Roaming Epic EHR Delivered via Application Virtualization to ProveID Embedded Thin Clients

This configuration can be used in most clinical settings:

  • A shared workstation with roaming applications lets users move from workstation to workstation and automatically connect to one or more applications, including the Epic EHR (Epic).

  • As users authenticate to different shared workstations, they reconnect to their virtualization session, which makes it appear as if their applications are "roaming" with them.

NOTE:

This configuration is not recommended for settings where patient medical records must remain persistent on the workstation for different users to access. For example — an exam room.

This topic details how each component in the following environment is configured.

Click to enlarge.

In this workflow the Epic EHR (Epic) is delivered to a shared Imprivata ProveID Embedded endpoint (thin client) via Citrix DaaS application virtualization.

For a summary of this architecture and Imprivata license requirements, see Epic EHR Delivered via Citrix to Thin Clients.

Before You Begin

Review the following before you begin:

  • Verify that your thin clients are supported. For more information, see "ProveID Embedded" in the Imprivata Enterprise Access Management Supported Components guide.

  • The following steps assume that ProveID Embedded has been installed and configured.

    For more information, see "Configuring ProveID Embedded on Linux Thin Clients" in the Imprivata Enterprise Access Management Online Help.

Imprivata Enterprise Access Management Configuration

In this section you configure the Imprivata user and computers policies:

  • An Imprivata user policy is the means by which you define authentication methods and rules to a specific group of users.

  • An Imprivata computer policy is the means by which you define security parameters to a specific set of workstations. This workflow requires two computer policies:

    • The first policy is assigned to the shared thin clients.

    • The second policy is assigned to the Citrix servers that are delivering Epic.

NOTE:

The following steps detail the required settings to achieve this workflow. For complete details on user and computer policies, see the Imprivata Enterprise Access Management Help.

To enable the thin clients:

  1. In the Imprivata Admin Console. open the gear icon menu, and click ProveID.

  2. Select Allow full API access via ProveID Web API and ProveID Embedded.

  3. Select your thin client model, and then click Save.

In this workflow, users are enabled to authenticate with a proximity card + a password.

Although users will typically authenticate to Imprivata Enterprise Access Management with a proximity card, enabling password as the second factor is required for Citrix pass–through authentication.

Defining Authentication Methods and Enabling Virtual Desktop Access

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Desktop Access Authentication section.

  4. Under Primary Factors, select Password, and then Proximity Card.

    A secondary factor is not required.

  5. On the Virtual Desktops tab, select Enable virtual desktop access automation.

  6. Select Automate access to applications or published desktops, and then select Roam open applications.

  7. Save the user policy.

NOTE: If Citrix published applications or desktops appear in the pane, do not select them. This workflow does not require you to automatically launch an application. Citrix Workspace app manages application access.

The following screen captures detail the above settings.

Click to enlarge .

Assigning the User Policy

To apply users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import port it.

Configuring a connection to the Citrix connection broker makes the Epic application available to computer policies.

Configuring the Connection to Brokers

To configure the connection:

  1. In the Imprivata Admin Console, click Computers > Virtual desktops.

  2. In the Citrix XenApp section, enter one or more URLs to the Citrix stores.

  3. Click Save.

Configuring Citrix for Native Connections to Stores

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Imprivata Enterprise Access Management SSO:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

In this workflow, the thin clients are enabled for Windows authentication and automated application access.

Enabling Windows Authentication and Application Access

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. On the Virtual Desktops tab, go to the Citrix XenApp section , and select Automate access to Citrix XenApp.

  5. Under When a XenApp endpoint is locked, specify the required behavior when the endpoint becomes locked:

    • Keep the XenApp client and user session active

      This option preserves the user session; when a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their applications are preserved just as they were when this endpoint computer was locked.

    • Shutdown the XenApp client and disconnect the user session

      This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their application will relaunch.

  6. Optional – If you are deploying ProveID Embedded workstations, select Enable Published Applications.

  7. Under Available Citrix Servers, select one or more Citrix stores.

  8. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

In this workflow, the Citrix servers that are delivering the Epic are enabled for Windows authentication.

