A tension that always exists in enterprises is how much IT is centralized and standardized verses local and variable. Desktops and laptops provide a good example of the issue.
At Caregroup, we must protect the confidentiality of 3 million records (HIPAA mandate and patient expectation), ensure nearly 100% uptime, and prevent all viruses/trojans/worms/keystroke loggers from entering our network to ensure the integrity of patient data as mandated by numerous compliance requirements. Security is an end to end design requirement from the servers to the network to the desktop/laptop used to access the data. Because of these patient care and regulatory requirements, hospitals tend to function more like corporate entities, mandating standards for each device. We have 7500 Windows XP computers at Beth Israel Deaconess, standardized on the Dell Optiplex product line and managed with an IT provided image that ensures stability and security. The total cost of ownership of this managed infrastructure is low for the following reasons:
- I have 8 staff servicing these 7500 Windows machines - nearly 1000 machines per person. Because the hardware and software is standardized, replacing parts, maintaining desktop images, and managing the lifecycle of the products (averages 5 years) is very efficient.
- We leverage our purchasing power with the vendor to get the best price for these machines
- We do not have to test our applications on a large array of different hardware
- The Optiplex line from Dell is designed for enterprises to require very little service (i.e. better power supplies and more reliable parts) and to have little variability over the product life cycle
- Our training effort can be very focused to create high expertise regarding the machines we support
Thus, we have official policies mandating that only IT provided desktops can be connecting to the network. I rarely get feedback on this policy because a desktop is seen as a commodity with little personalization. We spend a bit more up front for the Dell Optiplex line than we would for the consumer grade Dell Dimension line, but the total cost of ownership over the lifecycle of the device is much lower than if we purchased consumer grade machines.
Laptops are harder because they are seen by many as highly personal. Some folks want "Executive Jewelry" like the Sony VAIO. Others shop for price over enterprise manageability. The challenge is that laptops are generally made from highly proprietary hardware, which is optimized for small size/light weight. This means that they are hard to service and support. In our case, we have standardized on Lenovo/Dell laptops and require that each is purchased with a 3 year warranty, ensuring complete service coverage for the life cycle of the device. We do not make repairs ourselves and require the manufacturer to replace any defective parts. As with the desktop, Dell makes two product lines - the Latitude optimized for enterprises and the Inspiron optimized for consumers. Occasionally, Caregroup employees will look at the Inspiron line and note they are cheaper and more full featured than the Latitude line. What they do not realize is that the Latitude laptop, like the Optiplex desktop, uses higher quality parts that are very consistent for the lifetime of the product. If a Toshiba optical drive was part of the original design, the same Toshiba part will be in every Latitude shipped. By requiring the purchase of standardized laptops, we optimize the total cost of ownership of these devices over 3 years, as well as their reliability, security, and supportability. Responding to a security incident or attempting to provide best effort service to a non-standard laptop rapidly costs more than purchasing a standard laptop to begin with.
Apple Macintosh computers are analogous to the Dell Latitude/Optiplex line. Macs use consistent, high quality parts and their standard configurations have been able to support the needs of the BIDMC research community. The majority of the systems are MacBook Pros, followed by MacBooks and then a small number of iMacs and Mac desktops. All have OS X and a 3 year AppleCare warranty.
Sometimes employees try to purchase these on their own and submit a receipt for reimbursement, bypassing the institutional mandate to standardize devices connected to the network. In early 2007, the CareGroup adopted a policy that no such purchases would be reimbursed. If truly unusual cases of very specialized "high power" hardware purchases are required, the CIO can sign off on an exception before the purchase is made, but IT must apply patch management and anti-virus protection to these devices to ensure appropriate security. The cost of trying to manage the operating system on non-standard devices is very high, so we try to limit exceptions to under 10 devices per year.
At Harvard Medical School, there are no HIPAA constraints, no patient care issues, and fewer regulatory requirements applying to desktop/laptops. The education and administrative locations at Harvard are centrally managed similarly to CareGroup. However, the very large research enterprise at Harvard is given the recommendation to purchase Lenovo and Dell products at attractive prices but not mandated to standardize. The cost of supporting this research enterprise is 5 times higher than CareGroup - 1 person per 200 devices instead of 1 person for 1000 devices. Over time, as more and more applications become software as a service (Saas), web-based, and operating system neutral, it may be possible to use thin client devices, or more managed devices at Harvard, but for now, the school has accepted higher support costs in research environments by acknowledging that experimentation sometimes requires non-standard approaches. A researcher can implement cutting edge software or hardware if it will aid their research inquiry and at Harvard there are no patient care issues to worry about.
The CIO in many organizations is seen as the corporate guy who says "no" to requests for adopting heterogeneous personalized technology. I hope this brief explanation of the total cost of ownership, the need for security and the need for managing service levels illustrates that, honestly, I'm not such a bad guy after all.