Do you work in Healthcare IT or a Hospital?
Posted by 4rcher_4rg@reddit | sysadmin
Hi everyone,
I’m a Ing. sistem student currently working on my thesis regarding IT infrastructure in the healthcare sector.
Any insights on the following would be a huge help:
- Hardware: How old are the daily-use workstations? (Are we talking modern builds or legacy machines still clinging to Windows 7/XP?).
- HIS/Systems: Does your Hospital Information System run in the browser (SaaS/Web-based) or is it a locally installed "thick client" (Java, .exe, etc.)?
- Paper vs. Digital: Do nurses have terminals/COWs (Computer on Wheels) everywhere, or is paper still the king for daily charting?
- Pain Points: Is there a specific piece of software that "always breaks" or slows everything down?
- Contingency Plans: What happens when the system goes down? Are there clear paper protocols in place, or does the facility go into panic mode?
- Security: Are USB ports strictly blocked, or is it still a "wild west" where anyone can plug anything in?
- Integration: Is there a single Unified Patient Record, or do departments (Lab, Radiology, ER) use separate systems that don't talk to each other?
clbw@reddit
I work for a large hospital; here are my answers.
Hardware: How old are the daily-use workstations? (Are we talking modern builds or legacy machines still clinging to Windows 7/XP?).
We have a mix of VDI, Citrix, and thick clients. Clients are up to date on current OSes; a laptop, say, is generally replaceable after 3-5 years.
• HIS/Systems: Does your Hospital Information System run in the browser (SaaS/Web-based) or is it a locally installed "thick client" (Java, .exe, etc.)?
Our EDR system is accessible via a thick client, Citrix, or web browser. Think desktops, laptops and tablet devices.
• Paper vs. Digital: Do nurses have terminals/COWs (Computer on Wheels) everywhere, or is paper still the king for daily charting?
In the US it is required that we have an electronic record (EDR).
• Pain Points: Is there a specific piece of software that "always breaks" or slows everything down?
Yes, it's normal. We have a central EDR system called Epic, and third-party software that imports and exports data; this can cause a bottleneck but is highly managed.
• Contingency Plans: What happens when the system goes down? Are there clear paper protocols in place, or does the facility go into panic mode?
We have downtime procedures and disaster recovery procedures, tested regularly. We also have redundancy in the cloud and two independent data centers. We have 99.999% uptime, which is standard in health care.
• Security: Are USB ports strictly blocked, or is it still a "wild west" where anyone can plug anything in?
Our security prevents rogue devices and USB. We also have group policy in place and a compliance department. A lot of the systems in the ED are locked down. In ambulatory it is managed more.
• Integration: Is there a single Unified Patient Record, or do departments (Lab, Radiology, ER) use separate systems that don't talk to each other?
All systems talk to each other and all systems are integrated with our EDR.
Some stats for you
Employed for IT we have about 800 people spread between IT, application, and development/automation.
Employee count is like 30 thousand spread between multiple hospitals and ambulatory (clinics etc.).
Server count is 7000 servers spread between the cloud and virtualized. Physical servers are probably 50 max.
Bogus1989@reddit
I work for a pretty big one, if not the biggest. All of my answers will only be based on my region, you can assume the rest of the org is behind and either on par with us or they have a plan to be eventually. It is documented and told to us by national IT leaders that our region is far ahead of others. We deploy things first and standards end up getting made from what projects we deploy. Tip of the spear. This sounds frustrating (but it's actually better, we end up not getting screwed, or passed a standard that obviously doesn't fit in our region). We are basically just used to it, and we managed our region alone without outside teams for years until policies and standards and teams took over a lot of our scope. We don't let vendors or project managers steamroll us. We push back when needed.
Anyways,
Hardware: All Windows 11. Mostly all thin clients now, hosted desktops on Azure. Any actual workstations left here and there are machines 12th gen Intel or newer. Mostly desktop minis. Thin clients are the same size of course. Every single patient room has a wall-mounted thin client/desktop mini workstation with monitor and keyboard. Every unit has “wows” (workstation on wheels) for backup in case in-room machines aren't working. It's generally all systems with Intel 12th gen or more.
