Thin clients a malware-free desktop option

A Maine health care provider sheds its spyware-ridden, burdensome PCs for a safer, more manageable thin client environment.

This article can also be found in the Premium Editorial Download: Information Security magazine: Compliance vs. security: Prevent an either-or mentality.

Managing, maintaining and securing PCs always has brought some level of agony for security professionals. Whether it's a virus, worm, spyware, corrupted files or incessant patching, something always is bringing PCs down. That's a headache David Barter, technical services manager for Androscoggin Home Care & Hospice of Lewiston, Maine, knows all too well. "Systems in four of our remote offices were breaking often," he says. And part of the problem was that those Windows-based PCs were getting bogged down with spyware.

That just wasn't acceptable for Androscoggin, considering the increased reliance on electronic health records to deliver care, the security requirements associated with HIPAA, and just how much care Androscoggin delivers each year. More than 375 physicians utilize the hospice and home care services the non-profit provides. And, in 2005, Androscoggin served more than 8,000 patients and families, and provided more than 140,000 home care and hospice visits.

"The PCs were just killing us," says Barter.

That was just part of the challenge he faced. Androscoggin's electronic medical record system was aging. Care providers didn't always have the most up-to-date patient information when they visited offsite, and they were often forced to re-key redundant patient and medical information. So Androscoggin streamlined its operations with an upgrade to a new integrated clinical and financial information electronic medical records (EMR) system, HealthWyse. For that implementation, Barter had a choice: install the application locally on 150 separate desktops, each with an ODBC (Open Database Connectivity) connection to the backend database, or centrally deploy the software on a handful of servers that could be accessed by thin clients deployed throughout Androscoggin's five offices.

Androscoggin went thin.

"We knew it was time to move the entire organization to thin clients," he says. Androscoggin deployed Citrix Access Suite, including Citrix Access Gateway Standard Edition and Citrix Password Manager for the installation. Initially, Citrix Access Suite was deployed with Microsoft Windows Server 2003 on two HP ProLiant and four HP Blade servers. The rollout took about six months; now, 500 clinical and administrative employees access about a dozen applications, including Microsoft Office, Adobe Acrobat and Photoshop, a medical monitoring system, and others. Soon that access will be expanded to include accounting, human resources and payroll software using HP Compaq t5525 thin clients and HP iPAQ handhelds. "I no longer had to worry about staff downloading things they shouldn't. No more spyware. None of that exists in the thin client world," says Barter.

Streamlined Access, Improved Accuracy
Androscoggin isn't alone. Security, centralized management and lower maintenance costs are big drivers for centralized computing and thin clients, says Gartner analyst Mark Margevicius. "This centralized computing makes perfect sense in areas such as health care, finance and government. They're all great targets for a more controlled approach to their computing infrastructure," he says. Gartner expects thin client shipments to grow quickly over the next few years, as security and data protection become even higher priorities for organizations.

This wasn't the first Citrix implementation at Androscoggin. A limited Citrix Presentation Server installation was used to virtualize a homegrown EMR system used by a few administrators spread across several remote offices. "It worked well," says Barter. But the same couldn't be said for an IPsec virtual private network that was set up for remote access. "The system was slow when it worked, and when it broke, it broke big."

The new centrally managed system, however, gives visiting nurses the ability to provide updated patient information securely, using their HP handhelds. In addition, the system was leveraged to provide on-call nurses the ability to securely retrieve medical records from HealthWyse. Before this implementation, on-call nurses had to go to the office to retrieve those records.

"No more paper documents for an on-call nurse to do her job," says Barter. The result has been streamlined access from patients' homes and improved patient record accuracy. "This system allows us to deliver information faster and more smoothly, which in turn enables staff to provide better care," Barter explains.

In addition, Androscoggin bolstered security and HIPAA compliance with the deployment of Citrix Password Manager to enforce workstation password protection, including required password changes every 60 days and 10-minute timeouts. Initially, the new password capabilities were put into place for high-end users and administrative assistants, but now that capability is being phased in for everyone who accesses HealthWyse.

PC Blades Another Alternative
By Michael S. Mimoso

Thin clients aren't the only way to alleviate desktop security concerns. The John C. Lincoln Health Network of Phoenix replaced a chunk of its traditional PCs with PC blades, an architecture similar to thin clients where local hard drives are eliminated and put on centrally managed, rack-mounted blades.

CIO Rob Israel says his users interface with traditional peripherals--keyboard, mouse, monitor--but rather than a thin client, the desktop image is accessed via a device called an iPort from vendor ClearCube. The iPort connects via a direct cable or Ethernet to the blade, which supports four simultaneous connections (400 blades have been installed). Israel says security and management of the blades were paramount to the decision to remove traditional desktops.

"Increased security is tremendous," Israel says. "We no longer have computers sitting in the hallways getting accessed or stolen. There were no longer hard drives out there, saving stuff."

The network (two hospitals and 11 clinics) also supports home-based transcriptionists, who access and transcribe audio files via a dedicated network. With sensitive patient data potentially saved on a home computer, the iPort deployment to these remote contractors eliminated potential HIPAA compliance issues.

"Having a hard drive is a security hole, a risk," Israel says, adding the cost of the iPort deployment is more than a traditional PC upgrade, but the benefits outweigh that burden. "Anything that provides users with the response time they're used to, but takes away the potential for us to show up on the front page of The Wall Street Journal, is quite beneficial."

