Linux in the Medical SOHO

Linux in the Medical SOHO 1

Linux in the Medical SOHO:

The Application of Linux in the Small Medical Office

Steven Marcus

East Carolina University DTEC 6870

Summer 2005 Linux in the Medical SOHO 2

Abstract

This paper examines the small medical office and its balance of a need for internet connectivity with ever increasing security demands for medical information. This balancing act is nothing new and can be approached with excellent solutions from numerous vendors. However, these solutions, although effective, are many times cost prohibitive for a small office with only a few employees. The Linux operating system has been growing steadily in use for the past decade driven partially by the fact that the operating system itself is free. This paper considers whether Linux is an appropriate tool to use in the small medical office for controlling access to the internet, protecting the office and its information from intruders, and for connecting virtual private networks to remote hosts and networks. Linux in the Medical SOHO 3

Linux in the Medical SOHO:

The Application of Linux in the Small Medical Office

The past decade has seen drastic changes in the ways that information is handled, stored, and used. Perhaps nowhere is this seen better than in the medical profession. Information has traditionally been vital in medicine, but against a backdrop of today’s legal climate for medicine, medical information takes on a whole new level of importance. Historically, medical offices stored huge amounts of data in paper format, and medical transcription was done at the office. The PC revolution allowed records to be stored digitally and made medical transcription an ideal job to be telecommuted to the home office. Broadband internet connections now allow medical offices to quickly share information with transcriptionists, hospitals and other offices. Although these advances have been seen as a boon to the industry, security quickly became an issue to be addressed.

Adding to the complexity of data in medicine, on April 21, 2005, medical information security moved from being just an ethical issue to a legal one. This was the deadline for compliance with HIPAA. (Amatayakul, 2004, p. 58) HIPAA is the Health

Insurance Portability and Accountability Act. The federal registry states that the integrity, confidentiality and availability of health care information must be assured.

(Federal Registry, Feb. 20, 2003). For this reason, all health care fields including insurance companies are now very concerned about the security of their data. The web site for the American Medical Association describe penalties for violations that range from small fines to very large fines and prison time. For example, the penalty for willingly disclosing individually identifying medical information can be a ten thousand dollar fine and a year in prison. The more serious offence of disclosing or selling Linux in the Medical SOHO 4 individually identifiable medical information for personal gain or to harm someone allow for fines of up to two hundred fifty thousand dollars and ten years in prison. Clearly, these examples indicate criminal intent which more than likely would not be present in the average small medical office, but the examples do serve to show the seriousness of lawmakers. Compared to criminal penalties, civil penalties can range from one hundred to twenty-five thousand dollars per year. Even the Department of Health and Human

Services can exclude any entity that does not comply from participation in Medicare.

Since there are very few offices where all patients pay entirely in cash, this alone is a very big reason to devote whatever effort is necessary to comply. (HIPAA Violations and Enforcement, 2005)

In light of these security violation penalties, businesses are responding. The

‘CIO Decisions’ web site reports that ‘over 60% of small to medium sized hospitals will increase their IT staff in 2005, largely to comply with HIPAA.’ (CIO Decisions, July

2005) Accordingly, even the way that medical office technology and transcription is taught in community colleges is changing due to HIPAA. According to Donnah Cole,

RHIA, instructor at Asheville Buncombe Technical Community college in Asheville,

North Carolina, instructors now have to spend a proportion of class time teaching this subject, which did not even exist five years ago. (personal communication, June 2005).

Given these security problems, network administrators in the health care field have many different options to attack this challenge. Most of the large networking companies such as Cisco, Lucent, and Microsoft offer hardware and software solutions that are robust, reliable, and work out of the box. These solutions work well for larger hospitals and companies with budgets that can withstand the large price tags of the products, but there are many smaller businesses in this industry. For these companies, Linux in the Medical SOHO 5

Linux, a free operating system with the ability to perform the job of firewall and router

(as well as others), can be an attractive solution.

Linux is an operating system that has grown steadily in the past decade mainly within the computer science community, but now with backers such as IBM and Novell,

Linux is gaining serious ground in the business world. In 1991, Linus Torvalds wrote a kernel for the unix-like operating system and joined it with many existing software programs from a project named GNU. The project all together took on Torvalds’ name and grew quickly on the internet as Linux. From the onset, the whole project was open- source and free. The fact that it is free makes it appealing from a fiscal standpoint, and the fact that it is open-source means that everyone can read the code that programs are made from, meaning anyone can improve upon it or find problems. Many would argue that this makes Linux more secure.

In order to connect a local network to the internet, the routing function must be performed, a service for which Linux is well suited. A router keeps local packets local and passes packets with remote destinations out to the internet. Linux can perform routing at the kernel level as long as two or more network interface cards are installed in the computer and configured correctly. Using RedHat Linux, a file named / proc/sys/net/ipv4/ip_forward is set to 1 and this begins the process of routing. To make this permanent, the file /etc/sysctl.conf must be modified to turn this on at boot time.