Besides the computers, every single department/unit in the hospital has minimum 20 iPhones (usually 2 stations of 20 so 40 total) that almost every department can do their entire job on in the EMR. They don't even need the PCs. Not all departments have their specialty built out (generally ones where it didn't make sense and would make it more difficult).
The iPhones and PCs print to portable wireless Zebra ZQ610 label printers. There's 10-20 each unit/department.
Our newest hospital doesn't even have land lines or IP phones anymore; Zoom app calling is all on the iPhones for department to department communication.
Besides our EMR (Epic) iOS app we have basically all the other capabilities or systems used on the desktop machines available on iOS apps as well. All of it works on iPads of course too, we have those as well but mainly just for managers and 1 or 2 for a specialty department. Our entire maintenance/facility crew has been computer-less for years now, solely operating on iPad Pros since they are always on the move.
Jeez what else… I'll add more as I think of it and add on to the post.
SirThoreth@reddit
We're also an Epic shop, though we've gone Epic Hosted. Pretty much everything else is the same, and even with Epic hosting our EHR now, there's still plenty in our local data centers.
tarvijron@reddit
My experience has been that hospitals with money have moved all the programs to VDI so the HIPAA compliance stuff can be moved away from doctors' hands.
paleologus@reddit
And because the main programs run on Citrix the workstations can go 7+ years before refresh
justinf210@reddit
I worked IT for a college I.T. department, but our number only differed from the hospital's by one digit. Those calls were always fun.
"I can't log in to Citrix" "We don't use Citrix any more" "You WHAT?"
theHonkiforium@reddit
That's awesome. 😂
ipreferanothername@reddit
Also honestly a big benefit of Citrix: you have to update very few things. I'm a Windows guy and a couple guys on our team run the Citrix environment: 8k peak users a day.
There's like 15 golden images they update and then everything is good to go as the VMs reboot on the weekend. We have so many pieces of integrated software installed with the Epic client in Citrix. There's no way the client team could keep it all running on user machines all the time. And it's so easy from a security perspective to protect a couple of subnets where the Citrix VMs are instead of micromanaging all the same policies for all our devices.
R3luctant@reddit
At 11 years old here.
insufficient_funds@reddit
• Hardware: How old are the daily-use workstations? (Are we talking modern builds or legacy machines still clinging to Windows 7/XP?).
—— our workstations are all on win11, except a very select few with win10 dependencies still. We have a pretty solid 5yr refresh cycle on the pc side.
• HIS/Systems: Does your Hospital Information System run in the browser (SaaS/Web-based) or is it a locally installed "thick client" (Java, .exe, etc.)?
——- we’re all in on epic, and it’s still a thick client installed on a master image deployed to a shitload of servers and accessed via Citrix published apps. However behind the scenes- just about every page in epic is being loaded from a web page. I think they are slowly transitioning the entire platform to be web based?
• Paper vs. Digital: Do nurses have terminals/COWs (Computer on Wheels) everywhere, or is paper still the king for daily charting?
——- digital everywhere; but routine “downtime procedure” cycles to make sure everyone knows how to do it all on paper
• Pain Points: Is there a specific piece of software that "always breaks" or slows everything down?
—— biggest pain point is talking to doctors. Stuff that always breaks? Idk… printing?
• Contingency Plans: What happens when the system goes down? Are there clear paper protocols in place, or does the facility go into panic mode?
—- being on epic, there are clearly defined downtime procedures for that system. Ancillary systems (imaging, radiation, etc) should all have their own known and documented downtime procedure but I’ve never been part of that.
• Security: Are USB ports strictly blocked, or is it still a "wild west" where anyone can plug anything in?
—— usb ports are allowed but when you plug a device in, it forces you to format and encrypt it if you want to touch the files on it.
• Integration: Is there a single Unified Patient Record, or do departments (Lab, Radiology, ER) use separate systems that don't talk to each other?
—— epic rhapsody (think that’s their integration engine?) does a swell job handling HL7 based integrations which seemingly every healthcare related system out there is capable of using.
turboturbet@reddit
Australian State Government EUC Engineer in a network of two hospitals and 4 satellite offices.
