During this presentation, Kirk Larson, Vice President and Chief Information Officer at Children’s Hospital Central California, explains how the hospital uses a virtual environment to securely manage a BYOD (Bring Your Own Device) environment without jeopardizing sensitive data.
This presentation was recorded during Online Tech's Fall into IT seminar held Friday, September 14th, 2012.
April: All right everyone, we're going to kick off our second presentation of the day. I'm very happy to welcome Kirk Larson. Kirk is here all the way from California. He is the Vice President and CIO of Children's Hospital in California. Kirk is really on the pioneering edge in terms of his approach to culture, to the integration of information and technology, which if you talk with Kirk long enough, you'll learn is not the same thing and sometimes is an oxymoron. Kirk has managed to put together a HIPAA compliant and secure, Bring Your Own Device environment and with no further ado, let me welcome Kirk to share with you how he's done that.
Kirk: Thank you, April, for that introduction. I'm very glad to be back in Ann Arbor. I did my graduate studies here and before I get started I always have to chuckle. When I was a student, I would always laugh when people from the West Coast would come in to see us because they would come in flip flops or not bring the proper apparel and I thought that would never happen to me. Well, I moved out to California about four years ago, here I am in Ann Arbor on a September day, didn't bring my umbrella, but I brought my sunglasses. So I'm wet and I haven't used my sunglasses yet, but regardless I'm happy to be back here in Ann Arbor and back on the campus and to share with you a little bit about what we've done at Children's Hospital with Bring Your Own Device or, what the industry calls, BYOD.
Our agenda for this morning, I'm going to talk a little bit about who we are, Children's Hospital, where we've been because that sets up nicely what we've done with Bring Your Own Device, some policies, also some considerations that I'll share with you and a few things to think about because like most things in technology, there are several things to consider as you implement something such as BYOD and we'll take some time for your questions as well.
Who we are – the Children's Hospital Central California. We are a 348 bed pediatric hospital located in California Central Valley with a medical staff of about 525 physicians practicing in over 40 subspecialties, making us one of the 10 largest pediatric hospitals in the country. We're proud of some recognition we've received both for patient safety and magnet status for our nursing program and again just to give you a sense for some of our throughput. We perform about 11,000 surgeries per year and have over about 67,000 emergency room visits per year. We are, in fact, the only Children's Hospital in the state of California between Los Angeles and San Francisco. We have a very large catchment area.
A little bit about who we are from the technology side. We run Dell, VMware, NetApp, Cisco. We have about half a petabyte of data that we manage, about 10,000 network elements, 8,500 user accounts, and about 300 servers. Like most places, we're a Microsoft shop, use Lenovo, HP, and so forth. On the application side, for those of you familiar with HCIS vendors, we are Meditech client/server version 5.65, which means that we are Meaningful Stage 1 certified. We use Lawson for our ERP and Picis in our operating room.
In Children's Hospital, our mission is to provide high quality comprehensive health care services to children, regardless of their ability to pay, and to continuously improve the health and wellbeing of children and our vision is quite simply to be the best children's hospital in the country and I like to share that because I'm very passionate about where it is that I work and the mission and vision really drives everything that we do in IT, right down to BYOD, which, again is why I'd like to share just a little bit about what Children's Hospital does.
Now, taking a step back, talking about where we've been. In 2011, about a year ago, was a real transformational year for us. We went live with what we call our Advanced Clinical System or shortened to ACS, and what that did was in one day we went live with our electronic nursing documentation. We had a big bang where folks came in and we went from being paper-based to being electronic and we also rolled out CPOE over the course of three phases in about six weeks. We fundamentally changed the way that we delivered care. In doing so, that really changed the requirements for IT as well because it forced us to think about how it is we deliver content because suddenly we have this increase in the number of users and the resources that they're accessing and also just the sheer number of supportive devices. When you think about every nurse and every physician using CPOE, the number of devices really exploded.