Enabling Windows Authentication

To add a computer policy for the Citrix servers:

  1. In the Imprivata Admin Console, click Computers > Computer polices.

  2. On the Computer policies page, click Add, and then enter a name.

  3. On the Citrix or Terminal Server tab, go to the Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section.

    1. Select XenApp or Terminal Server Windows session user and Imprivata user are always the same.

    2. Leave Always trust the Citrix or Terminal Server selected.

  4. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  5. Save the computer policy.

The following screen captures details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

Thin Client Configuration

In this section, you:

  • Configure Citrix Workspace app to connect to the Citrix server and deliver Epic.

  • Import the Citrix SSL certificate into your thin clients to establish trust between both environments.

NOTE:

In addition to the registry settings that are configured on the virtual desktop, USB redirection is managed from the thin client, independent of Imprivata Enterprise Access Management. Configure devices to support the USB redirection of your proximity card readers, as well as any other required devices.

Thin clients typically ship with a compatible version of Citrix Workspace app, which uses the explicit user credentials to connect to the Citrix server and deliver Epic.

Imprivata supports a number of thin client devices, all of which support native connections to Citrix DaaS published applications.

The steps to configure the connection vary by device. For more information, see your vendor–specific documentation.

Import the Citrix SSL certificate into your thin clients to establish trust between both environments.

Before you begin, save a copy of the SSL certificate to a USB storage device (thumb drive).

The following material is included as a reference for tasks in the HP Device Manager (HPDM) console. For more information, see your HP documentation.

To import the SSL certificate to one thin client:

  1. Insert the thumb drive into the thin client.

  2. Click the wrench icon > Advanced > Certificate to open the Certificate Manager.

  3. Go to the Local Root Certificate Authorities tab.

  4. Click Import from File, locate the SSL certificate on the thumb drive, and click Open.

    Restarting the thin client is not required.

To create the task:

  1. In the HP Device Manager console, click Templates and Rules.

    The Templates section lists all of the available base templates.

  2. Double-click _File and Registry to open the Template Editor.

  3. On the Content tab, click Add, select Deploy Files, and then click OK.

  4. Click Add from local, and import the SSL certificate.

  5. In the Path on Device field, enter /usr/local/share/ca-certificates, and then click OK.

  6. On the Content tab, click Add, select Command, and then click OK.

  7. In the Command field, enter the following:

    cd /usr/lib/hptc-cert-mgr

  8. Click Add, and in the Command field, enter the following:

    /usr/lib/hptc-cert-mgr/certmgr-apply

    Do not change the default settings for Execute After Reboot (No) and Wait (Yes) for either command.

  9. Click Save as to save the task, name the task, and then click OK
    The Package Description Editor appears.

To edit the package description:

  1. Complete the following fields:

    • Title

    • Installation Space

    • Architecture

    • OS Type

    • Device Models

  2. Click Generate.

The template is created and appears in the Templates section.

To send the task:

  1. In the HP Device Manager Console, click Manage Devices.

  2. Go to the Devices section, and right-click the required group of thin clients to open the Template Chooser.

  3. From the Category List, select File and Registry, and then select the template that will deploy the SSL certificate.

  4. Click Next.

  5. Use the Task Editor to manage how and when the certificates will be sent to the device, and click OK.

The following material is included as a reference for tasks in the IGEL UMS. For more information, see your IGEL documentation.

To import the SSL certificate to one thin client:

  1. Open a terminal window.

  2. Change to the /wfs directory

  3. Enter the following command to create a new subdirectory.

    mkdir ca-certs

  4. Insert the thumb drive into the thin client, and navigate to the location of the SSL certificate.

  5. Copy the SSL certificate file with the following command:

    cp <cert_name>.cer /wfs/ca-certs

  6. Restart the thin client.

To distribute the SSL certificate using the IGEL UMS:

  1. From the UMS console, right-click Files, and then click New File.

  2. Select Upload Local File to UMS server, and then use Local file to browse to the SSL certificate.

  3. In the field Local File, enter the location of the SSL certificate file.

  4. Under File Target:

    • Set Classification to Undefined.

    • In the Device files location field, enter the following path:

      /wfs/ca-certs/<cert_name>.cer

  5. Click OK.

  6. Assign the SSL certificate to your thin clients directly or through the profile that is managing them.

  7. Restart the thin clients.

NOTE: For more information on assigning objects, see the IGEL Knowledge Base.

Citrix Server Configuration

In this section, you install the Imprivata agent and the Imprivata Connector for Epic Hyperdrive on the Citrix servers that are delivering the Epic EHR.

