the next big thing

Published: 16/01/2003, Volume II3, No. 5838 Page 16 17

Virtual private networks promise secure communications. Sally Whittle reports

The need for cost-effective and secure communications is driving a new generation of networking technology that promises faster, simpler and cheaper links between remote offices. And for once, the health service could find itself at the IT cutting edge.

Before virtual private networks were invented, there were two ways to connect two offices. You could pay tens of thousands of pounds for a dedicated, high-speed leased line that would run between them. Or you could pay for a regular internet connection, and suffer all the performance and security glitches this entails.

The first generation of VPNs emerged in the 1990s and offered a third option. Companies could use software to encrypt data traffic and 'tunnel' it securely through public networks without the long-distance charges associated with leased lines.

Spending on VPN technology has rocketed in recent years. However, few healthcare organisations have deployed the early type of VPN. The technology simply doesn't meet their needs, says Imran Shafiq, NHS and local government consultant at Harrier Zeuros consulting.

'There was concern about whether the products were truly secure, and how the lack of standards between the security protocols used by different vendors would affect data,' he says.

This uncertainty prompted the NHS Information Authority to ban VPN data from NHSnet until it agreed standards with vendors, something that is expected to happen early this year.

Forrester analyst Galen Schreck admits that the technology has important limitations. Information passing through a VPN can never truly be described as private, since it will be routed through several computer systems outside the sender's control.

VPNs also put sensitive data at the mercy of the internet - with its unreliable performance and inconsistent bandwidth.

Despite this, some industry experts still expect healthcare organisations to be at the front of the VPN adoption curve. This is because a new generation of VPN services is emerging with improved security, encryption and performance.

Sometimes called internet protocol VPNs (IP-VPNs), these services run over the networks of telecom providers rather than the public internet.

This improves security. Investment bank UBS Warburg recently signed a three-year, $40m contract with Cable and Wireless that will see all the bank's voice, data and internet traffic move to an IP-VPN.

This type of VPN is still cost-effective because it uses standard internet technologies and shares the costs of building the system between many customers - but there are additional benefits.

Because the network is privately owned, it can offer guaranteed levels of service based on the customer's requirements, for example. And many IP-VPN providers also offer additional services such as anti-virus and firewall software.

An IP-VPN is also simpler for end users. A doctor working in a hospital can access data held in a GP surgery, for example, with the same levels of performance and security as he or she would expect from their hospital's network.

One of the first trusts to use an IP-VPN service is United Bristol Healthcare trust, which signed up last summer. The new service allows doctors in the hospital to share files with local GPs, and sends x-rays securely over the internet to consultants who may work in different buildings.

The service has dramatically cut the cost and time of patient care, says Professor Narasimha Shastry, the consultant leading the project.

In the past, the hospital used couriers and internal post to distribute files and x-rays, because this was the only way to do it safely. However, that could take up to six weeks. 'Now it is virtually instantaneous,' says Professor Shastry.

United Bristol bought the IP-VPN from Telewest Business along with a package of added IT services, such as security software and network monitoring, which ensures performance remains high. The trust also pays for guaranteed service levels for different applications - voice calls are prioritised over less sensitive e-mails, for example.

These sorts of managed IP-VPN services are widely available from a number of other companies including Cable and Wireless, BT and Equant.

They are more expensive than traditional internet VPN because IT departments have to pay the supplier to manage and monitor their network for them - Telewest Business says managers should expect to pay a premium of 25-50 per cent.

However, in the long term, a managed service should be cheaper because the customer doesn't need to hire as many network staff.

This doesn't mean there is not a role for the traditional internet VPN. Peter Hankinson, business solutions manager for Your Communications, believes the technology is ideally suited where organisations are not worried about getting very fast performance or watertight security. 'For e-mail and other non-urgent communications, it is great. There is an argument for both sorts of technology in different situations,' he says.

Getting the message across: VPN in action

The great advantage of managed virtual private network services for healthcare managers is that they are not restrictive. Jim Laird, telecoms manager at Aintree Hospitals trust, uses VPN services from Cable and Wireless, Telewest Business and Your Communications. 'It doesn't cost anything to join, and once you're a member, you do not have any obligations other than to send them some network traffic every so often,' he says.

Aintree is an acute trust with one large site in Liverpool and five smaller sites around Merseyside. These sites are linked using leased lines, rather than VPN technology, because the distances involved are short enough for this to make financial sense. However, the trust uses a VPN to carry voice data between its network and other hospitals, primary care providers and GPs' surgeries across the region.

'The Telewest service makes sense where we have a very small office in a GP surgery and we do not want to put in a dedicated link,' says Mr Laird. 'It means that they can dial into our network without any problems, and they have access to all the functionality that we have.'

However, Telewest doesn't operate in Greater Manchester, so Aintree trust has joined a VPN service operated in that region by Your Communications. The network was set up initially to connect the medical school at Manchester University to local medical experts and has now been extended to organisations in Birmingham and Merseyside. It mainly carries voice data, allowing hospitals to make freephone calls to other sites on the network, though a monthly service fee is payable.

Mr Laird believes that the savings in this area alone have cut telecoms costs by 20 per cent, but the service also allows mobile workers to dial in to the hospital's servers using freephone numbers, dramatically cutting both telecoms and management costs.

Finally, Mr Laird is connected to the national VPN, NHSnet. This carries both voice and data, but the service is still immature.

The key issue in VPN adoption is education, Mr Laird says. As chair of the NHS's communications management group and the Telecom Managers' Association health forum, he is a keen advocate of VPN technology. 'Most small clinics and GPs are just going to BT for their phone line and their ISDN and are not really aware of the alternatives,' he says. 'It is up to the larger hospitals and industry bodies to help the smaller sites get on-board and see the benefits and the savings of VPNs.'

What is a virtual private network?

Most IT systems are based on a private network that can only be accessed by people physically connected to it. However, this presents a challenge for organisations with multiple sites or branch offices. Physically extending the network to connect these sites is expensive, but using the internet to provide dial-in access could compromise security and performance. A VPN is a compromise: it provides access that looks like a physical 'private' network over the internet or phone system, but it uses special software to improve security.

How does it work?

A VPN relies on software installed on the network at all the sites it connects. Each site has a short amount of cable that connects the corporate network to the internet or local phone network. The sites also install software that encrypts data using a technique called 'tunnelling' before sending it off across the network. The software at the other end retrieves the data and unscrambles it.

Main types of VPN

The first VPNs used the internet and tunnelling to link sites to the same network. The problem with this sort of VPN is that it puts the users at the mercy of the internet - if there is a blackout or a pipeline somewhere collapses, your network could collapse with it. For this reason, internet service providers and telecoms companies developed internet protocol VPNs. This means using standard internet technology to build networks over which VPNs could run. The advantage for customers is that they get the benefits of a VPN but without the risks, because the telecoms can monitor and control the network.