Hardware ranges from 8 years old for desktops and 5 years old for laptops. In the process of upgrading to win11 so anything older than intel gen 8 is being retired.
WOW's are used in the wards and tap on/tap off imprivata is installed.
Citrix based environment but every department has their own software using very old Java or in some cases 16-bit software that has to be emulated on DOSBox or 32-bit Win10 atm.
cjdacka@reddit
I work in IT Desktop Support in a hospital in Australia, this is what we use.
mallamike@reddit
begging mine to let me replace the 6yr old 4core HPs literally being held together with tape... but network can pay a vendor to come and terminate cat6 because they don't want to run cable :eyeroll:
ender-_@reddit
I work for a medical device distributor, and as such I often help integrate stuff in clinics and hospitals. Here's my experience:
gobbler_69@reddit
Workstations every 3-5 years, server hardware every 5/7 years. 100% of HIPAA data on a Citrix environment.
forgottenmy@reddit
FYI most organizations have moved away from the use of thick clients and gone with local clients/installs and COWs are generally WOWs (workstation on wheels). The headaches from clinical folks who aren’t generally very knowledgeable about IT when they think you are calling one of them a cow or thick (and lord help you if they happen to be thick) is not worth the hassle. It’s probably an important distinction for someone in the academic world writing a thesis.
That said, like the other poster noted, most things are VDI. The days of local installs are over unless there is no other way around it. End points are almost all Win 11 at this point. We prioritize getting EOL products updated. Backend is different due to cost. We have a push to all new hardware and hosts, but definitely moving a lot to the cloud due to crazy memory and storage costs, not to mention what Broadcom did to our pricing in VMware. Last UCS I priced was 147k (for one, mild spec) and 180 days of lead time.
Berry_master@reddit
They switched the name from Cows at my old employer to WoWs. That lasted about a month before someone went to HR saying there were people pointing down the halls talking about WoWs. It got switched back to cows so there wouldn't be any sexual harassment issues.
TheGreatNico@reddit
They told us to stop calling them CoWs and switch to WoWs, but nobody, including the staff that would be the ones to object to that name, ever used it. Official term is still 'mobile workstation' but everybody still calls them cows because... yeah
0mn1p0t3nt69@reddit
Yeah that and we can't say thick clients anymore LOL
fizzlefist@reddit
Legend has it that a nurse was talking about her COW (computer on wheels), a patient assumed the staff were laughing at them, and made a big enough ruckus that the orders from on high were that they just be called WOWs evermore.
Though a few months back I heard a site trying to push the term BMW (something mobile workstation) which I thought could only be cooked up by a comes out executive.
TheGreatNico@reddit
In order:
There's also the various lab systems that are so old that there's no way to get data migrated that doesn't involve a daisy wheel printer and a Serbian-to-English dictionary.
jfarre20@reddit
nursing home IT director here, we use cheap Chromebooks for nurses (since they keep spilling soda in them), Windows 11 Beelink AMD micro pcs, or T14 AMD thinkpads for everyone else. We have wall mounted touch kiosks running Anduin OS, and various TV kiosk displays running Debian.
We use the cloud EMR pointclickcare, but have paper backup procedures for when it goes down.
Two WANs, fiber + Starlink.
usb ports not blocked, tried but staff use flash storage too much even though there's literally no reason to anymore with the network drives/google drive/etc.
I've been using codex/claude code and power automate to integrate stuff wherever possible - but these companies want to charge a ton for API access so I just drive a browser or reverse engineer the web apis.
BlazeReborn@reddit
I almost did. Applied for a night job at this huge hospital. Pay was pretty decent.
Later on I met someone who did work there at the same position I applied for. He told me he had to leave or else he'd do something very stupid to himself.
