Saturday, January 19, 2008

Desktops and Laptops in an Enterprise

One of the interesting aspects of being a CIO at two institutions, Harvard Medical School and CareGroup, is that I can experience complex IT issues from multiple perspectives.

A tension that always exists in enterprises is how much IT is centralized and standardized versus local and variable. Desktops and laptops provide a good example of the issue.

At CareGroup, we must protect the confidentiality of 3 million records (HIPAA mandate and patient expectation), ensure nearly 100% uptime, and prevent all viruses/trojans/worms/keystroke loggers from entering our network to ensure the integrity of patient data as mandated by numerous compliance requirements. Security is an end-to-end design requirement from the servers to the network to the desktop/laptop used to access the data. Because of these patient care and regulatory requirements, hospitals tend to function more like corporate entities, mandating standards for each device. We have 7500 Windows XP computers at Beth Israel Deaconess, standardized on the Dell Optiplex product line and managed with an IT-provided image that ensures stability and security. The total cost of ownership of this managed infrastructure is low for the following reasons:

  • I have 8 staff servicing these 7500 Windows machines - nearly 1000 machines per person. Because the hardware and software are standardized, replacing parts, maintaining desktop images, and managing the lifecycle of the products (averaging 5 years) is very efficient.
  • We leverage our purchasing power with the vendor to get the best price for these machines.
  • We do not have to test our applications on a large array of different hardware.
  • The Optiplex line from Dell is designed for enterprises to require very little service (i.e. better power supplies and more reliable parts) and to have little variability over the product life cycle.
  • Our training effort can be very focused to create high expertise regarding the machines we support.

Thus, we have official policies mandating that only IT-provided desktops can be connected to the network. I rarely get feedback on this policy because a desktop is seen as a commodity with little personalization. We spend a bit more up front for the Dell Optiplex line than we would for the consumer-grade Dell Dimension line, but the total cost of ownership over the lifecycle of the device is much lower than if we purchased consumer-grade machines.

Laptops are harder because they are seen by many as highly personal. Some folks want "Executive Jewelry" like the Sony VAIO. Others shop for price over enterprise manageability. The challenge is that laptops are generally made from highly proprietary hardware, which is optimized for small size/light weight. This means that they are hard to service and support. In our case, we have standardized on Lenovo/Dell laptops and require that each is purchased with a 3 year warranty, ensuring complete service coverage for the life cycle of the device. We do not make repairs ourselves and require the manufacturer to replace any defective parts. As with the desktop, Dell makes two product lines - the Latitude optimized for enterprises and the Inspiron optimized for consumers. Occasionally, CareGroup employees will look at the Inspiron line and note they are cheaper and more fully featured than the Latitude line. What they do not realize is that the Latitude laptop, like the Optiplex desktop, uses higher quality parts that are very consistent for the lifetime of the product. If a Toshiba optical drive was part of the original design, the same Toshiba part will be in every Latitude shipped. By requiring the purchase of standardized laptops, we optimize the total cost of ownership of these devices over 3 years, as well as their reliability, security, and supportability. Responding to a security incident or attempting to provide best-effort service to a non-standard laptop rapidly costs more than purchasing a standard laptop to begin with.

Apple Macintosh computers are analogous to the Dell Latitude/Optiplex line. Macs use consistent, high quality parts and their standard configurations have been able to support the needs of the BIDMC research community. The majority of the systems are MacBook Pros, followed by MacBooks and then a small number of iMacs and Mac desktops. All have OS X and a 3 year AppleCare warranty.

Sometimes employees try to purchase these on their own and submit a receipt for reimbursement, bypassing the institutional mandate to standardize devices connected to the network. In early 2007, CareGroup adopted a policy that no such purchases would be reimbursed. In truly unusual cases where very specialized "high power" hardware purchases are required, the CIO can sign off on an exception before the purchase is made, but IT must apply patch management and anti-virus protection to these devices to ensure appropriate security. The cost of trying to manage the operating system on non-standard devices is very high, so we try to limit exceptions to under 10 devices per year.