  • Installing the Imprivata agent on the Citrix Servers enables Imprivata to communicate between Citrix environment and the shared workstations.

  • Installing the Imprivata Connector for Epic Hyperdrive enables access to Epic Hyperdrive.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Enterprise Access Management. If your virtual environment is configured correctly for session persistence, Enterprise Access Management seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

BEST PRACTICE:

Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the connection broker roams the session that the user was previously using.

For more information about configuring session persistence and application delivery, see your vendor documentation.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Citrix or Terminal Server agent.

Use a Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=3

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Install the Imprivata Connector for Epic Hyperdrive on all of the servers that are delivering Epic. Consider the following:

  • The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

  • The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

NOTE: Before installing the Imprivata Connector for Epic Hyperdrive, be sure that Epic is installed.

Using the Installation Wizard

To install:

  1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Using the Command Line

To install:

  1. Standard msiexec commands can be used to run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The Epic version of the Imprivata Connector for Epic Hyperdrive can be specified in the msiexec command line as follows:

    • EPICVERSION = 2014

    • EPICVERSION = 2015

    • EPICVERSION = 2017

    • EPICVERSION = "2018 August"

    • EPICVERSION = "2018 November"

    • EPICVERSION = "2019 February"

    NOTE: If you are using the Imprivata Connector for Epic Hyperdrive version 6.3 or later, including an Epic version is not required.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Epic Configuration

In this section, you configure the Imprivata Connector for Epic Hyperdrive.

Imprivata has worked with Epic Systems to develop the Imprivata Connector for Epic Hyperdrive. The Connector leverages Epic's authentication API to provide single sign-on, single sign-off, and fast user switching for Epic Hyperdrive.

Imprivata Enterprise Access Management offers two different configuration options for Epic that can be enabled on a per-workstation basis:

  • SSO for Epic only workflow

    With this workflow, the Windows desktop is always unlocked. Users authenticate to Epic using their fingerprint or proximity card. This workflow is optimized for workstations on which Epic is the most frequently accessed application.

  • SSO for multiple applications including Epic

    With this workflow, the Windows desktop is secured by the Imprivata agent. Users authenticate to EAM using their fingerprint or proximity card. This workflow is optimized for workstations on which Imprivata Single Sign-On is required for multiple applications, including Epic.

EAM can be configured to secure Epic and maintain the patient context or log the user out of Epic with either of these workflows.

NOTE:

In scenarios where EAM performs Fast User Switching into the Epic EMR Hyperdrive client delivered via Citrix, we recommend that the Epic session remain active during times of clinician usage. The utilization of Citrix timeout settings for Epic sessions, or any closure of the Epic session, may impact login times for clinical users because they must wait for the Epic session to reconnect.

Citrix and VDI connection times are unaffected by EAM. When needed, EAM automates the connection to Citrix, but does not reduce the connection time.

When configuring support for Epic, consider the following:

  • Use the endpoint computer policy to manage the settings on the Connector for Epic tab.

    These settings are only honored from the workstation on which users access Epic. The settings are not honored where Epic is installed.

  • The Imprivata Connector for Epic Hyperdrive for Epic supports a number of reference architectures.

    While you can use the Imprivata Connector for Epic Hyperdrive Configuration Guide to complete the steps required of this reference architecture, the guide does include information that is optional.

As such, the table below provides an overview of what must be configured for this specific reference architecture.

Configuration Notes
System definitions

Epic system definitions are configured to support roaming.

For assistance configuring your system definitions, contact Epic.
Authentication devices

Ensure that your authentication devices are configured correctly:

  • Use Chronicles to configure the E0G master file.
  • Set the Login Mode option to SYSTEM LOGIN (EMP 45), otherwise User ID.

For more information, see Chapter 4.
Epic only mode

In this configuration, Epic is the only application that clinicians can access from the shared workstation:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 9.
Multi–app mode

In this configuration, clinicians can access other applications in addition to Epic:

  • By default, when Epic is delivered via Citrix Virtual Apps, the Imprivata Connector for Epic Hyperdrive disables the Imprivata SSO engine. To re-enable the SSO engine, configure the following registry settings:
    • ControlISXAgentStartup
    • DontStartAgentHooks
    • DontStartAgentTimer
    • HookInit
  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 8.