Technology Current State (AHS)
The purpose of this section is to provide a brief overview of the size and technical direction of Alberta Health Services (AHS). This will allow Proponents and others seeking to deploy Information Technology solutions to propose or design solutions that are most compatible with AHS IT’s technical direction.
The technology architecture of AHS is based on the following guiding principles:
AHS uses technologies based on identifiable industry standards.
AHS uses technologies that can be cost-effectively supported and managed.
AHS uses technologies that operate on common platforms, operating systems and networks.
AHS minimizes risk by assessing security, impacts, and compliance with our environment before deploying new solutions.
Solution designs must be approved by the appropriate AHS team prior to implementation.
In general, AHS Technology Infrastructure strives to be n-1 from a versioning perspective over a 3-5-year lifecycle depending on the technology platform. Within each capability layer there are several standards that are in place as described below.
End User Environment
AHS uses a variety of End User devices across the enterprise.
Laptops and desktops running Windows 10.
Most desktops have a 22-24” monitor.
Some clinical areas require high performance workstation class machines
Browser: Microsoft Edge
Apple iPad current generation.
We also have a mix of other tablet devices vendor supplied and managed.
We also have previous generations of the Apple iPad.
Wyse 3040 Thin OS version. Wyse management console
Dell Latitude – Windows 10.
We also have a mix of other brands.
Samsung running Android
Lexmark print release available for location independent printing
Microsoft Print Servers
AHS employs an enterprise approach for Single Sign-On (SSO) and domain authentication via Active Directory. To enhance security, two-factor authentication (2FA) is prevalent.
AHS runs a in a single Active Directory 2019 user domain with Windows Server 2019 Active Directory Schema. It is centralized in two urban hub locations, Calgary and Edmonton, and serves 150,000+ users, 75,000+ PCs, and 4,000+ servers. LDAP/S, SAML, & ADFS are also supported.
All applications that support LDAP/AD should authenticate with the AHS domain.
Single Sign-On and End User Device Access
AHS currently employs the following single sign-on solutions that could be leveraged:
Imprivata OneSign v4.9 on G2 appliances with SSO, SSPW, FBID and VDA licensing.
Oracle Enterprise Single Sign-On Suite Plus - Version 18.104.22.168.0 (SSPR via GINA extension)
Tap and Go: Imprivata
AHS uses a variety of presentation methods including local application, web and thin client solutions.
AHS supports local client applications with Microsoft’s Office suite and Internet Explorer being standard applications. Microsoft Exchange (Outlook, Outlook web access) and Teams are deployed for real-time collaboration environments.
AHS predominantly uses Microsoft IIS and Apache for web server infrastructure. AHS prefers to implement web-based applications that utilize existing HTTP (port 80/443), LDAP and Portal server infrastructure and require only a standard web browser on the client workstation.
It is a preference that any proponent recommended web application does not require any of the following client side technologies to operate with full functionality:
Web browser plug-in or helper applications,
Java/JVM, VBScript and ActiveX
AHS has recently standardized on Dell Server hardware and prefers to deploy virtualized servers on blade technology. Physical servers when required, are typically standard rack mount models.
AHS offers the following server platforms for the deployment of new applications:
Full operational and administrative support can be offered for the above operating systems and the corresponding hardware environments.
Enterprise Content Management that governs information architecture and governance is provided by RedDot. This is consistent for both Internet and Intranet environments.
SharePoint 2016 handles enterprise wide collaboration. Multiple SharePoint environments handle collaboration requirements for internal, external and private environments respectively. Video content is currently not supported in the collaboration space.
Custom application development, enhancements and customization and are predominantly on .NET framework.
Microsoft Exchange and Teams are also deployed for real-time collaboration environments.
AHS supports and maintains a variety of solutions using ANSI SQL / Open Database Connectivity (ODBC) compliant relational databases. Proponents seeking to deploy new applications that are hosted by AHS must be compliant with this direction.
MS SQL AlwaysOn is preferred for MS SQL clustering.
