Mobile and wireless security horror stories abound. Even the once beloved Apple iPod has become a corporate scourge. Highly vaunted research firm Gartner is advising enterprises to ban the music devices, along with all other MP3 players, “digital cameras with smart media cards, memory sticks, compact flash and other memory media.” These gadgets can be used both to download proprietary data and upload malevolent code, recently prompting the British Ministry of Defense to ban iPods from its facilities.
How real are these threats? In these times of ever-evolving security technology, it seems the most dangerous threat is investing thousands or even millions of dollars without carefully assessing the risks at your company. We found two enterprises that thoughtfully weighed their options and are deploying savvy solutions that not only mitigate their security hazards, but also integrate strategically into their business processes.
When it comes to scalability, John Willars at Mission Hospital is pushing the envelope. Willars, the MIS director of this private, not-for-profit medical center, is managing the dizzying effects of free trade and globalization at this border hospital in south Texas. The 138-bed facility near Brownsville provides healthcare to citizens of Mission and Western Hidalgo counties. According to Willars, the metropolitan area has recently been growing at a clip of 20 percent per year, and the hospital is sprinting to keep up.
In 1997, Mission Hospital celebrated expanding and renovating 60,000 square feet of space. The emergency department was tripled in size, the labor and delivery/obstetrics unit was doubled and other areas were enlarged. Now the facility is again on course to double in size, Willars says, adding more than 135 beds by August 2005.
On the leading edge of this dynamic growth, Willars and his IS staff are charged with not only deploying technology to manage hospital and patient records, but also with keeping staff connected. Willars’ choice for networking is a wireless LAN running throughout Mission Hospital’s campus. By employing the state-of-the-art for both records management and wireless connectivity, Willars strategically governs growth, while keeping his infrastructure secure from outsiders.
The Kassebaum-Kennedy law, also known as the Health Insurance Portability and Accountability Act, or HIPAA, began to revolutionize medical care when it was passed in 1996. The federal legislation was intended to help consumers buy and keep health insurance, even if they have serious health problems, by setting requirements that health plans must meet. But HIPAA is perhaps better known for requiring health care providers to protect individually identifiable health information from improper access, alteration or loss. Now that medical providers of all shapes and sizes are embracing mobile and wireless technology, protecting this patient information has become mission critical.
At Mission Hospital, nurses use wirelessly equipped Dell Inspiron notebook PCs mounted on InfoLogix carts to input and retrieve information from the enterprise network. There are nearly 70 of these carts wandering the hallways. “These laptops roam everywhere, so we have to make sure our bits and bytes are secure,” Willars notes, “not only to stop people from using us an as ISP, but to protect medical information.” Willars has made it a priority to lock down his Dell WLAN access points and Cisco routers to keep unwanted surfers from using the hospital’s network to access the Internet.
Perhaps more importantly, Willars must secure patient information residing on hospital servers, particularly as his staff rolls out a new online patient information system. Working with Meditech of Westwood, Mass., Mission Hospital is soon launching Meditech’s Enterprise Medical Record (EMR), which acts as a single portal for examining all relevant patient data from every facet of clinical care—throughout the hospital. Using the wireless laptops, nurses and other staff will be able to view complete visit histories for each patient over the course of an entire lifetime. Every piece of data, from current care and clinical information to historical patient information and test results, will run through the system. All information will be accessible online in HTML through a secure Internet gateway.
Like any MIS director, Willars has enabled the standard security features of his 802.11b wireless LAN. But “standard,” whether it is WEP, TKIP or PEAP, is not sufficient for him. “We didn’t think it was good enough because it has lots of holes in it,” he says.
Willars and his staff are currently testing client/server-based WLAN software from Perfigo, a San Francisco-based provider of network security and control solutions that claims more than 500,000 end users. Perfigo’s applications authenticate, authorize, assess and repair devices logging into a corporate network.
“In the enterprise there is a false sense of security, a false sense of being able to control the laptop more than you do,” contends Rohit Khatrapal, Perfigo’s president. “As long as the end-user can install anything and is surfing on a constant basis, you will get problem.”
With Perfigo software installed on every laptop at Mission Hospital, including those used by administrators, over-the-air data is encrypted using IPsec-based VPN technology to guard it from prying eyes. The application also enables the hospital to offer role-based authentication and authorization. Doctors, nurses, staff, human resources professionals and even patients can be offered separate and distinct portions of Mission’s servers.
“Because of NAFTA, we have some large companies located here,” Willars explains. “So we get executives who bring their wireless laptops to get on the Internet.” Willars’ staff can use a Web console to build access lists for guest users, who can surf preauthorized portions of Mission’s pipe seamlessly. “They don’t need a guest account. That’s the beauty of this system—it is transparent to the user,” notes Joe Pena, a Mission Network analyst. “It shields them completely from our network. We just set up a DHCP pull on the user’s end.”
