As a national healthcare services company, Kindred Healthcare must provide computer support to more than 76,000 employees in 46 states. To keep its remote computers and company network safe from malware, and to reduce the cost of supporting remote
workers and give them a better computing experience, Kindred deployed Windows Server 2012. By using the operating system’s DirectAccess feature, remote and mobile employees can bypass the complicated process of connecting to the corporate network over a virtual
private network (VPN) and instead connect by using a standard Internet connection. Kindred will enhance network security, reduce remote access support calls by about 35 percent, conserve network bandwidth, and give employees a more productive work experience.
Because DirectAccess eliminates the need to establish VPN connections, the IT staff can support new acquisitions sooner.
Kindred Healthcare is a healthcare services company that operates hospitals, nursing centers, and a contract rehabilitation services business across the United States. As of June 30, 2012, through its subsidiaries, Kindred provided healthcare services
in 2,154 locations in 46 states, including 118 long-term acute care hospitals, 6 inpatient rehabilitation hospitals, 224 nursing and rehabilitation centers, 27 sub-acute units, 52 hospice and home care locations, 102 inpatient rehabilitation units (hospital-based),
and a contract rehabilitation services business, RehabCare, which served 1,625 non-affiliated facilities. Kindred has been ranked one of Fortune magazine’s Most Admired Healthcare Companies every year since 2009, and was recently ranked as one of the Top 10
Healthcare IT Innovators for 2012 by Information Week. It is a US$6 billion company with 76,000 employees.
“By using DirectAccess, our remote computers are always connected, so we know that they’re receiving security updates. Having well-secured computers is critical for a healthcare organization.”
James Crick, Infrastructure Services Manager, Kindred Healthcare
About 50,000 of the company’s employees are information workers and clinical staffers who share about 27,000 client computers. These 27,000 computers are in more than 2,000 locations, ranging from hospitals to one-person offices. About 400 of these locations
are what Kindred calls “well-connected” sites—linked to the corporate data center by T1 communication lines or other wide area network (WAN) connections. The other 1,600 sites are “lightly connected,” meaning that employees in those locations connect to the
Kindred network by using virtual private network (VPN) technology. About 3,500 employees are mobile or remote workers who fall into the “lightly connected” category, working primarily from home using portable computers and occasionally visiting local offices.
All computers that connect regularly to the corporate network receive automatic security updates. However, keeping the 3,500 portable computers protected was a challenge. Although it was company policy that remote workers connect to the network at regular
intervals to receive security updates, this did not always happen. The result was computers out of compliance and vulnerable to malware attacks. A security breach could jeopardize corporate and patient data, and cause a violation of federal healthcare regulations.
“Much of our client computer management is done through Active Directory Group Policy settings, and when employees didn’t connect, they didn’t get security updates. That presented a real challenge for us, trying to maintain secure remote clients,” says James
Crick, Infrastructure Services Manager at Kindred Healthcare. “Irregular connections to the corporate network affected not only network security but also the deployment of software applications and computer asset management.”
Portable computers also represented a disproportionate amount of support work for the IT staff. Of the remote access support calls, 28 percent were specifically related to lost security tokens, which the employees used to authenticate themselves during the
VPN logon process. “All of our mobile and remote workers disliked the use of tokens, which are awkward and costly to maintain,” says Rick King, Consulting Systems Programmer, Windows Infrastructure Services Department, Kindred Healthcare. “We decided to eliminate
tokens wherever possible to streamline the logon process for our customers.”
The IT staff wanted to make network connection easier for remote workers, while also speeding the process to support business growth. Kindred is growing rapidly, mostly through acquisitions, and it took 90 days or more to install a dedicated WAN connection
to a new office. This limited how quickly an acquired hospital, nursing home, rehabilitation center, or home care or hospice site could become a functional part of the Kindred family.
Most of the servers in the Kindred Healthcare data center run Microsoft software, including the Windows Server 2008 R2 operating system, so Kindred was aware of the development of the Windows Server 2012 operating system. The IT staff was particularly
interested in the enhancements to DirectAccess, a feature that Microsoft introduced in Windows Server 2008 R2, to allow a client computer to connect directly to intranet-based resources over the Internet without the complexity of establishing a VPN connection.
In Windows Server 2012, DirectAccess is easier to deploy, manage, and use.
“One reason we hadn’t considered DirectAccess before was because we didn’t have an enterprise certificate solution, which was previously required,” says Chris Koch, Senior Systems Programmer, Windows Infrastructure Services Department, Kindred Healthcare. “The
new version did not require that. We thought that Windows Server 2012 DirectAccess would give us a much cleaner way to secure remote access for our mobile work force, including our lightly connected PCs.”
