Health care providers are faced with federal regulations stipulating that they keep medical records secure, and health organizations are looking to VPNs to meet those requirements.
Health Insurance Portability and Accountability Act (HIPAA) rules are developing to meet the federal law that mandates safe handling of this sensitive data. Health care providers will be required to meet what are considered best industry practices or risk being found liable if the data is compromised.
Health care providers are still working on this best-practices outline, and many say that IP Security VPNs will meet the criteria for many types of data transfers.
Below is a rudimentary outline of policies for use within a health-care VPN, which was sent in by a fellow reader for comment. It's not stringent, but it is presented here as a point of departure for discussion.
Once you've read the draft, please drop me a note about your thoughts on it, and also include any drafts of your own that you might be working on. A later newsletter will compile the responses.
While HIPAA is focused on health-care providers, devising a public set of tough security standards can be valuable to any enterprise that needs to protect its most sensitive traffic. Please share your knowledge.
VPN USER POLICY
Concerns about accessing a private network such as the one at [company name] over the Internet through a Virtual Private Network (VPN) are summarized quite well in the Internet Engineering Task Force draft document, "Requirements for IPSec Remote Access Scenarios":
"Due to the open nature of common consumer operating systems, some ... threats are quite difficult to protect against. For example, it is very difficult to assert with any level of certainty that a single user system which permits the downloading and running of arbitrary applications from the Internet has not been compromised, and that a covert application is not monitoring and interacting with the user's data at any point in time."
Security personnel at [company name] therefore prefer that at least a minimum amount of security precautions be implemented on the home PC and be practiced by the VPN user. Such precautions and practices are imperative in order to protect the availability and integrity of our patients' information.
Security Precautions and Practices
VPN users are to perform reasonable security precautions and are expected to maintain a secure environment for the operation of the VPN client software. This is not limited to, but at a minimum must include, the following:
* VPN users are to have PC firewall and antivirus software configured and running on their home PC.
* VPN users are to make every effort to keep antivirus and firewall software up to date with the latest updates and patches as provided by the software vendor.
* VPN users are to attempt to keep the OS of their PC as secure as possible. For example, they should not allow shared drives or devices over the Internet, should not allow other users to access or remote control their PC over the Internet, etc.
* The user and group passwords are never to be stored on the client device.
* The user and group passwords are never to be written in a location that is easily accessible to others.
The functionality of the VPN user's PC firewall may be tested by [company name] security personnel at their discretion. Should a firewall appear not to be functioning and the individual is not willing to implement minimal security practices, then the user's VPN account will be disabled.
The machine authentication (group) name and password are not to be shared with other potential VPN users. Such sharing shall result in the immediate revocation of the user's VPN account and disciplinary action according to security policy guidelines.
The VPN account is never to be used by anyone other than the user to whom it belongs. VPN account sharing shall result in the immediate revocation of the user's VPN account and disciplinary action according to security policy guidelines.
Authorized VPN Client Devices
Users are only to access the internal network through the VPN from a PC in their home that they personally control. That is, they are not to connect from a PC at a friend's house, a kiosk machine, etc. Since the trustworthiness of such a machine is unknown, several potential problems arise:
* Passwords might easily be captured.
* There is no way to know what type of activity the machine might initiate with hosts on the internal network once the connection is made.
* There is no way to have any control over the actual information that might leave the machine. Hence bogus e-mails might be generated, etc.
* There is no way to be sure that the connection has actually been terminated after the user walks away.
* The user may forget to disconnect and thus leave the machine connected to the [company name] network for another person to use.
Tim Greene is a senior editor at Network World, covering virtual private networking gear, remote access, core switching and local phone companies. You can reach him at tgreene@nww.com.