A 'Virtual Private Network' can be used by any remote user to securely access the internal servers at work. Remote users working for a medical center could include Information Systems support staff, transcriptionists, physicians and their staff, and others. A VPN creates a secure 'tunnel' through a public network (i.e. the Internet) by using encryption and authentication. A VPN can use a number of different protocols, but the 'IPSec' protocol is currently the most secure. However, IPSec is not perfect.
In a Microsoft Windows environment, a software-based VPN would have a specific WinNT, W2K or .NET Server on the inside network configured to accept VPN connections through its external Internet connection. The remote user would then configure their Windows 2000 or XP system to connect to the VPN via the Internet, providing the IP address of the VPN server. Proper protocol configuration should include the use of IPSec on both ends.
Alternatively, a hardware-based VPN appliance could be used and configured with appropriate internal and external IP addresses, protocols and user information. The remote user then installs software specific for the appliance and connects via the Internet.
In the February 2002 issue of the Healthcare Information Security Newsletter, Gerald Nussbaum makes the following recommendations [7]:
Do not use 'split-tunneling' while connected to the VPN. If the remote user is connected to both the internal network and the Internet simultaneously, an unauthorized user could gain internal network access if the remote user's PC is not properly configured or does not have its own personal firewall.
A VPN should be used in conjunction with all other security hardware.
Check into 'direct peering' from an ISP wherein: 'A user connects to the Internet and his packets are directed through a private peering point through to the ISP that connects to the organization's network and vice versa.'
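One way to verify the split-tunneling recommendation on a Windows 2000/XP client is to read the output of 'route print' and see which default route wins. The script below is an added example, not part of the newsletter or the original text; it parses a constructed route table (the VPN adapter address 10.20.0.33 and the physical NIC 192.168.1.50 are assumed values) and reports whether the client is fully tunneled, split-tunneled, or not on the VPN at all.

```python
import ipaddress

# Constructed sample of a Windows 'route print' IPv4 table (not captured from a
# real host). The physical NIC is 192.168.1.50; the dial-up VPN adapter is
# 10.20.0.33. Only the internal 10.20.0.0/16 network is reached via the VPN,
# while Internet traffic still leaves through the local gateway: a split tunnel.
SPLIT_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
        10.20.0.0      255.255.0.0       10.20.0.33      10.20.0.33      1
       10.20.0.33  255.255.255.255        127.0.0.1       127.0.0.1     50
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50     20
"""

# Same host with 'Use default gateway on remote network' enabled: Windows adds a
# second default route through the VPN adapter with a lower (preferred) metric,
# so all traffic, Internet-bound included, now goes through the tunnel.
FULL_TUNNEL_TABLE = SPLIT_TUNNEL_TABLE + \
    "          0.0.0.0          0.0.0.0       10.20.0.33      10.20.0.33      1\n"

ANY = ipaddress.IPv4Address("0.0.0.0")


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings and blank lines
        try:
            dest, mask, gw, iface = (ipaddress.IPv4Address(p) for p in parts[:4])
            routes.append((dest, mask, gw, iface, int(parts[4])))
        except ValueError:
            continue  # column header row or anything else that is not a route
    return routes


def tunnel_mode(text, vpn_interface):
    """Classify the client as 'no-vpn', 'full' (default route via VPN) or 'split'."""
    vpn_ip = ipaddress.IPv4Address(vpn_interface)
    routes = parse_routes(text)
    if not any(r[3] == vpn_ip for r in routes):
        return "no-vpn"
    # Windows picks the default route with the lowest metric.
    defaults = [r for r in routes if r[0] == ANY and r[1] == ANY]
    best = min(defaults, key=lambda r: r[4], default=None)
    return "full" if best is not None and best[3] == vpn_ip else "split"
```

A client reporting 'split' is the configuration Nussbaum warns against: its Internet-facing interface remains reachable while the tunnel to the internal network is up.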
The security assessment of a VPN can be done by running password cracking software such as 'John the Ripper' or other such programs. Be sure to get written permission first. As always, enable audit logs and check for signs of attempted or successful intrusion.
There is nothing about securing a VPN that is specific to the healthcare industry. InfoSec 'best practices' are recommended, but no special VPN configuration is required by HIPAA.