Securing Healthcare Information

with Virtual Desktops

Aivars Apsite

Technology Strategist

Metro Health

What do we use at Metro Health

How do we secure it at Metro Health

What are the benefits to Metro Health

Plan the Next Steps

Agenda

VDI overview

Access your desktop from any device

Wireless WOW

Thin Client

Laptop

Remote Physicians Office

Nurses Station Desktop

Tablets / iPad / Mobile Devices

Remote Access from home

Jan

2007

Oct

2007Feb

2010

MetroAnywhere

Development

Begins

MetroAnywhere

Go Live when

Metro Health

Moves into its

New hospital

MetroAnywhere

With TCX

Video playback

USB support

v1 v2Feb

2011v3

Oct

2011

Cisco

VXI

Purchase

MetroView

MetroAnywhere

VMware View

V4.6

v4Dec

2012

MetroView

VMware View

V5.1

1100 PCs

900 Wyse Thins1400 PCs

1100 Wyse Thins

300 Wyse Laptops

1320 PCs

1800 Cisco Zeros

310 Wyse Laptops

$1,610/client

$1,140/client

$588/client

Desktop Virtualization Timeline

Broker -

Vmware View2000

Zero/thin

Clients

Internet

Various

Endpoints

3000

Pooled

VDI XP

Sessions

1200

Thick XP

Clients

Metro

Cisco IP

Network

10Gb core

100MB to floors

Plazas:

100Mb

10Mb

VMWare ESX

Servers

- Physicians

- Home

- Travel

UserUser

User Windows

2003/2008 Servers

Unix Servers

SANPrinters

Metro Health Topology

Cisco 2211

Wyse x90

HP 8200s – 8300s

HP 4200s, 3035s. 4345s

300+Tb

HP P9500/ NetApp FAS2240

(55) ESX hosts

(38) servers

(410~) servers

• (32) Cisco B250 M2 Servers

• Dual Intel X5680 Processors (3.3Ghz,

6 cores)

• 192GB RAM

• (4) Cisco B200 Management Servers

(Dual X5670s, 24GB RAM)

• (2) Netapp FAS3240 Storage System

(64TB raw/50 TB useable)

• (4) Nexus 5010 Switches with (4) 10Gb

uplink connections to core network.

VDI “in a box”

3000

Pooled

Users

Pod A Pod B

What do we use at Metro Health

How do we secure it at Metro Health

What are the benefits to Metro Health

Plan the Next Steps

Agenda

• Reconnect to active desktop in 10 seconds or less

• To a FULL Windows desktop

• Access to ALL opened applications simultaneously

Secure Roaming with Fast Reconnects

The full Windows OS is running

- Security patches applied

- Antivirus is up to date

- OS is locked down to users

- All centrally managed

- Timeout scripts enabled

- At logoff, all sessions recloned

- Meets compliance standards

- Quick reconnects

All PHI* in our Data Centers

Encryption

in flight

Levels of security

AD login

AD permissions

Application

Encryption at rest

is possible

NOTICE – the PHI* data is not

stored on the local desktop

* Patient Health Information

• Only one image to manage –View session

• Zero client “imaging” process takes less than 5 minutes

• No driver management on Cisco VXCs

• Enhanced USB support in View 5.1

• 60+ applications converted to SSO

Zero Clients and Imprivata Single Sign On

3200+ End Points

PCoIP remote access provides our users a

simple, secure remote connection and

authentication to their desktops outside of

the firewall.

Remote Access

What do we use at Metro Health

How do we secure it at Metro Health

What are the benefits to Metro Health

Plan the Next Steps

Agenda

What do we use at Metro Health

How do we secure it at Metro Health

What are the benefits to Metro Health

Plan the Next Steps

Agenda

Lessons Learned

Not enough Imprivata user licenses – some users could not log in

No SSPW option from zero clients. Set up a generic user with access to SSPW page.

Zero clients do not come with a connection bar. Limited functionality

Added RocketDock to provide some functionality

Big Concern – if we loose our connection servers, no brokering to View sessions

Possibly looking at developing a Teradici RDSH solution for DR purposes

• An alternative broker for zero clients

• Imprivata Epic connector to Exam Rooms

• Imprivata “walk away” locking

• SSPW native access from Zero Client

Next Steps

Questions?