HIMSS Webinar Delivering Secure, Point-of-Care Access ...VDI Implementation –Before: •450 Wyse...
Delivering Secure, Point-of-Care Access - Anytime, Anywhere
HIMSS Webinar
© 2014 Teradici Corporation.
Agenda
> Introduction
> VMware® Point of Care™ Solution
> PCoIP® Zero Clients Secure End Points
> North Kansas City Hospital Solution
> Questions and Answers
Today’s Webinar Participants
Tisa Murdock, Director End User Computing Solutions, VMware
Ziad Lammam, Director Product Management, Teradici
Geoff Schillare, Manager Information Technology, North Kansas City Hospital
Hashtags & Handles For Social Sharing
> #HealthcareVDI
> #HIMSS14
> #PCoIP
> #VMware
> #Imprivata
> @VMware
> @Imprivata
> @NKCHospital
> @Teradici
Tisa Murdock, Director End User Computing Solutions, VMware
VMware AlwaysOn Point of Care™ Solution
Tisa Murdock, Director, EUC HC Solutions
Healthcare Transformation
Device Proliferation, Consolidation, Remote Access, OS
Migration - Continue to Accelerate Change
Caregivers Work Differently with High Expectations
OS ACCESS
DEVICES APPS
Transition to a New Clinical Computing Era Has Begun
Access
• Technology should be invisible
• No Tolerance for Downtime
Apps and Data
• New web-based and SaaS apps
• Secure Collaboration
Devices
• Multiple Devices, Zero Clients, Thin Clients, Mac, PC…
• I want to use an iPad! What is next?
Business and Technology Transformation are Connected
Healthcare Tomorrow
Healthcare Today
Legacy HIS Apps New HIS Apps SaaS Apps/Svcs
Analytics
Industry & Infrastructure Transformation
Data/Application Transformation
Consumption & Delivery Transformation
1980-?
Healthcare IT’s Journey to Connected Care
2010 2013-Beyond
Complex & Brittle
Client/Server App Silos
Healthcare Infrastructure Technology
Hybrid Legacy/SaaS
Any Device
Secure Collaboration
Connected
Care
Healthcare must be able to adopt the cloud in a non-disruptive and evolutionary way
Cloud Based Clinical Desktop
Adoption
Empower with AlwaysOn, Anywhere Access
Fast, Secure Access to Patient Data
Native Experience From Any Device
Enterprise Apps
SaaS Apps
3D Apps
A New Clinical Desktop
Transform: Simplify desktops, diverse apps and data into centralized services
Deliver: Empower clinicians with flexible access across devices, locations and connectivity
Next Generation Workspace
Broker: Manage & Secure centrally and broker services to your workforce by policy
Access depending on device, location or group
Connected Clinicians
VMware Horizon Suite - Integrated Workspace
My Apps, My Desktop, My Files
Must Haves for Point of Care Solution
Availability
• Paperless demands continuous service
• “Care Contract” now includes IT
• Downtime – Planned or unplanned not acceptable
Mobility
• Workspace must roam – on or off premise
• Device agnostic
• Quality of life / faster decisions
Security
• Generic or auto-log-in, shared passwords are not compliant
• Patient care trumps all …
• Must be lightweight yet strong
First Step – Deliver Clinical Workspaces as Managed Service
Persona
Applications
Operating System
Centralize Management
Data, Desktops, Applications
Display to Any Device
A Managed Service Model
With VMware Horizon View
All Apps Available from Single Workspace
The Clinician Login Experience with SSO
Steps
1. Sign in to desktop
2. Wait for Windows
3. Authenticate to Virtual Desktop
4. Select Application
5. Authenticate
6. Treat Patient
Tap Card
5-7 Second Reconnect Time from Terminal to Terminal*
*Forward Advantage Independent 3rd party testing – August 2011
VMware AlwaysOn™ Point of Care Solution
http://www.vmware.com/files/pdf/solutions/VMware-AlwaysOn-Solution-Datasheet.pdf
Tested / Validated
Multi-Path
Constant Replication
End to End Redundancy
Stateless Desktop
1. User authenticates and connects to Site A
2. Site A Fails
3. Users' View Session Drops/Fails
4. User re-authenticates
5. User is automatically connected to Site B
Infrastructure
Security
Single Sign On
Broad Eco-system of Partners
Zero Clients
Resources
TCO/ROI Calculators and Assessment tools
• http://roitco.vmware.com/vmw/
More information on VMware AlwaysOn Point of Care Solution
• http://www.vmware.com/solutions/industry/healthcare/point-of-care.html
• Booth #2535 at HIMSS 2014
Follow us on Twitter, Blogs, and Facebook
• @VMwareHIT
• http://blogs.vmware.com/healthcare/
• http://www.facebook.com/vmwarehit
Thank You
Transforming the Cost, Quality and Delivery of Patient Care
Ziad Lammam, Director of Product Management, Teradici
Teradici PCoIP Provides the Richest, Most Secure Remote Desktop Experience
Over any network
…to any device
PCoIP Essential Features and Benefits
Features | Benefits
1. Host Rendering | Provides a rich user experience
2. Optimized Multi-codec | Optimized bandwidth and image quality
3. Dynamic Network Adaptation | Automatically delivers best possible user experience under changing network conditions
4. Only Encrypted Pixels are Transmitted | Data stays secure
What Challenges Does the Administrator Face?
