Running MDsuite Safely Over the Internet
Overview
The Internet is quickly becoming the connection of choice for remote access to business applications, because of its relatively low cost.
However, running "mission critical" business applications over the Internet, especially healthcare applications that store sensitive information, is not without its perils. It is not possible, nor will it ever be possible, to run healthcare applications with "absolutely impenetrable security" - and you should beware of software and technology vendors who make statements to the contrary.
With this in mind, it can be stated that it is possible to run a healthcare application such as MDsuite in a way that is secure to the point that it is virtually (but not absolutely) impossible for an outside intruder to view your MDsuite data over the Internet. This can be done by providing three features to your Internet connection to MDsuite: Network Address Translation ("NAT"), Double Authentication and 128-bit Encryption.
The first feature, Network Address Translation, should already be in place in any office that will run MDsuite (or any healthcare application) and will also have a constant ("broadband") Internet connection. Simply stated, NAT works to connect your private network to the public network (the Internet) in a way that essentially hides your private network's computers from the Internet. Please consult your networking technician to be sure that your network uses NAT, because it is essential for the protection of your data.
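The hiding effect the paragraph attributes to NAT comes from the translator being stateful: it rewrites outbound packets to the single public address and admits an inbound packet only if an inside workstation already opened a mapping for that exact remote endpoint. The toy model below is an added illustration, not code from the MDsuite document or from DSI; the addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
# Added example, not part of the MDsuite document: a toy stateful
# (port-restricted) NAT. Addresses are constructed documentation values.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Rewrites outbound packets to the one public address and only forwards
    inbound packets that answer a mapping an inside host created first."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network, creating a mapping
        the first time this inside socket talks to this remote endpoint."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means dropped,
        which is what happens to every unsolicited packet (scans included)."""
        private = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if private is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, private[0], private[1])


def demo() -> dict:
    """A workstation's outbound connection, its reply, and two probes."""
    nat = Nat("203.0.113.10")                         # office's public address
    ws = Packet("192.168.1.20", 51000, "198.51.100.5", 443)
    on_wire = nat.outbound(ws)                        # what the Internet sees
    reply = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", on_wire.src_port))
    # Unsolicited traffic: a scan of the RDP port, and a different host
    # guessing the mapped port. Neither matches a mapping, so both are dropped.
    probe_rdp = nat.inbound(Packet("198.51.100.77", 4444, "203.0.113.10", 3389))
    probe_port = nat.inbound(Packet("198.51.100.77", 4444, "203.0.113.10", on_wire.src_port))
    return {
        "on_wire_src": (on_wire.src_ip, on_wire.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_rdp_forwarded": probe_rdp is not None,
        "probe_same_port_forwarded": probe_port is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model shows why NAT is necessary but not sufficient: it blocks unsolicited inbound connections to workstations, but it does nothing for traffic a user initiates outward, and the port forwarding needed to publish a VPN, Terminal Services or web server deliberately punches a hole through it, which is why the remaining two features still matter.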
The remaining two features can be obtained by using one of four technologies, which will be described below: Virtual Private Networking (or "VPN"), Microsoft Windows 2000 Terminal Services ("WTS"), Citrix Metaframe, and SSL Certification.
All four of these technologies provide the first feature, Double Authentication, by first requiring users to log on to the Microsoft Windows 2000 domain at the central location, then requiring the user to log on to MDsuite. And all four provide the second feature, 128-bit encryption. The four options differ greatly, however, in terms of cost and capability. This document will briefly chart the positives and negatives of each of the four options. You are encouraged to choose one of the four technologies discussed here, and hire a computer networking professional - preferably one who is certified in the technology that you choose.
Summary of Options
| | VPN | Citrix | Terminal Services | SSL Certificate |
| --- | --- | --- | --- | --- |
| Run other applications? | Yes | Yes | Yes | No |
| Cost? | $0 to $5000+ | 5 users: $3600+; 15 users: $10000 [1] | 5 users: $795; 20 users: $2669 [2] | $900+ |
| MDsuite performance with dialup? | Poor | Best | Better | Poor |
| Ease of installation & use? | Most difficult | Difficult | Easy | Easiest |

[1] List prices for Citrix MetaFrame are accurate as of July 2002. Contact Citrix for up-to-date information.
[2] List prices for Microsoft Windows Terminal Services are accurate as of July 2002. Contact Microsoft for up-to-date information.
Option 1: Virtual Private Networking
Overview
Virtual Private Networking, or "VPN," is a term used to describe the joining of two Local Area Networks ("LAN") into a private network over the Internet. This is done by encrypting all data that is passed between the two remote locations, and by requiring authentication for those who wish to join the VPN. There are dozens of VPNs to choose from, so if you decide to use this technology, expect to spend some time researching the variety of brands to choose from.
Description of Setup
To set up VPN, a VPN / Remote Access Server ("RAS") is set up in the central location (the one containing the MDsuite database). VPN client software is installed and configured on the remote workstations, as is the MDsuite workstation software. Those remote workstations are then able to connect "virtually" to the central location's private network - so they can connect to the MDsuite server at the central location just like any other workstations on that network.
Advantages
- Allows users to access most Microsoft Windows applications from a remote location, not only MDsuite.
- Some VPNs provide encryption of up to 168-bit.
Disadvantages
- The first disadvantage is directly related to the first advantage: if an intruder gains access to your VPN connection, they may be able to access all resources on your network.
- A VPN connection to MDsuite will only perform well if the Internet connection between the two endpoints is fast - at least 256kbps. A dialup connection to the Internet is therefore not suitable for VPN.

Options 2 and 3: Microsoft Windows Terminal Services (WTS) and Citrix Metaframe
Overview
Both options 2 and 3 are operating system add-ons that enable a remote connection capability. WTS should be thought of as the built-in option that allows you to offer remote connections to your Microsoft Windows 2000 Server. Every copy of Microsoft Windows 2000 Server includes the software it needs to be able to act as a WTS server, although it may not be installed by default. Citrix MetaFrame is a third-party tool that adds features to those of WTS for offices that require more administrative control over remote connections and compatibility with multiple client operating systems. Both WTS and Citrix provide fast, reliable connections to the central location and both provide sufficient data encryption.
Description of Setup
In this installation, a server is added to the network that will contain WTS (Microsoft Windows Terminal Services). If you choose to install Citrix MetaFrame as well, then MetaFrame is installed after WTS. Once the WTS/Citrix Server software is installed properly, the MDsuite Workstation software is installed on this server. You do not need to install MDsuite workstation software on your remote workstations; you only need to install the Terminal Services client or the Citrix client, depending on which option you chose to use on your server. If you are using Microsoft Windows XP on your remote workstations, the WTS client is already installed and can be located under Start > Programs > Accessories > Communications > Remote Desktop Connection.

Advantages
- Allows system administrators to choose whether the remote users are able to access any application that the server supports, or only MDsuite.
- WTS connections are easily managed from the WTS Server.
- Both WTS and Citrix provide good data encryption.
Disadvantages
- Requires you to hire an experienced WTS or Citrix technician to set up and administer the system.
- You should only try to support about 25 users per WTS / Citrix server.
- If you do not already have Citrix installed, purchasing it in addition to WTS can be expensive.
Option 4: SSL/TLS Server Certificates
Overview
If you have ever purchased anything from a web site such as Amazon.com or eBay, you may have noticed that during the most sensitive parts of the transaction a lock appears at the bottom of your web browser to let you know that your connection to that server is being secured. The security being used in most cases like these is known as Secure Sockets Layer security, or SSL. This technology uses "certificates" to allow a server to identify itself to the remote workstations that connect to it, and vice versa.
In its typical usage, a web server provides a "certificate" when a secure https: request is received. When the user's computer receives the certificate it automatically checks with a third party ("Certificate Authority") to verify that certificate's authenticity (the server "is who it says it is"). Once this certificate has been accepted and authenticated by the client, the client's data can be sent to the server using 128-bit or higher data encryption (the level of encryption used by e-commerce companies like Amazon.com and the military).
Transport Layer Security (TLS) is a newer, more secure version of SSL that may not be supported by all software just yet. It appears that it may overtake SSL in the future as a new standard for secure web-based connections but this is yet to be proven. Please check with your networking technician for more information about TLS.
Description of Setup
In this installation, you would install an SSL certificate from a Certificate Authority (CA) such as VeriSign into the MDsuite Application server (which is running IIS). The CA issues the certificate to the server so that the server can prove its trustworthiness to the clients that connect to it.
Advantages
- Very high security is provided whether you use SSL or TLS.
- Once it is set up properly, it should provide seamless data protection for MDsuite users. No extra logins are required since the client workstation and the server exchange certificates automatically.
Disadvantages
- Usually requires you to hire an experienced SSL or TLS technician to set up and administer the system.
- Can be expensive since certificates must be renewed annually.
- Remote users can only run the applications that are published via the web server with the certificate; i.e., MDsuite.
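Two points in this option deserve a concrete check: the overview's description of the client verifying the server certificate with a CA before sending data under 128-bit or stronger encryption, and the disadvantage that certificates must be renewed annually. The block below is an added example, not code from the MDsuite document or from DSI: it builds the weak client configuration (encrypts but never verifies the server) beside the hardened one using Python's standard `ssl` module, reports each context's properties, and checks how many days a certificate has left using a constructed certificate dictionary in the shape `SSLSocket.getpeercert()` returns. The hostname `mdsuite.example.test` and the dates are assumptions.

```python
# Added example (not from the MDsuite document or DSI): a client-side TLS
# configuration that enforces what the text asks for (server certificate
# verified against a CA, 128-bit or stronger encryption) next to the weak
# configuration it replaces, plus a renewal check for the annual certificate.
import ssl
from datetime import datetime, timezone
from typing import Optional


def legacy_context() -> ssl.SSLContext:
    """The setting to avoid: the handshake still encrypts, but the client never
    checks who it is talking to, so any server could impersonate the MDsuite host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate chain and hostname against the CA bundle
    (the system store when cafile is None), and refuse protocols older than
    TLS 1.2 and cipher suites weaker than 128-bit AEAD."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")    # TLS 1.2 suites; TLS 1.3 suites are all AEAD
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties a reviewer would check before go-live."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "min_strength_bits": min(c["strength_bits"] for c in ctx.get_ciphers()),
    }


def _as_utc(now_utc: str) -> datetime:
    """Parse an ISO 8601 timestamp; a naive value is taken to be UTC."""
    now = datetime.fromisoformat(now_utc)
    return now if now.tzinfo else now.replace(tzinfo=timezone.utc)


def days_until_expiry(peercert: dict, now_utc: str) -> int:
    """peercert is the dict SSLSocket.getpeercert() returns after a verified
    handshake; notAfter is in OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' form."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    return (expires - _as_utc(now_utc)).days


def renewal_due(peercert: dict, now_utc: str, warn_days: int = 30) -> bool:
    """True when the certificate should be renewed; an expired certificate makes
    every hardened client refuse to connect, so alert well before notAfter."""
    return days_until_expiry(peercert, now_utc) <= warn_days


# Constructed sample (assumed hostname and dates); a real one comes from
# sock.getpeercert() on a socket wrapped with hardened_context().
SAMPLE_CERT = {
    "subject": ((("commonName", "mdsuite.example.test"),),),
    "notBefore": "Jul  1 00:00:00 2002 GMT",
    "notAfter": "Jul  1 00:00:00 2003 GMT",
}

if __name__ == "__main__":
    print("legacy  ", context_report(legacy_context()))
    print("hardened", context_report(hardened_context()))
    print("days left:", days_until_expiry(SAMPLE_CERT, "2003-06-20T00:00:00"),
          "renewal due:", renewal_due(SAMPLE_CERT, "2003-06-20T00:00:00"))
```

To connect, wrap a socket with `hardened_context().wrap_socket(sock, server_hostname="mdsuite.example.test")`; the handshake fails unless the server's certificate chains to a trusted CA and names that host. The legacy context is kept only to make the difference visible in a report, and the expiry check is the detection side of the annual-renewal disadvantage.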
Disclaimer
DSI does not support or guarantee compatibility with third-party software or hardware, even if DSI has recommended such products.
The information contained in this document is provided "as is" without warranty of any kind, and is subject to change without prior notice. Data Strategies, Inc. disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Data Strategies, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Data Strategies, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages, so the foregoing limitation may not apply.