Alternative teleradiology architecture tackles security problem

March 25, 2002

DSL or cable broadband connections may promise faster teleradiology, but they require security measures to protect sensitive data traveling over the Internet.

A virtual private network (VPN) link between a hospital intranet and a PC used for teleradiology in a physician's home can protect the data in transit. But a VPN also opens a back door into the hospital intranet, according to Francisco Corella, a computer scientist and president of Pomcor, a startup firm in Danville, PA.

"A program running on the home PC has access to the hospital intranet as if the PC were part of that intranet," he said.

Attackers routinely get their own programs running on other people's PCs. An attacker who controls the home PC could therefore reach the hospital intranet through the VPN tunnel, bypassing the hospital firewall, Corella said. This exposure is sometimes addressed by installing a personal firewall on the home PC.

"This is better than nothing, but an IT manager who deploys this solution may not fully realize that they now have an intranet with multiple entry points. One is protected by a $50K firewall maintained by specially trained security personnel, while the others are protected by free software controlled by ordinary users and their teenage children," he said.

A secure alternative architecture has evolved at Geisinger Medical Center, also in Danville.

"We upload images from the hospital to a Web server hosted on the Internet and download them to a PC at the physician's home," said Dr. Karen P. Lewison, section chief of nuclear medicine. "Both transfers are protected by SSL Web security."

SSL (Secure Sockets Layer, originally developed by Netscape) is the standard Web security protocol. It encrypts and authenticates the connection between the browser and the Web server; it does not protect the data once it is stored on either end. Corella calls it the most mature, widely used, and highly regarded communications protocol.

The ability to upload files using a Web browser has been available for a few years. The Web server runs a simple Web "file repository" application, according to Corella. Users can upload files, list the files stored in the repository, and download files. Each user logs in with their own user ID and password over the same SSL-protected connection. Once a study has been uploaded to the repository, on-call physicians can log in, download it, and view it on their home PC.

Multiple-file studies can be zipped together for transmission as a unit, with lossless compression as an added benefit.
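The repository logic described above (per-user login, upload, list, download, and multi-file studies zipped as one unit), as an added example that is not code from the article, from Pomcor, or from Geisinger. It assumes a TLS-terminating Web server sits in front of it, that passwords are stored as salted PBKDF2 hashes, that studies are stored as DEFLATE (lossless) zip archives under a single repository directory, and that study names are validated before they touch the filesystem so a user cannot read outside the repository. The sample study files, user IDs and passwords are constructed for the example.

```python
import hashlib
import hmac
import io
import re
import secrets
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumed naming rule: alphanumerics, dot, underscore, hyphen; no leading dot,
# so ".." and anything containing a path separator is rejected outright.
_STUDY_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class AuthError(Exception):
    pass


class BadStudyName(ValueError):
    pass


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class StudyRepository:
    def __init__(self, root: Path):
        self.root = Path(root).resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def _authenticate(self, user_id: str, password: str) -> None:
        rec = self._users.get(user_id)
        # Run the KDF even for unknown users so timing does not reveal valid IDs.
        salt, expected = rec if rec else (b"\x00" * 16, b"\x00" * 32)
        _, actual = hash_password(password, salt)
        if rec is None or not hmac.compare_digest(actual, expected):
            raise AuthError("bad user ID or password")

    def _path_for(self, study_name: str) -> Path:
        if not _STUDY_NAME.match(study_name):
            raise BadStudyName(study_name)
        path = (self.root / f"{study_name}.zip").resolve()
        if path.parent != self.root:  # defence in depth against traversal
            raise BadStudyName(study_name)
        return path

    @staticmethod
    def pack_study(files: Dict[str, bytes]) -> bytes:
        """Zip a multi-file study into one lossless (DEFLATE) archive."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in sorted(files.items()):
                zf.writestr(name, data)
        return buf.getvalue()

    @staticmethod
    def unpack_study(blob: bytes) -> Dict[str, bytes]:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {info.filename: zf.read(info) for info in zf.infolist()}

    def upload(self, user_id: str, password: str, study_name: str, files: Dict[str, bytes]) -> None:
        self._authenticate(user_id, password)
        self._path_for(study_name).write_bytes(self.pack_study(files))

    def list_studies(self, user_id: str, password: str):
        self._authenticate(user_id, password)
        return sorted(p.stem for p in self.root.glob("*.zip"))

    def download(self, user_id: str, password: str, study_name: str) -> bytes:
        self._authenticate(user_id, password)
        path = self._path_for(study_name)
        if not path.is_file():
            raise FileNotFoundError(study_name)
        return path.read_bytes()


def demo() -> dict:
    """Upload / list / download cycle on a constructed two-file study."""
    # Constructed placeholder image data, not real DICOM objects.
    study = {"IM0001.dcm": b"\x00" * 128 + b"DICM" + b"\x00\x01" * 512,
             "IM0002.dcm": b"\x00" * 128 + b"DICM" + b"\x02\x03" * 512}
    with tempfile.TemporaryDirectory() as tmp:
        repo = StudyRepository(Path(tmp))
        repo.add_user("tech01", "correct horse")      # uploads from the hospital
        repo.add_user("oncall01", "battery staple")   # downloads at home
        repo.upload("tech01", "correct horse", "NM-20020325-001", study)
        listing = repo.list_studies("oncall01", "battery staple")
        blob = repo.download("oncall01", "battery staple", "NM-20020325-001")
        try:
            repo.download("oncall01", "wrong password", "NM-20020325-001")
            auth_blocked = False
        except AuthError:
            auth_blocked = True
        try:
            repo.download("oncall01", "battery staple", "../etc/passwd")
            traversal_blocked = False
        except BadStudyName:
            traversal_blocked = True
    return {"listing": listing,
            "round_trip_ok": StudyRepository.unpack_study(blob) == study,
            "compressed_smaller": len(blob) < sum(map(len, study.values())),
            "auth_blocked": auth_blocked, "traversal_blocked": traversal_blocked}
```

The point of the design is visible in what the server can do: an authenticated user can reach the studies stored in the repository directory and nothing else, whereas a VPN endpoint on the same home PC would have reached whatever the intranet exposes.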

"This approach allows physicians to take advantage of the transmission speed provided by broadband cable or DSL connections, while protecting data sent over the Internet," Corella said. "It avoids the vulnerability introduced by a VPN link to the physician's home."

Geisinger has measured download times of a few seconds for nuclear medicine studies and a few minutes for a CT study, Lewison said.