Build Proof of Concept
Kindred signed up for the Windows Server 2012 Rapid Deployment Program (RDP) and built a DirectAccess proof of concept with the help of Microsoft Services Consulting. The healthcare company installed Windows Server 2012 Datacenter on one test server
and deployed the DirectAccess feature on that server and on 61 client computers running the Windows 8 operating system.
An IT infrastructure specialist with Microsoft Services Consulting provided an envisioning workshop on Windows Server 2012 for Kindred IT business and technical decision makers. He also built the proof-of-concept environment and validated the deployment plan.
“Microsoft Services came on-site, educated us about Windows Server 2012, and helped us set up our pilot project,” Koch says. “The representative really knew the product and advocated for us within Microsoft during the RDP.”
Test New Feature with IT Employees
Windows Server 2012 DirectAccess contains improvements in deployment, management, and user experience. “The new DirectAccess management console is super clean,” King says. “We really like the Windows PowerShell integration. By using one PowerShell command,
I can find out how many unique DirectAccess sessions are underway and the total connection activity for that day. I can configure reports that go back six months or more.”
Kindred tested DirectAccess with IT employees, who tend to be more critical than average business users. “When you use IT people for a test, you get a lot of feedback,” says Crick with a smile. “They are really picky and vocal. However, the feedback we got
on DirectAccess was phenomenal. These test users were really excited about being able to log on to the network without having to perform additional steps.”
Deploy Broadly, Keep Improving
The Kindred IT staff has been so impressed with DirectAccess that it envisions using the technology beyond its 3,500 mobile workers to some WAN-connected offices. “When we acquire new facilities and satellite offices that already have Internet access,
DirectAccess gives us an option to simply take three or four laptop computers, configure them with DirectAccess, and ship them to the offices,” King says. “Those workers are instantly connected to our network.”
Kindred recently gained exposure to Microsoft System Center Configuration Manager through a company that it acquired. The IT staff is reviewing a plan to deploy Microsoft System Center 2012 Configuration Manager and use it to manage all 27,000 client PCs.
“We expect that the combination of Configuration Manager and DirectAccess will really simplify our client management,” says Koch.
By using Windows Server 2012 DirectAccess, Kindred Healthcare will be able to realize several significant benefits:
Enhance Network Security. Kindred can now increase the security update compliance of its mobile devices, thereby decreasing vulnerability to malware attacks and avoiding regulatory compliance problems. “By using DirectAccess, our remote
computers are always connected, so we know that they’re receiving security updates,” Crick says. “Having well-secured computers is critical for a healthcare organization.”
Reduce Cost of Supporting Remote Workers. Although Kindred will not be able to eliminate its VPN infrastructure entirely because so many devices require it, it will transition more remote workstation users to DirectAccess and significantly
decrease the use of VPNs. This will significantly reduce desktop support calls. “With DirectAccess over a standard Internet connection, we anticipate being able to deliver IT services to a much larger audience without significantly increasing support call
volume,” says King.
Conserve Network Bandwidth. Kindred can conserve expensive network bandwidth by using DirectAccess. Previously, remote workers accessed the Internet through VPN connections that traveled over the corporate WAN. DirectAccess routes these
connections directly to the Internet without using the WAN. “With DirectAccess, we’ll have 3,500 fewer external Internet connections using up corporate bandwidth,” says Koch. “When it’s time for these devices to download security updates, they will download
them through an Internet connection without chewing up bandwidth on our corporate network.”
Provide Better Experience for Mobile Workers. With DirectAccess-connected computers, mobile and remote employees enjoy a faster Internet connection and a much smoother, more productive work experience when out of the office. They no longer
need to learn how to use VPN software, carry clunky tokens, remember additional passwords, or repeatedly call the help desk for support.
Support Business Growth. A major benefit of using DirectAccess is the ability to quickly connect acquisitions to the Kindred network. “We can deploy IT services to a wider audience faster by using DirectAccess,” King says. “We don’t have
to wait for dedicated WAN connections to be installed, which can take 90 days or longer. DirectAccess gives us an option to ship a laptop computer to a new office and provide instant connectivity to our corporate network. We can connect any Windows 7 Enterprise
or higher client that has an Internet connection. DirectAccess gives us an opportunity to greatly simplify the delivery of IT services to new employees and the integration of acquisitions into the company. This helps the company grow faster.”
Windows Server 2012
Windows Server drives many of the world’s largest data centers, empowers small businesses around the world, and delivers value to organizations of all sizes in between. Building on this legacy, Windows Server 2012 redefines the category, delivering hundreds
of new features and enhancements that span virtualization, networking, storage, user experience, cloud computing, automation, and more. Simply put, Windows Server 2012 helps you transform your IT operations to reduce costs and deliver a whole new level of
For more information, visit
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing
can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
For more information about Kindred Healthcare services, call (502) 596-7300 or visit the website at: