As many as 6,000 people tap into Seattle Children's Hospital's network to check out confidential medical records and email. They might do so from all sorts of personal mobile devices and other roguish computers, ranging from personal Apple iPads and Android smartphones to (gasp!) Internet café desktops.
Even more alarming, there isn't watchdog software continuously tracking these devices and remotely wiping them when they're lost or stolen. There's no draconian Bring Your Own Device (BYOD) user policy blacklisting apps. There's no telling employees that they must give up privacy rights.
None of these security risks matter, because Seattle Children's Hospital employs a virtual desktop infrastructure (VDI) that safely keeps corporate data on corporate servers, not on client devices.
"That's the beauty of my BYOD strategy," says CIO Wes Wright.
It should be obvious by now that this isn't your run-of-the-mill BYOD story. In fact, Seattle Children's Hospital's approach hints at something altogether more fascinating: BYOD leading a resurgence of virtual desktops, a once-promising technology that has largely fallen on the heap of failure.
Virtual desktops come in many flavors and configurations, but basically the technology allows servers to run virtualized Windows desktop sessions accessible via a simple Web browser. From an IT perspective, this makes the client device largely irrelevant. Sounds great for BYOD, right?
"I think the whole BYOD thing really has kick-started VDI," Wright says.
Virtual Desktops: Rise, Fall and Rise Again
A few years ago, the virtual desktop fell in stunning fashion.
Virtual desktop projects failed due to cost overruns, complexity and a poor user experience. Some of those technical challenges have since been addressed. The introduction of storage technology to support persistent, one-to-one disk images and GPU-based graphics improvements have solved two of the technology's biggest hurdles, according to a newly released free ebook entitled The New VDI Reality, an update to The VDI Delusion.
[ Slideshow: 10 BYOD Worker Types ]
Now BYOD is breathing new life into the virtual desktop.
"The number one driver for investment in client virtualization, according to our surveys in the end of 2012, is supporting work from anywhere—so flexible work styles," says David Johnson, principal analyst at Forrester Research, which he writes about in a blog post. "In 2011, it was trying to increase manageability and lower costs. It's a significant change."
Can Windows Software Run on iPads?
While BYOD drives a resurgence in the virtual desktop, it's important to note that some of virtual desktop technology's failings still exist and are even magnified in the brave new world of BYOD. Chief among them: Virtualized mouse-and-keyboard-driven Windows desktop software renders poorly on new-fangled touch-screen tablets.
To understand the problem, you need only to look at the popular Windows-based Cerner EMR (electronic medical record) software that Seattle Children's Hospital relies on.
For starters, clinicians had complained to Wright that a virtualized session of the desktop version of Cerner was unwieldy on the iPad's native Safari browser. The Cerner app—touch-enabled or not—simply doesn't work well on a small tablet form factor. There's just too much information to view.
Then there is Cerner itself trying to enter the mobile game. The software company has been focused on developing a native iOS app instead of a mobile Web-based version, which flies in the face of the desktop virtualization model.
"In order to get [the native app] to play, I'm told that I have to register each device to be able to get to the Cerner server," Wright says. "That goes against my BYOD and virtualization strategy. I don't want to be keeping track of somebody's personally owned equipment."
[ Related: Can the iPad Cure What Ails Us? ]
Instead, Wright has been working closely with Microsoft engineers and a software company called VitalHub to basically port Windows desktop software to touch-friendly Windows 8 so that it could be served up in a virtualized environment to iPads. The end-goal is to have a touch-enabled, tablet-sized version of Cerner running on the iPad's Safari browser.
"Windows 8 is the only touch-enabled OS that you can really virtualize," Wright says.
Fortunately for Wright, Seattle Children's Hospital's clinicians didn't pound on his door demanding access to the Cerner native iOS app on their iPads. One of the reasons is that clinicians use the Cerner app mostly at the hospital where there's a Windows machine with a large monitor around every corner.
"This keeps them from reaching for an iPad," Wright says.
Microsoft's Monkey Wrench
Even more confusing is Microsoft's role in all of this.
Forrester's Johnson advises CIOs to carefully consider the future of Windows desktop applications for their systems of record before making the jump to virtual desktops. If a CIO anticipates a long-term dependency on the Windows desktop—say, five years and beyond—then he might want to consider one of a half-dozen virtual desktop solutions.
"For most large organizations, virtualizing Windows applications to support BYOD would be very likely a medium to long-term solution," Johnson says.
The problem is that Microsoft seems to be moving away from virtual desktops and toward a new mobile application model, thus diminishing the need for traditional desktop software. In addition, Johnson points out that Microsoft is putting little marketing resources behind Microsoft VDI and Client Hyper-V.
"We think the Windows desktop will be increasingly used for a subset of all the work that people do," Johnson says.
Virtual Desktops Face BYOD Security Challenges
The virtual desktop also isn't a panacea for BYOD's security woes.
The reality is that some employees will need to download corporate data on their BYOD tablets or phones and work offline instead of always having to fire up an online virtual session. Seattle Children's Hospital's solution to this problem is an Outlook plug-in from Accellion, a mobile file-sharing software vendor. Security-cleared employees can use Accellion to attach a file and send it fully encrypted to a home email address.
Wright can't wipe BYOD computers, so instead he leans on user agreements and checks Accellion logs to make sure those files are being handled properly.
For some CIOs, that might not be good enough. If CIOs think desktop virtualization gets them out of the BYOD security challenge, Johnson says, they're sorely mistaken. Employees accessing, say, an EMR system from a personal iPad via a virtualization session, or even a terminal services session, doesn't absolve them from an auditor's requirements.
"The auditor will still expect the CIO to have some control over the iPad," Johnson says. "It might be as simple as enforcing a passcode or detecting whether or not the device is jailbroken and then denying access if it is."
Nevertheless, Wright says he fields weekly calls from peers who want to know if VDI can help them make sense of the BYOD trend that's stampeding toward them. After all, corralling personal devices using a mishmash of mobile device management software, user policies, geo-fencing and other emerging mobile tools is a Herculean task.
"I think it's a way for IT to get out of having to control personal devices, a way to give the user the information without having to worry about the device," Wright says, adding, "It's really turned into an elegant solution for BYOD."
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at email@example.com