VPN: Very Problematic Network?

By Amy Radonich
Assistant Director, Imaging Services
University of California San Diego Medical Center.


At UCSD Medical Center, we are among a growing number of institutions that swap radiology files back and forth in the cloud. This approach has many advantages over the ways that files have traditionally been shared. My favorite benefit, though, may be the opportunity to wean my facility off of VPNs.

VPN stands for “virtual private network.” But in my view, a better description would be “very problematic network.” If you've used VPNs, you could probably find less polite ways to depict them that would be just as apt.

VPNs were probably first developed for large companies that had offices in far-flung places or employees working from home. A VPN is essentially a private, password-protected pipe that two entities set up between them so they can share data privately and “securely” (I'll explain those quote marks below) over the Internet.

Medical facilities have been using VPNs to overcome a problem that has plagued medical IT for years: how to exchange data between facilities whose IT systems don't communicate with each other. But hospitals have special challenges that make VPNs especially problematic.

  • Security risk 1: Open window. In the way they are usually set up, VPNs provide a window through which the two facilities at either end of the pipe – which we'll call Hospital A and Hospital B – can view each other's file structures. If they can't resist the temptation, users can open files beyond the file of interest. In other words, besides transferring Jane Doe's latest CT scan, a user at a facility connected to UCSD could take a peek at my radiation department's patient census and staffing data. So not just patient information but competitive institutional information may be at risk.

    It's kind of like inviting your friend over for dinner and then finding out they've been poking around your bedroom and home office. With our cloud service, only the file of interest, which both parties have agreed to share, is accessed. The sender uploads it and the receiver downloads it – period.

  • Security risk 2: Incomplete file transfers. Confidentiality of patient information can also be breached if there is an incomplete transfer while a file is in motion. In contrast, our cloud service has multiple layers of security and transaction auditing to prevent such problems.

  • Security risk 3: Unauthorized users. Even though it takes a password to access a VPN, I don't always know the person on the other end of a VPN-mediated file transfer, how they got that password, and whether they're a security risk. That makes me nervous about giving another facility access to my IT system. The cloud service has tight controls over user access. Each authorized sending institution controls a verified list of users that can receive exams over the cloud. Only a verified user or users can receive access to a sent exam. The parties to the transaction and the details of the transaction are audited and transparent. We know who took part, what they did, and when.

  • Clinical impact. To create a VPN file transfer, the file of interest is generally first burned to a CD and then the data from the CD is uploaded to the VPN. The burning time and the uploading generally take about a half hour. By comparison, a transfer using the cloud service can be completed much faster – in as little as a few minutes. Recently, we began using this service for trauma patients being transported to our Level 1 Trauma Center. The time we save can mean the difference in saving a life or preventing an injury from turning catastrophic.

  • Workflow. VPNs consume enormous amounts of staff time that could otherwise be allocated for other purposes. In our case, the technologist who is burning CDs and uploading them to the VPN could be available to the trauma team if she weren't occupied with the VPN pipe. VPNs also take significant, costly technician time to maintain and troubleshoot, because you need a separate VPN for every two institutions that are connected. In other words, Hospital A needs one VPN to connect to Hospital B and another one to connect to Hospital C.

    Before we started using the cloud service and were more dependent on VPNs for file transfers, we had six to seven of them to manage. I estimate that each one took one to two days of a technician's time per month. That's 7 to 14 working days per month! Because we now use a cloud-based subscription service, maintenance, upgrading, and so on are the vendor's job, not ours.

  • Cost. Do the math on the labor time I just discussed. The number is sky high. Labor time with our cloud service is negligible – a few mouse clicks. The subscription cost to use the service is also extremely modest, which is why we're letting go of every VPN that we can.

Finally, there's the evolutionary factor. VPNs are the IBM Selectrics of the file transfer universe. Why risk patients' health – and your institution's precious resources – on yesterday's technology? With cloud-based file sharing, you can improve patient care, cut costs, and get more efficient, all at the same time.

 