Normally when connecting a local network to the internet, the local network is Ethernet, but the broadband connection to the internet can be several different things. Linux can use most any type of network card and many are available for connections such as T1, frame-relay and DSL. Linux magazines even advertise components for this purpose specifically. Linux in the Medical SOHO 6

The function of firewall must also be addressed. According to webopedia, a firewall is ‘a system designed to prevent unauthorized access to or from a private network’. (webopedia) Routers and firewalls both perform this function through the use of Access Control Lists (ACLs). An ACL is filter in the form of a statement that specifies either hosts or networks as sources or destinations, protocols and whether these packets should be passed or dropped. A typical ACL for a Cisco router would read:

access-list 101 permit tcp host 192.168.33.1 host

192.168.0.1 eq www

A similar access-list in linux would be something similar to:

iptables –A FORWARD –s 192.168.33.1 –d 192.168.0.1 –p tcp –

dport 80 –j ACCEPT

Though the syntax is somewhat different, it is fairly easy to translate from one statement to the other. In this way, the firewall can permit only web or e-mail traffic through and prevent hosts outside the network from making connections to hosts inside. The Linux computer itself can also protect itself from unwanted access through

ACLs or simply by turning off processes that have opened ports and are unneeded.

Since routers are normally stand alone appliances, they do not generally have as much power, storage, or RAM space as a computer would have. The larger platform is one of the reasons that Linux has a more robust filtering system.

A Linux computer can also perform the function of Network Address Translation or NAT. Sometimes called PAT or Port Address Translation (notably by Cisco), or IP masquerading, NAT translates all internal private network addresses into a single public address when sending packets out to the internet. This translation prevents computers Linux in the Medical SOHO 7 external to the local network from seeing the address of the local computers. A Linux computer would implement this with the command

iptables –A POSTROUTING –t NAT –o 204.204.1.1 –s

192.168.0.0/24 –d 0/0 –j MASQUERADE

In this instance 204.204.1.1 is the public interface connected to the internet and would be the only address seen by external computers and 192.168.0.0 would be the local network.

HIPAA specifies that data is to be encrypted if it leaves the local network, for example to go out onto the internet. HIPAA is intentionally vague about how this is to be done, but the task is obviously well suited to VPNs. A Virtual Private Network is a private network that is constructed using a publicly accessible network like the internet.

An alternative to a VPN would be to purchase point-to-point links from the local network to any remote hosts or networks. This solution, while very secure, can quickly become cost prohibitive. The concept of a VPN is simple: both sides of the VPN should have a connection to the internet, and then an encrypted ‘tunnel’ is built to pass information through. The tunnel is a conceptual construct that ensures that any information that is captured from the internet cannot be read. For a VPN implementation example, a medical transcriptionist would have a cable connection at home, and the small medical office would have a DSL connection. A dial-up connection is possible on the client end, but obviously the speed of the connection might become a hindrance. The home user in this instance would be considered the ‘client’ and create the connection by connecting to the internet, and then simply set up a VPN connection using the standard connection manager that comes with the later versions of Windows. The small medical office would be the ‘server’ or VPN concentrator (a Linux host in our example) and Linux in the Medical SOHO 8 would be capable of accepting multiple connections from VPN clients. Theoretically, many (hundreds) of VPN connections into the VPN server could be possible, with the limiting factors being the saturation of the incoming network connection and the processor load of the server machine. To help alleviate one of these issues, manufacturers like e-bullion (www.e-bullion.com) and evidian (www.evidian.com) produce hardware in the form of a card that can be installed in a server to specifically perform cryptographic calculations, relieving the main processor of this burden. Once the tunnel is created, the client computer behaves just as if it were directly connected to the remote network. It even receives an IP address for the remote network, just as if it were there. Files, printers, and all other network resources are available, but at a reduced speed. To consider the speed disparity, the average LAN runs at one hundred million bits of information per second. A broadband connection would run around one million bits of information per second. When using a VPN, the large amount of overhead for cryptography also must be considered that would not be necessary in a local connection. In spite of the disproportion in speed, if a VPN is used for simple text file transfers as would be the case in medical transcription, the speed difference would probably go unnoticed. It would only be necessary to move to another technology if large data files were routinely transported. In addition to allowing a remote host access to a network, VPNs can be used to securely connect two different networks, as would be needed when connecting two small medical offices, or connecting an office to a hospital.

