Methodist Health System + Duo
Methodist Health System of Dallas, one of the leading healthcare providers in North Texas, chose Duo to help them comply with HIPAA and EPCS guidelines and regulations.
When it comes to deploying security in healthcare, the minutes do really matter. With Duo in place, we don’t need to worry about security or lost productivity.
The Challenge
To serve patients more efficiently, MHS wanted to modernize how they process prescriptions. To implement e-prescribing, they needed to comply with the Texas Department of Public Safety (DPS) requirements to follow Electronic Prescriptions for Controlled Substances (EPCS) guidelines. Offering e-prescriptions gives MHS the ability to build a computerized medication history while prescribers get a more secure form of prescription delivery that also makes prescription filling easier for patients. To comply with the controls under the EPCS guidelines, MHS is required to use a FIPS 140-2 token for authentication and authorization of e-prescriptions, and the legacy multi-factor authentication (MFA) solutions they had in place did not offer a favorable user experience.
Several years of supporting a diverse network of locations has resulted in myriad security solutions being deployed to address various areas within the MHS infrastructure. They needed a consolidated solution that could meet all of their needs and offer a reduction in overall costs.
Another challenge MHS faced supporting multiple connected locations is the need to balance connectivity with complying with Health Insurance Portability and Accountability Act (HIPAA) administrative and technical safeguards. Maintaining HIPAA compliance is paramount to MHS in their mission to provide accessible and secure solutions for their network of health care providers and patients. Providing continued connectivity also poses unique challenges to ensuring PHI data is accessed appropriately and securely.
The Solution
Addressing EPCS Requirements
MHS chose Epic Systems as their e-prescription provider. Wayne Keatts, MHS’s Assistant Vice President and Information Security Officer, said the simple integration and the relationship Duo has with Epic led them to consider Duo to meet the EPCS requirements. A DEA-accredited auditor, Drummond Group, LLC, confirmed that Duo Push satisfies Electronic Prescriptions for Controlled Substances (EPCS) requirements for two-factor authentication, meaning Keatts could deploy a solution that was quick and easy to use without impacting the workflow of patient caregivers.
Keatts said they have “not been disappointed in any way with the way that Duo operates. All of our users feel that the solution is super easy and convenient. It is one of the most effective security products we have rolled out.”
Reduced Burden on IT
MHS has a goal to consolidate the various security solutions they have deployed and implemented throughout the organization based on individual projects. Duo will help in that consolidation and offers benefits not only to the parties who need to authenticate but to the administration and executive levels as well.
The MHS IT administrator who currently manages multiple authentication platforms has said that Duo is the easiest to manage, Keatts noted: “He almost gets giddy when we discuss expanding our use of Duo.”
Duo’s easy-to-consume model provides lasting value and a predictable total cost of ownership (TCO). “The simple subscription-based pricing is easy to manage and we know exactly what we are getting,” Keatts said.
They have plans to expand their use of Duo’s MFA beyond their administrative users connecting through Citrix Netscaler and to protect OWA for all users. They anticipate this will result in an overall reduction in their operating costs by reducing administrative overhead and helpdesk call volumes.
Continued Connectivity
Providing administrative resources the ability to remotely connect to various locations securely while protecting PHI is important to MHS. The implementation of Duo’s MFA solution is helping the administrative team reduce the time it takes to get remotely connected with Netscaler.
Keatts said he frequently receives comments about how convenient it is to use Duo’s push authentication versus other legacy methods, which involve manually inputting a six-character rotating code for access.
“At 3:00 in the morning, it is a challenge to read off the numbers from some of the other solutions that we have tried before. With Duo, all they have to do is hit a simple ‘yes’ to be securely authenticated to the systems they need,” Keatts said. “It makes my job easier to keep things secure, and makes their job easier because they get timely access. When it comes to deploying security in healthcare, the minutes do really matter. With Duo in place, we don’t need to worry about security or lost productivity.”