adventist Hospital has up to 700 doctors accredited to work at the hospital at any given time. IPsec would have been costly because the hospital's IT staff would have had to go out to each of the doctors' surgeries to install software, and then provide tech support on an ongoing basis.
Problems also arise for the doctors if they work at a number of different hospitals and therefore have to install different proprietary software required by each of those hospitals.
“But with SSL VPN, we can use some of the features that come with the browser with Internet Explorer [which most doctors already have] to create the security without having to go out there to the doctors' rooms,” said the hospital's CIO, Chris Williams.
Gartner has been following SSL VPNs for five years, but only recently have they started to generate more interest. Gartner says SSL provides strong, inexpensive security, but it cautions against weak validation and registration processes that could undermine that very security.
Geoff Johnson, VP and research director for networking and telecom at Gartner Asia Pacific, said the attraction of SSL VPNs is that they can be deployed easily and widely using a web browser. That is much more straightforward than a client such as that used with IPsec, which may be 20 Mb in size and has to be downloaded and installed, he said.
“In hospitals, SSL VPN can be a sensible approach to secure VPN connectivity, but strongly authenticated SSL certificates are needed,” he added.
The hospital underwent a full security review prior to purchasing Nortel's Alteon product and going down the SSL VPN path. Setting up SSL VPN is a relatively simple process from a technological point of view, said Russel Duncan, CEO of integrator Emerging Systems.
“It's a useful tool in the security arsenal … however, it should be viewed as part of the whole security process.”
He said it's not just about 'buying the box'. There are other issues to consider such as routers, firewalls, external servers, and intrusion detection as part of the whole security infrastructure. “You have to get that right first, before you plonk the box in”, he cautioned.
It's not groundbreaking for doctors to be able to view patient hospital records online from a remote location. However, it is the first time SSL VPN has been used in the hospital environment in Australia.
More than 40,000 inpatients and 170,000 outpatients come through Sydney Adventist Hospital each year, generating millions of test results from x-rays and blood tests. Most of the 700 doctors accredited to work at this private hospital have rooms spread across Sydney or even interstate.
Because the computers are privately owned by the doctors, the hospital effectively has no control over them. Nortel's Cook said SSL VPNs come into their own when you need to keep internal information secure within an organisation but at the same time have to allow external users (whose PCs you don't control) access to some of that information.
Williams said: “There is authorised access only to the appropriate information that the individuals [doctors] are allowed to have access to. It's not free and easy to everybody, just to those who are authorised. And patients still have to give consent for doctors to have access to their information.”
Duncan said just setting up the SSL VPN for the hospital (including hardware and software) worked out at about half the cost of installing traditional IPsec.
The hospital also realised early on, when it was looking into IPsec, that it would take a full-time IT staff member -- at a cost of about $60,000 -- just to service the software on doctors' computers. SSL VPN saves that cost on a yearly basis, said Williams.
After a successful pilot, the system is up and running at Sydney Adventist Hospital. In the first stage, doctors in the clinic on the hospital campus used the SSL VPN to view patient test results online. The next stage involved extending it to doctors off-campus, and by next year the hospital hopes to have a couple of hundred more doctors taking advantage of the new system. The service is provided at no cost to the doctors.
Duncan said five other organisations, some in healthcare and some in manufacturing, have also shown interest in piloting SSL VPNs themselves.
Down the track, the hospital plans to incorporate the Health Insurance Commission's certificate arrangement (public key infrastructure) into its system as well. Doctors who participate with HIC in electronic lodgement of medical claims will already have PKI installed on their computers as part of HIC compliance, Williams said.
And when it comes to exchanging private health data online, Gartner's Johnson said PKI is an important goal.
Disclaimer: The writer trained as a nurse at this hospital in 1988 before becoming a journalist.