Linux in the Medical SOHO 1 Linux in the Medical SOHO: The Application of Linux in the Small Medical Office Steven Marcus East Carolina University DTEC 6870 Summer 2005 Linux in the Medical SOHO 2 Abstract This paper examines the small medical office and its balance of a need for internet connectivity with ever increasing security demands for medical information. This balancing act is nothing new and can be approached with excellent solutions from numerous vendors. However, these solutions, although effective, are many times cost prohibitive for a small office with only a few employees. The Linux operating system has been growing steadily in use for the past decade driven partially by the fact that the operating system itself is free. This paper considers whether Linux is an appropriate tool to use in the small medical office for controlling access to the internet, protecting the office and its information from intruders, and for connecting virtual private networks to remote hosts and networks. Linux in the Medical SOHO 3 Linux in the Medical SOHO: The Application of Linux in the Small Medical Office The past decade has seen drastic changes in the ways that information is handled, stored, and used. Perhaps nowhere is this seen better than in the medical profession. Information has traditionally been vital in medicine, but against a backdrop of today’s legal climate for medicine, medical information takes on a whole new level of importance. Historically, medical offices stored huge amounts of data in paper format, and medical transcription was done at the office. The PC revolution allowed records to be stored digitally and made medical transcription an ideal job to be telecommuted to the home office. Broadband internet connections now allow medical offices to quickly share information with transcriptionists, hospitals and other offices. Although these advances have been seen as a boon to the industry, security quickly became an issue to be addressed. Adding to the complexity of data in medicine, on April 21, 2005, medical information security moved from being just an ethical issue to a legal one. This was the deadline for compliance with HIPAA. (Amatayakul, 2004, p. 58) HIPAA is the Health Insurance Portability and Accountability Act. The federal registry states that the integrity, confidentiality and availability of health care information must be assured. (Federal Registry, Feb. 20, 2003). For this reason, all health care fields including insurance companies are now very concerned about the security of their data. The web site for the American Medical Association describe penalties for violations that range from small fines to very large fines and prison time. For example, the penalty for willingly disclosing individually identifying medical information can be a ten thousand dollar fine and a year in prison. The more serious offence of disclosing or selling Linux in the Medical SOHO 4 individually identifiable medical information for personal gain or to harm someone allow for fines of up to two hundred fifty thousand dollars and ten years in prison. Clearly, these examples indicate criminal intent which more than likely would not be present in the average small medical office, but the examples do serve to show the seriousness of lawmakers. Compared to criminal penalties, civil penalties can range from one hundred to twenty-five thousand dollars per year. Even the Department of Health and Human Services can exclude any entity that does not comply from participation in Medicare. Since there are very few offices where all patients pay entirely in cash, this alone is a very big reason to devote whatever effort is necessary to comply. (HIPAA Violations and Enforcement, 2005) In light of these security violation penalties, businesses are responding. The ‘CIO Decisions’ web site reports that ‘over 60% of small to medium sized hospitals will increase their IT staff in 2005, largely to comply with HIPAA.’ (CIO Decisions, July 2005) Accordingly, even the way that medical office technology and transcription is taught in community colleges is changing due to HIPAA. According to Donnah Cole, RHIA, instructor at Asheville Buncombe Technical Community college in Asheville, North Carolina, instructors now have to spend a proportion of class time teaching this subject, which did not even exist five years ago. (personal communication, June 2005). Given these security problems, network administrators in the health care field have many different options to attack this challenge. Most of the large networking companies such as Cisco, Lucent, and Microsoft offer hardware and software solutions that are robust, reliable, and work out of the box. These solutions work well for larger hospitals and companies with budgets that can withstand the large price tags of the products, but there are many smaller businesses in this industry. For these companies, Linux in the Medical SOHO 5 Linux, a free operating system with the ability to perform the job of firewall and router (as well as others), can be an attractive solution. Linux is an operating system that has grown steadily in the past decade mainly within the computer science community, but now with backers such as IBM and Novell, Linux is gaining serious ground in the business world. In 1991, Linus Torvalds wrote a kernel for the unix-like operating system and joined it with many existing software programs from a project named GNU. The project all together took on Torvalds’ name and grew quickly on the internet as Linux. From the onset, the whole project was open- source and free. The fact that it is free makes it appealing from a fiscal standpoint, and the fact that it is open-source means that everyone can read the code that programs are made from, meaning anyone can improve upon it or find problems. Many would argue that this makes Linux more secure. In order to connect a local network to the internet, the routing function must be performed, a service for which Linux is well suited. A router keeps local packets local and passes packets with remote destinations out to the internet. Linux can perform routing at the kernel level as long as two or more network interface cards are installed in the computer and configured correctly. Using RedHat Linux, a file named / proc/sys/net/ipv4/ip_forward is set to 1 and this begins the process of routing. To make this permanent, the file /etc/sysctl.conf must be modified to turn this on at boot time. Normally when connecting a local network to the internet, the local network is Ethernet, but the broadband connection to the internet can be several different things. Linux can use most any type of network card and many are available for connections such as T1, frame-relay and DSL. Linux magazines even advertise components for this purpose specifically. Linux in the Medical SOHO 6 The function of firewall must also be addressed. According to webopedia, a firewall is ‘a system designed to prevent unauthorized access to or from a private network’. (webopedia) Routers and firewalls both perform this function through the use of Access Control Lists (ACLs). An ACL is filter in the form of a statement that specifies either hosts or networks as sources or destinations, protocols and whether these packets should be passed or dropped. A typical ACL for a Cisco router would read: access-list 101 permit tcp host 192.168.33.1 host 192.168.0.1 eq www A similar access-list in linux would be something similar to: iptables –A FORWARD –s 192.168.33.1 –d 192.168.0.1 –p tcp – dport 80 –j ACCEPT Though the syntax is somewhat different, it is fairly easy to translate from one statement to the other. In this way, the firewall can permit only web or e-mail traffic through and prevent hosts outside the network from making connections to hosts inside. The Linux computer itself can also protect itself from unwanted access through ACLs or simply by turning off processes that have opened ports and are unneeded. Since routers are normally stand alone appliances, they do not generally have as much power, storage, or RAM space as a computer would have. The larger platform is one of the reasons that Linux has a more robust filtering system. A Linux computer can also perform the function of Network Address Translation or NAT. Sometimes called PAT or Port Address Translation (notably by Cisco), or IP masquerading, NAT translates all internal private network addresses into a single public address when sending packets out to the internet. This translation prevents computers Linux in the Medical SOHO 7 external to the local network from seeing the address of the local computers. A Linux computer would implement this with the command iptables –A POSTROUTING –t NAT –o 204.204.1.1 –s 192.168.0.0/24 –d 0/0 –j MASQUERADE In this instance 204.204.1.1 is the public interface connected to the internet and would be the only address seen by external computers and 192.168.0.0 would be the local network. HIPAA specifies that data is to be encrypted if it leaves the local network, for example to go out onto the internet. HIPAA is intentionally vague about how this is to be done, but the task is obviously well suited to VPNs. A Virtual Private Network is a private network that is constructed using a publicly accessible network like the internet. An alternative to a VPN would be to purchase point-to-point links from the local network to any remote hosts or networks. This solution, while very secure, can quickly become cost prohibitive. The concept of a VPN is simple: both sides of the VPN should have a connection to the internet, and then an encrypted ‘tunnel’ is built to pass information through.