Healthcare Information Security

The importance of a secure VDI delivery model in healthcare

By Bill Kleyman

Virtual desktop infrastructure (VDI) has matured and has finally found its place within IT over the past few years. Is it the ultimate answer to the desktop question? Probably not. However, can it find some solid, secure use cases within the healthcare world? Absolutely.

With VDI, it can truly come down to how the virtual desktop is presented and how well it is performing. This is especially the case with healthcare institutions since there are potentially so many different associates that may be utilizing the system. There’s little doubt that VDI can bring a certain value and ROI to healthcare environments. Still, the delivery model, security and how the desktops appear to the end-user can make or break a deployment. Having a clear understanding of the various components that fall into the virtual desktop process can help administrators deliver the most powerful – and secure – solution possible.

When designing a VDI platform for a healthcare organization, it’s important to analyze the components that fall underneath the technology. Also important is to have a good structure for the resources which will be delivered using VDI. Healthcare administrators aren’t just delivering a virtual desktop – they’re deploying a new user experience.

Begin with the end-user - As with many organizations, in the healthcare field, the end-user is one of the most important elements in the VDI model. Administrators must start with the end-user in mind to clearly understand their computing experience. Once that has been noted and researched, developers and implementers can design their VDI model directly around those needs. Whether it is a lab setting or creating a new teacher desktop pool, the delivery model will change based on the user’s needs. When a desktop is created around the end-user, the delivery of that desktop will be easier since the transition will seem more seamless to those using VDI.

Application delivery - Many times healthcare IT admins will try to install all necessary applications into a virtual desktop image and deliver it as such. Although sometimes this may work – it’s not recommended to have a thick desktop image delivered via VDI. Instead, application virtualization and streaming are highly recommended. In combining two technologies – desktop and application virtualization – administrators are able to segment and control each respective infrastructure element.

Here’s where security and identity federation come into play. By seamlessly tying in applications based on user security policy permissions, the end-user will see their apps load seamlessly through single sign-on (SSO) technologies. Furthermore, this delivery model allows administrators to deliver applications through a portal, independent of the virtual desktop environment. This gives the associates the freedom to use either a full virtual desktop or just a given application to complete their work.

Building the secure healthcare virtual desktop images - As mentioned earlier, building an efficient image means delivering a light virtual desktop infrastructure. In a healthcare setting, there is little doubt that there will be multiple departments in the mix. So, creating the right image for each department is important. It’s not uncommon to see a desktop image for the following:

- Labs (set as a pooled image)

- Executive staff (set as a persistent image)

- Healthcare contractors (set as a pooled image)

- Department-based workers (set as both pooled and persistent images)

Each of those images will have its own set of policies catered towards who the end-user will be. From there, applications are delivered through user groups and these images can stay clean and light. By creating secure master golden images, administrators are able to set updates to one master image (in the respective department) and update that instance. From there, a reboot cycle for all the secondary images pointing to the master will allow for updates to take place. This type of management helps simplify the VDI delivery model and allows it to be more controlled.

Optimizations (LAN, WAN, SAN) and security (DLP, IPS/IDS) - When delivering VDI, small optimizations can go a long way. This means researching certain optimizations for a given technology. Since VDI can be resource intensive, creating an environment built on optimizations and efficiencies can help reduce cost and increase ROI. In line with optimizations, building in a direct security model can keep images and the entire VDI infrastructure secure. Consider the following:

Local Area Network (LAN) – Switch-level QoS can help direct VDI or application-related traffic to the end-user much more effectively. If a certain type of traffic needs more bandwidth, using intelligent networking configurations can help with workload delivery.

Wide Area Network (WAN) – Many times schools decide to deliver applications or even desktops over the WAN. In this case, it’s important to ensure that there is enough bandwidth at the school data center to support this function. If the pipe becomes saturated, other workloads outside of VDI may feel the effects.

Storage Area Network (SAN) – As mentioned earlier, VDI requires a certain amount of resources to function well. One of these major resources is the storage infrastructure. Optimizations around SSD and flash technologies can help offload boot and processing storms to resources which are capable of very fast reads/writes. By freeing up resources from the spinning disk, school IT administrators can re-provision those IOPS to other vital workloads.

IPS/IDS/DLP – Next-generation security technologies have helped healthcare security administrators protect their environments from more evolving threats. Intrusion prevention/detection services (IPS/IDS) as well as data loss prevention (DLP) are all logical engines that can be run on top of next-gen security products. This means that these appliances can be virtual and located within various parts of the healthcare VDI infrastructure. Furthermore, antivirus has progressed a long way. Now, healthcare administrators can deploy AV engines directly at the hypervisor level. That means no clients or agents which have to sit at the virtual desktop layer. Not only does this increase security – it also helps with keeping a lean virtual image.

Creating the right model for a healthcare institution is crucial for a number of reasons. One of those is agility. Many hospitals are at the forefront of technological innovation and using VDI has helped these institutions grow. VDI has the capability to help organizations scale to their needs quickly and efficiently. The only way that type of growth is possible, however, is when an IT department has a clear understanding of the VDI model to be delivered.

Bill Kleyman, MBA, MISM, has heavy experience in network infrastructure management. He has served as a technology consultant and taken part in large virtualization deployments while being involved in business network design and implementation. He is currently the Virtualization Architect at MTM Technologies Inc. and his prior work includes Director of Technology at World Wide Fittings Inc.


