Table of Contents
Lab Overview ... 2
Lab Guidance ... 3
Module 1 - Just-In-Time Application Deployment (30 minutes) ... 4
Module 1 Introduction ... 5
Just-In-Time Applications using App Volumes ... 6
Module 1 Summary ... 47
Module 2 - Identity Based Dynamic FireWall Services (30 minutes) ... 48
Module 2 Introduction ... 49
Identity Based Firewall ... 50
Module 2 Summary ... 80
Module 3 - Compliance and Regulatory Data Security (45 minutes) ... 81
Module 3 Introduction ... 82
Data Security ... 83
Module 3 Summary ... 120
Lab Review and Summary ... 121
Lab Review and Summary ... 122
Page 1
Lab Overview - HOL-MBL-1661
Lab Guidance
The Table of Contents can be accessed under MORE OPTIONS in the upper right-hand corner.
Note: It may take more than 90 minutes to complete this lab. The modules are independent of each other, so you can start at the beginning of any module and proceed from there, as well as repeat the lab after re-enrolling.
Healthcare organizations frequently perceive security and speed as mutually exclusive benefits. Most healthcare organizations are stuck with archaic and brittle forms of securing their data centers and endpoints. These same organizations have yet to modernize their approach to application delivery. With HIPAA, HITECH, and PCI compliance requirements, healthcare organizations need to look at innovative ways to secure one of the most vulnerable access points: the endpoint. We need a better way to provision new clinical applications and services, and we need to do so in real time.
Virtualization has brought tremendous efficiency, flexibility and speed to the consumption of resources in the datacenter. These benefits are enabled by the abstraction of compute and memory resources from the underlying physical hardware. What if we did the same thing for network and application provisioning?
In this lab we'll show you some new and exciting ways to provision applications in real time to clinicians and end users. We'll also take a look at securing the endpoint, leveraging identity-based dynamic firewalls to secure the desktop. Lastly, we're going to take a look at ensuring compliance on our endpoints.
A brief description of each module follows.
Lab Module List:
Module 1 - Just-In-Time Application Deployment (30 minutes)
Module 2 - Identity Based Dynamic FireWall Services (30 minutes)
Module 3 - Compliance and Regulatory Data Security (45 minutes)
Lab Captains:
Mark Richards, Staff Systems Engineer
David Coleman, Sr. Systems Engineer
This lab manual can be downloaded from the Hands-on Labs Document site found here: http://docs.hol.vmware.com/hol-2016
Module 1 - Just-In-Time Application Deployment (30 minutes)
Module 1 Introduction
In module one, we are going to discuss and demonstrate Just-In-Time application deployment. This will demonstrate the ability to provision applications in real time and how doing so is valuable to clinicians. The solution saves clinicians and end users time spent waiting for IT and adds time back to seeing patients.
Just-In-Time Applications using App Volumes
In this module you will leverage VMware App Volumes for just-in-time application delivery.
Connect to the Win7-Internal endpoint
Double click the Win7-Internal remote desktop icon to connect to the endpoint.
Check your desktop, then Launch the VMware Horizon Client
Based on the Hands-on Labs environment you will be using the Win7-Internal virtual machine as a desktop endpoint. This would normally be your physical device.
1. Validate that you are connected to the Win7-Internal desktop.
2. Click the VMware Horizon Client
Connect to the Horizon desktop
Double click the cloud icon to connect to the Horizon infrastructure and your virtual desktop.
Logon
A new clinician was hired and provisioned a virtual desktop. Log on as Dr. Melissa Null using the following credentials:
1. User name: mnull
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to the Healthcare Desktop
Double click the Healthcare Desktop icon to connect to your Horizon Windows 7 desktop.
Launch Fuji Synapse
1. Launch the Fuji Synapse application. Wait, where is the application?
2. Note the connection information: the desktop name is Win7-View-01a and the user name is mnull.
Start Menu...Programs
Maybe the application icon was not placed on the desktop; let's go check.
1. Click the Windows Start icon
2. Click on All Programs
Fuji Program Folder
1. Notice that there is no Fuji application folder. Finally, let's check to see if the application is installed at all.
2. Click Control Panel
Control Panel
In the Control Panel, under the Programs grouping:
1. Click Uninstall a program
Installed Programs
1. Notice that no Fuji application is installed on the desktop.
Now that you have validated that the application is not installed, we need to check the App Volumes assignments.
Open the Chrome Browser
1. From the ControlCenter desktop
2. Launch the Google Chrome browser
Open a new tab to App Volumes Manager
1. Click to open a New Tab
2. Click the App Volumes Manager bookmark to open the manager
3. Logon as Administrator
4. Password is VMware1!
5. Click Login to open the manager
App Volumes Manager
1. Click on the Volumes tab to locate the application container
Review the AppStack
1. Click the AppStacks tab
2. Expand the Fuji Synapse Workstation AppStack
3. Click on Assignments and notice that only the Doctors group is listed.
4. Click the X to close the assignments window
Assign the AppStack
It appears that we need to assign the application(s), or AppStack, to the user group.
1. Click Assign
Assign Fuji Synapse Workstation AppStack
1. In the search window enter clinical
2. Click Search to look up the group in Active Directory
3. Click on the Corp\Clinical group
4. Check the Assign box
5. Click on Assign
Confirm the Assignment
Notice that you have multiple choices for how the application will be attached. You can attach the applications either on the next login or immediately.
1. In most cases you will attach AppStacks on next login or reboot; make sure that is the option chosen
2. Click Assign to complete
Return to the Horizon View Session
Let's return to your Horizon desktop.
1. Click the Win7-Internal
Disconnect and Log Off
Since the application will be delivered during the login process, we need to disconnect and log off.
1. Click Options
2. Click Disconnect and Log Off
Confirm
Click OK to disconnect the desktop.
Optional Cancel
Due to the Hands-on Labs environment, occasionally the screen does not refresh.
1. If you are presented with this screen, please click the X to close the client.
Reconnect; Launch the VMware Horizon Client
Based on the Hands-on Labs environment you will be using the Win7-Internal virtual machine as a desktop endpoint. This would normally be your physical desktop.
1. Validate that you are connected to the Win7-Internal desktop.
2. Click the VMware Horizon Client
Connect to the Horizon desktop
Double click the cloud icon to connect to the load balanced Horizon infrastructure.
Logon
Log back on as Dr. Melissa Null with:
1. User name: mnull
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to the Healthcare Desktop
Double click the Healthcare Desktop icon to connect to the Horizon desktop pool.
Just-In-Time Application Delivery
1. Notice that you are connected to the same desktop, Win7-View-01a, as user mnull
2. Based on your assignment, App Volumes delivered the Fuji Synapse application without modifying the desktop or going through an install process.
Start Menu...Programs
Maybe the application icon was not placed on the desktop; let's go check.
1. Click the Windows Start icon
2. Click on All Programs
Fuji Program Folder
1. Notice that you now have a FujiFilm Medical application folder. Finally, let's check to see if the application is installed.
2. Click Control Panel
Control Panel
In the Control Panel, under the Programs grouping:
1. Click Uninstall a program
Installed Programs
1. Notice that the Synapse Workstation application from Fuji is installed on the desktop.
2. Click the X to close Control Panel
Launch Fuji Synapse
1. Double click the application icon to launch the Fuji Synapse application.
Connect to Synapse
Double click the Synapse network (this may take a moment).
All Studies
Double click the All Studies (with images) folder.
Search for Patient
1. In Patient Name, search for Allen and press Enter
2. From the filtered list, find the patient Allen,Ted with Acc# 1378 and double click the record
Minimize the Patient Information
Minimize the Patient Information window.
1. Click the minus to minimize
Expose the Hidden Toolbar
Fuji Synapse has a full set of features located in the hidden toolbar.
1. Move your mouse pointer to the top of the window to expose the toolbar
Close the Patient record
1. Click Organize
2. Click Close on Patient Image to return to the records
Search on Acc # 1203
1. Clear any Patient Name data
2. Enter 1203 in the Acc # field to filter the view
3. Double click the patient record to open it
Close Patient Information
1. Close the Patient Information to view the image
Image Tools
1. Right click in the image to reveal the Image Tools
2. Click on the Cine... option
Lossless Image review
1. You can review a lossless image in motion based on the stored image scan.
2. After you review the image, click the X to close the Cine tool.
Close the Images
1. Click Organize
2. Click Close on Patient Image to return to the records
Log Off Synapse
To log off Synapse:
1. Click File
2. Log Off Synapse
Disconnect and Log Off
1. Click Options
2. Click Disconnect and Log Off
Confirm
Optional Cancel
Due to the Hands-on Labs environment, occasionally the screen does not refresh.
1. If you are presented with this screen, please click the X to close the client.
Module 1 Summary
In Module 1 we discussed and demonstrated how leveraging Just-In-Time Deployment provisions applications in real time without affecting clinician workflows. Leveraging this solution enables clinicians to receive near-instantaneous application access, seamlessly from the end user's perspective.
Module 2 - Identity Based Dynamic FireWall Services (30 minutes)
Module 2 Introduction
In this module we are going to take a look at leveraging NSX with identity-based firewalling to allow access to our PACS application. By utilizing NSX we have the ability to change the firewall policies in real time; this can be done at either the group or individual level, with granularity as required. This flexibility allows healthcare IT departments to provide not only a more secure system but one that can be quickly adapted as requirements change.
Identity Based Firewall
Connect to the Win7-Internal endpoint
Double click the Win7-Internal remote desktop icon to connect to the endpoint.
Check your desktop, then Launch the VMware Horizon Client
Based on the Hands-on Labs environment you will be using the Win7-Internal virtual machine as a desktop endpoint. This would normally be your physical desktop.
1. Validate that you are connected to the Win7-Internal desktop.
2. Click the VMware Horizon Client
Connect to the Horizon desktop
Double click the cloud icon to connect to the load balanced Horizon infrastructure.
Logon
Log on with:
1. User name: administrator
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to the Healthcare Desktop
Double click the Healthcare Desktop icon to connect to the Horizon desktop pool.
Horizon View Desktop
1. Notice your session details; your user name should be Administrator.
Launch Fuji Synapse
1. Double click the application icon to launch the Fuji Synapse application.
Note: This may take 25-60 seconds to respond.
Connection Warning
Click OK to close the warning.
Connect to Synapse
Double click the Synapse network.
Failed to connect Error
Notice that you cannot connect the application to the backend.
1. Click OK to close the error
Launch Internet Explorer
1. Close Fuji Synapse
2. Open Internet Explorer
Enable Synapse Plugin
1. Click Enable to allow the Fuji Synapse plugin
Connection Denied
1. Notice that you have no access to the application back-end. You must not have network access.
2. Click X to close Internet Explorer
Review the Dynamic Identity based Firewall Policies
Click the - to minimize the Win7-Internal RDP session.
Check your desktop, then Launch Google Chrome
1. Validate that you are on the ControlCenter desktop.
2. Double click the Google Chrome icon
Connect to vCenter Web Client
1. Check the box Use Windows session authentication
2. Click Login
Navigate to Networking and Security
1. Click the house icon
2. Click on Network & Security to manage NSX
Review the Firewall Policies
1. On the left, click on Firewall
2. Expand the Doctors Access Security Policy - Firewall (Rule 3)
3. Click on the Doctors ActiveDirectory to reveal the effective members that this policy will apply to
4. Notice that the member list is empty
Add the Doctors Active Directory Group
1. On the left, click Service Composer
2. Click on the Security Groups
3. Click on the Doctors ActiveDirectory security group
4. Click on the edit security group icon
Include the AD Group
1. Click on 3 Select objects to include
2. Click on the drop down tab
3. Select Directory Group
4. Choose the Active Directory group called Doctors
5. Click the arrow to include the group
6. Choose Finish
Return to the Firewall Policies and Review
1. On the left, click on Firewall
2. Expand the Doctors Access Security Policy - Firewall (Rule 3)
3. Click on the Doctors ActiveDirectory to reveal the effective members that this policy will apply to
4. Notice that the member list now includes your Horizon View desktop session.
Return to the desktop to validate that you have access.
Return to the Win7-Internal session
1. Click the Win7-Internal
Test User Identity Rule
Your Horizon View session may be locked; please unlock the computer to continue.
1. Click on Send Ctrl-Alt-Delete
Unlock the Computer
Click on the CORP\Administrator Locked icon.
Authenticate to Unlock
1. Enter the Administrator password VMware1! and press Enter
Launch Fuji Synapse
1. Double click the application icon to launch the Fuji Synapse application.
Connect to Synapse
Now that you have included the Active Directory group in the policy, you should be able to refresh the application. Notice that you are now connected to the application and have multiple systems to connect to.
1. Double click the Synapse network
All Studies
Double click the All Studies (with images) folder.
Search for Patient
1. In Patient Name, search for Knee and press Enter
2. From the filtered list, find the patient Knee and double click the record
Review the Image
Network access allows the application to function as normal.
Close the Patient record
1. Click Organize
2. Click Close.
3. This will return you to the records page
Close the Application
1. Click the X to close the application
Disconnect and Log Off from the Horizon desktop
1. Click the Windows Start icon
2. Click Log off to disconnect the session
Module 2 Summary
In Module 2 we demonstrated how, by leveraging identity-based firewalling with NSX, we could provision access to applications at a group or individual level. This same capability can be utilized to allow access to a machine or groups of machines. This granular level of security greatly improves our security posture.
Module 3 - Compliance and Regulatory Data Security (45 minutes)
Module 3 Introduction
Too frequently in healthcare we have seen loss of PHI data that is leveraged for malicious purposes. In this module we will demonstrate how NSX Data Security can greatly enhance our compliance posture.
http://www.hipaajournal.com/hospital-employee-steals-protected-patient-data-tocommit-identity-theft-8064/
VMware NSX Data Security scans and analyzes data on your virtual machines and reports the number of violations detected, as well as which files violated your policy. It essentially provides visibility into any sensitive data that is in your environment. Based on the violations reported by NSX Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
To begin using NSX Data Security, you create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. NSX supports PCI, PHI, and PII related regulations only.
Data Security
When you start a Data Security scan, NSX analyzes the data on the virtual machines in your vSphere inventory and reports the number of violations detected and the files that violated your policy.
In this section we will configure Data Security, select the pattern we want to identify on the workload, and run a scan to determine whether any sensitive data matching the pattern is resident on the VM in our scenario, which is "Win7-View-02a". In our case we show you a PHI example, but you can select from a vast list of regulations as well as create your own custom patterns using wild cards.
Check your desktop, then connect to the Win7-Internal endpoint
1. Validate that you are on the ControlCenter desktop.
2. Double click the Win7-Internal shortcut.
Check your desktop, then Launch the VMware Horizon Client
Based on the Hands-on Labs environment you will be using the Win7-Internal virtual machine as a desktop endpoint. This would normally be your physical desktop.
1. Validate that you are connected to the Win7-Internal desktop.
2. Click the VMware Horizon Client
Connect to the Horizon desktop
Double click the cloud icon to connect to the load balanced Horizon infrastructure.
Logon
Log on as Dr. Gus Bode using:
1. User name: gbode
2. Password: VMware1!
3. Domain: CORP
4. Click Login
Connect to the Data Security Desktop
Double click the Data Security Desktop icon to connect to the Horizon desktop pool.
Validate your Session Details
1. Notice your session details; your user name should be gbode.
2. Launch Windows Explorer
Navigate to My Documents
1. Click on Documents
2. Double click the Patient Information file to open it
Review the contents
Review the contents of the file and notice that this is a violation of many regulations, including PHI, PII, and PCI.
Manage Data Security
Check your desktop, then Launch Google Chrome
1. Validate that you are on the ControlCenter desktop.
2. Double click the Google Chrome icon
Connect to vCenter Web Client
1. Check the box Use Windows session authentication
2. Click Login
Navigate to Networking and Security
1. Click the house icon
2. Click on Network & Security to manage NSX
Manage Data Security
1. On the left side, click Data Security
2. Click on the Manage tab
3. Notice the empty list of regulations and standards already defined
4. Click Edit...
View All Regulatory Templates
Click "All" to view all the templates. Notice that there are over 90 pre-defined templates covering Regulations, States, and Countries.
Filter for and Select HIPAA template
1. Enter "HIPAA" in the filter field and press Enter (the filter field is case-sensitive)
2. Check the box (do NOT select the Low Threshold regulations for this lab)
Filter for and Select Identification Numbers
1. Enter "Social" in the filter field and press Enter (the filter field is case-sensitive)
2. Check the boxes for "Canada Social Insurance" and "US Social Security Numbers"
3. Click "Next"
Finish selecting the regulation and standard
Click on "Finish" to set the data pattern.
Publish the change
Click "Publish Changes".
Start the Data Security Scan
Click on the "Start" button to start scanning for violations.
Monitor the Data Security Scan
1. Notice the Status changes to "In Progress". Also, the "Stop" and "Pause" buttons appear
2. Click on "Monitor"
Check the progress of the security scan
Scan Status shows "In Progress" and the color has changed to turquoise. You can also "Refresh" the Dashboard at any time.
Note: A typical scan takes anywhere from 10-15 minutes depending on the scope of the scan.
Return to the Win7-Internal session
1. Click the Win7-Internal
Return to the Desktop while the scan is running
1. Click on the Win7-Internal remote desktop session to return to your desktop.
2. Close the offending file
Close Windows Explorer
Close Windows Explorer.
Launch Fuji Synapse
1. Right click the Radiologist Synapse Dashboard icon to start Fuji Synapse
Connect to Synapse
You are presented with your Dashboard.
1. Click the UNREAD Clinic (Synapse) link
Search for Patient
In the Patient Name field, enter Thompson.
Select Patient
1. Right click the Thompson, Bill patient
2. Click Open in new Window to open the images
Minimize the Patient Information
1. Click the minus to minimize the patient information
Image Tools
1. Right click in the image to reveal the Image Tools
2. Click on the Cine... option
Lossless Image review
1. Review the full motion of the images
You will notice that after a minute or two your desktop becomes unresponsive.
Policy Enforced
As soon as the Data Security scan locates a violation, it tags the offending object with that violation and applies the associated security policies. Our policy is defined to block all incoming and outgoing network traffic.
Try to reconnect to the offending desktop
1. Double click the Data Security Desktop icon to connect to the Horizon desktop pool.
Note: You may need to log back on to Horizon. If prompted, please log in as gbode with the password VMware1!.
Connection Error
For this Hands-on Lab we only have a single VM in the Horizon desktop pool, so you receive an error while trying to connect. This is due to the dynamic firewall policy that was applied to the offending VM.
Scan completion
1. Click on the Google Chrome vSphere Web Client in the task bar
Scan Review
1. Click the Refresh link
2. Once the scan is completed, the color will change to purple.
3. Notice that under "View Regulations Violated Report" it shows the violation types US Social Security Numbers and Canada Social Insurance Numbers
4. If you hover your mouse over one of the violation bars, you can see the number of offenses found.
5. Under "Top VM's Violating Regulations", it shows the VM name that has violated the PCI regulations.
Complete scan report
1. Click on Reports
2. Click Refresh once or twice for the reports screen to update
3. You can see the number of violations and the regulation policy that was triggered. Notice the number of violations.
View Report
In order to see the files which have violated the regulations:
1. Click on the drop down menu "View Report"
2. Select Violating files
Detailed Report
Selecting the "Violating files" option allows you to view details about the violating workload:
1. Name of the offending VM
2. The compute cluster and datacenter the VM is a member of
3. The path and name of the offending file
4. The regulations that the file violates
5. And finally, the date and time stamp of the file
Download Report
You can optionally Download Complete Report in CSV file format.
Canvas View
To view the offending VM in the policy:
1. Click Service Composer from the left
2. Click on Canvas
3. Type Violations in the filter and press Enter
Violating VM shows up in "Data Security" Group
1. On the PHI, PII, HIPAA Data Violations canvas, click the VM icon
2. As a result of the violation, the offending VM "Win7-View-02a" shows up in the security group.
Firewall Policy Review
1. On the PHI, PII, HIPAA Data Violations canvas, click the Firewall icon
2. Notice that 2 firewall policies blocking east/west traffic are defined.
Since the Win7-View-02a VM was a member of the "PHI, PII, HIPAA Data Violations" group, the firewall rules are applied. Our rules are listed below, but you can define multiple rules to control any east/west traffic or services.
Policy Member is the Source, so all outgoing traffic is blocked
Policy Member is the Destination, so all inbound traffic is blocked
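The mechanism Module 3 walks through (content blades matching US SSN and Canada SIN patterns, the "Violating files" report, and group membership that triggers the two block rules above) can be sketched in a few dozen lines. The Python below is an added example written for this manual, not NSX code or anything from the lab environment; the regular expressions, validity checks, file contents and VM names are assumptions made for the illustration.

```python
"""Constructed content-blade scanner modelled on the NSX Data Security flow.
Not NSX code: regexes, checks, file contents and VM names are assumptions."""
import re

# --- Content blades: the per-regulation detectors ------------------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")          # US SSN, AAA-GG-SSSS
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")  # Canada SIN, 9 digits

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area is not 000, 666 or 9xx; group not 00; serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; Canadian SINs are Luhn-valid, which filters random 9-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_ssns(text: str) -> list:
    """Return the structurally valid US Social Security Numbers found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]

def find_sins(text: str) -> list:
    """Return the Luhn-valid Canada Social Insurance Numbers found in text."""
    return [m.group(0) for m in SIN_RE.finditer(text) if luhn_ok("".join(m.groups()))]

# A "regulation" is a set of content blades; these are the two selected in the lab.
REGULATIONS = {
    "US Social Security Numbers": find_ssns,
    "Canada Social Insurance Numbers": find_sins,
}

def scan_vm(vm_name: str, files: dict) -> list:
    """Scan {path: text} on one VM and return 'Violating files' style records:
    VM name, file path, regulations violated and number of matches."""
    records = []
    for path, text in files.items():
        hits = {reg: blade(text) for reg, blade in REGULATIONS.items()}
        hits = {reg: found for reg, found in hits.items() if found}
        if hits:
            records.append({"vm": vm_name, "path": path, "regulations": sorted(hits),
                            "violations": sum(len(f) for f in hits.values())})
    return records

# --- Enforcement: membership in the violations group drives two block rules ----
VIOLATIONS_GROUP = "PHI, PII, HIPAA Data Violations"
FIREWALL_RULES = [  # the two east/west rules reviewed on the canvas
    {"source": VIOLATIONS_GROUP, "destination": "any", "action": "block"},
    {"source": "any", "destination": VIOLATIONS_GROUP, "action": "block"},
]

def enforce(records: list, group_members: set) -> set:
    """Tag every VM that has a violating file into the violations security group."""
    group_members.update(r["vm"] for r in records)
    return group_members

def is_blocked(vm: str, group_members: set, direction: str) -> bool:
    """True if the group's rules block this VM's traffic in the given direction."""
    if vm not in group_members:
        return False
    key = "source" if direction == "outbound" else "destination"
    return any(rule[key] == VIOLATIONS_GROUP and rule["action"] == "block"
               for rule in FIREWALL_RULES)

# Constructed sample content standing in for the lab's "Patient Information" file.
SAMPLE_FILES = {
    r"C:\Users\gbode\Documents\Patient Information.txt": (
        "Patient: Thompson, Bill   SSN: 123-45-6789\n"
        "Patient: Allen, Ted       SIN: 046 454 286\n"
        "Test record, not a real SSN: 000-12-3456\n"
    ),
    r"C:\Users\gbode\Documents\notes.txt": "Reading list for rounds; nothing sensitive.",
}

if __name__ == "__main__":
    found = scan_vm("Win7-View-02a", SAMPLE_FILES)
    print(found, "blocked:", is_blocked("Win7-View-02a", enforce(found, set()), "inbound"))
```

The third line of the sample file shows why a blade needs more than a regex: "000-12-3456" has the SSN shape but an invalid area number and is not reported.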
Module 3 Summary
In Module 3 we demonstrated how, with NSX Data Security, we can detect compliance violations and isolate that system from the network. Utilizing this capability we can greatly enhance our compliance stature and protect our healthcare organization from breaches.
Lab Review and Summary
Lab Review and Summary
Security is top of mind for everyone in healthcare IT. The endpoint has always been one of the easiest access points for attackers into an organization. Through this lab we have demonstrated new and innovative ways to improve your organization's stance on compliance and security, and a new and faster way to provision applications to end users. By leveraging solution sets such as NSX and App Volumes, we can significantly improve our security posture and improve the time and consistency with which we deliver new applications to our clinicians and end users.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU:
Version: 20160301-100130