Remote control: North Carolina IDN chooses SSL access to ensure HIPAA compliance – Security: case history

It’s hard, or maybe impossible, to find a healthcare organization not challenged by HIPAA mandates during the past year or two. Particularly hard hit have been integrated delivery networks and merged healthcare organizations, where an increased number of clinicians in geographically dispersed locations both require and expect access to patient information, and also expect the organization to simultaneously leverage IT and safeguard patients’ privacy.

Novant Health is an integrated healthcare system serving more than 3.4 million people in 32 counties across western North Carolina, northern South Carolina and southern Virginia, and it has grown considerably in recent years to meet the changing demands of its communities. Novant was created by the merger of Carolina Medicorp Inc. of Winston-Salem, N.C., Presbyterian Health Services Corp. of Charlotte, N.C., and Thomasville Medical Center in Thomasville, N.C. With more than 13,000 employees, including 372 physicians, spread across hospitals, physician clinics, outpatient surgery and diagnostic centers, rehabilitation programs, nursing homes and senior residential facilities, the not-for-profit organization experienced increasingly complex requests for access to protected health information (PHI).

Because caregivers and physicians move throughout affiliated facilities, Novant needed to provide clinicians with confidential PHI from remote locations while making sure access was granted in accordance with HIPAA’s security and privacy requirements.

Early Contenders

Initially, Novant used a remote access server secured with two-factor authentication to provide remote access to employees. However, access was via dial-up, and as the number of users and applications expanded, Novant needed a solution with more bandwidth.

Within two years, the organization deployed a virtual private network (VPN). The VPN offered a faster connection for employees to access lab results, transcription, radiology images and other essential applications from outside of their base offices. The VPN taxed Novant’s IT department with client-support costs and interoperability and usability issues, and the organization experienced complications with certain operating systems and firewall traversal issues from different networks. Also, users could access information only from machines with the VPN client installed.

To reduce client download costs, Novant created CDs with the VPN client software and distributed them to all users. This solved the problem of forcing doctors to download VPN client software from scratch or requiring them to bring their machines to the IT department for installation, but it remained time-consuming and expensive. Updating client software required at least a week of dedicated time by an IT staff member to correctly rewrite the scripts, and once completed, there was no efficient process to distribute the update.

Ultimately, Novant questioned whether it was an organization that required an IPSec VPN or if there was an easier path to access.

SSL Offers an Answer

In 2001, the Secure Sockets Layer (SSL) protocol, now found in every Web browser, gained prominence. This technology promised secure application-layer access to network resources from any Internet session, eliminating compatibility and client device issues, which in turn would dramatically reduce maintenance issues.

As SSL-based appliances evolved into maturity, Novant did deploy an interim technology in December 2001 as a bridge between the VPN and the new appliances. However, it required significant IT resources to configure and maintain it, and although it allowed users anywhere, anytime access, “it was limited with the ports that it could use, and it couldn’t deal with new applications, so it didn’t meet all of our changing requirements,” says James Kluttz, Novant’s chief technology officer.

Just six months later, the Novant IT team looked at three SSL-based secure-access appliances during a three-month evaluation process and selected the Instant Virtual Extranet (IVE) from Mountain View, Calif.-based Neoteris Inc. The IVE is a hardened network appliance that, like a VPN, uses secure Internet transport, but it offers application-layer access, not access to an entire network. As a result, it does not expose a network to outside threats, and it allows for granular access controls. The IVE also authorizes and authenticates users at any time from anywhere using a Web browser, so users don’t have to download a client or deal with network configurations.

“We were looking for a clientless solution, and it had to be a hardware appliance,” Kluttz says. “The solution also needed to deliver our applications and information seamlessly; we did not want to have to re-engineer our internal applications for external use.”

During the evaluation, Novant searched for SSL-based solutions that interoperated with its existing infrastructure and provided broad resource access for its employees and physician partners. At the top of the access list were a Dashboard clinical data physician portal, a neonatal fetal-monitoring system, radiology imaging and results, and lab results, as well as basic applications such as e-mail. The organization used Citrix NFuse servers to create a Web-based portal for accessing applications and information remotely, so it was crucial that any solution selected would have seamless Citrix support.

Novant also needed a solution that would interoperate with its human resources application securely via the Web. Because Neoteris allowed access to Novant’s critical applications and continued to expand the number of applications it supported, the organization could roll out differentiated access to all of its employees and partners while still securing PHI.

Controlled Access Prevails

Novant purchased the IVE in September 2002. Unlike previous access solutions, which took longer to implement, the IVE was running in parallel within 30 minutes and was fully customized for users and applications shortly thereafter. It also was easy to configure, according to Kluttz, and training was minimal, since most users were experienced with a Web browser. “There was essentially no learning curve for us or for our users,” he says. “The IVE didn’t require users to understand networking to figure out how to get to their applications.”

Since the full rollout of the IVE in November 2002, the new access method has met the needs of about 75 percent of authorized Novant users, says Kluttz. “If they can get access to the Internet and enter their user ID and password, they can get access to the resources they need. But because the IVE is an SSL appliance, they can’t print e-mails, for example, so we still use a traditional VPN for those people who need print capability.”

Additionally, since the Neoteris IVE has high availability and redundancy options, Novant was able to service more employees by deploying another appliance earlier this year. By replicating data across appliances, Novant scales and adds more users as needed. Currently, the organization has rolled out IVE access to more than 900 physicians, clinicians and administrative staff. Additionally, more than 13,000 employees now have self-service access to the human resources application.

Novant reduced costs by avoiding the need to configure users’ PCs, saving about $100 in wages per IT technician per PC, or about $90,000 for 900 users. This reflects a cost savings of approximately 20 percent to 25 percent compared to the amount spent for configurations required by the earlier VPN solution.

In the end, Novant found a practical solution that enables the organization to connect thousands of caregivers to network resources from any Internet-enabled device. Through the SSL-based appliance model, Novant has realized substantial cost savings and decreased a networking pain point for its IT department, all without compromising the security or privacy of PHI.


James Kluttz

Chief Technology Officer

Novant Health Winston-Salem, N.C.


Instant Virtual Extranet

Neoteris Inc.

Mountain View, Calif.

COPYRIGHT 2003 Nelson Publishing

COPYRIGHT 2003 Gale Group