Epic EHR Delivered via VDI to Thin/Zero Clients

This configuration is used in settings where there is direct interaction between the patient and the provider. It gives users fast access to the workstation and the Epic EHR:

  • The EHR is not closed on user switch.

  • Other applications, such as web browsers and email, are closed on user switch.

This topic details how each component in the following environment is configured.

Click to enlarge.

In this workflow:

  • The Epic EHR (Epic) is delivered to a shared thin or zero client endpoint (thin client) via an Omnissa Horizon or Citrix DaaS VDI image (virtual desktop).

  • The Epic thick client is installed locally on the virtual desktop.

For a summary of this architecture and Imprivata license requirements, see Epic EHR Delivered via VDI to Thin Clients.

NOTE:

Before you begin, verify that your thin clients are supported. For more information, see "Endpoint Device Matrix" in the Imprivata OneSign Supported Components guide.

Imprivata Enterprise Access Management Configuration

In this section you configure the Imprivata user and computers policies:

  • An Imprivata user policy is the means by which you define authentication methods and rules to a specific group of users.

  • An Imprivata computer policy is the means by which you define security parameters to a specific set of workstations.

    This workflow requires one computer policy, which is assigned to the thin clients.

NOTE:

The following steps detail the required settings to achieve this workflow. For complete details on user and computer policies, see the Imprivata Enterprise Access Management Help.

In this workflow, users are enabled to authenticate with a proximity card + a password.

Although users will typically authenticate to Imprivata Enterprise Access Management with a proximity card, enabling password as the second factor is required for pass–through authentication for Citrix and Omnissa (VMware).

Defining Authentication Methods

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Desktop Access Authentication section.

  4. Under Primary Factors, select Password, and then Proximity Card.

    A secondary factor is not required.

  5. On the Virtual Desktops tab, verify that Enable virtual desktop access automation is not selected.

  6. Save the user policy.

The following screen captures detail the above settings.

Click to enlarge .

Assigning the User Policy

To apply users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import port it.

In this workflow, the thin clients are enabled for Windows authentication.

Enabling Windows Authentication

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

While there are no required computer policy settings for the virtual desktop, it is best practice to keep policies associated with your virtual desktops and thin clients separate.

For any settings you require, create a new computer policy and explicitly assign it to your virtual desktops.

Virtual Desktop Configuration

In this section, you:

  • Install the Imprivata agent on the virtual desktops on which Epic is locally installed.

    Installing the Imprivata agent enables Imprivata to communicate between the virtual environment and the shared workstations.

  • Install the Imprivata Connector for Epic Hyperdrive.

    Installing the Connector enables Fast User Switching for Epic Hyperdrive.

  • Configure registry settings.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Delivering a virtual desktop image requires that you install the Imprivata shared–kiosk agent (type 2).

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Shared Kiosk Workstation agent.

Using a Third-Party Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=2

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Install the Imprivata Connector for Epic Hyperdrive on all of the virtual desktop images that are delivering Epic. Consider the following:

  • The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

  • The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

NOTE: Before installing the Imprivata Connector for Epic Hyperdrive, be sure that Epic is installed.

Using the Installation Wizard

To install:

  1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Using the Command Line

To install:

  1. Standard msiexec commands can be used to run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The Epic version of the Imprivata Connector for Epic Hyperdrive can be specified in the msiexec command line as follows:

    • EPICVERSION = 2014

    • EPICVERSION = 2015

    • EPICVERSION = 2017

    • EPICVERSION = "2018 August"

    • EPICVERSION = "2018 November"

    • EPICVERSION = "2019 February"

    NOTE: If you are using the Imprivata Connector for Epic Hyperdrive version 6.3 or later, including an Epic version is not required.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Configure the following registry settings to enable the following:

  • Proximity card "tap–to–lock" .

  • The detection of proximity card events on the virtual desktop.

Name Data Type Location Value
DisableCAD DWORD

32-bit: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

64-bit: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System 

Default = 0

Set to = 1
DisableCAD DWORD

32-bit: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

64-bit: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon

Default = 0

Set to = 1
LockRemoteSessionWithAgentOnClient DWORD

32–bit: HKLM\Software\SSOProvider\ISXAgent

64–bit: HKLM\Software\Wow6432Node\SSOProvider\ISXAgent

Default = 0

Set to = 1
LockVirtualSessionWithHotKey DWORD

32–bit: HKLM\Software\SSOProvider\ISXAgent

64–bit: HKLM\Software\Wow6432Node\SSOProvider\ISXAgent

Default = 0

Set to = 1

Thin Client Configuration

In this section, you:

  • Configure your shared thin client workstations to automatically log into and connect to a persistent virtual desktop using generic workstation–based credentials.

