
Healthcare Security and Storage: Transformation Better Together

EMC IT Transformation Survey

In a recent EMC survey, healthcare organizations acknowledged significant gaps in their IT Transformation potential as well as a strong desire to bridge those gaps.

Historically, bridging gaps has required significant investment, but as capabilities such as security and storage migrate out of hardware solutions and into software, we can add those capabilities and lower the cost at the same time, building a more secure, robust platform with a lower TCO per application.

Healthcare Infrastructure Needs

  • Security: Patient Information and Systems
  • Reliability: Consistently available, self-healing, continuous between sites
  • Performance: Delays reduce productivity and affect satisfaction
  • Value: Persistent pressure, flat budgets despite growth

Healthcare needs an application platform that addresses its most profound infrastructure challenges: security, reliability, continuity, and value. In order to deliver those outcomes, we need new capabilities that take full advantage of your virtual infrastructure as the hub of information in your environment and apply policies where they matter most: to the applications themselves.

VMware marshals your most sensitive Healthcare data all day long: on its way to and from storage and with other systems inside and outside of our environment. That makes VMware the most efficient place to implement security and storage policy, and in doing so, we can simultaneously reduce the risk of the modern breach, add reliability and performance to the storage on which all applications depend, and reduce the total cost per application. And as we look to a future where the boundaries of the datacenter become increasingly flexible, and we look to leverage compute from a variety of cloud providers, we need to apply the policies to the applications directly, to the VMs themselves, to ensure that wherever the applications and data move, the security and performance policies move with them.

Security and storage are the two critical infrastructure components most in need of overhaul, and the technologies necessary to address so many of the modern challenges are already available, delivering an application platform with better security, greater reliability and performance, and lower total cost on the order of 30-50%. It’s powerful, it’s simple, it’s affordable, and it’s in production right now.

Security

Recent headlines tell intimidating stories about ransomware holding patient data and critical systems hostage with encryption until a fee is paid to obtain the decryption key. Prior to that, stories of high profile health record breaches dominated. Breaches are an outcome of present architecture limitations, and what is missing from the headlines are recommendations that point to architectural solutions to reduce the attack surface of applications and systems that house PHI.

Breaches are most often effected by phishing and malware that then exploits the typically absent internal boundaries between systems in an environment. An important element of any modern security strategy requires that we draw purposeful lines around our applications and systems to control what traffic is permitted on a very granular scale, but that requires that we have a new security capability, a new place to effect policy. VMware is already in the path of that data and is the most logical place to implement that policy.

Traditional policies are based on IP and Port, and defining a complete list of permissible traffic in an environment using IPs and Ports is simply infeasible to build and manage. As a result, no one does it – that is why phishing and malware work.

Securing the internal environment requires policy be applied to applications directly. Since nearly all applications run inside VMware VMs, that is the best place to apply those policies. And because we manage the VMs, we can apply new kinds of security policy: we can apply sophisticated policy to groups of VMs by naming convention, group membership, tags, OS versions, etc. It’s an entirely new way to implement internal Zero Trust where traffic can only flow when specifically permitted. We can also apply policy to AD users and groups so that only traffic by authenticated users will flow.

This outcome of Zero Trust is the result of using NSX Distributed Firewall, a core feature of the VMware ESXi hypervisor that runs almost all of your critical applications, and this is a key component of a modern comprehensive security policy.
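The post describes policy keyed on VM attributes (tags, naming conventions, OS version, the AD group of the logged-in user) with a default of deny. The following is an added illustration of that model, not VMware or NSX code and not the project's API: a small evaluator in which rules select VMs by tag, name glob or OS, first match wins, and any flow no rule permits is denied. All VM names, tags, users and flows are constructed sample data; the last flow re-addresses a VM to show that the policy follows the VM rather than its IP.

```python
"""Toy model of a tag- and identity-based, default-deny east-west policy.

Added illustration, not VMware or NSX code. It models the idea that policy is
attached to VM attributes (tags, naming convention, OS version, AD group of
the logged-in user) instead of to IPs and ports, and that traffic flows only
when a rule explicitly permits it. All data below is constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset
    os: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: dict                         # selector on the source VM's attributes
    dst: dict                         # selector on the destination VM's attributes
    ports: Optional[frozenset]        # None means any port
    action: str = "allow"
    user_group: Optional[str] = None  # if set, the logged-in user must be in this AD group


def matches(vm: VM, sel: dict) -> bool:
    """True when every key of the selector matches the VM.
    'tags': all listed tags present; 'name': glob on the VM name; 'os': exact match."""
    if not set(sel.get("tags", ())) <= vm.tags:
        return False
    if "name" in sel and not fnmatchcase(vm.name, sel["name"]):
        return False
    if "os" in sel and vm.os != sel["os"]:
        return False
    return True


def evaluate(rules, src: VM, dst: VM, port: int, user_groups=frozenset()):
    """First matching rule wins; if nothing matches, the flow is denied (Zero Trust default).
    Returns (action, rule_name)."""
    for r in rules:
        if not (matches(src, r.src) and matches(dst, r.dst)):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        if r.user_group is not None and r.user_group not in user_groups:
            continue
        return r.action, r.name
    return "deny", "default-deny"


# Constructed inventory: note that no rule below keys on an IP address.
EHR_WEB = VM("ehr-web-01", "10.0.10.11", frozenset({"app:ehr", "tier:web"}), "Windows Server 2016")
EHR_DB = VM("ehr-db-01", "10.0.20.11", frozenset({"app:ehr", "tier:db"}), "Windows Server 2016")
PACS = VM("pacs-01", "10.0.30.5", frozenset({"app:pacs"}), "Windows Server 2003")
VDI = VM("vdi-0421", "10.0.40.77", frozenset({"role:vdi"}), "Windows 10")

RULES = [
    # A legacy OS may never reach a database tier, whatever else would allow it.
    Rule("legacy-os-to-db", {"os": "Windows Server 2003"}, {"tags": {"tier:db"}}, None, action="deny"),
    # EHR web tier to its own database tier, on the SQL port only.
    Rule("ehr-web-to-db", {"tags": {"app:ehr", "tier:web"}}, {"tags": {"app:ehr", "tier:db"}}, frozenset({1433})),
    # Clinician desktops (by naming convention) to the EHR web tier, only for authenticated Clinicians.
    Rule("clinicians-to-ehr", {"name": "vdi-*"}, {"tags": {"app:ehr", "tier:web"}}, frozenset({443}),
         user_group="Clinicians"),
]


def decisions():
    """Evaluate a set of constructed flows; used by the demo and the checks."""
    moved_web = VM("ehr-web-01", "172.16.5.9", EHR_WEB.tags, EHR_WEB.os)  # same VM after a re-IP or migration
    return {
        "web->db:1433": evaluate(RULES, EHR_WEB, EHR_DB, 1433),
        "pacs->db:1433": evaluate(RULES, PACS, EHR_DB, 1433),
        "vdi->web:443 clinician": evaluate(RULES, VDI, EHR_WEB, 443, frozenset({"Clinicians"})),
        "vdi->web:443 finance": evaluate(RULES, VDI, EHR_WEB, 443, frozenset({"Finance"})),
        "vdi->db:1433 clinician": evaluate(RULES, VDI, EHR_DB, 1433, frozenset({"Clinicians"})),
        "moved web->db:1433": evaluate(RULES, moved_web, EHR_DB, 1433),
    }


if __name__ == "__main__":
    for flow, (action, rule) in decisions().items():
        print(f"{flow:26} {action:5} ({rule})")
```

The ordering matters: the explicit deny for the legacy OS sits first so no later allow can override it, and the clinician rule shows how an identity condition narrows a VM-level match rather than replacing it. Everything not listed, such as RDP from the web tier to the database, falls through to the default deny.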

Reliability

Nearly all VMware infrastructure today leverages shared storage and fibre channel.

Healthcare is one of the few industries that has lives at risk in the event of system failures, which makes the application platform absolutely critical to the delivery of care. With that in mind, we should focus on the elements of infrastructure most prone to issue and that can be simplified through innovation and transformation.

Almost all virtual infrastructure today leverages shared storage; it was an essential component of architecture that in itself has become a single point of failure whose risk requires significant capital to mitigate. The era of shared storage is rapidly coming to a close because it is complex and expensive: it accounts for roughly 50% of virtual infrastructure capital, and by its very nature, it is prone to failure with very high operating cost. The policies to manage storage are so distant from the applications themselves that when things go wrong, it takes three different skill-sets to fully surround the potential issues and resolve them.

With lives on the line, why would we allow that to continue if we have a better way?

By moving storage into the compute layer, we reduce complexity and cost while increasing reliability and performance.

VMware VSAN is the solution to the reliability challenge. It’s a core capability of the VMware hypervisor, and by moving the storage into the compute layer and allowing VMware to manage it all directly, we gain new redundancy options and new business continuity options, reduce complexity, and apply storage redundancy and QoS policies directly to the VMs. There is far less to go wrong in this distributed storage model, and it is the way all virtual infrastructure will be built. Our customers who have transitioned to this design, some of whom have been operating this way for more than two years, tell us they cannot imagine running their infrastructure any other way.

Performance

By moving the storage up into the compute layer, VMware can make critical decisions about how to cache data for rapid repeated retrieval. It still lands on the same spindles and flash as it would with a SAN, but by moving storage to the compute layer and giving VMware control, we get great performance benefits and gain scale benefits by distributing the IOPS among the compute nodes.

A modern SAN is designed to scale, but the storage processors in a SAN become bottlenecks over time. Eventually, we reach a point where our applications are performing more transactions than our SAN can process, regardless of how much flash is present behind the processors. This creates significant growing pains as both capital spend and operating complexity.

Distributed storage, on the other hand, scales with you. A modern compute node using NVMe flash as a cache drive can sustain ~120,000 IOPS. As our applications grow and we add compute nodes, we consistently add IOPS, up to 120,000 per node. This architecture by its very nature addresses the single greatest performance challenge of shared storage, and as flash becomes increasingly affordable, spindles are fading in favor of higher-IOPS infrastructure without the SAN bottlenecks that have plagued us for years, delivering three to ten times the IOPS presently available in customer environments.

VMware VSAN alleviates so many of the performance challenges of storage architecture. The idea that there are no LUNs and no tiering is a radical concept for storage engineers, but it works so much better. My customers who run hybrid configurations using a combination of flash and spindles have reported no performance challenges in nearly two years.

Value and Cost Control

Did I mention this improvement in reliability and performance also costs less? By simplifying the entire stack, we eliminate capital infrastructure and commodity hardware markup. When we consider the total capital cost of virtual infrastructure, hosts with shared storage cost about 30-50% more per VM than using our distributed storage solution. This is leading to a rapid evolution of infrastructure architecture that began over two years ago but has accelerated dramatically in the last six months. With the ubiquity of commoditized compute and local storage that complies with Ready Nodes (from Cisco, Dell, Fujitsu, Hitachi, HP, Huawei, Inspur, Lenovo, Quanta, Sugon, and SuperMicro), and the launch of VxRail/VxRack HCI from VCE/EMC, there are so many excellent platform options to gain all of these benefits and realize substantial savings.

With these savings so very real and these benefits so very tangible, why would you build your infrastructure any other way?

The Solution: NSX and VSAN

VMware’s Security and Storage solutions are wonderful complements, addressing so many of the infrastructure challenges in Healthcare today. The savings versus your current model will fund the new capabilities, reduce the attack surface of applications, and resolve critical storage challenges all as part of a single transformation event. Healthcare applications have never had such a secure, reliable, performant, and cost effective platform.

Securing and Simplifying M&A with NSX

You have just been pulled into the planning process for the most recent M&A.  Hundreds of items need to be addressed… The first question is always “when will the new executive team have access to email and critical corporate business systems?”  Followed quickly by “how long will it take and how much will it cost to merge their systems into ours?”

M&A activities are complicated, fast paced and emotional times for organizations.  The temptation to move fast and merge the organizations often leads to technical and cultural missteps that threaten the success of the merger.  Financial pressures grow, costs are estimated, monitored and managed putting pressures on already overburdened IT shops to work their magic.  Being able to merge networks and systems in a timely and secure manner is a key part of controlling these costs.

The Risks
You have walked through and seen the IT operations of the newly acquired organization, but do you really know what is under the covers?  Sure they look like they have some semblance of ITIL process and a half way organized data center, but what about the discipline in day to day operations that are so important to maintaining a safe, secure and clean IT environment?  Do you really know if they have sound policies and procedures, solid security technologies and defenses or have they educated their users on the shared security responsibility?  A lapse in any one of these areas or a thousand others could mean that their systems are compromised with malware or have undetected data breaches.  Do you really want to risk bringing an unknown system directly onto your network and risk exposing your corporate data?

The ongoing financial and operational pressures of M&A can often times put IT shops in the position to move fast and risk the integrity of their existing systems.

Protecting with VMware NSX
The benefits of the Software Defined Data Center (SDDC) are many.  Defining, creating and managing in software allows for nimble and more cost effective operations than the traditional hardware based approach of data center operations.  This holds true for networking and network security.  Inside your data center NSX allows applications to be firewalled from each other (micro-segmentation), securing the east-west traffic and allowing only authorized communications between internal systems.  NSX operates inside your already deployed VMware hypervisor, so the foundation is there today. In addition to security, NSX also provides software based load balancing, routing and switching.


During M&A, the micro-segmentation approach allows for additional benefits.  First, your own internal data center infrastructure and east-west traffic are secured.  This lessens the risk that a compromised system brought in during the M&A process can infect your existing systems.  Secondly, as part of the M&A work you can extend this NSX protection into the acquired data center prior to connecting it to your network.  This allows the IT shop to add another level of security by micro-segmenting the acquired data center and gaining greater visibility into its infrastructure.  Applying NSX partner applications such as Trend Micro Deep Security provides additional peace of mind by adding intrusion detection/infection prevention scanning, log scanning, and automatic isolation of infected machines prior to merging the networks.

Simpler Network Extension
After ensuring that your networks and systems are protected from the unknowns of the acquired data center, you will then have to work out how to combine the two IP address spaces.  One option is to assign new IP addresses to the acquired systems.  This is a very labor-intensive and tricky operation that could cause major disruptions to patient care and business operations.  The IT team will need to touch each system, and the risk is that poorly engineered critical systems will break because of hard-coded IP addresses in systems and integrations.

With SDDC and VMware NSX the network can be dynamically changed in software, rather than at the machine level.  The acquired systems maintain their original IP addresses and are encapsulated with the new IP addresses.  This allows for the simpler integration of systems into your network without the IT staff manually changing IP addresses and risking the availability of critical applications.
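Before deciding which acquired systems can keep their addresses behind an overlay and which would otherwise need the re-IP effort described above, the first step is to find where the two address plans actually collide. The following is an added example, not VMware or NSX code: it uses Python's standard `ipaddress` module to compare two constructed subnet lists, reports the overlapping prefixes, and counts the addresses in the colliding ranges as a rough measure of the re-addressing work avoided.

```python
"""Find the parts of an acquired organisation's address space that collide
with the acquirer's before the two networks are joined.

Added example, not VMware or NSX code. The subnets are constructed sample
data. Colliding prefixes cannot simply be routed into the existing network:
they must either be re-addressed (the labour-intensive path) or kept on
their original addresses in isolation behind an overlay.
"""
from ipaddress import ip_network

# Constructed sample address plans for both organisations.
ACQUIRER_SUBNETS = ["10.0.0.0/16", "10.20.0.0/16", "192.168.10.0/24"]
ACQUIRED_SUBNETS = ["10.0.50.0/24", "10.30.0.0/16", "192.168.10.128/25", "172.16.0.0/12"]


def find_collisions(acquirer, acquired):
    """Return (acquired_prefix, acquirer_prefix) pairs whose ranges overlap."""
    ours = [ip_network(s) for s in acquirer]
    theirs = [ip_network(s) for s in acquired]
    return [(str(t), str(o)) for t in theirs for o in ours if t.overlaps(o)]


def plan_merge(acquirer, acquired):
    """Split the acquired prefixes into those routable as-is and those that
    collide, and count the addresses in the colliding ranges (the re-IP effort)."""
    colliding = {t for t, _ in find_collisions(acquirer, acquired)}
    routable = [s for s in acquired if s not in colliding]
    needs_isolation = [s for s in acquired if s in colliding]
    affected = sum(ip_network(s).num_addresses for s in needs_isolation)
    return {
        "routable_as_is": routable,
        "needs_overlay_or_reip": needs_isolation,
        "addresses_affected": affected,
    }


if __name__ == "__main__":
    for theirs, ours in find_collisions(ACQUIRER_SUBNETS, ACQUIRED_SUBNETS):
        print(f"{theirs} collides with {ours}")
    print(plan_merge(ACQUIRER_SUBNETS, ACQUIRED_SUBNETS))
```

Run against real address plans, the `needs_overlay_or_reip` list is the set of segments that has to be designed into logical networks first; anything in `routable_as_is` can be connected once the segmentation policy in the previous section is in place.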

Efficient Operations and Better Outcomes
VMware NSX is already making a large impact in security and network operations across the healthcare industry.  Reducing risk, simplifying the operational component of mergers and driving down costs are all powerful benefits of NSX in healthcare.  At the end of the day healthcare is about managing the health and improving outcomes for patients. Anything we can do to make operations simpler, adoptable and cost effective allows our organizations to focus on the most critical aspect of healthcare, the patients.

IT is the Foundation, not the Point of Healthcare Information Technology

Four key themes continue to resonate with healthcare provider CIOs in almost every meeting that I’ve had this year:

  • Empowered Clinicians – Right information, right device, right time
  • Engaged Patients – Enable patients to manage their own care
  • Support a Community – Scale to support a community, not just a hospital
  • Secure Patient Information, Persistent Availability – Intrinsic security, stability, performance, and agility

Yet, as much as CIOs want to focus on these key areas, many cannot because they don’t have the right technical foundation in place to enable these complex, highly-integrated initiatives.

The last several years have seen most provider organizations implement systems and technology at a break-neck pace to support a wide range of initiatives. This includes internal projects, expansion and service line development, Federal initiatives, Meaningful Use and on-again, off-again, on-again ICD-10. They’ve seen their organizations stretched and operational costs swell, while systems complexity has increased exponentially. The healthcare organizations we work with are focusing on driving value out of more mature EHR deployments through analytics, and on driving down the operational costs that have crept up as many legacy systems and processes haven’t been able to be retired at a pace commensurate with implementations. Meanwhile, healthcare security risks are increasing at a disproportionate rate compared to other industries nationwide. To make matters worse, many provider organizations do not have a solid infrastructure to rely upon as they begin these initiatives.

The transition to software-defined infrastructure through the widespread use of virtualization technology from the data center to the desktop is well underway, and will continue to accelerate in the coming year to enable provider organizations to manage spiraling infrastructure expenses as well as increasing healthcare security concerns. Most notably, healthcare IT will increasingly leverage a software-defined data center architecture, with network virtualization as its foundation, to deploy clinical systems as services that are continuously available, highly secure and rapidly scalable as business dictates.

Most organizations have a single core EHR, but they also have multiple other clinical applications which are required to manage ancillary functions or specialties. These applications have to work together, but by their very nature, increase IT complexity and create security vulnerabilities. By creating a software-defined foundation by virtualizing the network, healthcare IT can deploy security that is native to the infrastructure and can facilitate highly secure, micro-segmented East-West server-to-server communications between every clinical system. Network virtualization and the software-defined data center enables provider IT teams to deploy a Zero Trust network architecture, only allowing explicitly permitted communication between disparate systems. This enables an unparalleled level of secure clinical computing.

VMware sees the opportunity to break down the silos within healthcare IT and change how infrastructure is managed, enabling organizations to focus on patients, not IT. Software-defining IT enables clinical applications to be deployed as a service where security, monitoring and management are fundamental to their delivery, not bolted on afterwards. This reduces the need to focus on managing physical devices and physical security. Instead, IT can focus on clinician performance, employing tools to actively manage overall system performance, as well as that of a single user, with the same toolset. After all, the point of healthcare information technology is to enable the clinician to care for the patient in the most efficient, effective way possible – even to the point of keeping them out of a traditional care setting – not technology.

Hands on with Secure Healthcare Desktops

Security breaches cost healthcare companies millions of dollars every year.  We continue to become more innovative with our security, but often focus on the server and perimeter networks.  When it comes to the desktop, security is all too often a small piece of a larger design, something focused only on the operating system.  The best way to design a more secure desktop experience is to get hands-on experience with secure healthcare desktops.  VMware Healthcare would like to enable you to experience a secure desktop that improves security without sacrificing performance in our new Healthcare Secure Desktop hands-on lab.  Join us and look at Just-In-Time application deployment, identity-based dynamic firewall services, and compliance and regulatory data security to see how VMware’s secure healthcare desktop can help you.

Just-In-Time Application Deployment

By abstracting the application from the virtual desktop image, VMware App Volumes enables stateless pools of virtual desktops.  Within this section of the lab, you will see how providing applications in real time will help providers, simplifying your desktop engineering and management process.

Identity Based Dynamic Firewall Services

Moving the security as close to the user as possible allows threats to be stopped before they can propagate.  The identity-based dynamic firewall services portion of the lab demonstrates delivery of dynamic access controls based on the logged-in user, even in a stateless virtual desktop infrastructure, adapting to changing requirements.

Compliance and Regulatory Data Security

Security goes far beyond simply firewalls and applications.  Compliance monitoring and remediation of violations become far more important in the heavily regulated healthcare world.  The final portion of the lab demonstrates a realistic response to policy violations, triggering automated actions that prevent data loss and compliance violations.

Albert Einstein said, “We cannot solve our problems with the same thinking we used when we created them.”  Security in healthcare is a growing problem; solving it is going to require healthcare IT professionals to rethink architectures and test out new and innovative ideas.  Get hands-on experience with secure healthcare desktops and prevent security incidents before they occur.  Take advantage of VMware Healthcare’s Hands on Lab environment today, and learn how you can deploy secure healthcare desktops in your environment.

Introducing the Digital Clinical Workspace

You may be reading this blog post (please, let somebody be reading this blog post) on your:

  • work computer (this is research)
  • tablet device while sitting having breakfast (assuming you’re single)
  • cell phone while driving on a bus or a train

You may be using a browser, or a mobile app. Collectively, being able to access information when we want it, how we want it lets us use our time to its fullest potential – gathering knowledge, applying it to situations to accomplish goals. The device we use is whatever is most convenient for the task that you want to do, or just what we have to hand. It’s how everything is done now – right?

Not in the industry where split second informed decision making is more important than any other.

I started in the application virtualization industry 15 years ago. Even then, the message was about remote access to applications and information. So why then, 15 years later, do so few doctors have always-on, anytime, anywhere access to patient information? And no, a nurse describing symptoms or test results over the phone does not count.

I get it, remote access to a paper chart was a fax machine – but we’ve been digital for a while now, haven’t we? And yes, there are most certainly security concerns about which devices are accessing or storing protected health information (PHI). And there is certainly a generational shift in the attitude to and comfort with different mobile devices (Damn it Jim, I’m a Doctor, not an IT guy!). And yes, healthcare IT is under a tremendous amount of pressure to deliver the projects that will meet Meaningful Use goals. But the benefits to patient care of always-on access are self evident, and the platform to deliver this same user experience – the one that we demand is available across all of our devices so we can see what a friend of a friend had for dinner last night – is available to healthcare.

Anytime anywhere access to PHI

VMware Workspace ONE unifies user, desktop and mobile management to enable a Digital Clinical Workspace that moves with care providers throughout their day.  From the out of hours emergency call to the bedside consult, the Digital Clinical Workspace enables secure simple access to patient information from the right device for the right task at the right time.

Although healthcare is still dependent on Windows applications, there’s a huge amount of innovation taking place in mobile apps and mobile devices for both providers and patients. When that emergency call comes in, the Digital Clinical Workspace enables providers to securely access the right information from the right application, be it Windows, mobile or web, and from the right device. Whether they are in a deer hunting stand in Vermont (true story), on a family fishing day on a boat on a lake (true story) or in the parking lot having just left for the day (of course a true story).  EMR vendors and startups alike are innovating for providers and patients, re-examining clinical workflows and the equipment required – do I really need to push round a WOW or can I replace that with a small handheld device and a lightweight label printer?

Transforming the patient experience

Hang on. Did I say patients? Twice? Yes I did. CMS has tied reimbursement to HCAHPS scores with 2 percent being at risk by 2017. Patient engagement will be a big theme at HIMSS next week. Mobile devices and applications are being used to transform the patient experience. On Tuesday James Sturiano from Ohio Health and Frank Nydam from VMware will present on how Ohio Health are Using Mobile Apps to Create Active Patient Engagement. A mix of patient specific information through Epic MyChart Bedside and entertainment such as Netflix and Angry Birds is being used to alleviate the inevitable stress that comes with a hospital admission and start patients on their way to understanding their care to facilitate engagement and ultimately lower re-admission rates.

HIMSS 2016

At the VMware booth (booth #2221) this year, we will be demonstrating how the Digital Clinical Workspace, enabled by Workspace ONE and vCloud for Healthcare is enabling  leading healthcare organizations globally to mobilize healthcare in this transformation for both providers and patients. Together with partners including Dell, Imprivata, Clockwise MD and Gozio Health we will be demonstrating how the Workspace ONE platform goes beyond desktop virtualization providing the management, security and flexibility to deliver Windows, web and mobile applications to any device any where, helping healthcare organizations transform the cost, quality and delivery of patient care.

Healthcare M&A, the New Norm

Mergers and Acquisitions (M&A) are happening more routinely and quicker than ever in healthcare.  These events are extremely complex and challenging for people, process and technology.  With the right foundation and operational models in place IT can greatly reduce the risk, cost and complexity of these changes.  Executing on a Software Defined Data Center (SDDC) and Virtual Desktop Infrastructure (VDI) are the foundational platforms that enable this.

In 2015 alone there have been huge mergers in the payer space, with Aetna purchasing Humana and Anthem announcing it will buy Cigna.  Healthcare systems are heavily involved in M&A as well.  This year Barnabas Health and Robert Wood Johnson Health System in New Jersey combined systems, forming New Jersey’s largest health system.  Community Health Systems is spinning off 38 smaller facilities and forming Quorum Health Corporation with the goal of creating a company that can acquire hospitals in small markets.  Hundreds of smaller acquisitions never make the news, but they are just as disruptive to those practices and healthcare systems.

M&A Challenges

These mergers and spins are very challenging for organizations.  Supply chains, HR, financial reporting, payer relationships, governmental reporting and all other processes are impacted.  What is one key area that underpins each and every one of these operations in a modern healthcare system?  You guessed it, IT.  Add the complexities of merging disparate systems along with the stress and emotions that can accompany these deals, and you have a recipe for a very complex and risky program.  If not executed well the IT mergers can be a source of patient care issues, large scale security risks, large financial impacts and lead to long term challenges in the merging of cultures.

From an IT perspective no matter how large or complex the transaction there are four basic questions that have to be answered for every merger:

  • How quickly can I get the newly acquired leadership onto e-mail?
  • How quickly can we connect the network to enable the sharing of business critical applications and data?
  • How much will the IT integration cost?
  • How do I comply with local, state, federal and accrediting organization’s data retention standards?

vCloud for Healthcare – Enabling M&A

VMware is uniquely positioned in technology and healthcare to enable quicker, smoother and more secure transitions for organizations going through M&A activities.  The vCloud for Healthcare architecture, with its Software Defined Data Center (SDDC) architecture, can eliminate physical moves and wrap those efforts into software-based activities.  These activities are supported by:

  • Security
  • Compliance
  • Mobility
  • Private Cloud
  • Hybrid Cloud
  • Public Cloud
  • Underpinned by Network, Compute and Storage virtualization technologies


M&A activities are disruptive to even the most efficient operationally sound organization.  Decoupling IT operations from the physical world, moving the infrastructure management into software allows for flexibility, agility, security, and reporting like we have never had before in the industry.

Over the next several blog posts I will expand on how each of these technologies build a platform that allows for the flexibility and agility needed to take IT infrastructure worries out of M&A.

The Healthcare Security Conundrum

It seems like ages ago that the HIPAA guidelines were adopted. Things got a bit more complex as the HITECH requirements and their financial implications increased. Following that, Meaningful Use Stage 2, encryption and the like created some additional technical challenges. Protecting patient data and securing it using the best practices your organization can muster has been the goal. Fast-forward to today: all of the rules still apply, but the game has changed. Hacking and breaches by unidentified and even foreign organizations, whose intent is even murkier, have raised the ante. They know the value of healthcare records and they have had some success at capturing them.

There was a Dustin Hoffman movie from 1976, ‘Marathon Man’ (yes, I am exposing my vintage); the simple question from the antagonist was ‘is it safe?’ Poor Dustin Hoffman did not know what, where, how, why and when. He, as well as the audience, was the receiver of the pain and fear. We find ourselves in a similar situation; instead of diamonds, it is our health records at risk. There is financial value in our health records, but the bad actors may not be out for only financial gain; a breach also affects brand value and reputation. The risks and stakes are high, and the intruders may already be in our systems just looking around for something interesting.

So the ‘fear, uncertainty and doubt’ routine has reached our executives and they want to know ‘What can we do to prevent this from happening to us?’ Our teams are doing their best to train our consumers of IT services not to ‘click on that link’. The intrigue and creativeness of the hackers are sometimes unbelievable.

There are many examples both inside healthcare and in other industries; however, healthcare is a target since the value of a health record is more than just a credit card number. In case you are interested: (HHS Breach Report). The net result is that the top ten breaches of roughly the last three years account for 136 million records. At a value of $150 per record, that is a potential street value of $20 billion.

Hence the fact that healthcare is a target.

How does VMware approach this area?

First, it is not a product; it is an approach, a layered approach that involves different organizations. Not one company can solve this complex area alone.

Our approach starts with an assessment to help you understand your security risks. We also work with several organizations that can help you assess your risk, and we provide free tools that give some immediate feedback. We follow that with a ‘Hardening Guide’, a step-by-step approach to remediating the risks to your virtual environments. One of the capabilities allows workloads to be better isolated through the distributed firewall. This approach may include hardware, software and/or services.

We have just completed a white paper for you to explore the VMware concept of Security and Network Virtualization for Healthcare (VMware Healthcare Security Whitepaper), and although we may not be able to catch the villain of this story, we can ‘protect our house.’

The next generation clinical workspace – making for a better Digital Health experience.

We have already entered the era of digital health. However, today it is far from an efficient model.  Interconnectivity standards are more proprietary than open, resulting in a fragmented and ineffective model.  Currently, Digital Health itself is not healthy.  Digital Health is a rapidly evolving agglomeration of applications, interfaces, devices, workflows, along with other related technologies and communication patterns to address improving health along with “usual” and critical health issues for individuals and the communities we live in.  But because it is still evolving, it is both very unstructured and siloed, and yet very open to influence and thought leadership.

VMware is developing strategic partnerships with many of the leading healthcare vendors. These partnerships both demonstrate how our technologies benefit theirs and are starting to produce integrated solutions that play more prominently in healthcare. A good number of our solutions are now influencing and shaping how Digital Health will mature. We must focus on making it easier for physicians, clinicians, and support staff to work with patients and their electronic health data. The technologies that we are building are the future enablement of delivering the next iteration of Digital Health. We are rapidly becoming the portal, the preferred clinical workspace, for healthcare.

Instead of re-hashing all of the known issues as to how it is broken, I want to focus on what the clinical workspace for healthcare will look like a few years from now. This is important for all of us who are charged with delivering EUC healthcare solutions, to help drive the solution forward and make it meaningful.

First of all, the right approach to answering this question is from the caregiver perspective. What are their requirements, their needs, of the workspace? My reasoning for this approach is that the caregiver is the data entry point for most of a patient’s electronic health data. Physicians struggle with being reduced to “data entry specialists”, because they are also a primary consumer of their patients’ health information. This especially drives the need for the clinical workspace to be re-designed.

Short version: they need a single unified view of the correct mix of applications, to collect and reference relevant health data, including available digitally enabled devices, to engage only the relevant clinical workflows, to diagnose, establish the correct care pattern and meet the patient’s unique healthcare need, from any location, at any specific moment of their day, from any type of technology available to them.

The technology involving the clinical workspace is only the enablement of access to the application(s); it is an extension of the clinical workflow and care pattern in play. The behind-the-scenes technology must be seamless and invisible to those using it. The technology must get out of its own way and enable the clinician to do their job. The caregiver should not be forced to think about the technology and how it is used. I am being very deliberate in avoiding describing a physical workstation, because ultimately the caregiver needs to access their clinical workspace from any device at any time from any location.

In the not too distant future, the next generation clinical workspace will include the ability to:

    • Be highly interactive with the patient, the patient’s visitors, the location, the environment of the care being given, the caregivers involved, the medical community at large. Based on prior authorized communications, along with immediate patient consents, the interactions will enable communications with all involved during the episode of care. It may even use social media circles to guide who can and who cannot interact with the patient.
    • Contextually secure the workspace, by being aware of those who are privileged and must have access to PHI to provide care, and equally able to flag and report on any unauthorized access or information movement related to the episode of care in progress. Various forms of two-factor authentication mechanisms will be available, used to authenticate caregivers to the patient, creating a unified identity, to immediate family assisting in medical decisions, even to the patient’s visitors, guiding the caregivers to the level of detail of medical information that can be communicated.
    • Deliver the unique blended mix of applications and information that pertains to the patient, yet are designed to present the best workflows and patterns of care for caregivers to follow, or collaborate with other caregivers. The applications will sense and adapt to the endpoint being used to communicate the information in a consistent relevant format.
    • Support location based computing, with clinically oriented geo-fencing and real time locating systems, enabling contextually aware apps to appear/disappear from the workspace, based on the care required, along with the same app being dynamically reconfigured to access information relevant to the care the patient is receiving.
    • Display context enabled dashboards that pertain to user specific workflows. The dashboards indicate the next step in the workflow and the appropriate user(s) who are responsible for that task.
    • Use natural language processing as one of the primary data gathering mechanisms within the EHR and other critically relevant clinical applications along with a verbal command capability such as Siri or Cortana.
    • Use the camera of the mobile device for data gathering and to assist in diagnosis. Specific examples would be to take a series of pictures of a laceration to document the wound, its stitches and bandaging, or to use an infrared camera to assist in diagnosing increased localized temperature from an internal infection or injury. The picture will include digitally augmented overlays identifying the size, depth and other unique observations of the wound.
    • Be technically aware of the immediate surrounding medical technologies available, based on either medical need or workflow, to wirelessly interface with required medically necessary data feeds and information sources. It will pre-authorize and enable connections to those devices and patient care workflows, and provide feedback that those are initiated and completed. It would include devices such as a Fitbit, an Apple Watch, or a patient’s smartphone that may be collecting biometric information prior to and during an injury. This interconnectivity feature will differentiate the haves from the have-nots.
    • Access personally stored health data in our personal “clouds”. Just like us keeping our music in iTunes, critical files in Dropbox, and pictures in Instagram, we will begin to use the cloud for the amalgamation, or a digital timeline, of all of our healthcare events. This enables a consistent representation and communication of all our health events whenever and however needed.

The next generation clinical workspace described above is not Digital Health, but instead what the core technologies of digital health need to look like. It will take the collective experimentation and collaboration of many to evolve the next generation of Digital Health.  It is very apparent that healthcare itself is no longer just provided in an inpatient, outpatient, or tertiary location.  Instead, it is wherever and however a patient and caretaker interaction occurs, including telehealth.

This is where the VMware Horizon ecosystem differentiates itself. From the caretaker perspective, it is the only highly integrated nascent technology that uniquely reduces healthcare workflow friction.  It aligns itself to a fast paced workspace, filled with interruptions, and seamlessly transitions healthcare workflows from user to user as they move from event to event, location to location, ultimately enabling patients to heal faster and return to their normal lives.

This is a call to action for those of us involved in delivering VMware solutions to healthcare organizations. We need to continue to deepen our relationships and integration with our EMR vendor partners. We also need to continue to identify and align with new, innovative healthcare and technology vendors, to create new delivery solutions to meet the demands of the next gen clinical workspace. Finally, as we meet with healthcare delivery organizations, we need to be listening to differentiating input and critique from the caregivers themselves on how best to implement digital health via a clinical workspace. Together, collaboratively, we can bring about THE desired next generation clinical workspace for the healthcare industry.

The Changing Face of Healthcare Security – Leveraging a Zero Trust Model to Protect Your Critical Assets

Post for Chris Logan, Senior Healthcare Strategist, VMware, MBA, CISSP, by Tony Amaddio Senior Healthcare Strategist, VMware

The trend of health data breaches for 2015 is staggering. As of October 23rd, the breach tally has affected over 113 million individuals. More importantly, the top six breaches this year have impacted 109.6 million individuals, which accounts for 96 percent of the currently reported incidents so far. What I find to be intriguing about these recent breaches is they all involve hacking attacks, which up until this year, were a rarity in healthcare.

As of October 2015, the official tally of major healthcare breaches since September 2009 listed 1,374 breaches affecting a total of 153.8 million individuals. That means that this year alone, the six recent hacker attack breaches account for nearly 71 percent of all victims over the six year reporting period. One of those attacks, health insurer Anthem, affected nearly 79.8 million individuals, over 50 percent of the total number of individuals impacted since 2009!

This is new territory for healthcare. Could it be due to a lack of focus on cybersecurity, or is it due specifically to our continued reliance on legacy systems? Older IT systems are rich with patient information, and many times they are missing needed controls and are protected with outdated technology. The real issue is that Protected Health Information is an asset and it needs to be afforded the same level of protection as other assets such as buildings and equipment. Does anyone believe that a healthcare organization would buy or build a hospital without fire suppression systems? Of course they wouldn’t, so why are they still relying on virtual fire extinguishers to address cybersecurity when they truly need a much more comprehensive set of controls for their data?

So how is VMware addressing these issues? Consider first that security is not a one-size-fits-all problem, and VMware strives to understand our customers’ operating environments and how data is being used and delivered across your enterprise. Armed with that knowledge, we look to build a platform for security by ensuring the protection and proper access of your key asset, your data. Across our portfolio we have many solutions which allow us to demonstrate layered security controls to protect our customers’ and partners’ digital assets, including NSX for microsegmentation, vRealize for configuration and compliance management, AirWatch for mobility management, Horizon for virtual desktops, and Identity Manager for application provisioning and conditional access controls.

One way to layer security over your critical assets is to implement a Zero Trust architecture. With the VMware NSX platform, a Zero Trust architecture is built as a baseline through microsegmentation. This concept was first proposed by Forrester Research and is intended to address security by promoting “never trust, always verify” as its guiding principle. With Zero Trust there is no default access or entitlement for any entity, including users, devices, applications and network traffic, regardless of location, whether on or off the corporate network. By establishing Zero Trust boundaries, you can effectively microsegment your network, allowing enhanced protection of your critical data from unauthorized applications or users, reducing your exposure to vulnerable systems, and preventing the lateral movement of malicious software across your network.

There is no single solution to this problem; it takes true focus to move past just ensuring compliance to guaranteeing the efficacy of the security program to both mitigate and remediate the risks inherent to the technology being employed. In this world of digitization, compliance is not security and security does not guarantee compliance; both need to work in harmony and meet the needs of each organization’s goals. We must remain attentive in our efforts to help our customers protect their assets, and that requires everyone’s diligence. As a trusted partner we must treat security as a team sport, supporting our customers’ and partners’ needs by helping them become aware of and truly understand the increasing threat to their digital assets, and implementing solutions to solve this new epidemic.

Do you have that awareness today? VMware has significantly invested in the tools and expertise to meet the changing security demands of the healthcare industry. VMware is ready to help you address your new security initiatives and drive greater outcomes in the delivery of patient care by allowing your greatest asset, your data, to be used in a secure, effective and efficient manner.

* Statistical data gathered from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Secure by design: a healthcare IT imperative

Healthcare IT is different. Problems don’t just cost money. With the Internet of Things in our hospitals and clinics, lives can often be at stake. Designing a secure healthcare IT environment is critical not only to the business, but more importantly to the real end-user, the patient. Security, in many Healthcare environments, is frequently not considered as a part of the design process. In order to properly design secure Healthcare IT solutions, it is imperative to consider Lifecycle Management of the application, Traffic Management between applications, and Configuration Management of the systems that support the application.

Lifecycle Management

While not always considered to be part of security, the lifecycle of an application, with its underlying Virtual Machines (VMs), plays a critical role in security. Consider a VM built for a specific application. It is fairly simple to provision a VM from a template. But then there is storage, networking, security software, application software, etc. Even if everything is done correctly, and each team follows the procedure, one minor variation can have far-reaching consequences.

Once a VM is there, it is tough to completely remove. In many environments, a VM might be decommissioned at the end of its lifecycle, but oftentimes DNS, IP address management, firewall rules and many other systems are not cleaned up. Many times the application may be upgraded, archived, or decommissioned, but VMs which are no longer necessary will continue to live on. While this is inefficient, it also makes for more targets, since these can fall out of monitoring systems or can remain unpatched.

Building environments the same way every time, removing the element of human error, and ensuring they are managed and retired or archived as appropriate provides for faster troubleshooting and greater security, since the systems are all treated similarly based on their security classification.
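As an added illustration of the cleanup gap described above (example code, not VMware tooling): a small audit that cross-checks a VM inventory against DNS records and firewall rules to find leftovers from decommissioned VMs. The inventory, DNS zone and rule base are constructed samples, and their field layout is an assumption.

```python
"""Audit for artifacts left behind by decommissioned VMs.

Added example, not VMware's code. The three data sets are constructed stand-ins
for exports from the VM inventory, DNS zone and firewall rule base.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: hostname -> (IP, lifecycle state).
INVENTORY = {
    "ehr-web-01": ("10.10.1.11", "active"),
    "ehr-web-02": ("10.10.1.12", "decommissioned"),
    "ehr-app-01": ("10.10.2.11", "active"),
    "ehr-db-01": ("10.10.3.11", "active"),
}

# Constructed DNS A records: ehr-web-02 was never removed, ehr-rpt-01 was
# never entered in the inventory at all.
DNS_A_RECORDS = {
    "ehr-web-01": "10.10.1.11",
    "ehr-web-02": "10.10.1.12",
    "ehr-app-01": "10.10.2.11",
    "ehr-db-01": "10.10.3.11",
    "ehr-rpt-01": "10.10.4.20",
}

# Constructed firewall rules: (name, source, destination, port); endpoints may
# be a host address or a CIDR block.
FIREWALL_RULES = [
    ("web01-to-app", "10.10.1.11", "10.10.2.11", 8443),
    ("web02-to-app", "10.10.1.12", "10.10.2.11", 8443),
    ("app-to-db", "10.10.2.0/24", "10.10.3.11", 1433),
    ("admin-to-db", "10.10.9.50", "10.10.3.11", 1433),
]


def live_ips(inventory):
    """Addresses of VMs that still exist."""
    return {ip for ip, state in inventory.values() if state == "active"}


def stale_dns_records(inventory, dns):
    """DNS names whose address belongs to no live VM: records left behind after
    decommissioning as well as names created outside the lifecycle process."""
    live = live_ips(inventory)
    return sorted(name for name, ip in dns.items() if ip not in live)


def _endpoint_is_dead(addr, inventory):
    """A host address is dead if the inventory lists it as decommissioned; a
    CIDR is dead only if it no longer covers any live VM. Addresses the
    inventory has never seen (e.g. a physical admin host) are not flagged."""
    if "/" in addr:
        net = ip_network(addr, strict=False)
        return not any(ip_address(ip) in net for ip in live_ips(inventory))
    return any(ip == addr and state != "active" for ip, state in inventory.values())


def orphaned_firewall_rules(inventory, rules):
    """Rules whose source or destination points at a decommissioned VM. Left in
    place, such a rule grants access to whatever host later inherits the
    address, which is the unmonitored exposure described above."""
    return [name for name, src, dst, _port in rules
            if _endpoint_is_dead(src, inventory) or _endpoint_is_dead(dst, inventory)]
```

Run against real exports, the two lists are the cleanup backlog that the lifecycle process should have emptied.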

[Figure: securebydesign1]

Traffic Management

As I have talked about previously, traffic management becomes far more important in a virtual environment. This is particularly important in highly regulated environments such as Healthcare. When applications contain HIPAA-regulated or other critical data that must be secured, controls must be put in place to ensure proper traffic management.

Consider a traditional three-tiered application with web, application, and database tiers. Ideally, in a secure environment, traffic should be inspected when traversing between each tier. In our example below, notice that we are also using separate subnets with full layer 3 routing between them. By doing this in software, we are able to simplify the rules as we discussed in Lifecycle Management. Policies are applied to the VMs at time of creation. Firewall rules exist in the form of a policy. Routing decisions are made locally, firewall rules are applied locally, and traffic never needs to leave the software environment unless it requires access to the physical plant.
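To make the three-tier policy concrete, here is an added example (not NSX code or its API) of a default-deny, tier-based model of the design described above; the tier subnets, rule set, ports and sample flows are constructed assumptions.

```python
"""Default-deny microsegmentation model for the three-tier design above.

Added example, not the NSX distributed firewall or its API. Subnets, tier
names and ports are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: one routed subnet per tier, as in the diagram.
TIER_SUBNETS = {
    "web": ip_network("10.10.1.0/24"),
    "app": ip_network("10.10.2.0/24"),
    "db": ip_network("10.10.3.0/24"),
}

@dataclass(frozen=True)
class Rule:
    """An allowed flow between tiers rather than addresses: a VM tagged at
    creation inherits the policy without a per-host firewall entry."""
    src_tier: str
    dst_tier: str
    port: int

# Constructed policy: only two inter-tier flows exist. Anything not listed,
# including web -> db and traffic inside a tier, is denied.
POLICY = frozenset({
    Rule("web", "app", 8443),   # front end calls the application tier
    Rule("app", "db", 1433),    # only the app tier may reach the database
})

def tier_of(ip):
    """Tier a VM belongs to, or None outside the tiers (e.g. physical plant)."""
    addr = ip_address(ip)
    for tier, net in TIER_SUBNETS.items():
        if addr in net:
            return tier
    return None

def is_allowed(src_ip, dst_ip, port, policy=POLICY):
    """Default deny: a flow passes only if a tier-level rule matches it.
    Rules are directional; return traffic is left to a stateful firewall."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return False
    return Rule(src, dst, port) in policy

def denied_flows(flows, policy=POLICY):
    """Flow records the policy rejects; running flow logs through this is
    the inter-tier inspection step described above."""
    return [f for f in flows if not is_allowed(*f, policy=policy)]

# Constructed flow records such as a flow log would yield.
SAMPLE_FLOWS = [
    ("10.10.1.11", "10.10.2.11", 8443),    # web -> app: allowed
    ("10.10.2.11", "10.10.3.11", 1433),    # app -> db: allowed
    ("10.10.1.11", "10.10.3.11", 1433),    # web -> db directly: denied
    ("10.10.1.11", "10.10.1.12", 445),     # web -> web lateral: denied
    ("192.168.50.9", "10.10.3.11", 1433),  # outside any tier: denied
]
```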

[Figure: securebydesign2]

Configuration Management

The importance of designing a secure system cannot be overstated. Equally important to a secure environment is continuous monitoring of security. Changes happen; whether a human or a machine is the cause, configuration drift is a reality in every healthcare environment. Time after time, audit reports show that a lack of configuration and patch management is the cause of numerous security breaches.

In the example below, configuration management extends to multiple types of environments. While we often think of HIPAA in our regulated environments, there are often PCI or other areas which need to be validated, and all too often some of these can overlap. Good Configuration Management means being able to show auditors a complete report on what the environment has looked like over time in addition to its current state. This type of on-demand reporting and remediation prevents the loss of patient data, while securing the environment and ensuring lifecycle management policies are enforced.

[Figure: securebydesign3]

Healthcare IT security should not be the security group setting policies in a vacuum. Everyone in the healthcare organization is responsible for security. It is the responsibility of Healthcare IT to provide a framework and manage appropriately so that security is a part of the lifecycle, something which extends beyond just firewalls and VLANs. Constant monitoring and remediation prevents malicious or accidental breaches, and provides patients and providers alike a secure experience without impacting performance.