Www.positivenetworks.com | Toll-free: 1-877-932-8671 1 How to have both Productivity and Security for Remote Access Solution in a HIPAA Environment Tom.

1 www.positivenetworks.com | Toll-free: 1-877-932-8671

How to have both Productivity and Security for Remote Access Solution in a

HIPAA Environment

Tom Nielsen – Director of Business Development

Positive Networks

[email protected]


Remote Access is critical for both patient care and to employee happiness• Physicians, administrators and other healthcare employees need access

to critical information all the time from many locations.

• Most healthcare facilities are not prepared to provide the necessary security that should be a part of serious remote access.

• Most facilities demand more than one remote access alternative– Full-time telecommuters need a rich experience– Convenience is paramount for occasional travelers – Kiosks demand web-based access


Security is critical, but it cannot be at the expense of productivity – must work together

• IT professionals need security and end-users want it to be simple

• If it is not simple and productive, then end-users will search for ways to “beat” the system, or will not use it at all.

• If it is not simple an productive for end-users, then it will turn into a support nightmare for the IT department than one remote access alternative


The Positive Networks Solution

PositivePRO Healthcare Service

• Hosted, managed remote access service (Anywhere & Anytime)

• No hardware install

• Web-based provisioning and installation

• Remote Print capabilities

• Customized policy enforcement and customized work experience for each user in any location

• Automatic updating for each remote PC

• Productivity apps for remote work

• Real-time end user support

• Real-time endpoint security (Firewall, A/V, Spyware, Critical updates)

• 2-factor Authentication available

• Site-to-Site


Is Your VPN the Weakest Link?Your network is only as secure as its most vulnerable entry point

• No matter what industry you’re in, you want to protect corporate data– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SAS70

• VPNs can create more security issues than they solve– Complexity creates problems– Virus incidents are the most common – Worm threats

• Cost of a security breach is high– Hundreds of thousands to millions (KPMG)

• All types of VPN deployments are at risk – when mistakes are made– In-house, outsourced, appliance, SSL, IPSec


Security Mistake #1Skipping Real-time Endpoint Security Monitoring

• Problems– Most VPNs just do a one-time limited security check– After the user signs on to the VPN, security policy violation occurs– User remains connected to the corporate network– Problem mitigation cannot be verified

• Things you need to do:– Real-time integrated monitoring of antivirus software– Real-time monitoring of client firewall with no user interface– Automate problem resolution and quarantine user until

compliance is verified– Develop reporting to monitor violations– Require users to be fully patched with Microsoft Critical Updates

before they can connect through the VPN– Distribute and update anti-spyware software, require frequent

spyware scans– Automate problem resolution and quarantine user until

compliance is verified


Security Mistake #2Relying on passwords along for secure authentication

• Examples– Recent survey: 1/3 of employees write down their password– Plain text passwords are often easy to guess, share, lose– Keystroke loggers can record your password

• Things you need to do:– Combining two or more authetication factors significantly

improves unauthorized authentication– Consider mobile users needs and device limitations– Who really wants to carry another device?


Security Mistake #3Leaving Critical Servers Accessible from the InternetAlso known as: The portal myth

• Problems– IT administrators are in conflict: Ease of

Use vs. Security– Don’t use your DMZ as a free pass to

ignore security!– Your company leaves web mail, Extranet

web sites, and application servers reachable from the Internet


Security Mistake #4Assuming Citrix and MS Terminal Server Eliminates the Need for Endpoint Security

• Problems– Forget what they told you: data doesn’t

really stay on the server!– Thin clients do nothing to secure the

endpoint– So, you’re sending all of your information

over a nice, encrypted tunnel to a completely insecure endpoint.


Security Mistake #4Assuming Citrix and MS Terminal Server Eliminates the Need for Endpoint Security• Examples

– Real world: Cerner at Columbia St. Mary’s– Doctor views confidential patient information

using the Terminal Services Client while someone monitors his activity with Back Orifice or VNC

– IT admins leave Citrix/nFuse readily accessible on the Internet for exploits and port scanners to discover (6 published Citrix exploits in the last 12 months)

• Things you need to do:– Fully authenticate the user and lock down the

PC, even if the user is connecting with a web browser, before you let them begin communicating with your critical Citrix or Terminal Servers.


Security Mistake #5Depending on Employees to Never Use Untrusted PCs For Work

• Problems– IT admins ship out preconfigured

corporate laptops and cross their fingers, with no assurance that the PC will remain secure

– Users will forward emails and files to their personal email accounts on their home PCs, but your IT staff is unwilling/unable to support home PCs – ignorance is bliss!

– You need the capability to do change security policies and apply updates for remote users in real-time, not just “whenever the employee brings the laptop in”


Remote Network Enterprise Solution

• VPN Remote Access…PositivePro

• Remote Print Agent - enabling backend printing

• Site-2-Site (WAN replacement)

• 2 Factor Authentication


Access path to match the application(s):

• Full Client (client based VPN LAN extension)– All the benefits of an IPSec client solutions without the limitations– Simple access from behind the firewalls, proxy servers and home networks– All software configuration elements are automatically supplied by the system

• SSL (WebTop…a complete personalized access portal)– Uses 192 Bit AES encryption & the local machine which is wiped clean upon

closing the browser (nothing is cached)– Dynamic Application Tunneling allows non web-enabled applications can be

ported through the SSL VPN making investment in web-enabled infrastructure and design unnecessary

– Web-based access from anywhere

• Remote Desk Top– Integrated in both VPN Client and WebTop – nothing to administer or setup, and

no additional software licenses to buy– Useful for bandwidth intensive applications outside of Citrix/Terminal Services

• If you can get internet access you can get connected.


A New Breed of Outsourced Remote AccessDesigned with service in mind

Positive’s Hosted Network Architecture


PositivePRO… Hospital & Cerner Applications Work Seamlessly Together…Access, Security and Support


PhoneFactor Authentication

How it Works

• User enters their username & password within the application

• Instantly, the user receives a phone call and enters a PIN number (password)

What Is It?

• Cellphone-based two-factor authentication service (also works with land lines)• Key to protecting data and patient confidentiality• Low cost• No equipment to purchase (no tokens or USB devices)• HIPAA compliant• Works with all applications


Acrobat Document


Site-2-Site


Sign Up for a Trial• Call: 1-877-932-8671• Visit: www.positivenetworks.com• Email: [email protected]

Positive Networks: Hosted, Managed Remote AccessFree Trial – No Hardware

Free Trial Offer

Complete Solution - Remote Printing - Tokenless 2-factor authentication - Full VPN Client - Web-based SSL VPN - Remote Desktop - Software-based Site-to-Site Key Features - Integrated real-time endpoint security - Built-in productivity features - Unlimited, live, free technical support for your end users


Questions?

Www.positivenetworks.com | Toll-free: 1-877-932-8671 1 How to have both Productivity and Security for Remote Access Solution in a HIPAA Environment Tom.

Documents

security mistake

security breach

security dont

security issues

necessary security

endpoint security problems

security policy violation

internet slide