Willars is also evaluating a Perfigo solution that will scan each device logging into the Mission network for viruses, worms and malevolent code. If the device creates network vulnerabilities, the user is denied access and quarantined. Users in quarantine mode are directed to targeted Web sites with instructions on how to repair their devices.
A Perfigo system similar in size and scope to the one rolling out at Mission Hospital would cost $TK, according to Khatrapal. But Willars refuses to boil down his decision to mere numbers on a spreadsheet. “The investment is minute compared to the possibility of litigation, network downtime or loss of productivity. Nurses don’t come cheaply around here,” he explains. “There is no way to put a dollar value on how important a security product like this is, especially for a non-profit hospital.”
Securing the Pipe
Sam Wilson offers some advice for companies wondering how secure SSL VPNs really are. “It’s the same technology that Amazon.com uses to run billions of transactions per quarter,” says Wilson, managing director for JMP Securities in San Francisco.
Wilson, who calls himself an equity analyst by day, wears an IT specialist’s hat while working closely with his CIO. JMP Securities is an investment bank founded in 2000. Like Mission Hospital, the firm has enjoyed tremendous progress: Revenues have skyrocketed, from $19.6 million in 2002 to $48.4 million in 2003.
With this growth has come the need to provide mobile professionals secure access to applications and files on corporate servers. Wilson has invested heavily in SSL VPN technology to carry much of his company’s sensitive information—but, interestingly, not its most volatile data.
In the past, JMP’s remote access toolkit consisted of Microsoft Outlook Web Access. “That had a lot of holes,” Wilson recalls, “but for getting e-mail, that was the thing.” As JMP’s client base and workload increased, the company installed Citrix remote access software to deliver applications and files from a central repository to traveling workers. To secure the remote connections, Wilson explored a client-server IPsec VPN. “We tried IPsec VPNs on notebooks and home computers, and it was a living nightmare,” he remembers. “We spent all of our time managing and configuring. We’d get a call at 8 p.m. saying, ‘Someone has to get in right now, and they can’t get in.’”
In search of a new solution, Wilson contacted SSL VPN providers, including Aventail, Neoteris (now NetScreen), Whale Communications and F5 Networks. An SSL VPN uses the encryption and authentication technologies integrated into Web browsers to enable secure connections to corporate networks. In late 2003, F5, which had just added SSL VPN functionality by acquiring uRoam, won Wilson’s business.
SSL VPNs don’t require client software: Wilson’s users securely log into a customized Web portal using their Windows NT user names and passwords. The system saves Wilson and his staff untold amounts of time. “I can have the SSL VPN installed in 12 minutes,” he explains. “It takes much longer to customize the look and feel of the portal.”
For JMP, its SSL VPN has become a harbinger of its future as a virtual company. Although JMP purchased a license for 50 concurrent users, all 140 employees utilize the system at one time or another. “We have customized portal access, with access to servers down to the file lever,” Wilson says. “We can use a kiosk at a tradeshow, and all we need is an NT user name and password.” Staffers also make frequent use of home computers. “Because of our capabilities to make anyone, anywhere an effective employee, if we have a great guy in Boca, we don’t have to ship him $40,000 worth of equipment,” Wilson adds. “We can have him manage the connection himself.” A typical 50-user license of F5’s FirePass controller sells for $TK,000.
Surprisingly, the SSL VPN negated the idea to buy 40 to 50 laptops equipped with VPN clients, saving tens of thousands of dollars in upfront hardware costs alone. (Wilson points out that several key executives use laptops, and the company does plan to outfit frequent travelers with them.)
Despite its benefits, SSL VPNs are not the end-all for JMP. The company still employs static IPsec VPNs for branch offices in New York and Chicago. And the most sensitive files are inaccessible over the Web-based network. “Parts of our data have to be over-the-top, fundamentally secure,” Wilson cautions. “We don’t put those on the SSL VPN. We have mergers-and-acquisitions files, and if those leaked out we’d be in deep kimshee.” Client records and executable trades are also verboten.
But one unexpected advantage has been the streamlining of JMP’s disaster recovery and continuity plan—a scheme required by regulatory agencies. If an incident required employees to abandon their offices, they could still access company files from remote locations. “We have no big back-up location with desktops and offices,” Wilson admits. “The disaster recovery plan is, ‘Go home!’”
Matt Purdue, former Editor-in-Chief of Mobile Enterprise, is a freelance journalist based in New York.