VA med center keeps a watch on Web traffic
- By William Jackson
- Aug 15, 2002
The Long Beach, Calif., VA Medical Center wanted to put more patient services online.
'We have an older clientele,' said Michael Mitchell, information resources management chief at the Veterans Affairs Department facility. 'But the interest level is still high' in online services.
For more than a year, www.long-beach.med.va.gov
had been ready to provide online services. It already had telephone services for appointment reminders, call-in prescription refills, and copayment and medication information. And the telephone services contractor, Mumps AudioFax Inc. of Malvern, Pa., had designed similar Web applications.
But security concerns, such as ensuring that pages being served up had not been tampered with, delayed implementation until this year.
'We want to be sure the information is secure and correct,' Mitchell said. 'The No. 1 issue is that authenticated information is being displayed.'Validated Web data
VA adopted exit-control technology from Gilian Technologies Inc. of Redwood City, Calif., to ensure content integrity. The company's G-Server appliance uses digital signatures to validate outgoing Web data.
It has worked well so far, Mitchell said. An outside team hired to test server security in advance managed to break in and deface the site. But they could not see their defacement, because the G-Server would not display the defaced page.
'We've since fixed that vulnerability,' Mitchell said.
If firewalls, intrusion detection systems and antivirus software all fail, G-Server pays attention to what is going out. It sits at the gateway between the Web server and the Internet, inspecting all traffic to and from the server.
When an authorized person creates a static document, page or object, it is digitally signed with an encrypted numeric code tied to the contents. Whenever a site visitor requests the document, the G-Server creates another numeric hash of what is to be served up and compares it against the digital signature.
'If they match, G-Server will display it,' Mitchell said.
If they don't match, it means the content has been altered. The appliance instead serves up a copy of the last authenticated version from its encrypted cache. The administrator can receive an alert about the tampering by e-mail, phone or pager.
For dynamic content, G-Server looks at a digital signature on the script used to create the page. If the signature checks out, the page is served. If the script has been altered, a default page appears and the administrator is alerted.
The G-Server has no IP address and is invisible to hackers. It uses a proprietary protocol to communicate with the Web server, said Jeffrey L. Leeds, director of product marketing for Gilian.
It supports Microsoft Internet Information Server, Apache, Netscape and Sun Microsystems iPlanet server software. The administration and signing console runs under Microsoft Windows NT 4.0, Win 2000 and Win98.Safety net
For about a year before adoption at Long Beach, the exit control technology had been tested in the department's San Diego Healthcare System.
Besides its own Web site, the San Diego IT group hosts sites for the VA Southern Nevada Healthcare System and for the Veterans Integrated Service Network's 22 regional sites.
'It's inevitable that something is going to happen,' said Mike Wojcieszek, chief technology officer for the San Diego center. 'You need a safety net, a secondary defense. That's what this provides.'
Tests in a production environment at San Diego showed no appreciable service degradation from the appliance. After about a month, administrators began getting alerts that Web content had been altered. The altered pages were not displayed. Administrators tracked down and corrected a virus infection.
Keeping such a system from backfiring requires close attention by those who post new content, however. In tests at Long Beach, 'there was an omission where the webmaster did not update the authentication on a new page,' Mitchell said. Without the digital signature, the new page could not be displayed.
The Long Beach center is counting on its online services to reduce pharmacy and scheduling workloads while making life easier for patients. At least one freestanding kiosk will go into service at the center for patients' use.
William Jackson is freelance writer and the author of the CyberEye blog.