The healthcare industry is subject to stringent requirements for assuring the security of patient information. In a typical small medical office, one or several licensed practitioners are supported by nurses, assistants, and front-office staff. These individuals are experts in providing medical services to patients, not the IT behind-the-scenes infrastructure. Can virtual desktop technology be adopted to efficiently and securely address patient care?
Virtual Desktops
First, let’s delve into virtual desktop technology. Virtual desktops are available in two major forms:
Virtual Desktop Infrastructure (VDI)
The overarching virtual desktop technology, most often as provided by an in-house system.
Desktop as a Service (DaaS)
Virtual desktop technology as contracted with a service provider and usually hosted in the cloud.
From the user perspective, the virtual desktop appears the same: the user remotely accesses a secondary desktop that is housed and maintained centrally. It is precisely this centralization feature and the corresponding inherent technology that provides distinct advantages for securing and maintaining patient care.
Patient Data Security
A core requirement for the healthcare industry is maintaining privacy of patient data. Many countries have strict patient data protection requirements, such as HIPAA (Health Insurance Portability and Accountability Act) in the USA and Bundesdatenschutzgesetz (BDSG) in Germany, and severe penalties may be imposed for lack of compliance. In addition to regulatory requirements for confidentiality, healthcare providers have the moral obligation to ensure that details regarding patient treatments, medications, and all medical records do not fall into the wrong hands.
From a practical standpoint, centralizing patient data within a virtual desktop is not only a good technical decision, but also a sound business decision to aid regulatory compliance. Around the globe, healthcare leaders are adopting virtual desktops to provide more efficient patient care and security.
Virtual desktop technology provides inherent security, ranging from logon to session security, as well as backend databases. In order to gain access, a user must first properly authenticate. Because authentication is based on Active Directory credentials and permissions, only authorized users are able to remotely gain access to virtual desktops.
Once the user has accessed to the virtual desktop, session data traverses the network securely via SSL/TLS, which means that the data is encrypted by means of certificate technology. When viewed within a packet analyzer, sometimes called a packet sniffer, the actual data that is being sent and received cannot be discerned; only the sending and receiving devices have access to the decrypted data streams. TLS 1.2 has been available since 2008 and is being replaced with version 1.3.
Session security is further enhanced because a full VPN is not necessary. Rather than allowing many kinds of traffic to traverse a full VPN, this technology inherently only permits communications to and from the virtual desktop. As a result, network security is maximized yet simplified.
In addition, when the user types in data fields, such as a list of patient prescription medications, the text is processed by the application housed within the data center, and the data stream traversing to the user device is presented on the screen as a series of bitmap updates. This not only provides additional security but also minimizes the amount of data that is transferred.
With virtual desktop technology, no patient data is maintained on the user device; thus, there is no worry of data theft if the device is lost or stolen. When the medical expert accesses radiographs, medical history, or other information, it is done within the confines of the virtual desktop infrastructure, with no dependence on the local device. For example, if a physician realizes that her laptop was stolen during a robbery, there is no concern that any patient data has been compromised.
Further, because no patient data is maintained on the local device, there are no concerns about backing up the files and potentially restoring them at a later date. Because all data is maintained centrally—whether in the cloud or a corporate data center—backups are performed as a standard practice, and users do not need to take any action.
Another benefit of not maintaining patient data on the local device is more efficient anti-virus protection. Sometimes users and internal IT staff are lax about maintaining anti-virus updates on local devices. Because virtual desktop technology is administered centrally, maintenance of anti-virus on the virtual desktop and related technology components is more efficient.