Felt like I dodged a bullet.
jeffrey_f@reddit
Hospitals are a strange bird. Always a 24/7 operation and those who start are usually the 2nd or 3rd shift until they have some time in.
jeffrey_f@reddit
Not giving away the farm, can tell you
Darkhexical@reddit
Unless you get granted an exception you're not allowed to run outdated hardware.
thehuntzman@reddit
I'm a Senior Solutions Architect working with a hospital system full-time and in the interest of being technically correct here, I do think it is worth mentioning you aren't explicitly "disallowed" to run outdated hardware just because you're a HIPAA covered entity unless you're adhering to a cybersecurity framework such as HIPAA-HITRUST. It may also be a provision of your cyber liability insurance too but they're usually mostly concerned with vulnerable software over hardware. To be honest, your biggest risk due to outdated equipment is on the biomedical side anyway and not your typical endpoint deployment (assuming you have proper technical policies and security software installed).
Darkhexical@reddit
There's a new provision to HIPAA and healthcare coming up and is likely to be approved which will make more of these things more enforced though.
thehuntzman@reddit
Yes and I think that change will be long overdue as the current verbiage is entirely too vague and unhelpful but it still doesn't prohibit outdated hardware specifically. Yes I'm going to argue over semantics here but if you are running hardware from 1990 with no known vulnerabilities (excluding the DR risk when the hardware dies and you have no way to replace components which is an entirely separate issue) it wouldn't be an issue at all. The age of a system is usually correlated with an increase in known vulnerabilities but is not directly tied to it. Vibe coded slop developed yesterday would be worse than this hypothetical 36 year old information system in this case.
As for known vulnerable systems however (which I assume is what you originally meant in your post) yes you would need a POAM or Corrective Action Plan to pass a formal assessment.
Unfortunately the reality in Healthcare as I'm sure you know is a constant battle between "perfect-world" and "the vendor won't rearchitect their blood bank software to eliminate the dependency on Microsoft Silverlight or their Cardiopulmonary software that depends on Crystal Reports 2005 because they have FDA approval for the current design already" so you end up in this weird state of "technically up-to-date but still vulnerable without extra mitigations".
Darkhexical@reddit
You have to be careful with that last point. Documentation covers the rules, but it doesn't cover your ass in court. If you aren't 'trying' (whatever the fuck that means), you’re a sitting duck for a negligence suit.
thehuntzman@reddit
Oh yeah 100% it's all about risk management and liability at the end of the day. If the documentation proves you weren't negligent and did your due diligence then that's generally enough. Nobody is going to (successfully) prosecute you for a nation state using a zero-day against you provided your detection and incident response was solid.
That said - I've done some assessments for some Healthcare entities over the years that make your average r/homelab redditor look like an information security guru in comparison...
GunterJanek@reddit
LOL a "student" working on their thesis. You guys are gullible. I don't care if it is legit; revealing this kind of information is irresponsible AF.
Absolute_Bob@reddit
A 5 minute walk through a hospital would share about the same level of information.
GunterJanek@reddit
Maybe user hardware and software but not infrastructure, policies, and security.
Darksummit@reddit
You don’t even need to work in IT to know the answer to these questions. You could safely remove that tinfoil hat if you wish.
da_chicken@reddit
No, policies and security in healthcare are largely governed by regulations, accreditation requirements, and organizational insurance. These things are only secret if you're not aware of the industry in any way. The combination of those 3 things are both extensive and comprehensive enough that there really isn't much flexibility in what choices you can make. Nothing here is going to be surprising or revealing.
Absolute_Bob@reddit
On-prem vs SaaS and how integrated they are between departments is not exactly some kind of secret when Epic and Cerner own so much of the market space. If an org isn't restricting USB they don't care about security anyway.
4rcher_4rg@reddit (OP)
I'm from Argentina and I'm in my final year of a systems engineering degree. I was asked to choose a topic of interest for my thesis. Recently, I had to visit the public hospital in my province and I saw that they were using Windows 7 systems and didn't have good practices, in addition to using a lot of paper, especially considering it will be 2026. That's why I wanted to know how things are handled in more technologically advanced countries in order to propose a more accurate and viable long-term solution.
GunterJanek@reddit
Unfortunately I can't provide you other options but I wouldn't base my thesis on information obtained by a bunch of randos on the Reddit.
thehuntzman@reddit
This guy cybersecuritys
pancakeufo@reddit
I’m in Healthcare IT in Italy for a government agency
I improved the following text with an LLM. Sorry but my English is a bit shitty.
