Digital Identity Reference Architectures

The digital identity reference architectures for clinical workstations and shared mobile devices in the following sections are well-proven configurations that have been thoroughly tested by Imprivata and successfully implemented by many of Imprivata’s customers.

Readers should request architectural design assistance from an Imprivata pre- or post-sales consultant or certified Imprivata Partner when deviating from these designs.

Reference Architectures for Clinical Workstation Workflows

The following reference architectures are proven configurations that have been used to implement Imprivata Enterprise Access Management and Epic EHR on shared and private workstations.

Each reference architecture includes:

  • A description of the environment, including a logical architecture

  • Details of how each component in the environment is configured

NOTE:

In addition to the following information, Imprivata recommends that you review the Enterprise Access Management Imprivata Enterprise Access Management - SSO Supported Components.

This resources include the currently supported component versions, as well as the policies associated with the addition and retirement of specific component versions. For reference architectures that use thin an zero clients, this resource contains detailed information about the functionality supported by these devices in the Imprivata endpoint ecosystem.

Detailed Architecture

This workflow is used in settings where there is direct interaction between the patient and the provider. For example – exam rooms and inpatient rooms.

You can deliver the EHR via application virtualization to Windows, VDI to thin clients, and VDI and application virtualization to thin clients.

As illustrated in the following, the Epic EHR is delivered to a shared Windows workstation via Citrix DaaS virtual application.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive.

  • Imprivata OneSign Authentication Management

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundled with the EPCS license

  • Imprivata Virtual Desktop Access

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • The Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive.

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective MFA workflow policies
EAM SSO

  • Imprivata computer policies for the workstations and Citrix servers are configured for Fast User Switching

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Imprivata Virtual Desktop Access should be configured to launch Hyperdrive if users also need access to personal Citrix applications

  • Both Epic Multi-App and Epic Only modes are supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.
Windows workstation

  • The workstation is configured to automatically boot and authenticate to Windows using generic workstation-based credentials.

  • The Imprivata shared–kiosk workstation agent (type 2) is installed.

  • Citrix Workspace app is installed and configured to connect to Citrix using workstation–based credentials, for example: kioskuser/kioskpassword.

Configure it

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a shared thin or zero client endpoint via a virtual desktop. The Epic EHR thick client is installed locally on Omnissa Horizon or Citrix DaaS VDI image.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

  • Imprivata Virtual Desktop Access

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata Confirm ID workflow policies

EAM SSO

  • Imprivata computer policies for the VDI images are configured for fast user switching

  • Imprivata computer policies for the thin/zero clients can be configured for Epic Secure or Epic Logout

  • Imprivata Virtual Desktop Access should be configured to launch Hyperdrive if users also need access to personal Citrix applications

  • Both Epic Multi-App and Epic Only modes are supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
VDI

  • Epic is locally installed on the Omnissa Horizon or Citrix DaaS virtual desktop images.

  • Imprivata shared–kiosk workstation agent (type 2) is installed on all virtual desktop images.

  • The Imprivata Connector for Epic Hyperdrive is installed on all virtual desktop images.
Thin client

  • Thin clients are configured to automatically boot and connect to a persistent VDI Windows desktop using device-based credentials (i.e. kioskuser/kioskpassword)

Configure it

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered via Citrix Virtual Apps to an Omnissa Horizon or Citrix DaaS VDI image. This type of configuration is also known as a double hop.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata Confirm ID workflow policies

EAM SSO

  • Imprivata computer and user policies are configured to support automated access to VDI desktop using Imprivata Virtual Desktop Access

  • Imprivata computer policies for the thin/zero clients can be configured for Epic Secure or Epic Logout

  • Both Epic Multi-App and Epic Only modes are supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization to the VDI images.

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.
VDI

  • Imprivata shared–kiosk workstation agent (type 2) is installed on all virtual desktop images.

