RedCreek Communications has announced a new virtual private network (VPN) product that it says can help health care organizations comply with rigorous new privacy standards quickly and inexpensively.

RedCreek's 3VPN Authenticator is a Java-based applet that securely forwards the identity of users as they try to access remote applications and servers. While any company that needs strong authentication and access control could use the product, RedCreek is targeting health care organizations that must comply with regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA). RedCreek says the product can help eliminate one of the most costly software programs necessary for the health care companies as they seek to comply with HIPAA.

VPNs enable companies to save money on leased lines by carving secure channels across the Internet to link sites within a single organization, or to connect to business partners and customers. But VPNs establish secure channels only between sites. To meet HIPAA requirements, additional tools are required to determine who is at each end of the connection.

"You need to limit who can use the physical machine," says Avi Rembaum, director of industry marketing for RedCreek. "Our authentication allows that to happen."

The authenticator binds an individual user on a RedCreek VPN to a specific desktop computer by regularly challenging the user with a username and password prompt. The challenge comes not from the end user's computer, but from a central server. Only users who can successfully answer the prompt are allowed access to the VPN and any sensitive files. Alternatively, the product can be used with tools such as RSA Security's SecurID tokens, which implement a challenge/response mechanism.

Jeff Phillips, a director with consultancy TeleChoice, Inc., in Tulsa, Okla., says the Authenticator would be useful for any company that requires secure communications with partners or offsite workers, such as consultants working on projects at a customer location. The product offers a simplified way to grant access to specific individuals at a given location, as opposed to everyone at the site, as is the case with plain vanilla VPN offerings based on the IPSec protocol.

"The biggest thing Authenticator does is simplify the requirements for applying and differentiating access control down to the individual user level," Phillips says. "Also it's Java-based, so you only need one version of it to address various operating systems."

The VPN Authenticator also lets one health care organization connect securely with multiple others simultaneously via a single RedCreek Ravlin VPN appliance. For example, a medical office could link to a health insurance company, a hospital and a transcription service at the same time, providing each party was using the 3VPN Authenticator.

As HIPAA regulations have not yet been finalized, Rembaum says,"We have designed our systems so that when the regulations are finalized, we [will] meet the Internet community's standards. We are tracking and keeping ourselves up to date as best as possible."

The 3VPN Authenticator comes packaged with RedCreek's Ravlin appliances. The Personal Ravlin 2, an appliance for up to five users, with Internet sharing and firewall is $550. The Ravlin 7160, with support for an unlimited number of users and throughput of up to 70Mbps, costs $8,900.