Catholic Health Systems’ (CHS) initial attempt to provide remote access to its 1,200 doctors in western New York via a VPN didn’t fare well. The biggest stumbling block was rolling the client application to doctors’ home-based PCs.

While the Buffalo healthcare services provider has the VPN for the few users with laptops, it forged ahead to find a better solution to provide physicians with remote data access. Doug Torre, CHS’ director of networking and technical services, decided to investigate Web-based access.

Heading to the Web
CHS’ primary database used Siemens’ Hospital Information System (HIS) software, but because it ran on top of Microsoft’s Internet Information Server (IIS), which has suffered from security issues in the past, Torre was concerned about the ability to guarantee the privacy of data. This was more than a general concern; once the Health Insurance Portability and Accountability Act (HIPAA) goes into effect, CHS is legally bound to ensure that data is tamper-proof.

Torre began an investigation into the security features of Web servers. “We wanted a Web proxy that would be both secure and authenticated,” he explained, “but would also be easy to use.” After testing several Web application servers in April of this year, he learned of the Mountain View, CA -based company Neoteris, whose PartnerAccess software offered what the company described as an “instant virtual extranet.” It was essentially a secure Web server, sending data via traditional HTTP and also via encapsulated Secure Sockets Layer (SSL).

“It wasn’t the first product we tried, but it was the easiest. We had its fundamental configuration up and running with our application on the network in half an hour,” related Torre. “We discovered it could make our internal Web servers secure, and it was a more manageable way to distribute back-end Web services.”

In its initial deployment, the Neoteris software is being used by 20 doctors at CHS. When users access the secure Web site running on the Neoteris server, their identity is authenticated with a two-tier system. The user puts in a user name and a PIN, and then adds a pass code that appears on a key fob supplied by RSA Security. Torre described the key fob as a pillbox-sized device with an LED display that changes every minute.

A healthy payback
Torre considered having a third party host the secure Web sites, but feared a future state of complexity in which each outsourced vendor might require him to deploy separate access methods for each system. Instead, he chose to have CHS manage the system itself.

“Putting this framework in place allows us to redistribute Internet-based solutions systems securely,” he said. “Now that the infrastructure’s in place, we can leverage it for other things, and there will be collateral benefits for HIPAA.”

Torre calculates a one-year ROI for the Neoteris project, in part based on no longer having to deal with the VPN.

“There’s definitely a return in terms of [decreased] support issues, potential hardware and software issues, and help desk calls.” He added that it’s impossible to measure the value of not having the radiologist come to the hospital in the middle of the night, but there’s value in it nonetheless.

Ready for the future
Torre plans to have the Neoteris capability deployed to 500 of CHS’ doctors by the end of this year. The only stumbling block, apart from the extranet, is a shift in the way outpatient data is collected so that it can be incorporated into the HIS database. He hasn’t yet determined the schedule for putting the rest of CHS’ 1,200 physicians on the system.

Torre and his team know they’ll be ready for HIPAA, but stressed that government regulations weren’t the only project motivation.

“Proliferation of this kind of data-sharing for health care is a requirement to operate now,” said Torre.

“Getting the right data to the right people efficiently is what IT is all about. That’s how all business runs today, not just health care. In my opinion, you have to do it effectively or die.”