    The generic user credentials are only used to log into the workstation.

  • Import the Citrix or Omnissa SSL certificate into your thin clients to establish trust between both environments.

Session persistence (roaming) can result in users obtaining an incorrect session when moving from one shared workstation to another.

To prevent roaming, you can take one of the following actions:

  • Create a unique generic user for each shared workstation in the environment.

  • Disable session roaming in your Citrix or Omnissa Horizon environment.

NOTE:

For more information about disabling session roaming, see the Citrix or Omnissa Horizon documentation.

A generic user account is required to login and connect to a persistent virtual desktop. When adding the generic user to your user directory, consider the following:

  • The generic user account must not be enrolled in Imprivata Enterprise Access Management.

  • Citrix — The generic user account must have access to the delivery group that references the machine catalog of the virtual desktops.

  • Omnissa — The generic user account must have access to the desktop pool that is delivering the virtual desktops.

Supported thin clients typically ship with a compatible version of Citrix Workspace app or the Omnissa Horizon client, which support native connections to Citrix Virtual Desktops and Omnissa Horizon Desktops.

While the exact steps to configure each vary from device to device, you will need the following information:

  • The credentials of the generic user account that should be used to automatically log in.

  • The virtual desktop connection settings:

    • The hostname or URL of the Omnissa Horizon server (desktop).

    • The Storefront Web Site or XenApp Services URL of the Citrix server (desktop).

  • The name of the desktop.

NOTE:

For more information on configuring the connection, see your vendor–specific documentation.

Epic Configuration

In this section, you configure the Imprivata Connector for Epic Hyperdrive.

Imprivata has worked with Epic Systems to develop the Imprivata Connector for Epic Hyperdrive. The Connector leverages Epic's authentication API to provide single sign-on, single sign-off, and fast user switching for Epic Hyperdrive.

Imprivata Enterprise Access Management offers two different configuration options for Epic that can be enabled on a per-workstation basis:

  • SSO for Epic only workflow

    With this workflow, the Windows desktop is always unlocked. Users authenticate to Epic using their fingerprint or proximity card. This workflow is optimized for workstations on which Epic is the most frequently accessed application.

  • SSO for multiple applications including Epic

    With this workflow, the Windows desktop is secured by the Imprivata agent. Users authenticate to EAM using their fingerprint or proximity card. This workflow is optimized for workstations on which Imprivata Single Sign-On is required for multiple applications, including Epic.

EAM can be configured to secure Epic and maintain the patient context or log the user out of Epic with either of these workflows.

NOTE:

In scenarios where EAM performs Fast User Switching into the Epic EMR Hyperdrive client delivered via Citrix, we recommend that the Epic session remain active during times of clinician usage. The utilization of Citrix timeout settings for Epic sessions, or any closure of the Epic session, may impact login times for clinical users because they must wait for the Epic session to reconnect.

Citrix and VDI connection times are unaffected by EAM. When needed, EAM automates the connection to Citrix, but does not reduce the connection time.

When configuring support for Epic, consider the following:

  • Use the endpoint computer policy to manage the settings on the Connector for Epic tab.

    These settings are only honored from the workstation on which users access Epic. The settings are not honored where Epic is installed.

  • The Imprivata Connector for Epic Hyperdrive for Epic supports a number of reference architectures.

    While you can use the Imprivata Connector for Epic Hyperdrive Configuration Guide to complete the steps required of this reference architecture, the guide does include information that is optional.

As such, the table below provides an overview of what must be configured for this specific reference architecture.

Configuration Notes
Authentication devices

Ensure that your authentication devices are configured correctly:

  • Use Chronicles to configure the E0G master file.
  • Set the Login Mode option to SYSTEM LOGIN (EMP 45), otherwise User ID.

For more information, see Chapter 4.
Epic only mode

In this configuration, Epic is the only application that clinicians can access from the shared workstation:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 9.
Multi–app mode

In this configuration, clinicians can access other applications in addition to Epic:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 8.