Healthcare warms to remote access

Some hospitals are sidestepping traditional IPSec VPNs for newer SSL-based products.

The scenes are stereotypical. The phone rings in the dead of night, rousing the doctor from his sleep. He throws on some rumpled clothes, kisses his wife and promises to be back soon. Or, a doctor is enjoying her 10-year-old daughter’s softball game when the beeper goes off. Game over.

The notion that healthcare professionals tend the sick and injured at all hours of the day and night is a comfort, even romantic – as long as you’re not the doctor. While medical workers are inherently mobile, much of the old way they work – relying on phones, pagers and paper files – ensures they waste a great deal of time in transit between hospital and office, or mucking through paper charts, with little or no time left for a life.

While patient privacy concerns have made the healthcare industry slower than others to deploy remote-access products, new technologies are forcing it to play catch up. Spurred by doctor requests and induced to reduce costs and increase efficiencies, network executives are finding VPNs based on Secure Sockets Layer (SSL) technology suits their remote access needs in many cases better than IP Security (IPSec) VPN offerings.

SSL-based products and services from Aventail, Neoteris, NetSilica and others let users access data from any browser-based device, so long as it can authenticate to the central server. Network executives can configure the VPN to provide remote users access to a clinical records database, protecting the rest of the network from breach. Because SSL firewall ports typically are left open, there’s little need to reconfigure the firewall, easing configuration and management.

Regardless of technology, network executives are finding fashioning doctors into teleworkers creates challenges. A rare early adopter, Doug Torre says his first attempt to roll out IPSec VPN to a group of radiologists at Catholic Heath System in Boston last year was a “miserable experience.”

To maintain control over the remote systems, Torre, the director of networking and technical services, provided the doctors with ready-made PCs loaded with an IPSec VPN client. However, the complexity of the system had users frustrated. “But we still had to send integrators to their homes. These are not low-grade users, but they don’t have a lot of patience. Their time is precious and very valuable,” he says.

Bruce Elkington, CIO of Overlake Hospital in Seattle, knew a VPN could improve patient care and business processing, but quickly came up against policy questions. Before settling on Aventail, he considered traditional VPNs. “But I pulled the plug on that right away. As soon as we start putting client software on doctors’ remote systems, we become responsible for supporting them,” he says.

Rick Jerothe, director of enterprise infrastructure at North Shore Long Island Jewish Health System in New York, faced similar issues. “Do we give doctors a machine or let them use their own, and how does that affect patient confidentiality?” he asks.

Using Aventail.net, the company’s SSL-based VPN service, solves the problem. Jerothe manages only the internal PCs, and doctors are free to access network applications using any device.

With the right technology, Jerothe and his team can concentrate on helping doctors improve patient care while adhering to privacy standards. They’re using Aventail.net as the basis for its new Web-based enterprise application that lets doctors access patient information culled from a variety of databases.

At Overlake, Dr. James Leggett, a cardiologist, often sees patients after they’ve been to the emergency room the day before. “Before Aventail, invariably, I’d end up seeing the patient before her paper chart made its way down to my office. That’s very frustrating. Now I have instant access to all the emergency room data,” Leggett says.

North Shore’s security team is building systems that comply with the Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, HIPAA establishes national standards meant to ensure privacy in electronic healthcare transactions. While comfortable with the security of Aventail’s managed services, North Shore has chosen to keep in-house the strong authentication piece of the system, which is not specific to remote access.

At Catholic Health System, Torre rolled out two-factor authentication for the IPSec and Neoteris Instant Virtual Extranet users, and says it was a “no-brainer” to put RSA security on top.