Michael S. Mimoso is editor of Information Security.

Not Without Resistance
"There definitely was initial pushback from a physical perspective--what the thin clients actually looked like," says Barter. He tried several tactics designed to overcome any objections to the thin clients, including building education and awareness. "Everybody knows what a PC will look like. They know what's inside of it and what it will do for you. But when you put a thin client in front of them, you get a funny look that says, 'What's this tiny box? How can it be as powerful as what I already have?'"

So Barter started slowly, and provided a few HP Compaq t5525s to a high-end user in each office.

"I asked them to give this a try and to tell me what they thought," he says. "We also improved the deal by adding new flat-panels. When they saw that, they forgot the whole PC thing." The result was certainly faster performance than the previous SSL VPN connection, and because sessions could be shadowed, Barter and his team could fix anything that broke. "They no longer had to wait for two hours," he says.

Androscoggin's IT team also objected at first to the new password rules.

"It's a cultural thing. They were so used to being able to turn around and do something for 20 minutes and then go back to work. Now that doesn't happen; you go do something else for 10 minutes and you have to sign in with your password again," he says. "They didn't like it. But they grew to understand and appreciate it. They know the HIPAA requirements. They're used to covering paper medical records. They learned that they have to treat this no differently than paper, and have the proper security in place."

The Payoff
The centralized architecture has dramatically cut IT costs for hardware and support for 150 PCs. "That's 150 fewer chances for something to break. We now have six Citrix servers that I update for 150 people," Barter says. "That's six updates versus 150."

While that efficiency is considerable in itself, it doesn't count the hours that Barter and his team spend imaging and installing PCs, the ongoing support and maintenance, and eventual secure disposal. In addition, the refresh cycle is longer. "With PCs, there is a replacement cycle of about 18 months. With thin clients, we have six years at least. So there's more than a doubling of the hardware ROI right there," he says. And each thin client doesn't require antivirus, firewall or licensing for a full-blown endpoint security suite.

The new architecture also is valuable in the event of a potential disaster. "Disaster recovery is critical anywhere, but it's especially so anywhere along a coastline," Barter says. "The fact that you can redeploy an office with traditional PCs in a matter of hours versus days, or a week, is a big deal. Imagine if you had to move an office 100 miles inland, to where connectivity was available. With this architecture, that would entail a few hours of driving, then a couple of hours of setup, and you'd quickly have a fully functional office. There's no way to pull that off in the fat client/server world."

Gartner's Margevicius says those savings are typical of thin client deployments. "Something around 45 percent of all PC costs are a result of user action--installing bad drivers, downloading viruses and spyware, just generally breaking the system. And they end up rebooting six times a day just to get their system up and running. That's a big problem, and these are really big costs that you avoid when you move to server-based computing," he says.

IDC estimates that growth of thin clients will maintain a clip of 21.5 percent through 2010. "But that doesn't show many of the alternative thin client options, such as virtualized PCs. There's a big movement underway toward centralized management. It cuts costs and improves security, and security is the biggest driver," says IDC analyst Bob O'Donnell.

Despite the success and cost savings associated with 150 users relying on thin clients, Androscoggin still uses a considerable number of PCs. "For various reasons, we didn't provide thin clients to supervisors, the executive leadership, or to high-end mobile workers. We have some very specific areas with applications that only will work on a fat client, that aren't supported in Citrix," Barter says.

Nonetheless, as a result of the sizable number of employees shifted to the Citrix and thin client architecture, Barter estimates Androscoggin's IT support costs will plummet by 75 percent a year. And the move toward a thin client/centralized computing architecture has cut the need for two additional full-time IT workers. "The ROI is just huge. We can manage things so much better, so much more centralized," Barter says.

Barter heralds a day when newer technologies, such as desktop and application streaming, will arrive and even more users either will be using thin clients or accessing centrally managed virtual desktops and applications.

With desktop streaming, an entire desktop environment, or a single application, is provisioned from a server and published to either a thin client or a full-blown PC, thereby getting all of the benefits of centralized computing and thin clients, while also making it possible to leave PC horsepower at the end user's disposal, if needed.

"It depends on how good the technology gets. When it comes to Citrix, application streaming could keep us from having to install applications on our Citrix servers. I could dedicate one server as an application streamer. This would make managing applications even easier," Barter says.

Margevicius says the hybrid approach of desktop and application streaming to PCs and thin clients holds promise. "I think eventually many organizations will choose a mixed, hybrid approach of thin clients, PCs and virtualized delivery of applications and entire desktops. It all will depend on what they need; transaction workers may do their entire work on thin clients, while others will have PCs because they'll require that flexibility for their jobs," he says.

Despite the promise of better security manageability in thin clients, Margevicius doesn't think the PC as we know it is dead. It'd be closer to extinction if Barter had his way, though.

Androscoggin is considering enabling nurses and other medical workers to share wireless thin tablet PCs at some locations. By leveraging the Hot Desktop functionality of Citrix's Password Manager, users will be able to share notebooks and workstations, and skip lengthy log-in/log-off procedures to access their specific applications.

"I think that as this progresses and the technology improves, more people will overcome their psychological hurdles to thin client architectures. They'll see it for what it is--a godsend for manageability and security," Barter says.

This was first published in March 2007