  • Citrix Workspace app is installed on all virtual desktop images and configured to connect to Citrix using workstation-based credentials

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with the Windows user’s credentials
Thin client

• Thin clients are configured to connect to Imprivata using ProveID Embedded or ProveID Web

NOTE:

For more information on thin or zero clients supporting this workflow, see the Imprivata Enterprise Access Management Supported Components Guide

Configure it

This workflow can be used in most clinical settings. However, it is not recommended for settings where the patient record must remain persistent on the workstation for different users to access.

You can deliver the EHR via application virtualization to Windows and application virtualization to thin clients.

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a shared Windows workstation via Citrix DaaS application virtualization.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • The Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive.

  • Epic system definitions configured to support roaming.

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata Confirm ID workflow policies
EAM SSO

  • Imprivata computer and user policies are configured to support automated access to Citrix using Imprivata Virtual Desktop Access

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization.

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.

  • Citrix workspace control settings are configured to support a single session per user for session roaming.
Windows workstation

  • The workstation is configured to automatically boot and authenticate to Windows using generic workstation-based credentials.

  • The Imprivata shared–kiosk workstation agent (type 2) is installed.

  • Citrix Workspace app is installed.

Configure it

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a shared thin or zero client endpoint via Citrix DaaS application virtualization.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive.

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • The Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive for Epic login.

  • Epic system definitions configured to support roaming.

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies

EAM SSO

 

  • Imprivata computer and user policies are configured to support automated access to Citrix using Imprivata Virtual Desktop Access.

  • Imprivata computer policies on thin/zero clients can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization.

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.

  • Citrix workspace control settings are configured to support a single session per user for session roaming.
Thin client

  • Thin clients are configured to connect to Imprivata using ProveID Web or ProveID Embedded.

    NOTE: See the Imprivata Enterprise Access Management Supported Components Guide to determine which thin or zero clients support this workflow.

  • Citrix Workspace app is installed on the thin client or is embedded into the firmware or operating system.

Configure it

This workflow can be used in most clinical settings. However, it is not recommended for settings where the patient record must remain persistent on the workstation for different users to access.

You can deliver the EHR to thin or zero clients via:

  • A virtual desktop

  • VDI and application virtualization

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a shared thin or zero client endpoint via a virtual desktop.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows (bundled with EPCS license)

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • Epic system definitions configured to support roaming

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer and user policies are configured to support automated access to Citrix DaaS or Omnissa Horizon Virtual Desktop VDI using Imprivata Virtual Desktop Access

  • Imprivata computer policies on thin/zero clients can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
VDI

  • Epic is locally installed on the Omnissa Horizon or Citrix Virtual Desktop virtual desktop images.

  • The Imprivata single user computer agent (type 1) is installed on all virtual desktop images.

  • The Imprivata Connector for Epic Hyperdrive is installed on all desktop images.
Thin client

  • Thin clients are configured to connect to Imprivata using ProveID Web or ProveID Embedded.

    NOTE:

    See the Imprivata Enterprise Access Management Supported Components Guide to determine which thin or zero clients support this workflow.

  • Omnissa Horizon or Citrix Workspace app is installed on the thin client or is embedded into the firmware or operating system.
Detailed Architecture

As illustrated in the following, the Epic EHR is delivered via Citrix DaaS to an Omnissa Horizon or Citrix DaaS VDI image. This type of configuration is also known as a double hop.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows (bundled with EPCS license)

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • Epic system definitions configured to support roaming

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer and user policies are configured to support automated access to Citrix DaaS or Omnissa Horizon Virtual Desktop VDI using Imprivata Virtual Desktop Access

  • Imprivata computer policies for the thin/zero clients can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix Virtual Apps application virtualization to the VDI images.

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.
VDI

  • Imprivata single user agent (type 1) is installed on all virtual desktop images.

  • Citrix Workspace app is installed.

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with the Windows user’s credentials
Thin client

  • Thin clients are configured to connect to Imprivata using ProveID Web or ProveID Embedded.

    NOTE:

    See the Imprivata Enterprise Access Management Supported Components Guide to determine which thin or zero clients support this workflow.

