The implementation of electronic healthcare systems creates a huge challenge for IT. Not only do IT personnel face the challenge of implementing the application itself, but they also have to integrate it with ever-changing healthcare processes.
With many technologies, implementing and enforcing new processes can prove to be a big challenge. IT must find ways to create processes that minimize negative impact on users to ensure compliance. This is especially true when these processes have the potential to impact the revenue-generating portions of an organization.
In healthcare, every second counts. Anything that slows down a healthcare professional means a loss of revenue and potentially even a loss of life.
The current state of desktop computers and usage in many hospitals is abysmal. It can take a long time for a doctor or nurse to log into a computer and all of their required applications – longer than many want to take. As a result, and because time is money, they find a way around doing this. Many users simply won’t log in or out of a computer. They will just leave computers logged in as the last person who was there, and use them as is. If IT is empowered to enforce security policies to prevent this, healthcare professionals still find a way around needing to log in and out of all of their various applications. Far too often, there will be a Post-it Note somewhere with the password to unlock the screen or log in. Just look on the monitor or under the keyboard.
This creates a number of compliance nightmares when trying to implement EMR/EHR, two of the biggest being the ability to secure patient data, and the ability to audit patient care. If the computer is always logged on, or if the password to unlock it is taped to the monitor (or someplace else easy to find), then it’s just as insecure as if it wasn’t locked at all. Policies need to be written and enforced to secure applications and data, preventing unauthorized access. However, these policies can be difficult – if not impossible – to enforce; when they impact clinician productivity, they are often viewed as obstacles. The goal is to remove these obstacles or minimize them to the point where they are so minor that the clinician is not challenged by them.
When it comes to the ability to audit patient care, healthcare organizations need to be able to track who did what and when they did it. If a nurse administers medication to a patient, the medication, dosage and time it was administered need to be accurately recorded. The same thing is true when logging any other procedures. If everyone is working off a single user account that never gets logged out, it becomes impossible to have that accountability. This can create an expensive nightmare if the organization is audited or involved in a lawsuit. Not only is the healthcare organization at risk, but the individual healthcare professional whose account the procedure was logged under could be blamed for improper care.
However, enforcing a desktop policy that is perceived as slow or painful can be near impossible. If a healthcare professional can treat 10 patients an hour, that is what the hospital can bill for. If the introduction of password policies reduces that professional’s ability to treat patients to five an hour, that’s lost revenue – not only to the hospital, but also to individual doctors who may bill separately from the hospital for their services. It’s hard to make a case for security and compliance when the money makers of the organization are impacted by that policy and want it to go away. In many cases, when it comes down to security and compliance vs. revenue, IT will most likely lose. The problem is, when an audit or lawsuit happens, who’s going to take the heat?
To add to these challenges is the ever-growing popularity of tablet computers. Regardless of whether it’s an iPad or an Android-based tablet, more and more doctors want to be able to use these instead of, or in addition to, hospital-supplied computers. The challenge with this is how to ensure patient privacy. What happens if that device is lost or stolen? How do we ensure patient privacy and that no data was cached locally to the device?
How do we ensure compliance, streamline log in/log out processes and lay a solid foundation for an EMR/EHR deployment? Virtual desktop infrastructure (VDI) can be the answer in many cases. VDI enables organizations to transform the way desktop services are deployed and managed. By taking a VDI approach to desktop delivery, desktop instances can be rapidly deployed within secure data centers and then accessed remotely by end users from a variety of endpoints, such as thin clients, walk-up kiosks, tablets and even smartphones – in addition to the traditional physical laptop and desktop endpoints, which now serve a terminal-like function. Also, because virtual desktop environments reside within a centralized data center location, access rights and security policies can be painlessly enforced over robust and secure end-user connections to protect the integrity of enterprise information. In addition, once endpoints have been replaced with thin clients and applications and data no longer reside on them, the ability to “shortcut” the system is eliminated. Clinicians are forced to log into their own virtual desktop.
With a VDI solution, IT can enforce security and compliance policies that secure applications and patient data. At the same time, clinician workflows can be streamlined, making their job easier. IT now has the ability to enforce new security policies with minimal impact to clinician productivity. For example, connection timeouts can be enforced that automatically disconnect virtual desktops from the endpoint after a period of inactivity. Disconnecting means that the clinician’s desktop remains unchanged and any work in progress does not get lost. Even when this happens, a user’s virtual desktop stays logged in. When they need their virtual desktop again, their session is preserved regardless of what endpoint (laptop, desktop or iPad) they may have been using – even if they choose to transition between devices.
This process can be simplified even further with the integration of smart-card and single sign-on authentication technologies. Now, when clinicians arrive at the start of their shift, they no longer need to log into the operating system and then manually log into each application they require. They can use their smart card to enable automatic log in to their virtual desktop and the clinical applications they may need to use. When they have finished working at that device, they can use their smart card to automatically disconnect from their virtual desktop. This allows them to leave their desktop in a “ready” state, so that when they reconnect, their desktop and applications are already running and ready for use.
Processes such as this simplify clinician workflow, and, when implementing an EMR/EHR solution, help ensure accurate records of patient care are being recorded. With smart card technologies, the authentication process becomes dramatically simplified.
Moving to a virtual desktop delivery model is a complex journey with many decisions to be made along the way that affect the success of your transformation project. It requires a clear understanding of your end users, their compute requirements, access methods, security controls and other technical and process information to shape the correct design. But equally important, it requires end-user buy-in and support from key stakeholders, which in turn requires good program management and project planning.
Alex Weeks is virtualization practice manager, Kovarus.