ZorgSpectrum’s secure access adoption accelerated during the company’s IT transformation journey. The company, which was previously part of a group of healthcare organizations using the same IT platform, made a decision to go its own way. It was a radical step that didn’t only require building its own servers and desktop experience for users, but also called for a rethink of the secure access strategy.
At the time, ZorgSpectrum’s IT Administrator access, as well as server operating systems, were already protected by Duo’s access security platform. Rolling out the solution across ZorgSpectrum’s workforce was planned for a later stage. The company felt that introducing technology changes gradually would make for a smoother transition.
However, the wider deployment of Duo’s platform happened much sooner than initially planned. A few factors played a role here. ZorgSpectrum was aware that implementing multi-factor authentication (MFA) would mean taking a step towards meeting the requirements of the national exchange platform, Landelijk Schakelpunt (LSP), which enables secure access to patient data.
LSP is a highly secure infrastructure, and all healthcare providers in the Netherlands must comply with its program of technical and organizational requirements for the proper and safe exchange of medical data. Healthcare providers who want to access data via the platform must undergo, amongst other things, audits of both care systems and networks.
As a company headquartered in the European Union (EU) that conducts business with European customers, ZorgSpectrum must also adhere to the General Data Protection Regulation (GDPR). Verifying users’ identities with strong MFA before granting access to applications that may contain personal information seemed like an opportunity to kill two birds with one stone. It enabled ZorgSpectrum to meet both broader European and local Dutch requirements (AVG).
In addition to regulatory requirements, one of ZorgSpectrum’s IT system suppliers recommended securing access with an MFA solution as a best practice for all its clients. Their argument was that an MFA solution could substantially reduce the risk of unauthorised access and help protect sensitive patient data. The combination of these few factors prompted an earlier roll-out of Duo.
“Deploying Duo more widely was a logical step for us. Our IT Administrators have had a very positive experience and there was a strong preference for the solution amongst our technical consultants,” said Hans Pruim, ICT Adviser at ZorgSpectrum.
Duo’s integration across all of the applications in ZorgSpectrum’s technology stack was an important factor. ZorgSpectrum also wanted to enable broad self-service functionality for users to minimize impact on their finite IT resources.
“And on top of that we wanted the ability to provide better security without a negative impact on our end-user productivity. We wanted the enrolment and authentication to be easy to ensure a smooth adoption process,” said Pruim.
ZorgSpectrum’s IT Team was well aware that the deployment of a new IT solution required a substantial communication push. Well in advance of a planned roll-out, the company used a variety of communication tactics, including handouts with “before and after” screenshots explaining the new secure access flow in detail.
As with every project of this nature, ZorgSpectrum ran a pilot with a small group of users testing and providing feedback on the flow. “The expectation was that logging in with an MFA would become more difficult and that it would cause friction. In the end, the opposite was true. Our pilot users agreed that the login process was extremely easy and suggested that we use it in production. Word got around to the rest of our user-base and some expressed interest in trying the solution. We were in the perfect position - the solution wasn’t even rolled out yet, but we already had a demand.”
ZorgSpectrum uses Duo’s MFA version with the Single Sign-on (SSO) functionality for its main applications. The plan is to extend this for all remaining applications in the near future.
“When building our own IT environment, one of our key principles was to make the experience as easy as possible for our end-users. In an SSO environment, the user is only responsible for one set of credentials. They don’t have to manage a variety of different usernames and passwords and get to the information they require quickly. SSO doesn’t only enhance the user experience but it also increases the security of the environment.”
“For a few weeks after the deployment, we monitored the new flow to help iron out any issues. We haven’t discovered anything significant other than the fact that we’ve been saving our product owners a few hours a week that would otherwise be spent on password resets!”