Executive Editor

Healthcare group picks SSL for remote access

Jan 06, 2003
Network Security, Networking, Remote Access

Secure Sockets Layer-based remote access has been just what the doctors ordered – and more – for Virtua Health in Marlton, N.J.

The company, which operates four hospitals and two clinics, was looking to simplify doctors’ access to network resources after a standard browser upgrade made the existing system unworkable.

Installing an SSL remote-access system from 3-year-old start-up Netilla has given doctors the access they required. What’s more, it has helped Virtua slash its software licensing costs, provide more employees with intranet access and more than double the number of applications available to remote users.

“We’re finding new uses for it all the time,” says Andrew Gahm, Virtua’s network architect.

The Netilla Service Platform relies on the SSL technology found in most Web browsers and used to protect Internet credit card transactions. Rather than granting access directly to servers, databases and other resources protected by corporate firewalls, Virtua has situated the Netilla appliance behind the firewall, where it provides access to protected company resources over the Internet via SSL.

Virtua looked into Netilla because 400 physicians and other users were having trouble accessing the Siemens Shared Medical System (SMS) healthcare application they were used to reaching by Web browser.

The problem arose last year when many doctors upgraded their browsers to Microsoft’s Internet Explorer 6.0, which was not supported by the SMS application or the VeriSign digital certificate used to authenticate remote users. Doctors rejected the workaround of reverting to Internet Explorer 5.5 and using proprietary Siemens security tokens.

The Netilla box can set up secure links with Internet Explorer 6.0 and proxy to a Microsoft Terminal Server containing the SMS Web page, solving the problem.

Once Virtua installed the Netilla gear, it wasn’t long before the company discovered other uses for the product. These include using it as a less-costly alternative to expanding its use of Citrix’s thin-client-based remote-access technology.

Virtua has used Citrix’s Web-based ICA client software to give some employees easy access to a handful of networked applications, such as those from PeopleSoft and Per-Se Technologies. Citrix software on remote machines and the servers being accessed lets end users run Unix, Windows and Java applications that are located on servers in Virtua’s network.

But expanding its use of Citrix would have required purchasing secure gateway software that would cost more than the $40,000 to $50,000 Virtua already had spent on its Netilla box, 400 simultaneous user licenses and a maintenance agreement, says Tom Pacek, assistant vice president of technology for Virtua. With the Netilla technology, Virtua has increased the number of applications it makes available to end users from between 10 and 25 to more than 50, he says.

Another benefit of the Netilla setup is that Virtua has tightened security by cutting the number of firewall ports left open, Gahm says. Before Virtua bought the Netilla appliance, Citrix users would access the network via one firewall port for authorization and then access the servers running the desired applications through other firewall ports. “All our Citrix servers were exposed to the Internet along with the Web page that led you to them,” Gahm says. Now those ports are closed, and all traffic comes through the SSL port leading to the Netilla box.

“It made our security consultant very happy because we closed a lot of ports that were open to the Internet,” Pacek says. “Not that they weren’t secure, it just gave people more opportunity to hit us.”

Virtua is still trying to get some end users who rely on Citrix, or on other remote-control software such as pcAnywhere and Carbon Copy, to access Virtua servers to give the combination of a Web browser and the Netilla appliance a try. But Virtua still needs to convince these users that the technology is secure, Gahm says.

Another unexpected benefit of installing the SSL-based appliance is that Virtua has given its 3,000 employees who access e-mail remotely the ability to use the full Microsoft Outlook rather than the more limited Outlook Web client.

Because Netilla can proxy to any Web-based server application, such as Outlook, it makes the Outlook Web client unnecessary, Pacek says.

By virtue of Netilla’s gear, Virtua has avoided using IP Security (IPSec) VPNs and the inherent hassles of distributing client software to remote machines.

“Just in playing around with [IPSec VPNs], we had all sorts of support problems with the PC and people changing things on their desktop and causing conflicts with the VPN,” Pacek says.

“It became a support nightmare in pilot mode. We decided to go away from the VPN until we’re absolutely required to do it,” Pacek adds.