I know this visual is a little bit hard to see, but I like to use this because it kind of reminds me of the lottery where they put all the balls in the hopper, and we really had three things that were kind of jumping around in our minds. One was the security piece around mobile devices. Another was the increase in the number of clinical users. When you go from having nursing documentation on paper to having nursing documentation electronically, your number of users has really grown exponentially. Then finally, resource effectiveness. How do we best leverage the resources that we have and that we'll acquire over time? When those three balls were kind of moving around in the hopper, it led us to the conclusion that we really needed to leverage our virtual desktop infrastructure or abbreviated as VDI.
The significance of the ACS initiative when we went live or actually prior to when we went live, it really forced us to think about things differently because the standard approach of going live with a new system, matching it with the requisite number of devices, really wasn't practical for us. We leveraged the VDI when we went live with ACS and, in doing so, that really laid the ground work for future projects, in particular Bring Your Own Device because we had that in place in order for ACS to go live.
Now, when you think about Bring Your Own Device, there's a lot of questions that come up or a lot of reasons why you should think about doing BYOD. One is there are simply multiple device preferences. We had, for example, when we were getting to go live with ACS, we had a device roadshow where we brought in devices and had our endusers kind of come through this, really, like a fair and look at the different devices and try to determine what makes the most sense for a particular workflow. Probably not surprisingly, there's a whole host of different preferences in terms of tablets, laptops, wall mounted PCs, and Bring Your Own Device enables you to accommodate the multiple device preferences.
Also, different applications work differently on different devices, which is to say that not every software vendor has caught up with the capability of today's mobile devices. For example, using tablets in healthcare, I always say is good for static data review. If you're looking at an x-ray or static information, it's good for looking at a tablet device, but if you rely on entering a lot of data, once you bring up that virtual keyboard, you've lost about half of your screen and then you're typing like this. So, does it work for some people? Absolutely. Does it work for others? It doesn't, which again speaks to the fact that different applications are going to work differently. Yes.
Audience: Excuse my interruption for a question, you mentioned a couple of different brands. My interest is more on the application side. I think Meditech was one of the packages. Now you're talking about ACS. Is that a brand or package? Is that your internal program name?
Kirk: ACS is what we call the overall kind of initiative to move to electronic documentation.
Audience: In your program name and inside ACS, how many apps, branded apps, are running in that family under ACS that you're delivering?
Kirk: ACS is really different Meditech modules.
Audience: Okay, a client/server that has a web interface to it then as well.
Kirk: No, it's client/server.
Audience: It is client/server Windows-based. That eliminates the tablet access, does it not?
Kirk: Meditech is working on creating a tablet application, but with the Bring Your Own Device, we've created a way where you can get Meditech onto a tablet and, in fact, it runs on Windows, you can get it on an iPad. You can run a Windows environment off of an iOS with the BYOD.
Audience: With an environment you provided your users?
Audience: Thank you.
Kirk: Correct. We'll talk a little bit more about that because that's a really exciting component of BYOD where you're not limited by the operating system of the device.
Audience: Because you can't control the audience, right. You're not necessarily dictating what brand of tablet or smartphone they're using.
Audience: You've got to accommodate them.
Kirk: That's correct.
Audience: Thank you.
Kirk: Other reasons to consider Bring Your Own Device, again different workflows. The example that I used, some people, a dietitian for example, they favored iPads because a lot of what they're doing, they're looking at data, not so much entering data. In contrast, someone who relies on extensive data entry, a tablet is probably not the best tool because if you think about typing on a virtual keyboard, probably not the best outcome.
Cost. Cost is also a consideration and your initial reaction, as was ours, was good, this will be a huge cost savings because now we don't have to buy all these devices. True, to an extent, because remember as you get out of the business of not only buying the device, the Microsoft license, antivirus software, what have you, what you are implicitly signing up for is additional investment in the VDI, so the virtual desktop infrastructure on the back end. There's still some cost and how those balance out over time, our sense is that it will be a net savings, but it won't eliminate enduser devices from the IT budget type of savings.
