An upgrade for an outdated remote access solution extends the network while bolstering endpoint control.
Recently, Sunnybrook Hospital, of the Sunnybrook Health Science Centre, located in Toronto, found itself facing issues not uncommon to many hospitals: physicians and administrators were demanding easier remote access to the information systems of the healthcare organization, while simultaneously our IT staff saw a need to increase protection for those very resources. With research, we discovered new technologies that could solve the challenges we were facing, such as e-prescription systems, proximity cards, biometric readers, single sign-on (SSO) solutions, and secure sockets layer virtual private networks (SSL VPN) with endpoint control.
Our philosophy in selecting, and then implementing, these technologies was to outsource as little as possible and manage most of the systems in-house. It was critical that we chose and deployed solutions that met these goals, were extremely easy to manage and required minimal helpdesk support. Implementing an SSL VPN was the first step toward enhanced network access.
Trust, But Verify
Sunnybrook places a strong emphasis on education and research and, as part of this commitment, became associated with the University of Toronto in 1966 as one of the University’s core teaching hospitals. In the early 1990s, the healthcare provider changed its name to Sunnybrook Health Science Centre. The seven principal programs/services on which the hospital focuses are Cardiac, Musculoskeletal, Cancer, Trauma and Critical Care, Neurosciences, Perinatal and Gynaecology, and Aging and Population Health. Today, Sunnybrook is a 1,209-bed healthcare organization with more than 11,000 staff, physicians, researchers and students supported by an IT staff of 50.
Beginning in 2003, we saw a surge of users wanting more access to our network from an increasing number of remote locations including private residences, wireless hotspots, partner offices and other university campuses. While we had previously implemented an Internet Protocol Security (IPSec) VPN in 2000, we realized that this solution was no longer adequate for our physicians, who desired the option to work remotely, nor would it provide the appropriate level of security that we considered essential. IT needed to verify that any remote endpoint computer had the latest antivirus signatures and critical operating system security patches, as well as an authorized user, before giving that machine access to the network.
However, only the computers in network users' homes could be verified, and doing so was a time-consuming and significant management burden for Sunnybrook's IT department. Further propelling us toward an SSL VPN was a virus outbreak that infected our network. We traced the virus to a computer in a remote, affiliated clinic outside of Toronto. That computer connected to the Internet through a public ISP, then tunneled back to Sunnybrook through the IPSec VPN. Because that VPN provided no endpoint control, nothing checked the health of the machine before admitting it, and our network was infected within days. With this security threat, and the increasing number of network access issues, it became obvious that we needed an alternative remote access solution to replace our IPSec VPN.
Evaluating Options
SSL VPNs appeared to offer many of the features and benefits we required that were lacking in our IPSec VPN, such as ease of deployment, robust endpoint control and broad multiplatform support. We evaluated a number of SSL VPN providers against a prioritized list of criteria. After our virus outbreak experience, we made endpoint control a pivotal factor. We therefore evaluated each vendor's ability to interrogate a connecting device to confirm that required software was running, such as antivirus with current signatures, and to pair that posture information with the user's identity when deciding what access to grant.
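To make the endpoint-control idea in the two passages above concrete (verify signatures, patches and an authorized user before admitting a machine, then pair device posture with identity to set privileges), here is an added worked example. It is not Sunnybrook's code and not the SonicWALL Aventail policy engine: the posture fields, role names, the three-day signature threshold and the access zones are all assumptions chosen for illustration, and the scenarios are constructed, including one modelled on the article's infected clinic PC.

```python
"""Endpoint posture paired with user identity to choose an access zone.

Added illustration only: not Sunnybrook's code and not the SonicWALL Aventail
policy engine. Posture fields, roles, thresholds and zone names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Zone(IntEnum):
    """Ordered so that min() picks the more restrictive of two zones."""
    DENY = 0
    WEB_ONLY = 1   # browser-delivered apps only (e.g. a webmail portal)
    FULL = 2       # tunnel to internal file servers and client/server apps


@dataclass(frozen=True)
class Posture:
    """What an endpoint-control agent reports about the device (assumed fields)."""
    managed: bool                   # hospital-owned and centrally administered
    av_running: bool
    av_signature_date: date
    critical_patches_missing: int


@dataclass(frozen=True)
class User:
    username: str
    role: str                       # "physician", "administrator", "vendor-support", ...


MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed freshness threshold

# The most access a role can ever receive, before device health is considered.
ROLE_CEILING = {
    "physician": Zone.FULL,
    "administrator": Zone.FULL,
    "vendor-support": Zone.WEB_ONLY,   # support through the portal, no tunnel
}


def posture_findings(p: Posture, today: date) -> list[str]:
    """Reasons the device fails the health check; an empty list means healthy."""
    findings = []
    if not p.av_running:
        findings.append("antivirus not running")
    elif p.av_signature_date > today:
        # A future-dated signature set usually means a skewed clock; do not trust it.
        findings.append("antivirus signature date is in the future")
    elif today - p.av_signature_date > MAX_SIGNATURE_AGE:
        age = (today - p.av_signature_date).days
        findings.append(f"antivirus signatures are {age} days old")
    if p.critical_patches_missing > 0:
        findings.append(f"{p.critical_patches_missing} critical OS patch(es) missing")
    return findings


def decide_zone(user: User, p: Posture, today: date) -> tuple[Zone, list[str]]:
    """Combine identity and device health into an access zone plus the reasons.

    Order matters: an unhealthy device is refused before the role is consulted,
    so a compromised endpoint cannot be rescued by a privileged account.
    """
    findings = posture_findings(p, today)
    if findings:
        return Zone.DENY, findings
    ceiling = ROLE_CEILING.get(user.role)
    if ceiling is None:
        return Zone.DENY, [f"unknown role {user.role!r}"]
    if not p.managed:
        # Healthy but unmanaged (home PC, partner office): portal apps only.
        return min(ceiling, Zone.WEB_ONLY), ["unmanaged device: no tunnel access"]
    return ceiling, ["managed device, healthy"]


def run_scenarios() -> dict[str, tuple[str, list[str]]]:
    """Evaluate constructed scenarios for a fixed date; returns name -> (zone, reasons)."""
    today = date(2006, 6, 1)
    cases = {
        "managed_physician": (User("dr_a", "physician"), Posture(True, True, date(2006, 5, 31), 0)),
        "home_physician":    (User("dr_a", "physician"), Posture(False, True, date(2006, 5, 31), 0)),
        # Modelled on the outbreak: unmanaged clinic PC, stale signatures, unpatched.
        "infected_clinic":   (User("dr_b", "physician"), Posture(False, True, date(2006, 5, 1), 2)),
        "vendor_portal":     (User("vend1", "vendor-support"), Posture(True, True, date(2006, 6, 1), 0)),
        "skewed_clock":      (User("dr_c", "physician"), Posture(True, True, date(2006, 6, 5), 0)),
        "unknown_role":      (User("ghost", "contractor"), Posture(True, True, date(2006, 6, 1), 0)),
    }
    results = {}
    for name, (user, posture) in cases.items():
        zone, why = decide_zone(user, posture, today)
        results[name] = (zone.name, why)
    return results


if __name__ == "__main__":
    for name, (zone, why) in run_scenarios().items():
        print(f"{name:18} -> {zone:8} {'; '.join(why)}")
```

The ordering in `decide_zone` is the point worth copying: device health is evaluated first and denies outright, the role then sets an upper bound, and an unmanaged device lowers that bound to portal-only access. That is what lets a physician on a healthy home PC reach webmail while the same physician on an unpatched clinic machine with month-old signatures is refused entirely.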
We also prioritized ease of use and ease of management for access from both managed and unmanaged devices. With our IPSec VPN, provisioning the client on unmanaged computers consumed a lot of resources, and we wanted to eliminate that as far as possible. A third key criterion was the solution's capability to handle all kinds of devices, access methods and applications as a single gateway for all remote users. We found the SonicWALL Aventail SSL VPN to be our top choice, and in 2006 we replaced our IPSec VPN with it. At the time of our evaluation, SSL VPN was still considered an emerging technology.
However, among the SSL VPN vendors we considered, SonicWALL Aventail had been in the SSL VPN business the longest, and was able to refer us to a number of successful SSL VPN implementations they had already completed for healthcare organizations worldwide. This became beneficial to us during our rollout, when some users initially experienced difficulty accessing an IDX client/server application over the SSL VPN portal. The support specialists immediately isolated the problem to a resolvable ActiveX issue, and we were able to provide our users the access they needed.
Benefits
Right from the start, remote users who authenticated over the SSL VPN using SSO did not need to log in separately to reach their e-mail and calendar in Outlook Web Access. We could also scan every remote device for malware and system integrity using the granular endpoint control features of the SSL VPN, and we are able to give users easy, secure remote access without training or the hassles of a home installation. Our physicians and administrators can securely access MS Outlook, Windows file servers, a corporate intranet with financial applications, HR information, electronic patient records and a digital PACS remotely from their home PCs, laptops and tablets.
Beyond endpoint security, Sunnybrook’s upgrade to SSL VPN for controlling remote network access has provided other benefits as well. As a large academic teaching hospital, Sunnybrook has many different clinical services, and numerous clinical systems. Sunnybrook can now provide remote access to facilitate vendor support for these systems. Because the SSL VPN can be deployed as a clientless solution over the Internet, IT no longer has to set up complex site-to-site tunnels or exception rules on firewalls, like it had to with our previous IPSec solution, to allow these vendors to conduct their support for mission-critical systems.
Expanding Remote Access
A significant factor in our selection was how the solution would fit with other strategic initiatives. With extensive multiplatform support and built-in compatibility with integration technologies such as SSO, it was easy to integrate the SSL VPN into our existing infrastructure as well as our future IT plans. Sunnybrook is also rolling out proximity identification and biometric authentication for physician access to the EDIS onsite, which complements the remote access controls.
With proximity identification, a physician is issued a proximity card, which is read by a computer in the ED. The user does not have to type a user name, because the computer detects the card and identifies who the user is. Once identified, the physician places a finger on the biometric reader instead of typing a password. The system verifies that the fingerprint matches the identified user, and the user is logged in immediately.
In tandem, we are extending our single sign-on (SSO) solution across the hospital. This means that once the physician has been properly authenticated, the applications they need, including the electronic patient records system, EDIS, the patient registration system and the scheduling system, all become available without the physician having to log in to each of them separately. Another secure access technology Sunnybrook is currently deploying is an e-prescription medication order entry system for its physicians, which will integrate with our new SSL VPN. Doctors can already order lab tests and medical imaging tests electronically, and we plan to extend this functionality to medication ordering.
When considering any new-technology solution for updating an existing system, or as an initial implementation, it can be difficult to sort through all the hype. Our experience taught us that through diligent research, and by appropriately matching the technology to specific needs, finding the right secure remote access solution is possible.