At Harvard Medical School, there are no HIPAA constraints, no patient care issues, and fewer regulatory requirements applying to desktops/laptops. The education and administrative locations at Harvard are centrally managed similarly to CareGroup. However, the very large research enterprise at Harvard is recommended to purchase Lenovo and Dell products at attractive prices but is not mandated to standardize. The cost of supporting this research enterprise is 5 times higher than at CareGroup - 1 person per 200 devices instead of 1 person per 1000 devices. Over time, as more and more applications become software as a service (SaaS), web-based, and operating system neutral, it may be possible to use thin client devices, or more managed devices, at Harvard, but for now the school has accepted higher support costs in research environments by acknowledging that experimentation sometimes requires non-standard approaches. A researcher can implement cutting-edge software or hardware if it will aid their research inquiry, and at Harvard there are no patient care issues to worry about.

The CIO in many organizations is seen as the corporate guy who says "no" to requests for adopting heterogeneous personalized technology. I hope this brief explanation of the total cost of ownership, the need for security and the need for managing service levels illustrates that, honestly, I'm not such a bad guy after all.


Norge said...

What do you do about personal hardware that uses Wi-Fi...for example the iPhone?

John Halamka said...

We have 460 Cisco Lightweight Access Points providing 802.11a/g services to our patients and providers. We offer two SSIDs on our wireless network - a public non-secure internet connection and a private secure connection to all internal networks. Personal hardware devices all use the public non-secure internet connection. The iPhone, a great consumer device, does not have the capability of connecting to our secure network which is based on the EAP-FAST authentication protocol.

Amr said...

How do you control what is being accessed through the patient wireless network? How can you ensure that the patients are not accessing inappropriate substances? How can you enforce accountability in such a situation? Do you offer free wireless access to patients?

Techno Tornadoes said...

AMR - I have a similar setup to John's whereby we provide non-secured WiFi to patients, vendors, etc. We funnel the traffic through our web filters (Barracuda). The Cisco Access Points allow for a complete segmentation of the traffic from the private network of our Hospital and the public infrastructure.

John Halamka said...

We offer free wireless access to all patients, but do not monitor content. We have a standard appropriate use statement which all patients must sign electronically before getting connected. Of note, we do not route patient connections through any part of the Harvard internet infrastructure - we've purchased a separate Sprint connection for this traffic.

Sudsy said...

I know that Dell makes the claim that you summarized regarding the difference between the Optiplex line and the Inspiron/Dimension/Vostro lines (why oh why did Dell have to confuse the issue by suddenly changing the Inspiron brand to also include desktops?). I've started to wonder if this claim is valid.

I have no way of judging their claim about higher quality parts except to say that in my experience in a large academic department in a large US university, I found that Optiplexes and the rest have no significant difference in failure rate. I would like to see a non-partial detailed examination of this issue based on real experiences, not on MTBF claims.

I don't think the claim of less variability of Optiplex components makes much sense anymore. For standard desktop PCs, virtually all functions are provided by the chipset, and not by separate add-in boards, like in the old days. So, provided that Dell doesn't change the chipset in a specific model Dimension/Inspiron/Vostro, a standard OS image will work just fine no matter what other components change in the PC.

I agree that standardization can help reduce the number of people required to support a large number of desktop machines, but I'm skeptical of Dell's claims because I don't think they make technical sense anymore. I'd love to hear any counter examples.


Jon Forrest - UC Berkeley

John Halamka said...

The advantage we've experienced with Optiplex is simpler image management. We maintain a small library of very stable images for specific hardware. Limited variation in hardware enables us to manage a smaller library of OS images.

Heather said...

I work in a Canadian hospital library (in a region experiencing an economic boom, incidentally, so money should not be our issue), and I know from many listserv postings and blogs that medical librarians often have tons of trouble with their IT departments. In my case, it's not a hardware issue, but several software issues. I really don't care what types of desktop or laptop applications are mandated, but it frustrates me no end that our IT people place absolutely no priority on keeping software up to date. We are forced to use Netscape 4.8 for e-mail, Internet Explorer 5 as our browser, and Acrobat Reader 6 for reading PDFs. We are prevented from updating these products to the latest versions (locked down from downloading updates) and it's totally not a priority with our IT people to update things system-wide. So opening a PDF from an e-journal freezes up Internet Explorer, because we're two versions behind on both IE and Acrobat Reader, and Netscape e-mail tries to open links in the Netscape 4.8 browser (again, I can't change this to IE under preferences, because the IT cops have grayed it out).