We will talk about safeguarding of data using Bring Your Own Device. We'll show how we have ensured that data remains safe and secure and, in fact, never at any time resides on the individual device. Also for us, it's also a matter of staying competitive. There are other hospitals in the community and a lot of folks are doing this. There's demand from our physicians, in particular, to be able to bring your own device and we want to remain competitive in our local market place.
What our solution was, as I alluded to, was to leverage our existing virtual desktop infrastructure environment and the way that you can access VDI through your own device, all you need to be able to do is install the VMware View client. If you have a device that can download a very small application, the client, that device can then be BYOD and you can access your virtual desktop on the backend. Like I said before, we're a Windows shop, but if your device preference is an iPad, you can install this client and you can access your Windows-based virtual desktop on an iPad or an Android device or bring a laptop from home. It can be . . . I kind of cringe when I say this, but it can be a 10-year-old laptop, you know the ones that are that thick. If it can download that client, it can run the Windows-based environment. People are kind of surprised when they walk around with an iPad running Windows and our version of Meditech, but that's the way we're able to do that.
Actually in doing so, the other benefit of that is it's the same look and feel that's familiar to the endusers. Whether you're accessing it from a wall-mounted PC in a nursing unit or if you brought your own Android tablet from home, it looks exactly the same because you're in fact accessing the same desktop image.
As far as policies go, we are currently live with BYOD. We rolled it out earlier this year in a pilot phase and we were very fortunate that we had great participation from our physicians. In fact, they were some of the drivers of this saying let's do this, why are we not doing this and our CMIO was also very instrumental in helping us build that support, which really naturally flowed very quickly. Some of the things that we found to be beneficial, one was we developed this with extensive input from our enduser community. We didn't just go off and develop this and then hand it back to the physicians. We engaged them throughout the process so that they had an active role in what this would ultimately look like.
One of the questions that we frequently get is, okay so now we've permitted any device that can download this client to be a BYOD, what responsibility does IT take in supporting that device? The answer is where we've landed is we support the connectivity to the device, but that's where we draw the line because we don't support the device itself. If you bring in a laptop from 1999, download the client and it works, we'll ensure that the client works and you're able to access the virtual desktop, but if it's your iPad from home, we're not going to get involved with the iTunes store or why that's not downloading your music or why you can't find your family pictures. It's really the connectivity element that we support because, again, in doing so then you're onto our resources and our network.
All infectious control aspects apply. If you take a device out of the hospital, obviously there is some infectious control consideration and those are policies that we already have in terms of how you have to treat a device that has been out of the hospital. Again, one of our initial reactions was what are we going to do to reinvent this wheel, do we have to come up with a policy for that and the answer is really no because a lot of those policies already exist. We've had laptops for years. Obviously they leave the hospital, they come back in. We simply leverage the existing policies that we have. Again, as I said, this was something that was developed with physicians in mind and they were really some of the champions, but ultimately any clinical user could access this resource.
Audience: Yeah, I’m trying to wrap my head around this. Is the solution that you're describing with the virtual desktop infrastructure and VMware, it seems to be on kind of this abstract level of services and so on and then you're describing working with physicians to make sure to satisfy their needs. I'm just wondering if you could give an example or two about some conversations that you might have had with physicians so I can get a sense of what sorts of concerns they were bringing to the table.
Kirk: One of the concerns that came up was what should be on the image. What should people be able to access through the VDI image. Should email be on there, should the internet be on there? Obviously Meditech or electronic medical records should be on there, but there was a degree of interest in helping craft what would be available because we don't want to put a hundred things onto a virtual desktop image, but we do want to make sure we get the things that are critical to our endusers on there so that it's available to them. That was something that they were engaged in. Another thing, at a higher level, which we were able to accommodate, was the physicians' objective was not, "Okay we have laptops now, we don't want to have a solution that says now you can have laptops and this one certain tablet device you have to buy, the Android most recent version." The feedback that they had and the participation that they had was, "We want to bring in anything, you guys go make that happen." It was really everywhere from kind of the minutia of what exactly do we make available to them, all the way to the high level concept of, "Look Kirk, our expectation we can bring any device in from home, you guys need to be able to make it work."