  • Omnissa Horizon Client or Citrix Workspace app is installed on the thin client or is embedded into the firmware or operating system

Configure it

Detailed Architecture

As illustrated in the following, the Epic EHR is locally installed on shared workstations.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows (bundled with EPCS license)

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer policies for the workstations are configured to not close Epic on user switch

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Both Epic Multi-App and Epic Only modes are supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Windows workstation

  • Workstations are configured to automatically boot and authenticate to Windows using workstation-based credentials (i.e., kioskuser/kioskpassword)

  • Imprivata Shared Workstation Agent (Type 2) is installed

  • Imprivata Connector for Epic Hyperdrive is installed

This workflow is used in a in a private location, administration area, or specialty areas where a limited number of users require access.

For example – a physician office or an administration area that is only used by unit coordinators.

Epic is typically delivered to the Windows–based workstation via application virtualization technology, such as Citrix DaaS.

Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a private Windows workstation via Citrix Virtual Apps application virtualization. The following licenses are required:

  • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • The Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive for Epic login.
EAM SSO

  • The Imprivata computer policies can be configured for Epic Secure or Epic Logout.
Citrix

  • Epic is delivered via Citrix Virtual Apps application virtualization.

  • The Imprivata Citrix or Terminal Server agent (type 3) is installed on all Citrix servers delivering Epic.

  • The Imprivata Connector for Epic Hyperdrive is installed on all Citrix servers delivering Epic.
Windows workstation

  • The Imprivata single user agent (type 1) is installed.

  • Citrix Workspace app is installed.

Configure it

Detailed Architecture

As illustrated in the following, the Epic EHR is locally installed on a private workstation.

  • Required Imprivata licenses:

    • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

    • Imprivata OneSign Authentication Management

  • Optional Imprivata licenses:

    • Imprivata Confirm ID for EPCS

    • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic login device is configured to use the Imprivata Connector for Epic Hyperdrive

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies

EAM SSO

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Imprivata computer policies can be configured for Multi-User Desktop (MUD) with the number of concurrent sessions limited to one (1) to allow any user to logout the authenticated user

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Windows workstation

  • The Imprivata single user agent (type 1) is installed.

  • Imprivata Connector for Epic Hyperdrive is installed
Detailed Architecture

As illustrated in the following, the Epic EHR is delivered via Citrix DaaS to a Windows workstations.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundles with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer policies for the workstations are configured for Fast User Switching

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization
Windows workstation

  • Workstations are configured to automatically boot and authenticate to Windows using workstation-based credentials (i.e., kioskuser/kioskpassword)

  • Imprivata Shared Workstation Agent (Type 2) is installed

  • Imprivata Connector for Epic Hyperdrive is installed

  • Citrix Workspace app is installed

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with Workstation-based credentials
Detailed Architecture

As illustrated in the following, the Epic EHR is delivered via Citrix DaaS to an Omnissa Horizon or Citrix Virtual Desktop VDI image. This type of configuration is also known as a double hop.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundles with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer and user policies are configured to support automated access to a Citrix DaaS or Omnissa Horizon Virtual Desktop VDI using Imprivata Virtual Desktop Access

  • Imprivata computer policies for the VDI images can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization to the VDI images
VDI

  • Imprivata Shared Workstation Agent (Type 2) is installed on all virtual desktop images

  • Imprivata Connector for Epic Hyperdrive is installed

  • Citrix Workspace app is installed.

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with the Windows user’s credentials
Thin client

  • Thin clients are configured to automatically boot and connect to a persistent VDI Windows desktop using device-based credentials (i.e., kioskuser/kioskpassword)
Detailed Architecture

As illustrated in the following, the Epic EHR is delivered via Citrix DaaS to an Omnissa Horizon or Citrix Virtual Desktop VDI image. This type of configuration is also known as a double hop.

Required Imprivata licenses:

  • Imprivata OneSign Single Sign–On with the Imprivata Connector for Epic Hyperdrive

  • Imprivata OneSign Authentication Management

  • Imprivata Virtual Desktop Access

Optional Imprivata licenses:

  • Imprivata Confirm ID for EPCS

  • Imprivata Confirm ID for Clinical Workflows, bundles with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • Epic system definitions configured to support roaming

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata workflow policies
EAM SSO

  • Imprivata computer and user policies are configured to support automated access to a Citrix DaaS or Omnissa Horizon Virtual Desktop VDI using Imprivata Virtual Desktop Access

  • Imprivata computer policies for the VDI images can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization to the VDI images
VDI

  • Imprivata single user agent (type 1) is installed on all virtual desktop images.

