When Seconds Count, Hospitals Favor Quick, Secure Logins

Most of us log on to our computers once or twice a day; so infrequently that we scarcely think about it. But contemplate how tedious it would be if you had to log in 40 or 50 times a day in multiple locations. Now, imagine the extra stress that would accompany knowing that your deftness at logging in could literally be a matter of life and death.

That's pretty much the picture with virtualized desktop infrastructure in hospitals and other healthcare settings. VDI is becoming popular in healthcare for some of the same reasons it’s gaining favor everywhere else. Capital costs and administrative expenses are lower. Data is securely stored in a central location. And with the right infrastructure, graphics -- which in hospitals means images from radiology, cardiology and other medical departments -- show up on virtualized desktops as quickly and crisply as on regular ones.

In hospitals, client devices are scattered about the facility: in patients' rooms; at nursing stations; in offices and, in the case of mobile devices, in hands and pockets. Doctors, nurses and other healthcare workers constantly move among them. Combining convenience with security, so that the right people and only the right people get access to a patient's records, is a job for Identity Access Management (IAM), which is increasingly becoming an important part of healthcare VDI.

Logging In All Day Long

"Virtualized desktops changed the way we deliver apps in healthcare," said David Ting, founder CTO of Imprivata, of Lexington, Mass., a leader in the IAM market that is used in nearly 2,000 hospital systems. "It was a great technical advance, but often a very poor user experience. We would find some nurses who would need to log on more than a hundred times a day."

The pre-IAM world was especially vexing, said Ting, because users would often need to log in as many as three times on each machine: Once for the core VDI software, once for a Windows session, and once for the specific applications they were required to use.

In a typical IAM solution, by contrast, users log on once a day at the start of a shift. Then, when they need to access a patient record on a machine, they most commonly tap a reader with an RFID-equipped identity card. Logging into tablet-based devices, which are increasingly popular in healthcare, is just as simple.

Smart Access Management

Ting said that depending on the sensitivity of the application, added log-in steps might need to be included; for example, a computer dispensing narcotic painkillers might prompt users for a PIN number even after they've tapped in with an ID card.

A good IAM system has a lot of built-in "common sense," said Ting. If a doctor or nurse walks away from a terminal without logging out, it knows enough to "time out," keeping out later passers-by who don't belong at the keyboard. Conversely, if a doctor's session with a machine is interrupted, the system has the intelligence to bring the patient's record back up as soon as the doctor is once again ready for it.

Ting said that a proper identity management solution can free up a quarter of an hour in a healthcare worker's day, time that can be spent with patients instead of keyboards.

There are also certain benefits that can't be quantified, including patient satisfaction. Ting tells the story of one emergency room doctor who was trying to log on to a VDI system where identity management hadn't yet been implemented. The IT department had just performed its periodic password change, and the doctor was struggling to remember his new access code.

Minutes went by, with the doctor clearly getting flush with anxiety. The patient, though, had no idea of the reason for the physician's concern. "Tell me, doctor," he finally asked. "Is my condition that bad?"

Focus on Privacy

The overriding security concern of everyone in health-related IT is, of course, the Health Insurance Portability and Accountability Act, or HIPAA, which strictly regulates the confidentiality of patient records. It is out of concern for HIPAA, said Ting, that many hospitals are turning to VDI in the first place.

But there's another reason unique to the physical environment of healthcare that attracts IT administrators to thin-client architecture. Hospitals are vectors for all manner of infectious diseases, and Ting said that many IT departments have little desire to upgrade a personal computer whose fans have been inhaling dust from a hospital ward for many years.

"The IT department might need to remove a disk drive to preserve the integrity of its data," Ting said. "But some of these old systems get really funky after a while, and people just don't want to have to deal with them."