Here's some considerations that we went through when we implemented the BYOD. Like I said, users have multiple device preferences and BYOD enables us to accommodate, really it's not even us. It enables the user to accommodate what their device preference is because, again, if they can download the client onto the device, it will work.
We will see a multitude of enduser devices because people are going to bring in iPads, they're going to bring in tablets, they're going to bring in laptops that we haven't seen before, but again our commitment is to support the connectivity, not the actual device itself, connectivity so they can access the VDI.
As I said, the devices will be used outside the hospital. That's something that's not so much a technology issue as it is enforcing the existing policy around infectious control considerations.
On the application front, not all applications could be needed or wanted on BYOD and this again is where we engaged the physicians and others really across the hospital as to what are the proper applications to offer on a virtual desktop image.
The third one there is really I think a good example of where technology ends and policy begins. The question came up should exempt and nonexempt employees have the same access. In other words, people who are hourly, should they be at home accessing VDI? From a policy perspective, the answer is no and that's something where it's not so much a technology consideration where we need to do something so that certain people can't access at a certain time, that's more setting an expectation that existing hospital policy needs to be followed.
From an infrastructure perspective, we did anticipate a potential spike in the number of VDI sessions and in our case we did provision the sessions in advance so that we could accommodate the need. It's also possible that you could limit the number of sessions. That was an avenue we didn't want to go down, certainly for obvious customer satisfaction reasons. It is a potential consideration that if you were, for example, piloting something you could limit the number of sessions.
As I said, there will be a potential decrease over time in the number of purchased devices, but even though there is cost-savings with the reduction in number of devices purchased, there will be some increase in cost around the virtual desktop infrastructure investment and VMware and such. As I said before, our anticipation is that over time that there should be a savings overall, but it's not a complete savings where you're wiping a line item out of the IT budget.
Finally on the security perspective, there's a couple of different ways that you can do this from a network control perspective. You can partition the existing network or you can create a separate wireless network. In our case, for reasons I won't dive too deep into, from a network architecture perspective, we did end up creating an additional wireless network that people could access and, again, that was more so from a network architecture perspective. My sense is that over time that we'll probably fold that into our existing network. Again, that was something that we did just based on where we were at the time from an architectural standpoint.
Confidential data. One of the beauties of BYOD is because you're accessing the virtual desktop, if you were to lose that device or no longer have access to it, not only is there not data on it at the time that you're reviewing it, there never was data on it. As soon as it's disconnected, that's not a problem if the device was lost or stolen because the data has always resided on the virtual image on the back end. There's not a risk of losing data to a lost or stolen device.
Audience: I’ll call it session for lack of a better term – as a VDI user, I've got an active session with my view open, can you set that VDI management up so that if I walk away at some perimeter distance or timing basis, if I’ve had, call it a time out so many minutes or seconds without connect to my view, I blow that view away. I don't want that person walking off campus with that healthcare information view on that screen.
Kirk: Correct and that's exactly . . .
Audience: That's exactly what you do?
Audience: That's pretty cool. Thank you.
Kirk: So they'd be disconnected. I'll leave you with some things to think about and there's always kind of the inevitable things to think about because nothing's always exactly as we consider.
The first one is prepare for what I call losing some sense of control because in the current state, kind of before BYOD, we set forth, of course in collaboration with our enduser community, that there is a device standard. So we have a standard laptop with the device roadshow, certain devices were selected, iPads, other devices. Those were the standard, those were bought by IT, we controlled that, we dictated that. With BYOD, that starts to go away because people are going to bring in what they want to bring in and you're going to see a whole host of things. Endusers, as I think everyone probably knows, can be pretty clever and they're going to bring in basically anything they can that has wireless capability. We need to be prepared to support whatever it is that shows up on our doorstep.