> Conform to corporate security mandates
> Maintain control over sensitive user data
> Endpoint management
• Security updates
• Anti-virus
• OS patches
> Ensure uncompromised user experience
Maximize your desktop virtualization strategy with PCoIP Zero Clients
Zero Client Benefits
Features | Benefits
1. Powerful hardware decode | Teradici TERA processor for PCoIP
2. Multiple form factors | Available from 50+ vendors
3. Zero maintenance | No OS, browser or drivers; no codecs, patches or viruses
4. Ultra secure | No local storage, just a 5MB firmware; no attack surface, no application data, just pixels
1M ZERO CLIENTS HAVE ALREADY SHIPPED to enterprises worldwide
Highest Level of Security and Ease of Management
> No local storage
> Only hardware decode for encrypted PCoIP data
Centrally managed persistent data
Persistent application data locked down in VDI server
Encrypted PCoIP pixels are sent
No application data is ever delivered to PCoIP Zero Client
A Comprehensive Suite of Security Features
> Best VDI client on the market for security-critical deployments
> No Windows/Linux OS and no hard drive
SECURITY FEATURE | SECURITY BENEFIT
No Windows/Linux OS | No viruses or spyware, no patches, no maintenance
No persistent user data | No local storage to lock up at night
No application data sent over network | Only fully AES-encrypted pixels are sent over the network
SIPR hardware token support | Supports secure SIPR authentication mandated by DoD
802.1x network authentication | Allows network devices to be authenticated before use
Fiber support (100BASE-FX) | Fiber option to further secure endpoints on network
IPv6 Ready | Ready for government mandates for IPv6 deployments
Support for CAC/PIV smart cards | Supports a variety of CAC/PIV smart cards required by federal and government agencies
Single Sign-On (SSO) with Imprivata
Security with Rapid Access
> Streamlines Workflow
> Strong Authentication
> Ease of management and rich user experience
Manual entry of USERNAMES and PASSWORDS are replaced with our NO CLICK ACCESS
Just TAP YOUR BADGE and our authentication and single sign-on does the rest.
EVERYONE BENEFITS!
• Care Providers
• IT Department
• Clinical Leadership
Imprivata enhances care delivery by providing FAST, SECURE ACCESS to patient information
Wide Industry Adoption of PCoIP Technology
HEALTHCARE: Secure patient data in the data center, provide flexible access throughout facility, provide high-resolution lossless viewing capability for medical images
EDUCATION: Engage students with rich secure computing experiences. Focus on teaching not troubleshooting, simple to deploy and manage.
