VMware Communities
MacNephDoc
Contributor

Running Epic EHR in VMware Fusion

My medical practice is about to commit to Epic EHR. We've just had our technology assessment. There were two reps from the installation team present at the assessment; one will be our account leader; the other actually did the assessment. I'm a bit concerned because she was quite vague about whether I could use my Mac and run Epic within my Fusion VM. The Account Leader assured me there'd be no problem and told me she was aware of docs who do this; the person who did the "readiness assessment" told me she was concerned because one of the requirements was to encrypt the entire drive on laptops, and they support only one solution (apparently not native Windows whole-drive encryption, but a solution that comes from a 3rd party vendor that has recently been purchased by Dell). It was quite obvious to me that the person doing the "readiness assessment" didn't know the difference between Boot Camp and a VM; she kept insisting that she wasn't sure the encryption software would "run on a Mac." I told her that I was quite confident that if it was a utility that didn't deal with Windows in some strange way that it was virtually certain to work to encrypt my virtual machine. I did get the impression that I wouldn't be permitted to use VMware's whole-disk encryption algorithm.

Can anyone in this group enlighten me on whether a 3rd party Windows drive encryption tool is likely to encounter problems with a Fusion VM?

Thanks so much,

Jim Robertson


Accepted Solutions
dariusd
VMware Employee

Credant's full-disk encryption products do work inside a VMware VM, but one of the aims of Credant's software is to ensure that the hard disk is only ever booted on the one system, and it is extremely sensitive and will go into key recovery mode at the faintest hint of any change to the hardware visible to the VM.  There are plenty of situations where you will need to decrypt the drive(s) before a change to avoid key recovery mode.  (You can re-encrypt afterwards.)

Many of the host CPU's capabilities are visible to the VM, so a move to a host with a different CPU can trigger key recovery (although that might be considered a feature, given the nature of the product!).  It will also sometimes be triggered by updates to Fusion (or being moved to a host with a different Fusion version), since new Fusion versions often include a new BIOS, and that sometimes makes Credant think it might be a different system.  It could conceivably also be triggered by changes to the VM configuration (changing the number of processor cores or the amount of memory), although I haven't verified that.

In short: It should work, but don't expect it to be trouble-free.  Certainly be prepared to perform key recovery when needed.

Good luck!

--

Darius
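
The triggers listed in the answer above (host CPU, Fusion version, VM core count and memory) can be recorded when the disk is encrypted and compared before any planned change, so the drive is decrypted first when something is about to differ. This is an added example, not part of the original thread and not VMware or Credant code; the watched .vmx keys, the function names and the sample values are assumptions, and the thread does not say which of these Credant actually checks.

```python
import re

# .vmx settings that change hardware the guest can see. Assumed watch list:
# the thread does not say which of these Credant actually checks.
WATCHED_VMX_KEYS = ("numvcpus", "cpuid.coresPerSocket", "memsize", "virtualHW.version")
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse .vmx 'key = "value"' lines into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def fingerprint(vmx_text, host_cpu, fusion_version):
    """Collect the guest-visible facts to compare; unset .vmx keys become None."""
    vmx = parse_vmx(vmx_text)
    facts = {"host.cpu": host_cpu, "fusion.version": fusion_version}
    for key in WATCHED_VMX_KEYS:
        facts[key] = vmx.get(key.lower())
    return facts

def drift(baseline, planned):
    """Return {name: (old, new)} for every fact that differs."""
    names = sorted(set(baseline) | set(planned))
    return {n: (baseline.get(n), planned.get(n))
            for n in names if baseline.get(n) != planned.get(n)}

# Constructed sample data: a .vmx excerpt as recorded when the disk was
# encrypted, and the same VM after a planned memory change and Fusion update.
BASELINE_VMX = '''.encoding = "UTF-8"
displayName = "Windows clinic VM"
numvcpus = "2"
memsize = "4096"
virtualHW.version = "9"
'''
PLANNED_VMX = BASELINE_VMX.replace('memsize = "4096"', 'memsize = "8192"')

if __name__ == "__main__":
    before = fingerprint(BASELINE_VMX, "cpu-model-A", "5.0.3")
    after = fingerprint(PLANNED_VMX, "cpu-model-A", "6.0.0")
    for name, (old, new) in drift(before, after).items():
        print(f"{name}: {old} -> {new}  (decrypt before applying this change)")
```

An empty result from `drift` means none of the recorded facts changed; it does not guarantee that key recovery will not be triggered.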

MacNephDoc
Contributor

A bump, because now I know a bit more.

The encryption tool I'll need to use is from Credant (who's just been purchased by Dell). They have solutions for Windows client and server, for Mac, for mobile devices, etc. I don't know yet whether the Enterprise IT folks will want me to be encrypting my entire MacBook Pro SSD, or whether they'll want it enveloping just my Windows VM. Looks as though either will be possible, but I'm already getting "we don't work with Macs" murmurs from IT suggesting that they won't venture beyond following invariable scripts for setup, so I'll need to be an informed but proactive customer if I want to maintain access to the rest of my digital life while running my EHR at work.

I did find one thread on this forum that makes it clear it's a BAD idea to try porting a Credant-encrypted Windows VM from one Mac to another...

Anyone have additional experiences?

Thanks so much,

Jim Robertson

ColoradoMarmot
Champion

And just one additional note - do NOT try to run the WDE solution via boot camp.  That's asking for a bricked machine.

MacNephDoc
Contributor

dlhotka wrote:

And just one additional note - do NOT try to run the WDE solution via boot camp.  That's asking for a bricked machine.

I Googled "WDE" and found lots of suggestions that came before what I assume is the correct parsing (Whole Disk Encryption). 😉

ColoradoMarmot
Champion

Sorry about that 🙂

There are a couple that do supposedly work with boot camp, but they tend to have issues (PGP for example - long long waits for versions that work on OSX releases), and none are supported/safe to use with a virtualized windows boot camp.

I thought that Epic was all browser based, am I misremembering?

MacNephDoc
Contributor

dlhotka wrote:

Sorry about that 🙂

There are a couple that do supposedly work with boot camp, but they tend to have issues (PGP for example - long long waits for versions that work on OSX releases), and none are supported/safe to use with a virtualized windows boot camp.

I thought that Epic was all browser based, am I misremembering?

Remote access to Epic is accomplished via a browser, but native access to the server from WAN-based clients isn't, so far as I know (but I may be wrong; a dedicated icon shows up in the task bar whenever it's running).