Again, it's important to set those ground rules upfront as to what you're going to support. Again, in our case, what we landed on was supporting the connectivity to the device, not the device itself. We don't have the manpower or really the interest in helping people find the lost family pictures on their iPad or what have you. We're really in the business of ensuring that they can establish the connectivity to their virtual image.
Considering scalability, it is possible that there could be a real increase in the number of VDI sessions and you just need to think about how we anticipate the number of sessions growing, the demand for that, because people could bring in multiple devices and that's something that you just have to forecast and be prepared to accommodate. In our case, we haven't maxed out our sessions so we've been able to meet that need.
Again, the securing the data, that's really one of the benefits of using VMware with Bring Your Own Device because, like I said before, not only is there not data on when you're looking at it, there never was data on there. You can take it home, do whatever else you want with it, throw it away. It's really not our concern because the fact that there's never any data on the physical device.
Finally, again, on cost, as I said over time there will be savings from decrease in the number of devices purchased, Microsoft licenses purchased, antivirus software and such, but at the same time there will be some degree of an increase in the investment necessary to support the VDI on the backend.
Those are some of the things that I will leave you with to think about and I will be happy to take your questions now and also for those who are viewing virtually and everyone here, I hope that you jot down my contact information because this is something that we're really excited about and I'm always happy to continue the dialogue if there are questions either today or in the future.
Audience: Are endusers able to access the VDI from home?
Kirk: Not the BYOD. As an employee, I can access my virtual desktop remotely, but we're not offering the BYOD from home.
Audience: How do you enforce that?
Kirk: Because it's a separate network, you have to be onsite to access the wireless capability.
Kirk: For someone such as myself, or anyone working remote, you can access the standard virtual image, but it wouldn’t be on your own . . . You wouldn't be accessing the clinical network with your device. I am at home accessing my email and internet and such, our intranet and things.
April: Can I just have you repeat the question when you answer it? That will save me from running back and forth. Thanks.
Audience: Is the VDI program good enough for video on your own devices and what's the quality of that from your experience?
Kirk: The quality experience is the same as if you were accessing something hardwired from the hospital. So, I would see no reason why you couldn't view a video. For example, the internet is one of the icons on the virtual desktop image so you could go to YouTube and watch a video.
Audience: If you have a physician who wants to work on charts at home, what are their options?
Kirk: Right now they could not leverage the BYOD network. They would have to use a VPN to access Meditech.
April: Kirk, can you tell us a little bit about who was the executive sponsor of this project and related information projects at the hospital?
Kirk: The question was: who was the executive sponsor for this project and for related projects at the hospital. It's important at Children's that people don't feel like these are all IT projects. For example, when we went live with our nursing documentation project, the executive sponsor of that project was not me as a CIO, but that was the CNO. Similarly in a case like this, I would suggest that really the CMIO was the executive sponsor for this project. Again, it's not seen as an IT initiative, but it's really run by the operations group of the hospital.
Audience: You know the software vendors for the HRs - they are all developing actual applications from their app stores. Have you had any conversations about how you're going to support roles on their own device because it’s not going to really work well through a virtualized desktop.
Kirk: Yes and that's a good question. I'll repeat the question. The question was, as vendors develop their own, for example, tablet applications through an app store, how do we intend to support those and at this point our plan is to continue to leverage the virtual desktop infrastructure and I think that, for the most part, a lot of those software vendors are far enough out that I'm not sure that they know the answer to that question. I know Meditech is actively, in our case, our primary EMR vendor. They are actively working on developing that. I think that it's probably sometime out in the future before that's available and to be honest we will have to evaluate that when we get to it. I think that they need to be part of that conversation too as to how they would propose to keep the data secure because I don't think they want the data on the physical device more than we do.