When creating a VPN, there are several different protocols (and combinations of protocols) to choose from with different strengths and weaknesses. Probably the simplest way to set up a secure connection is with SSH or Secure SHell. This program Linux in the Medical SOHO 9 has long been used to log into remote machines securely for terminal access, but it is also capable of defining tunnels for single ports. SSH could be cumbersome if many different applications will be sent across the connection, but it can be efficient if defining each port does not cause too much administrative burden. SSH has been compromised in the past, but it enjoys a large base of maintainers and security patches are generally quickly available. The protocols PPTP (Point to Point Tunneling Protocol) and MPPE (Microsoft Point to Point Encryption) are a pair of Microsoft protocols that can be used together to create VPN connections. PPTP does the job of setting up and maintaining the connection itself and MPPE is the encryption protocol. This is reasonably easy to set up, with the only caveat being the fact that encryption is handled at the kernel level, so it might need to be recompiled. The more popular and secure protocol choice is IPSEC. IPSec is a protocol that is included in IP version 6 that has been back ported to version 4 and is implemented by the FreeS/WAN and OpenS/WAN packages. (Bauer, 2005)

Aside from the functions of firewall and router that could be obtained from dedicated appliances, a firewall built with Linux offers more features. A Linux computer can serve as a secure file or web server with large amount of inexpensive storage space. Network services such as DHCP and DNS are easy to configure. An open source program named squid can be used to cache web pages or control access to web sites. Virtually any of the thousands of pieces of software developed for Linux can be ran without problems as long as ports are not unintentionally opened on the public side of the firewall.

Finally, to truly compare a Linux based firewall/router with application specific hardware appliances, the platforms themselves should be considered. Out of the box Linux in the Medical SOHO 10 solutions such as Cisco’s PIX are built to perform a specific task while running on a very specific piece of software with limited RAM and storage space. There are advantages to this design. Normally a firewall should only perform the function of being a firewall.

Other processes that are running that are not vital to the firewall function can be sources for compromise for intruders. Since these appliances do perform only a set number of functions, they are generally fast. Disadvantages are also numerous; the most obvious being cost. Where a simple PC running Linux with a couple of network cards can be as cheap as four or five hundred dollars, most good firewall / router appliances are in the thousand dollar and up range. Expandability also proves to be costly. Almost all components including interfaces, RAM, and storage space are more expensive on dedicated equipment if it can be upgraded at all. The advantages of the

PC running Linux are numerous. The most obvious advantage, cost, stems from the fact that the vast majority of the components are standard PC parts that are easily available, and mass-produced to the point of affordability. The configurability of the

Linux kernel also allows features to be added or removed as needed, or stripped down to run on hardware that is less than state of the art. David Gartner of Foundation

Technologies in Asheville, NC claims that over the last four years he has configured

Linux firewalls for thirty to forty small to large size businesses, most of which were internet service providers. Gartner also says that none of these firewalls have suffered a serious security breech despite the fact that no dedicated firewall software was used.

(2005, personal communication)

Cost can come in many forms that are not always apparent. Stating that Linux is entirely free can be considered oversimplification. If a business implements a Linux firewall, it must also support it through personnel in house or have an outside provider Linux in the Medical SOHO 11 perform administration. This may or may not be a drawback. Another drawback to the

Linux firewall solution can be its complexity. This feature that allows for so much customization can be more complicated to administer than a stand-alone solution.

Those who enjoy extensive service agreements might also balk at the lack of direct support for Linux. If a PIX fails, Cisco sells 24x7 service agreements to resolve problems anytime. With Linux however, the support is up to the installer and his own personal knowledge of Linux. Some distributors of Linux, such as RedHat, now provide service agreements, but since Linux is not built specifically for firewalling, the support’s expertise is likely to be more general.

Whether searching for security solutions or fifty pound bags of potato chips at a discount warehouse, a bit of knowledge is required to discern a good deal from a bad one. Linux is no exception, and the same arguments have followed it from its beginning. If a company has personnel or access to personnel with a good knowledge of Linux, a Linux firewall is a great way to save a lot of money and implement a secure, upgradeable, configurable security solution. In the instance of small medical office, this support would possibly come from a local service vendor, or acquired through cooperation of several offices. As Linux grows as an operating the number of qualified people will grow making the Linux firewall a more viable option for smaller businesses.

In the short term, Linux is a good option for those who are willing to trust in less popular solutions. Linux in the Medical SOHO 12

References

Amatayakul, Margaret (2004, May) The HIPAA security shopping list. Journal of

American Health Information Management Association, 75, 58.

Bauer, Mick (2005, January) Paranoid Penguin – Linux VPN Technologies. Linux

Journal. Retrieved July 9, 2005 from

http://www.linuxjournal.com/node/7881/print

CIO Decisions (2005, July) Retrieved July 10, 2995 from site

http://cisdecisions.techtarget.com/magItem/1,291266,sid86_gci1100990,00.html

Federal Registry (February 20, 2003)

http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.g

ov/2003/03-3877.htm

HIPAA Violations and Enforcement (2004, December 12) Retrieved July 11, 2005 from

http://www.ama-assn.org/ama/pub/category/11805.html

Webopedia (n.d.) Retrieved July 9, 2005 from

http://www.webopedia.com/TERM/f/firewall.html