Full operational and administrative support can be offered for the above products and the corresponding hardware environments.
AHS has standardized with an Enterprise Content Services (ECS) solution, Quanum by Quest Diagnostics
Alberta Health Services currently operates the largest private network in Alberta and the fifth largest private network in Canada today. The current AHS network is a geographically & technologically diverse network spanning approximately 662,000 square kilometers. (255,599 sq mi.) The longest network path is approximately 1500 km (932 mi). The network is comprised of a variety of regional MANs (Metro Area Networks), WANs (Wide Area Networks), Internet VPNs (Virtual Private Networks) provided by multiple service providers across multiple transport technologies. The AHS network provides service to +700 locations and an average of 300,000 active network IP connected endpoints, (the “AHS Network”).
AHS currently has a combination of Metropolitan Area Network (MAN) and Wide Area Network (WAN) services operating between facilities. The IPV4 network securely connects all major AHS data centres, hospitals, community health centers and urgent care facilities within Alberta. Using trusted connectivity methods, various robust and highly available infrastructures are in place to support mission critical clinical and business application delivery.
The core AHS Network is comprised of two (2) AHS owned and operated DWDM (Dense Wave Division Multiplexing) rings in Edmonton & Calgary which are interconnected through provider based wavelength services. There are four (4) provincial data centers located in Edmonton and Calgary following a 2+2 model which are housed in dedicated co-location facilities. Each DWDM location is connected with a minimum of 20 Gbps capacity, while the provincial datacentres are inter-connected through multiple dedicated 10 Gbps circuits.
The AHS provincial WAN, is a multi-provider DMVPN (Dynamic Multi-point Virtual Private Network) providing both physical and logical path diversity to rural hospitals, acute care facilities and other small facilities. The WAN currently supports remote locations with network capacity between 5-800 Mbps, dependent on the size of the remote facility and bandwidth requirements. Sites can be located in both rural and metro areas. The DMVPN core routers are located across the four provincial data centers and are fully redundant to each.
Internet access is provided by diverse ISPs (Internet Service Providers) paired in Edmonton and Calgary with a 10 G connection to each ISP in each of the four (4) provincial data centers. This provides AHS with a total live capacity of 50 G to support AHS and many partner business connections as well as VPN connected facilities and remote teleworkers.
AHS Network Services supports and maintains local area networks that provide a typical end user with a switched 1Gbps Ethernet wired connection. For high-capacity devices such as servers, 1G/10 GB are available in computer rooms. These are based on Ethernet at full line rate (10Gbps, 1Gbps, and 100Mb) or policed service sub-rates for WAN sites.
Wi-Fi coverage is being extended to enable staff and physicians across the province to wirelessly access the private and secure AHS network using a variety of devices, including fixed and mobile workstations, laptops, smartphones, and tablets. Wireless LAN will be available in both 2.4GHz and 5GHz spectrum. Devices connecting to the wireless network must support 802.11a, 802.11g, or 802.11n protocol(s).
Secure remote access is provided by a number of AHS managed solutions, many of them legacy and intended to be phased out. If remote support functionality is required, it is preferred that proponents will use existing AHS managed solutions. Exceptions will be considered on a case by case basis.
Identity Services added the UAP (Unified Access Portal) for external application access, technology leverages the Citrix Unified Access Gateway and Citrix Storefront. Provides access to both Citrix and Web based Applications secured via RSA 2FA.
The new provincial standards for VPN:
A fob-free solution that allows users with AHS assets to be highly mobile and connect to the network. NetMotion is ready for a provincial rollout and well over 1,000 AHS staff are currently using this solution.
A physical Fortinet appliance that allows AHS employees to connect multiple networked AHS devices (e.g., laptop and VoIP phone). This solution is available today.
A solution we offer for vendors and AHS partners who require a continuous connection for monitoring devices and / or contributing to databases.
A fob-based solution for users (staff and vendors) who wish to use non-AHS assets to access AHS network resources and services. This solution is available today.