Hardware: ~1500 endpoints, split between Lenovo M720 (30%) and M70s (70%), all running Windows 11. Nothing ancient here, thankfully. We have ~50 with very good specs for a dept that performs epidemiology studies.
HIS/Systems: Mostly web-based. We do have a bunch of local middlewares though — things like bit4id for smart card / national identity card interaction, or small local agents invoked by the browser for specific tasks (e.g. generating prescription PDFs). So not a pure SaaS story, more of a hybrid.
Paper vs. Digital: A lot of paper still. Certain document types are legally required to be retained physically for up to 10+ years alongside their digital counterpart, so going fully paperless isn’t really on the table anytime soon.
Pain Points: Outlook flagging and blocking perfectly harmless .eml files generated by internal software.
Contingency Plans: Yes, we have formal procedures in place but, well, users like to panic..
Security: Locked down via GPO and enforced by our EDR.
Integration: Some departments are completely network-isolated by design like chemical labs.
Bert__is__evil@reddit
Crazy that people share Infrastructure details on Reddit. But hey, if you do, you deserve the consequences.
Warrlock608@reddit
I work in a hospital that employs about 1000 people.
We just completed our win 11 migration at the end of 2025.
We have roughly 40 computers on wheels throughout the hospital.
Almost everything is SaaS.
USB is completely locked down.
All systems share patient data.
I am unsure what contingency plans are in place. This is way above my pay grade and I don't really need to concern myself with it.
transizzle@reddit
you will get wildly different answers here depending on the scale of the organization. if you’re working at a small scale clinic or even a single hospital, you might have a smaller, easier to manage footprint with a web based EHR. if you’re a full on health system with multiple hospitals and a full on IT org, you’ll have something a lot more sophisticated. just depends on the needs of the org.
OneSeaworthiness7768@reddit
We’re disguising product research as a thesis now? Huh.
Zerowig@reddit
Any time you see “research for a thesis”, it’s some type of scam.
4rcher_4rg@reddit (OP)
Hello, I want to clarify that my native language is Spanish. If I make mistakes, you can look up my university, UTN, and check our curriculum, as well as the theses that are uploaded live. I'm in a province that isn't in central Argentina, and we use a lot of paperwork here, which is why I'm looking for information from more advanced countries. I'm trying to find a good long-term solution.
ComeAndGetYourPug@reddit
Hardware: It's replaced when it breaks. 6 year old desktops are the average.
HIS: Ours has both options and we use both depending on what the PC is capable of.
Paper or digital: Both. Every department does whatever the f they want to with no input considerations from us.
Pain points: printers
Contingency plans: Quit and go somewhere else.
Security: Nope, costs too much. See contingency plan
Integration: nope, costs too much. All separate and all the cheapest they can get away with.
I'm not jaded; you're jaded.
Regular-Nebula6386@reddit
We use a combination of PCs for non-clinical and IGELs for clinical staff. We deploy virtual apps (Citrix) and we are mostly digital but we print a lot. Major headaches are Windows patches and authentication. We do have a downtime policy and we block everything we don’t need. We have a unified ERP ($$$)
zatset@reddit
Yes, I do. But sharing the amount of information you require kind of...violates the confidentiality....
StarSlayerX@reddit
In USA, most devices are Windows, but they act as a terminal for the most part. EHR most hospitals and clinics run are basically web based. Office productivity is mostly web based as well like M365 and prohibits saving any files onto the desktop itself.
The Windows devices still have Full Disk Encryption as required by HIPAA compliance, but almost everything is done via web based portals.
My wife is a nurse and she says 95% of her work is done through EHR and M365. Once in a while she keeps a little notepad around to write notes then input it in EHR later when super busy.
zatset@reddit
To be honest, being in healthcare, I don't think that using web based EHR-s is the most practical thing. It requires extreme amounts of workarounds, as clinical analyzers and imaging machines not only don't really support sending anything over secure connection, but also many clinical analyzers still use RS232.
PaddySmallBalls@reddit
In the US?