GOVERNMENT: Secure sensitive information, provide secure remote access and peripheral (USB) authorization
FINANCIAL SERVICES: Eliminate the heat and noise of multiple workstations, provide immediate moves, adds, changes
MEDIA AND ENTERTAINMENT: Prevent loss of intellectual property, eliminate heat and noise at the desk, and support off-shore contract workers
MANUFACTURING: Centralize large proprietary CAD data files, eliminate heat and noise at workstations, provide third party suppliers secure remote access
Resources
> PCoIP Healthcare Solutions
> What is a PCoIP Zero Client
> Using Imprivata Single Sign On with PCoIP Zero Clients
> Follow Us on Twitter, Facebook, and LinkedIn
Geoff Schillare, Manager of Information Technology, North Kansas City Hospital
North Kansas City Hospital:
• Independently owned acute-care facility with 451 licensed beds and six centers of excellence in cardiac care, cancer care, women’s health, orthopedics, emergency services and minimally invasive surgery.
• Achieved national recognition, most recently in the US News & World Report’s 2013-14 ranking of the best hospitals in the metro area, a prestigious list showcasing only 15 percent of the nation’s approximately 4,800 hospitals.
– NKCH was #3 out of 52 in the KC Metro area
• Located 7 minutes from downtown Kansas City, MO
• 72-acre campus consisting of six main buildings
• Opened for business March 30, 1958 as an 80-bed facility
• 2900 employees, 600 physicians and ancillary professionals
• Two wholly owned subsidiaries: NorthCare Hospice and Meritas Health Corporation
North Kansas City Hospital IT is composed of:
54 personnel divided into four main departments/components:
• Infrastructure/Communications/Help Desk
• Applications
• Project Management Office
• Security
• 903 (16.7 avg) years of IT experience with an average tenure of nearly 11 years at NKCH
Overall IT Support Footprint:
24/7 support to over 4000 users
3500 computing devices
300 different clinical and enterprise applications to include multiple EMRs (Acute/Emergency, Ambulatory, Home Health, Hospice)
• Cerner Millennium is hosted remotely and supported by IT and Clinical Informatics
450 virtual servers, 200 physical servers spread among two data centers
80 Network Infrastructure devices in 48 Telecommunications Rooms/Closets
Business and Technology drivers for VDI at NKCH:
– Increasing clinician flexibility/mobility/productivity
• No more device-centric computing
– Improving user experience
• Uniform, consistent, and streamlined experience with virtual desktops and tap-in, tap-out access
– Optimizing point-of-care compute device type according to usage
• 95% Task Workers accessing the same applications mostly delivered by web or Citrix
– Decreasing cost while increasing useful life of endpoint hardware
• Zero Clients less than Desktops, three vs. five/six year lifetime
– Decreasing desktop provisioning, support and management costs
• Centralized management of images vs. individually imaged/configured endpoints; every day is a new day/new VM, fewer components to break
– Accommodating requests for diverse client endpoints
• Laptops, Tablets, Mobile Phones
– Increasing endpoint security (ePHI)
• Sensitive data contained in data center vs. on endpoint
History of Desktop Virtualization at NKCH
– Spring 2008: NKCH Systems Engineers started using VMware VDM 2.0.
– Fall, Winter 2008: Preliminary research, testing environment evaluation and use case validation. Wyse V10L thin client hardware running XP-Embedded with the VDM Client installed.
– Summer 2009: VMworld conference announcement that VMware View 4.0 would feature a software implementation of PCoIP accelerated preliminary project planning.
– Winter 2009/2010: Official production pilot with View 4 and software-based PCoIP deploying 10 Wyse Thin Clients on nursing unit, then rolling out 10 per month for a few months at a time.
– Summer 2011: Technology advances involving Teradici PCoIP and Imprivata OneSign integration increased conceptual project planning.
– March 2012: Main project initiation
– Aug & Sep 2012: Deployed 650 PCoIP Zero Clients in six weeks
– Feb 2014: Currently have 800 Zero Clients deployed with another 150 or so devices accessing VDI via the View Client
Computing Device Endpoint Before/After VDI Implementation
– Before:
• 450 Wyse Thin Client X90L Laptops
– Management of a thin client with a Windows Embedded OS caused issues, constant viruses, etc.
