Doctors drop VPN for Web access

Catholic Health System wanted patients' records protected by the security of a VPN, but setting up every doctor's home PC was too great a burden. Web-based access brought the doctors online.

Long before IT departments heard the term 24/7, it was the typical workweek for medical professionals and was known more commonly as being on call.

An on-call physician would receive phone calls and go to the hospital center to deal with patient emergencies--to verify test results or lab work, order new medication, or conduct surgery--at all hours of the day.

While doctors still have to be in the operating room for surgery, advancing technologies--from cell phones with Web access to home desktops linked to medical center databases--are helping many medical professionals avoid late-night trips to work.

The idea of accessing patient data from any location at any time is obviously a welcome advancement for doctors and patient care and medical facilities, such as the Catholic Health System (CHS) in Buffalo, NY.

"We had to get clinical information into the hands of the people who needed it fast, and easily," said Doug Torre, director of networking and technical services for CHS.

CHS wanted physicians to be able to log in to the system for consultations on x-rays or lab results--from potentially any PC in western New York, at any time.

Establishing such a connectivity network posed several challenges before CHS found ultimate success.

Point-to-point problems
CHS's 8,000 employees and 1,200 physicians serve more than 200,000 patients throughout a network of five hospitals, nine primary care centers, nine diagnostic and treatment centers, and a freestanding surgery center. In addition to acute-care facilities, CHS runs 11 long-term care facilities, adult homes, home care agencies, counseling services, social service, and behavioral health programs.

Torre's first tack in April 2002 to solve CHS's networking challenge was to install a point-to-point virtual private network (VPN) that physicians could use to access data either from the external clinics or from home.

The value of a VPN, of course, is its security features; CHS wouldn't be broadcasting private patient data over the Internet, explained Torre.

With the VPN, time wouldn't be wasted on travel, and quicker patient care would be achieved. The system, which was to be rolled out to 500 doctors, would also allow physicians instant access to lab results, transcribed reports, and patient health-care information at any time from any place.

User issues hurt deployment
A VPN installation requires software to run on the client machines. That's not a big deal if all the users have laptops that can be dropped off at the IT shop for system setup and implementation. It's not a great scenario if most users will access the medical network from home-based PCs.

"People were unhappy because we couldn't come out to their house and install software on their PC. They just wanted access--they didn't want to configure a PC," explained Torre.

While some sophisticated users were able to install the VPN software on their home machines, others required visits by a third-party system integrator--which brought additional costs into the project.

In addition, members of Torre's team had to develop support documents, procedural manuals, and self-install CDs to help the deployment. In some desperate cases, the IT team even configured PCs and gave them to doctors to take home. That clearly wasn't a good solution, for cost or manpower, said Torre.

"That doesn't scale well unless you have deep pockets," said Torre. "There may be some hospital systems with deep pockets, but we're not one of them."

It was at that point that Torre realized the solution was causing more pain than the original access problem, and that the VPN effort wouldn't be viable for physicians' off-site access needs. Torre reset his sights on finding a better, more workable solution. In the end, Web-based access was chosen.

CHS's primary database used Siemens' Hospital Information System (HIS) software, but because it ran on top of Microsoft's Internet Information Server (IIS), which has suffered from security issues in the past, Torre was concerned about the ability to guarantee the privacy of data. This was more than a general concern; once the Health Insurance Portability and Accountability Act (HIPAA) goes into effect, CHS is legally bound to ensure that data is tamper-proof.

Torre began an investigation into the security features of Web servers. "We wanted a Web proxy that would be both secure and authenticated," he explained, "but would also be easy to use." After testing several Web application servers in April of this year, he learned of the Mountain View, CA-based company Neoteris, whose PartnerAccess software offered what the company described as an "instant virtual extranet." It was essentially a secure Web server, sending data via traditional HTTP and also via encapsulated Secure Sockets Layer (SSL).

"It wasn't the first product we tried, but it was the easiest. We had its fundamental configuration up and running with our application on the network in half an hour," related Torre. "We discovered it could make our internal Web servers secure, and it was a more manageable way to distribute back-end Web services."

In its initial deployment, the Neoteris software is being used by 20 doctors at CHS. When users access the secure Web site running on the Neoteris server, their identity is authenticated with a two-tier system. The user puts in a user name and a PIN, and then adds a pass code that appears on a key fob supplied by RSA Security. Torre described the key fob as a pillbox-sized device with an LED display that changes every minute.
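The login check described above, sketched as an added example that is not CHS, Neoteris or RSA code. The fob's proprietary algorithm is replaced here by the public HOTP/TOTP construction (RFC 4226/6238) with a 60-second step; the `Authenticator` class, the PIN hashing parameters and all values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per displayed code, matching a fob that changes every minute


def token_code(secret: bytes, now: float, digits: int = 6) -> str:
    """Code the token shows at time `now` (RFC 4226 truncation over a time counter)."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Authenticator:  # hypothetical server-side check, not a product API
    def __init__(self):
        self.users = {}      # user name -> (salt, pin_hash, token_secret)
        self.last_used = {}  # user name -> last accepted time counter

    def enroll(self, user, pin, token_secret, salt):
        self.users[user] = (salt, hash_pin(pin, salt), token_secret)

    def login(self, user, pin, code, now, drift=1):
        record = self.users.get(user)
        if record is None:
            return False
        salt, pin_hash, secret = record
        pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
        current = int(now) // STEP
        matched = None
        # Accept the current step plus `drift` steps either side for clock skew.
        for c in range(max(0, current - drift), current + drift + 1):
            if hmac.compare_digest(token_code(secret, c * STEP).encode(), code.encode()):
                matched = c
        # Both factors must pass, and a code is good once: reject replays.
        if not pin_ok or matched is None or matched <= self.last_used.get(user, -1):
            return False
        self.last_used[user] = matched
        return True
```

Recording the last accepted time step is what stops a code observed in transit from being reused inside its validity window.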

A healthy payback
Torre considered having a third party host the secure Web sites, but feared a future state of complexity in which each outsourced vendor might require him to deploy separate access methods for each system. Instead, he chose to have CHS manage the system itself.

"Putting this framework in place allows us to redistribute Internet-based solutions systems securely," he said. "Now that the infrastructure's in place, we can leverage it for other things, and there will be collateral benefits for HIPAA."

Torre calculates a one-year ROI for the Neoteris project, in part based on no longer having to deal with the VPN.

"There's definitely a return in terms of [decreased] support issues, potential hardware and software issues, and help desk calls." He added that it's impossible to measure the value of not having the radiologist come to the hospital in the middle of the night, but there's value in it nonetheless.

Ready for the future
Torre plans to have the Neoteris capability deployed to 500 of CHS's doctors by the end of this year. The only stumbling block, apart from the extranet, is a shift in the way outpatient data is collected so that it can be incorporated into the HIS database. He hasn't yet determined the schedule for putting the rest of CHS's 1,200 physicians on the system.

Torre and his team know they'll be ready for HIPAA, but stressed that government regulations weren't the only project motivation.

"Proliferation of this kind of data-sharing for health care is a requirement to operate now," said Torre.

"Getting the right data to the right people efficiently is what IT is all about. That's how all business runs today, not just health care. In my opinion, you have to do it effectively or die."

Complications killed health system's VPN access effort
First published on November 13, 2002
By Howard Baldwin