4rcher_4rg@reddit (OP)
Basically, I'm trying to understand how hospital systems work in technologically advanced countries. Here in Argentina, we're still using paper records, so I'm aiming to offer a long-term proposal with my thesis.
guydogg@reddit
Workstations are on 2-3 leases dependent on the OEM.
HIS is on premise and hosted via Citrix.
WoWs are used.
SoggyGrayDuck@reddit
I'm on the data side and my goodness is it different. The entitlement you deal with is absolutely crazy and I definitely feel for the techs
Darkone539@reddit
Hardware isn't that old. We have a few hp g2s running around but we're basically on contracts that mean nothing is too old.
Systems- We use 20 year old Systems for a lot. It's all being replaced next month, thankfully.
Mix of paper and digital. Most is digital now, and yes we have cows which are just a desktop with a battery and wheels. Fully digital with the rollout next month though.
Yes. Many, a lot of it is held together by duck tape.
Security is fairly good. Everything needs white listing on the network, we have NAC, and you can't use USB port data transfer without permission. We have cloud storage to share things.
Everything talks to each other, badly but it's there.
d00ber@reddit
I used to do IT for an umbrella of SNF, Geriatric facilities with long term care and hospitals.
Hardware: Daily workstations were rotated every 8 years, as that was as long as they allowed us to renew our warranty and care contracts at Lenovo. If you have a sales person, I believe they offer slightly longer contracts for medical fields, but it's been quite a while since I worked in this segment, so maybe not true any longer. There was some medical equipment, like, worth millions that was running outdated operating systems as old as Windows XP, but we isolated those to a separate isolated network and they used a different authentication system than our other production systems, and the hospital just couldn't afford to buy a million dollar item every 8 years, especially when the company still would send people to repair those devices for fairly cheap.
HIS/Systems: When I was in the field, all the local healthcare providers were using a system called point click care (PCC) SAAS and since some of our facilities used external doctors (especially geriatrics), we went with that.
Paper vs. Digital: charting was never done on paper, but we still faxed things. That was largely changing with PCC, since all the other local places also used PCC and they had a feature that allowed us to send charts/notes..etc That said, when someone was out of network or in another state, there would still be faxes in/out. Lots of policy in place to dictate where printers are allowed to be and faxes could only be in nurse stations obviously.
Pain Points: charting. We tried ipads, laptops ..etc Devices would get stolen or damaged fairly easily back then. We essentially had locking cases with tags in them and an alarm at the door which is how we caught people.
Contingency Plans: Clear protocol. Cloud back ups with a provider that could restore as DR. Tested DR restores monthly.
Security: Anyone who touches or had access to PCC or medical records had locked USB ports. Email attachments were pretty much not allowed, had to use secure file links, kind of like one drive.. I believe PCC had this.. could be mis-remembering. We also blocked PCC from any non medical staff's devices, so they couldn't accidentally open PCC links and they wouldn't have had credentials anyway.
IIRC everything was integrated through PCC, but I can't recall. It's been too long.
Impossible_IT@reddit
Is the brostem related to sistem? /s
poizone68@reddit
Hospital IT systems are often one of the budget cut areas. In public hospitals I've often seen doctors use their mobile phones to check on the internet what dosing a medicine should have, because it's quicker to look up there than in the internal systems.
Addressing healthcare IT systems is going to be partly one of scale. Are you solving an issue from the perspective of the healthcare clinicians, the local hospital, the group or region the hospital is in, or on a national scale?
Each of these levels will have a very different set of objectives that at times will conflict with one another.
Even-Cartographer551@reddit
Let's talk German healthcare IT. New client, 3 hospitals: Hardware is basically chaos - anywhere from 1 to 14 years old (Win7 and XP say hello), and there was and is no standardization. A wild mix of ThinClients, PCs and AiOs, with a few laptops thrown in. USB is unlocked, some departments still run their old dedicated servers because the 'new' system doesn't work. The old servers are unlocked, run on admin accounts and have internet access. Everybody has the same set of passwords. The primary software runs on a new terminal server which is way too slow to handle the load - so frequent timeouts are common. The internal IT department is frustrated and demotivated, and would much rather work on their vacation schedule than try to fix things anymore. Welcome to the rice fields...