  • Imprivata Connector for Epic Hyperdrive is installed

  • Citrix Workspace app is installed.

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with the Windows user’s credentials
Thin client

  • Thin clients are configured to connect to Imprivata using ProveID Web or ProveID Embedded.

    NOTE:

    See the Imprivata Enterprise Access Management Supported Components Guide to determine which thin or zero clients support this workflow.

  • Omnissa Horizon Client or Citrix Workspace app is installed on the thin client or is embedded into the firmware or operating system
Detailed Architecture

As illustrated in the following, the Epic EHR is delivered to a private Windows workstation via Citrix DaaS application virtualization.

  • Required Imprivata licenses:

    • Imprivata OneSign Single Sign-On with the Imprivata Connector for Epic Hyperdrive

    • Imprivata OneSign Authentication Management

  • Optional Imprivata licenses:

    • Imprivata Confirm ID for EPCS

    • Imprivata Confirm ID for Clinical Workflows, bundled with EPCS license

Click to enlarge.

The following table summarizes how Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Epic EHR

  • E-Prescribing Controlled Medications (and other Epic signing contexts) are configured to programmatically re-authenticate using the correct Imprivata Connector API calls for the respective Imprivata Confirm ID workflow policies
EAM SSO

  • Imprivata computer policies can be configured for Epic Secure or Epic Logout

  • Epic Multi-App mode is supported
EAM MFA

  • Relevant user policies are added to the correct Imprivata Clinical and EPCS workflows, for the purposes of enrollment, licensing, and re-authentication
Citrix

  • Epic is delivered via Citrix DaaS application virtualization
Windows workstation

  • The Imprivata single user agent (type 1) is installed.

  • Imprivata Connector for Epic Hyperdrive is installed

  • Citrix Workspace app is installed.

  • Epic Hyperdrive in Slingshot Mode is installed and configured to connect to Citrix with the Windows user’s credentials

Reference Architecture for Shared Mobile Devices

The following reference architecture is intended for shared mobile devices. See the Imprivata Mobile Access Management (formerly GroundControl) Online Documentation for supported component versions as well as policies around the addition and retirement of specific component versions.

Detailed Architecture

As illustrated in the following, Epic Rover is delivered to shared mobile devices via Mobile Device Management (MDM).

Required Imprivata licenses:

  • o Imprivata GroundControl Mobile Device Provisioning

  • o Imprivata GroundControl Mobile Device Check Out

  • o Imprivata OneSign Single Sign-On, may be shared with workstation licensing

  • o Imprivata OneSign Authentication Management, may be shared with workstation licensing

Click to enlarge.

The following table summarizes how Imprivata Mobile Access Management, Imprivata Enterprise Access Management and the other technologies in your environment are configured:

Technology Configuration
Network configuration

  • Launchpad workstations should have reliable, hardwired network connectivity to the MAM cloud environment and to the Imprivata enterprise

  • The shared mobile devices should have reliable, wireless network connectivity to the MAM cloud environment, the MDM and the Imprivata enterprise for Imprivata Enterprise Access Management
Epic Rover configuration

  • Epic Rover can be configured with an extended application-level timeout if device-based passcodes are used.
MAM configuration

  • MAM is configured for device check out and credential AutoFill using EAM integration

  • MAM is configured to integrate with the Mobile Device Management solution that is used to manage the shared devices

EAM configuration

  • The Imprivata ProveID API is enabled to support integration with MAM

  • Mobile application profiles are created and deployed to shared device users for applications requiring credential autofill including Epic Rover
Mobile Device Management (MDM) configuration

  • Install Epic Rover and Locker apps

  • Enable notifications for both Imprivata Locker (com.imprivata.b2b.locker) and Epic Rover (com.epic.rover)

  • Require passcode policy with appropriate complexity