The Challenge: Support Physician Access While Protecting Against Threats
Marin General Hospital (MGH) is an independent not-for-profit facility with an award-winning cancer program.
Their primary business objective is to protect patient information. They also need to support the ambitious goals of their business by ensuring their security program is in lockstep with their business goals.
The main business drivers for their security program are to provide a secure environment for patient information, ease patients' concerns about their records, and meet regulatory healthcare compliance requirements.
Their users include a diverse mix of physicians, physician staff, partners and contractors. They needed to be able to support hundreds of physicians in non-corporate locations and allow them to look up electronic health records (EHRs) from anywhere.
"If we required physicians to come onto our campus to get access to work resources, they wouldn't work for us," said Jason Johnson, MGH information security officer. Physician recruitment is a major part of the hospital business - if they're not able to stay on the cutting edge of tech, then they'll likely go to another facility.
Meanwhile, the security team was also seeing an uptick in phishing emails that they needed to protect against. They needed a solution that balanced usability needs with lowering risk and strengthening their security posture.
The Solution: Secure, Remote and Usable Access
With Duo, MGH was able to provide the secure remote access that all of their physicians, staff and contractors expect - their users are able to access email, VPN, their EHR system, and other resources while not physically on their campus or in any MGH locations.
"We need to make resources available and ensure they're secure without compromising the user experience," said Johnson. "Duo allowed us to provide security and availability to organization resources remotely, with minimal impact to the user experience."
MGH initially deployed Duo's multi-factor authentication (MFA) solution to secure access to their email, as most users check their email off campus. They were able to roll out Duo to thousands of their users all at once.
"The many enrollment options were helpful - the different ways that one could be enrolled were useful for our many different types of users," said Johnson.
Comprehensive Device Insight & Customer Support
Duo's MFA can also provide insight into their BYOD (bring your own device) and corporate-managed devices. Duo's device visibility works without an agent and keeps user privacy intact: it gives administrators insight only into the security health of devices accessing applications.
"By having that little telescope into people’s devices and the security of them, it offers us the unparalleled information on what's accessing our network," said Johnson.
MGH was able to leverage Duo's premium customer success team, Duo Care, with a team of Duo experts to help with deployment.
"The support was immaculate - we always had the resources we needed for deployment. The access to a dedicated engineer at an incredibly reasonable fee was special - it's nothing we've ever seen from another vendor, before or since," said Johnson.
MFA: A Stepping Stone to Better Security Hygiene
"Good cyber hygiene at home spreads to good cyber hygiene at the organization - MFA is a good tactic in both places. It bridges the gap and shows them it's not a scary thing. It's a necessary protection that is very low impact," said Johnson.
In addition to increasing overall user security awareness, multi-factor authentication lays the foundation for the start of a zero-trust security model by quickly enabling organizations to verify users' identities. Duo's MFA gives organizations immediate insight into any device accessing a protected application, like an EHR, without the need for an MDM or agent.
By combining user trust with device trust, any organization can easily start on their journey toward trusted access to protect their workforce.