When Genesis Health Systems started making plans to aggressively expand its wireless capabilities, it had several security challenges to consider. Among them: how to deploy patches over a wireless network where reception is better for some than others, and how to keep the connection from falling victim to data hacks and malware downloads.
"We have more than 200 wireless laptops in the environment and we want to roll out more," said Kevin Stanfield, client device administrator for the Davenport, Iowa, medical center. "The problem is making them secure while also providing for functionality."
Patching was one of the bigger challenges. "Wireless can be tricky because you can lose the connection," he said. "You don't want the problem where you're trying to download an entire patch, the connection goes down and you have to start over again."
When considering how wireless technology will help Genesis improve patient care, however, the security headaches are a small price to pay, said Todd Hazen, the senior systems administrator responsible for wireless deployments. Nurses are starting to use wireless laptops at patients' bedsides to update their medical records or order medicine. They can also contact doctors and other nurses using small wireless devices they wear around their necks. Produced by Cupertino, Calif.-based Vocera Communications Inc., the gadgets work like the communicator badges from the Star Trek universe.
"You tap a button on the device and say, for example, 'Call Sally Smith,'" Hazen said. "The device communicates with that person's badge. You don't have to pick up the phone if someone's heart rate needs checking. You can have instant communication with someone, no matter which campus they are at. You can use the device to get a nurse who may be in the lunch room."
There are currently two nurse stations where the entire staff is wearing Vocera badges, and multiple nurse stations have budgeted for them in the next fiscal year, Hazen said, adding, "We probably have 65 Vocera devices in use now. People are continuously asking for them."
Using Kansas City, Mo.-based Cerner Corp.'s Millennium architecture, the Vocera concept will be extended to the personal digital assistants (PDAs) used by doctors, said Joe Murray, another senior system administrator on the IT team. "This functionality will allow our doctors to access patient information normally accessed on a PC or laptop via wireless PDA," Murray said.
By eliminating the time it takes to dial a phone number or walk to a workstation to access patient records, hospital personnel can treat people more quickly and efficiently in the Genesis environment, which includes 5,000 employees, 50 doctors' offices, four hospital campuses across Iowa and Illinois, 2,700 workstations (including 250 laptops) and roughly 300 servers. In a business where time can mean the difference between life and death, Hazen said it doesn't take a rocket scientist to understand the benefits.
"This is all about making everyone and everything more mobile," he said. "It's about reaching a point where we're no longer relying on computers plugged into one place."
Finding the right security tools
While the benefits of wireless outweigh the security headaches, the organization has invested a lot of time, money and manpower to keep mobile devices protected against malware and compliant with the regulatory demands of HIPAA.
Stanfield said the 70-person IT department has found the best tool to manage security from a Redwood Shores, Calif.-based company called iPass Inc. The company's mobile connectivity services allow IT shops to enforce security policies over all connections, including those from public wireless hotspots. Among other things, Stanfield said the company has helped his organization overcome the patching challenge.
With elevated privileges, the IT staff can use the iPass technology to install software and patches on remote devices in pieces instead of all at once. "That way, you don't have the problem where you try to download an entire patch when the wireless connection goes down and you have to try again," Stanfield said. By installing it in pieces, they don't lose all the work if the connection is lost, he said.
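The piecewise, resumable approach described above, as an added illustration that is not Genesis's or iPass's code: the patch is split into fixed-size chunks, each chunk is hash-checked before it is kept, and a dropped link only loses the chunk in flight. The payload, the manifest and the `FlakyLink` transport are constructed for the example.

```python
import hashlib

# Constructed sample "patch" payload and manifest; a real deployment would
# pull chunks and the signed manifest from a management server.
PATCH = bytes(range(256)) * 40          # 10,240 bytes, exactly 10 chunks
CHUNK = 1024
MANIFEST = {
    "size": len(PATCH),
    "sha256": hashlib.sha256(PATCH).hexdigest(),
    "chunks": [hashlib.sha256(PATCH[i:i + CHUNK]).hexdigest()
               for i in range(0, len(PATCH), CHUNK)],
}


class FlakyLink:
    """Hypothetical transport that drops the connection after `fail_after` reads."""
    def __init__(self, fail_after=None):
        self.fail_after = fail_after
        self.reads = 0

    def fetch(self, offset, length):
        if self.fail_after is not None and self.reads >= self.fail_after:
            raise ConnectionError("wireless link dropped")
        self.reads += 1
        return PATCH[offset:offset + length]


def resume_download(state, link, manifest=MANIFEST, chunk=CHUNK):
    """Fetch only unverified chunks; `state` persists between attempts."""
    buf = state.setdefault("buf", bytearray(manifest["size"]))
    done = state.setdefault("done", set())
    for idx, expected in enumerate(manifest["chunks"]):
        if idx in done:
            continue                      # verified on an earlier attempt
        off = idx * chunk
        try:
            data = link.fetch(off, chunk)
        except ConnectionError:
            return False                  # keep partial progress, retry later
        if hashlib.sha256(data).hexdigest() != expected:
            return False                  # corrupt chunk: not recorded, re-fetched
        buf[off:off + len(data)] = data
        done.add(idx)
    # Only report success when the reassembled file matches the manifest hash.
    return hashlib.sha256(bytes(buf)).hexdigest() == manifest["sha256"]


def demo():
    state = {}
    first = resume_download(state, FlakyLink(fail_after=4))   # drops mid-way
    kept_after_drop = len(state["done"])
    second = resume_download(state, FlakyLink())             # stable link
    return first, kept_after_drop, second
```

Only the chunks missing after the first attempt are fetched on the second; a tampered or truncated chunk fails its hash and is simply requested again.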
The iPass services also allow the IT department to check on all the mobile devices in its inventory every 15 minutes. If a device hasn't checked in after a few days, the team can use iPass to track it down and determine if there's a security problem. If necessary, the department could remotely encrypt the hard drive or limit the device's wireless connectivity.
The vendor has also helped the organization battle spyware and other malcode. "We use a spyware detection tool called Stinger and we can run it on devices across the wireless network using the iPass service," Stanfield said. "We [also] use dynamic groups to identify affected machines and then advertise scripted fixes to ensure that any device that meets the criteria of an infected machine will execute the repair/removal of the problem."
The lesson of Sasser
Coincidentally, the IT team was testing the iPass service in late April 2004, when the Sasser worm ravaged networks across the globe. "We were getting serious about our wireless deployments and we knew we needed something to help ensure security, so we were trying out the demo," Stanfield said. "With Sasser it was all hands on deck for three days. We had people going PC to PC, cleaning machines out individually. We had half the laptops we have now, and they were all recalled for cleaning."
Now, he said, with one person and one click of the button, "we can do what took 70 people three days to do." What's more, he said the department learned that wireless connections can be used as a security measure in and of themselves, since patches and other software can be deployed to remote devices.
With mobile devices, there's always the risk someone will pick up someone else's laptop when it's still logged on to the user and "duck into a room and access what they shouldn't be accessing," Hazen said. "To prevent these scenarios, sensitive data isn't stored on the individual devices. Most of our applications run in Citrix sessions so there is no data stored on the local devices. The end user only sees the screens."
There are also timeouts that require reconnection with the proper credentials. Some devices have 30-minute timeouts, others two-hour timeouts, Stanfield said.
While the department is taking every security measure it deems necessary, Hazen said there will probably be new threats and maintenance challenges to contend with as the wireless network grows.
"We are in the process of adding a public VLAN and having the ability for patients and vendors to connect to the network," Hazen said. "How you achieve it without the threat of being hacked or the wrong people getting access is something we really need to be careful with."