I understand that IT departments have to make standards and data protection a priority, but they also need to help us do our jobs. I was so aggravated with the lack of functionality of my hospital's e-mail system that I considered forwarding it all to a GMail account and managing it that way. I ultimately decided not to do this, because of the privacy implications and also because it's a direct violation of policy, but someone else might not have had those scruples. Lots of people would rather bend or break the rules to work around a perpetual irritant, if there's no other way to deal with it directly.

Oh, and did I mention that in our brand new "state of the art" hospital, the computers that were designated for patient internet access sat there for nearly a year before being hooked up? IT mandated that these have to have a regular connection off the hospital network (very reasonable), but then didn't get around to actually setting it up for months (very unreasonable). In the meantime, we were told that patients were not allowed to use any staff computer to quickly send their boss an e-mail, etc.

I think it's these sorts of things, and not hardware or software standards per se, that really irritate the users of these systems.

Sudsy said...

"The advantage we've experienced with Optiplex is simpler image management. We maintain a small library of very stable images for specific hardware. Limited variation in hardware enables us to manage a smaller library of OS images."

My point is that there's nothing specific to Optiplexes that makes this true. If you standardize on, let's say, an Inspiron 530, then as long as Dell doesn't change the chipset in the 530, you'll also be able to survive with the same number of OS images as you would with an Optiplex. Of course, even if you believe what I just said, it becomes a financial decision because by the time you add a 3-year warranty to the lower-priced spread, the cost might be very close to the Optiplex.

Dell gave us a song and dance for years about why they only put Intel processors in their machines. None of their reasons, except maybe supply issues, turned out to be true. I'm finding that it's almost the same in the way they differentiate their various desktop lines.

Jon Forrest

Unknown said...

Thanks for broaching the subject of security in regards to laptops and desktops.

Quoting you saying, “At CareGroup, we must protect the confidentiality of 3 million records (HIPAA mandate and patient expectation)”. “Security is an end to end design requirement from the server to the network to the desktop/laptop used to access the data”. It is nice in theory, but most people in the medical field are still using systems that encrypt the hard drives on laptops and desktops, thereby taking control of the computer and negatively affecting productivity through loss of speed. Also, with some full-disk encryption solutions, once you open your system up, none of your data is now secure and your system is totally open to any prying eyes.

Why then are we experiencing such reluctance when proposing a solution to these very real threats? We have developed a software that will not only act as a “safety deposit box” on your hard drive, but allow you to encrypt it, manage it and create corporate policies on “how” and “what” stays secure. This software only secures your data, leaving your computer to do what it was intended for, as a productivity tool. Combine it with our TripleDES (3DES) encryption for all secure file transfers and your box is complete.

I know that this seems to be a thinly veiled attempt to sell you something, but that is actually not my intent. My intent is to suggest to the medical community as a whole that you can have true data security without locking down your entire system and without any system degradation. In today’s world security is more than just complying with SOX, GLBA, HIPAA, etc, it is the actual protection of the data requirements that brought about this legislation. Data security should not be difficult, expensive or a drag on your system and this is where most other products or solutions fail.

After a long beta test at the VA and waiting for our Security Clearance, we are currently in negotiations for system implementations across the board. Due to this, we are now focusing on the medical community. I have spent hours reading your blogs, posts and interviews and truly believe that you have overcome many obstacles that I am now experiencing. Any suggestions would be greatly appreciated!

"Policy driven and Managed Security"

Xrad2 said...

I'm not sure I understand your position with respect to individuals choosing to work in a Mac environment. Do you offer the option of Dell OR Mac to your users?

Greg Mogel, MD
University of S. California