– Preferred Wyse ThinOS
• 200 HP Compaq dc5800, Pro 6000, 8200 Elite Desktop Workstations
– After:
• 650 Samsung NC190-1 PCoIP Zero Clients
Primary hardware
• Servers: Five HP ProLiant BL460c Gen8 Blade Servers
– Two Intel Xeon E5-2670 8 core processors and 192GB of RAM each
– Housed in HP c7000 BladeSystem enclosures split between two data centers
– Supported by redundant HP VirtualConnect Flex-10 Ethernet modules connected to our routed core and 8Gb FC modules connected to Cisco 9148 Multilayer Fabric Switches
– Virtual Desktop Consolidation Ratio = 150 VMs/host
– Five large main pools for clinicians and physicians, 10 smaller specialized pools for certain departments
• Storage: Two EMC VNX2 5600 Storage Arrays
– VDI Storage Pool consists of the following:
• 5 – 100 GB SAS Flash Disks in a RAID5 (4+1) Configuration
• 20 – 15K 600 GB SAS Disks in a RAID5 (4+1) Configuration
– Automatic Storage Tiering is enabled between the two types of media
– Average 880 IOPS per server for a total of 4300 IOPS
• Endpoint: Samsung NC190-1 and NC191-T, Dell Wyse P25 PCoIP Zero Clients
– Samsung: 19” All-in-One integrated display powered by the Teradici Tera1100 (NC190-1) and Tera2321 (NC191-T) processors
– Dell: Small Form Factor P25 zero client only (no monitor) powered by the Teradici Tera2321 processor
• Access: RFIdeas pcProx HID USB Proximity Card Reader
– No drivers required
– Also use ExpressCard Proximity Card Readers for laptops
Primary software
• Imprivata OneSign
– Main modules used:
• SSO
• AM
• VDA
• SS/PW
• Teradici PCoIP Management Console
• Cerner Instant Access
• VMware Horizon View
• VMware vSphere
• VMware vCenter Server
• VMware ThinApp
• Loadbalancer.org Load Balancer Virtual Appliance
• Mission-critical applications accessible in production on virtual machines include: multiple Electronic Medical Records, Picture Archiving and Communications System (PACS), clinical reference tools.
Guest operating system:
• Windows 7 Professional
[Architecture diagram. Labels: NKCH Virtual Desktops; Existing PCs/Laptops; NKCH LDAP; Loadbalancer (vdm.nkch.org); External Access; PC or Mac; Mobile Device (iOS/Android); Cerner RHO; Zero Clients; Imprivata/SSO; View Manager 5.2; vdmcm01, vdmrep02, vdmrep03, vdmsec02]
VDI Login Metrics, Benchmarks and Best Practices:
• Initial login of the day: 60-70 seconds, each subsequent login 5-7 seconds from badging in to working Cerner Millennium PowerChart.
• Prior to SSO/VDI/Zero Client/Instant Access implementation users had to login to the OS and multiple applications each time, taking up to 30 seconds per instance.
– 40 login instance comparison:
• Pre-implementation: 20 minutes spent logging in over a typical day
• Post-implementation: 4-6 minutes spent logging in over a typical day
• Benchmarks
– Initial benchmarks haven’t changed much since system installation, haven’t added any new servers, have added new/faster storage and additional virtual desktops.
• Clinician Best Practices guide
– Optimal clinician workflows, tips, and standard operating procedures.
Measuring ROI for the NKCH VDI solution
• Higher CAPEX, Lower OPEX = Lower overall TCO over lifetime
– Endpoint hardware and software costs are slightly lower than the desktop model, but Server, Storage, and Network capital expenses are much higher.
• Some measurable specifics regarding the overall TCO:
– Initial procurement cost
• Endpoint Hardware + Software cost over six year lifetime slightly better than Desktop PCs.
– Deployment Cost
• For our standard NKCH task worker deploying a Zero Client takes 1/5 the time to deploy; 20 min for Zero Client, one hour for fully configured desktop.
– Desktop Support Cost
• 3 Desktop tickets to every 1 zero client ticket; averaged twice as many minutes per desktop ticket (six months prior vs. six months after VDI deployment comparison).
– Power Consumption Cost
• Zero Client: 36 Watts, vs Desktop + Monitor: 32+29=61 Watts; 40% power consumption decrease over the 650 project-delivered and now current 800 endpoints.
– Tier II vs. Tier I Workload Distribution
• Additional Server, SAN and Network administration but far less desktop support
Questions?
Continue to Discuss and Share
@Teradici
facebook.com/teradici
linkedin.com/company/teradici