By Salvatore Salamone
March 10, 2003 | New security products from Aventail Corp. and HealthAgent.Net promise to help companies conducting clinical trials to meet next month's Health Insurance Portability and Accountability Act (HIPAA) deadline.
The two products are designed to meet HIPAA compliance when it comes to electronic transmission, offering security features such as user authentication, access control, and encryption that ensures the confidentiality of patients' medical records as mandated under HIPAA by the U.S. Department of Health and Human Services. Organizations that deal with patient records, including hospitals, research universities, clinical research organizations, and pharmaceutical companies, are required to have HIPAA-compliant systems that ensure the privacy of patient records in place by April 14.
Products from Aventail and HealthAgent.Net can help, but industry experts point out that HIPAA compliance requires more than IT solutions. "HIPAA is not about technology," says Jon Bogen, CEO of the consultancy HealthCIO Inc. "It's about cultural change and people change."
For example, Bogen notes, people can walk into a hospital without a pass, go into a conference room, sit in on meetings, and hear and see things. "What good does encryption do you in a case like that?" he asks, adding that employee training is the other key piece of HIPAA compliance.
Aventail's EX-1500 hardware appliance taps the encryption capabilities within a common browser -- Secure Sockets Layer (SSL) security -- to establish secure communications channels over which patient records can be accessed. On a network or the Internet, the EX-1500 sits between a user and the application server that maintains patient records. When a user wants to access patient information, the EX-1500 authenticates the user to make sure that he or she has permission to view or modify the records. Once authenticated, the user's request is passed along to the application server. All communications, including the sending and receiving of any patient data, are over a secure and encrypted SSL link.
Products such as Aventail's that authenticate a user's request and then use the SSL security feature within a browser to secure data transmissions set up what are called SSL-based virtual private networks (VPNs). Use of VPNs for HIPAA compliance is growing. A recent study by the networking consultancy Infonetics Research Inc. found that Q3 2002 worldwide revenue for VPN and firewall hardware and software products grew 4 percent to $668 million. That number is for all uses of VPN and firewall products; however, the study found that one major factor driving VPN usage is the need to meet HIPAA compliance requirements. The study also noted that the 4 percent is respectable in what is typically a slow quarter, according to Jeff Wilson, executive director of Infonetics Research. And Infonetics predicts revenue will increase by 30 percent to $874 million by Q3 2003.
Until now, SSL-based VPN systems offered access only to data in Web-based applications. Aventail's EX-1500 has a feature called OnDemand that uses a Java applet to open up access to client/server applications such as Lotus Notes, Citrix MetaFrame, and TN3270 emulators.
The OnDemand capability (i.e., SSL-based access to client/server applications) is something new in the remote access market and has some desirable benefits. "You won't have to change a user's machine to give them access to client/server applications," says Jeffrey Bernstein, network engineer at Overlake Hospital in Bellevue, Wash. In the past, giving users secure access to a client/server application using a VPN required special client software on each user's machine.
Such client software is tricky to set up and configure and often needs to be updated on a regular basis, all of which adds to the burden on an IT staff. "We're very much against managing remote desktops," Bernstein says. For that reason, Overlake is beta-testing the OnDemand feature of the EX-1500. The hospital already uses Aventail products to provide secure access to Web-only applications for more than 200 doctors and about 500 medical staffers.
The EX-1500, available now, starts at $24,000.
HealthAgent.Net takes a different approach. Its product, HealthAgent, consists of client and server software that allows managers to set up secure peer-to-peer (P2P) networks. Each computer that is to be part of the secure P2P network needs to have the client software loaded onto it. A server component, called HealthAgent Server, authenticates users who want to set up a secure P2P connection between two computers. Once a user is authenticated, usually by providing a user name and password, the server passes each individual’s IP address and cryptographic keys to the other user's PC. The keys are then used to encrypt and decrypt all the data flowing between the two machines. HealthAgent.Net uses 256-bit public key encryption.
After this process has been completed, users can share files, communicate using instant messaging (IM) software, and even run applications on a remote computer -- all in a secure manner. Additionally, managers can opt to have all IM chat threads automatically archived. That means a life science company could use a third-party reporting tool to produce IM audit trails, which would likely be needed to meet other data-handling regulatory requirements such as 21 CFR Part 11.
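The server-mediated session setup described above, as an added example that is not HealthAgent.Net's code: a hypothetical KeyServer authenticates the requester and only then hands each peer the other's IP address plus a fresh session key, which the peers use to encrypt and integrity-check their traffic. It substitutes a server-issued 256-bit symmetric key and an HMAC-based stream cipher (standard library only) for the product's public-key scheme, and the user records and addresses are constructed.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(key, nonce || i). Stdlib stand-in for AES-CTR.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Split the 256-bit session key into an encryption half and a MAC half; encrypt-then-MAC.
    enc_key, mac_key = key[:16], key[16:]
    nonce = secrets.token_bytes(16)            # fresh per message, so keystreams never repeat
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:16], key[16:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify the tag in constant time before touching the ciphertext; reject tampering outright.
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyServer:
    """Hypothetical stand-in for the HealthAgent Server role (constructed for this example)."""
    def __init__(self):
        self._users = {}   # name -> (salt, password hash, ip)

    def register(self, name: str, password: str, ip: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = (salt, digest, ip)

    def _authenticate(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def open_session(self, requester: str, password: str, peer: str):
        # Key material is released only to an authenticated requester, and only toward a known peer.
        if not self._authenticate(requester, password) or peer not in self._users:
            return None
        key = secrets.token_bytes(32)          # fresh 256-bit session key, one per session
        for_requester = {"peer_ip": self._users[peer][2], "key": key}
        for_peer = {"peer_ip": self._users[requester][2], "key": key}
        return for_requester, for_peer
```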
HealthAgent is available now and priced at $299 for a single user and $149 per user for 1,000 or more users.
HealthCIO’s Bogen notes that IT solutions are useful in meeting HIPAA requirements. "There are many products that give you access control and auditing features," he says. "But the key requirement is cultural -- you need to find out who requires legitimate access to [patient records]." And people within the organization handling the data need to be aware of what's required of them. For instance, everyone needs to know not to share passwords or pass confidential information to friends or family members.
Some of this is common sense, but Bogen and others say both IT solutions and cultural change are needed to meet HIPAA requirements. To that end, "every employee in the hospital had to take online HIPAA training," Overlake's Bernstein says.