Virtually secure: Implementing a VPN leads to learning curve

January 30, 2002

With HIPAA on the horizon, healthcare is recruiting a variety of solutions to secure the perimeter around sensitive medical images and patient data.

Among the most popular to emerge is the virtual private network (VPN), which offers healthcare facilities a means to enhance security, lower costs, and expand accessibility of information, according to a paper presented Tuesday at the HIMSS meeting.

"Many industries have derived benefits from VPN technologies, although healthcare has yet to harness the same level of benefit," said Gerald M. Nussbaum, a senior manager at Kurt Salmon Associates in Chicago. "The technology is well developed, so healthcare has a stable base from which to draw."

VPNs are especially appropriate for providing protection to institutions wishing to secure off-campus links. In the world of wireless mobile devices, VPNs also enable secure communication over the airwaves, thereby enhancing access while protecting patient privacy, he said.

As a case study, Nussbaum presented the experience of a major academic medical center struggling against an archaic dial-up system often facing bottlenecks due to capacity limitations. Solutions such as ISDN were considered but dismissed as too expensive or too limiting in the number of users serviced. Eventually, the medical center determined its best strategy was to use internal efforts to build a VPN infrastructure robust enough to support 5000 to 10,000 simultaneous users.

Nussbaum offered several lessons from this experience:

• Vendor support is key: these systems are complicated and it's difficult for any customer to master the entire scope.
• Ongoing communication with key end-users is crucial. The ability of department heads to push for continued funding helped keep the project on track.
• Obtaining support for Macintosh platforms, which form a large percentage of desktop systems within academia, can be a challenge.
• Educating senior management about the costs of continually 'switching horses' must be integrated into the project plan. A number of vendors who had not been selected lobbied upper management to reverse the decision based on improvements to their products not previously available.
• Phased rollouts are best. The center rolled out its VPN incrementally, providing support for Windows 95/98 first, then NT, and finally Windows 2000.


"Though this caused a level of negative feedback, it allowed a controlled process that provided incremental improvement of the overall user experience. A Big Bang supporting all platforms at one time would have been a disaster," Nussbaum said.