The University Health Network might open its physical doors to anyone in need of care, but when it comes to wireless network access, it’s by invitation only.
The UHN, which comprises the Toronto General, Toronto Western and Princess Margaret
hospitals, says it has been forced to take a VIP approach to its wireless network due to the need to protect private patient data, said Dave Eagan, architect, infrastructure development.
“We had people bringing in their own access points and plugging them in, which I’m sure has happened in a few places,” he said. “We had to shut that down.”
Eagan said the UHN has been piloting wireless for a number of years. It started out using 802.11b and has since upgraded to 11g, and is in the process of rolling out a medication order system. That project, expected to be complete by the end of 2005, will require a high degree of mobile functionality, he said.
To wrest back control over the epidemic of random access, the UHN implemented an enterprise wireless gateway from Burlington, Mass.-based Bluesocket Inc.
“Bluesocket acts as gateway to our network,” Eagan said. “It presents a login screen and it verifies whatever is received with the domain controllers on our network. You don’t even get to that domain unless your wired equivalent privacy and your service set identifier (SSID) are presented as well.”
The UHN has about 150 Spectralink mobile voice over IP phones, as well as a number of mobile notebooks and mobile Wyse thin client devices and some PDAs.
And although some employees such as doctors do use their own devices, such as BlackBerrys, they would only be able to access the public Internet in wireless hotspots.
“There are a few Palm type devices but we have to know about them; we approve them ahead of time, so we discourage random access,” said Eagan. “Unless that is verified the device has no access to our network; they can’t browse or do anything.”
Privacy legislation is the driving force behind the UHN’s approach, he said.
“We’re putting clinical data over this network so it’s very important that casual access doesn’t occur and that we know not only the device but because of Bluesocket we know the person that is using it,” he said.
But while controlling access to the network is one issue organizations have to worry about, there is also the issue of what happens if a mobile device containing private personal data is lost, as is frequently the case, according to a recent survey.
The survey, by European mobile security firm Pointsec, found there were an estimated 11,300 laptops, 31,400 handhelds and 200,000 mobile phones left in taxis around the world in the last six months.
To protect that data, Addison, Texas-based Credant Technologies is touting its Mobile Guardian software. The product, explained Canadian-born Ian Gordon, Credant’s vice-president of marketing, works by allowing organizations to deploy to desktops software that can control whether users can or cannot synchronize their devices. If the devices are approved, they are forced to download the encryption software before the synchronization process can be completed. So if the device is lost, its data can’t be accessed.
“You can set it up by policy so when someone does try to synch it will automatically force our security agent onto the device,” Gordon said. “It walks the user though the configuration process where they pick how they are going to log in, whether with a pin or password, and after that the device is set up with the security software on it and it’s effectively controlled by our central server where it’s defined how that security software is going to work.”
The product currently supports Windows 2000 and XP as well as the mobile platforms used on Palm, Windows and Blackberry devices. The company is currently working on supporting the Symbian OS as well.
Gordon added it’s important to have more security than that typically found on most mobile devices because it’s so easy to get around most basic security measures.
“Most people feel pretty safe — they think they have their password and that must protect the information, but the reality is, if you know what you’re doing you can get by that Windows password in short order,” he explained. “For example, you can put a floppy disk or CD-ROM in and boot to DOS. Once you’re in DOS you can access the whole hard drive.”
As well, he added, there are other easily available tools to hack the Windows password.
“You have to make sure the data stored on that on hard disk, the data you care about, is encrypted so only an authorized user can get at it.”
For the UHN’s Eagan, however, Credant’s offering doesn’t provide enough peace of mind.
“We’re a Cisco shop, so we did look at Cisco solutions and other third parties,” he said. “Bluesocket was purchased 15 months ago and we haven’t reviewed it since because it’s working fine.
Credant’s software, he added, is a good solution, but although it protects the device, it encourages casual access to the network.
“We’re trying to be very prescriptive on how many people get onto the network,” he said. “If you’re downloading encryption from Credant, it doesn’t necessarily verify that it’s Dr. Smith getting on. With what we have I know it’s an approved device and an approved person.”