Audience: One last tech question as a CIO, nonspecific to your branded offerings, but I've got to say that I'm intrigued and impressed by the idea of doing the VDI in a view as an active session versus a native something that you've got to manage. Clearly VMware has taken a big step in the industry to provide that sort of capability. Are they also now the owners of Citrix or is Citrix a competitor to them in this space of what I’ll call virtual session?
Kirk: The question . . . First of all, thank you for your kind comments. The question was how does Citrix kind of compare to VMware, did VMware acquire them, are they competitors, what's the relationship? The answer is they are competitors and we've made a strategic decision to partner with VMware. We're actually enterprise partners with them and we've had a relationship, I think, for a couple of years now and I've learned to be very cautious to declare we were the first because anytime you start a sentence with we were the first, then someone Googles something and someone did it five seconds before we did, but we were either the first or close to the first hospital to implement VMware's View client for iPads. There's a YouTube video out there that kind of features Children's Hospital and we talk about what we did with working with VMware and installing that on an iPad. Like I said, I think we were the first, if not we were close to being one of the first hospitals to actually roll out VMware View on an iPad so that folks could access Meditech or anything like that, again, with a Windows environment on an iPad device.
Audience: That's a cool idea. Do you have any metrics on the devices that have connected to the network via the virtual desktop?
Kirk: Again, thank you for your kind words as well. The question was do we have any metrics on the number and types of devices that have connected to our network. The answer is at this point it's pretty empirical. Being the CIO, people like to seek me out and tell me what they have put "on my network." Of course, it's not my network; it's the hospital's network. There is a degree of breadth. We've had iPads, we've had iMac, the MacBooks. There's been a lot of interest in getting Apple products, to be honest, onto the network, particularly for the screen display because we have folks who use those outside of work. I know people who have also used the Android as well, the tablets. I like to personally test things myself as well, so I know I've done the Android tablets and people have done some older laptops. We haven't gone too far back. I'm kind of curious how thick of a laptop could someone bring in and install that client on and have the patience to use it. Thus far it's pretty interesting, just the breadth.
Audience: Do you have roaming profiles set up on the virtual environment so like if a doctor was in a patient room and he had a PC there and if he walks out then switches it over to the iPad, do you have that set up?
Kirk: The question is do we have roaming profiles set up so that if a physician is providing for patient care in room 123, if he or she moves across the hall to room 125, can they log back in and the answer is yes. You would log out, log back in and you'd be exactly where you were.
Audience: The session is still running on the server, correct? The doctor just logs back in to be connected to the same session.
Audience: They don't have to close out anything? We're actually looking at doing this too that's why I bring this up. We have a doctor who will go room to room and he wants his chart to follow along with him, but then he will go back to his office and do transcription or whatever, and he doesn't want to have to re-log into everything, that virtual session will follow him and then when you put it on his tablet he can then walk out and have it available, not to the outside world.
Audience: Can you name the technology you're using for this as a single sign-on product or those technologies?
Kirk: It's the VMware View Client. They have a little client that you can download. In fact, it is accessible from our webpage. Of course, you could download it and you wouldn't be able to log into our network, but it's just a little tiny, it's a couple of megs, download, install it and then you're ready to go again, assuming that you have network privileges.
Any other questions? Again, I hope that if you do think of questions, please reach out to me. I do actively use LinkedIn, Twitter, my email address is there and I enjoy continuing the dialog. If you have suggestions for us, we're always open to those as well. Again, thank you for the invitation this morning, I've enjoyed speaking with you and I look forward to also staying in touch with you. Thank you.
April: Thanks Kirk.
Kirk Larson is the Vice President and Chief Information Officer of Children’s Hospital Central California, one of the 10 largest pediatric hospitals in the country. Kirk has spent his entire career in healthcare and technology. He has consulting experience with the Big Five firm Arthur Andersen; vendor experience with the largest pure play HCIS company, Cerner Corporation; and provider experience as the CIO of two different hospitals in California. Academically, he holds a Master of Business Administration and Master of Health Services Administration from the University of Michigan, and a Bachelor of Science in mathematics from North Central College.