
Challenges

Threat actors continue to target healthcare companies with phishing and ransomware attacks and identity-based threats that seek to compromise email accounts. Modern healthcare providers also must navigate fast-changing industry dynamics—like an increasingly remote and mobile workforce—and comply with data privacy regulations for handling sensitive patient data.

As the business continues to grow, PruittHealth onboards new clinicians frequently, and it had noticed an uptick in identity-based attacks. A risk assessment showed the potential for multi-factor authentication (MFA) to help protect workers against credential theft, block malicious access to applications, and minimize risk from bring-your-own-device (BYOD) initiatives.

The Duo Solution

Having detected and deflected phishing attempts in the past, PruittHealth deployed Duo to strengthen security around applications and protect patient data. Following a brief proof of concept (PoC) exercise, Richard Bailey, Senior Vice President of Information Technology at PruittHealth, decided Duo would meet the company’s needs and allow the team to spend less time managing identity security.

According to Bailey, Duo offered a “very clean self-enrollment process and had a lot of pre-existing integrations with a variety of products that we already use.” Along with ease of enrollment, Duo delivered a single, flexible, and easy-to-use solution for securing remote access, protecting user identities, and achieving compliance requirements quickly and effectively.

Easy Onboarding Promotes Rapid Deployment of MFA

A phased rollout of Duo began with implementing MFA to protect PruittHealth’s workforce and secure remote access and connectivity to critical applications. Fast, easy onboarding to Duo’s MFA solution took place with minimal disruption as 8,000 workers used the self-service portal to enroll within a month.

According to Bailey, Duo delivered a “simple multi-factor authentication solution, and since deploying, there have been no successful phishing attempts.” The SVP also noted the value of making it easy to onboard new clinicians quickly as the business expands—whether they had technical expertise or not—and to accommodate individual preferences for authentication methods.

With MFA deployed to protect workers against credential theft, PruittHealth expanded its focus to implement policies that restrict access from unmanaged devices and unknown locations, and also address MFA fatigue. As the project went on, the team continued to leverage Duo’s advanced features and capabilities to improve security and user experience.

Benefits to PruittHealth

Minimizing the cyber-threat surface

PruittHealth uses Duo to provide visibility into its full inventory of devices that access protected applications, and to better enforce access policies. Through a single pane of glass, Duo lets analysts see their full inventories, secure endpoints, and enforce policies to block access to applications from out-of-date or vulnerable devices. Together, device-based access controls and MFA significantly reduce the company’s cyberattack surface.

Bailey also sees the potential for Duo’s Trusted Endpoints feature to complement PruittHealth’s mobile device management (MDM) capabilities. The two solutions help to determine whether devices satisfy pre-defined access policies before permitting users to access applications. Using Trusted Endpoints, Bailey’s team can distinguish managed, trusted devices from those that are unmanaged and untrusted, and allow or block access on an application-by-application basis.

A flexible, future-ready solution

Duo makes it easy for PruittHealth to provide its healthcare workers with flexible options that accommodate their preferred means of authenticating. Options include receiving push notifications, adopting modern biometric methods such as facial recognition or fingerprint scanners, or continuing to receive texts and phone calls to grant access.

Along with MFA, the cloud-based Duo Central single sign-on (SSO) portal allows workers to authenticate once to access multiple approved applications from one simple, customizable landing page. For even stronger security, Duo Passwordless can eliminate password-based logins altogether.

Prevents “MFA fatigue” that ushers in attacks

Duo’s MFA application helps PruittHealth improve user experience (UX) for nurses who provide in-home patient care as well as those operating at healthcare facilities, while avoiding “MFA fatigue” attacks. These campaigns succeed when users get bombarded with repeated prompts to approve authentication and finally grant access to attackers out of frustration.

Duo’s up-to-the-minute intelligence also lets the security team see when attacks are occurring and use PIN-based authentication prompts through Verified Duo Push. This feature eliminates MFA fatigue while still requiring users to complete strong authentication by entering a one-time verification code into the Duo Mobile app during the push login process. The PruittHealth team is also evaluating options for passwordless authentication using biometrics to further simplify the login process.

Promotes risk-based security

Duo makes it possible to automatically step up security in response to suspicious events and other triggers. For example, PruittHealth had observed instances where users appeared to initiate login requests from two distant locations within a few minutes.

Delivering on what Bailey calls “the promise of identity intelligence with AI or machine learning,” Duo’s Risk-Based Authentication detects and highlights indicators of risk such as “unrealistic travel” and automatically steps up authentication requirements in situations where risk is high and trust is low.

Provides proof of regulatory compliance

Ongoing compliance challenges include satisfying protected health information (PHI) mandates defined by HIPAA laws and being able to detect and report any known breaches that might expose patient data.

Duo meets HIPAA breach notification exclusions of mandatory reporting requirements and provides details to maintain historical audit trails. Reports and audit log data provide evidence of encryption and passcode compliance with user access attempts logged and tracked each time users log into integrated applications.

The reliable identity-proofing provided by Duo helps to satisfy other diverse mandates like those set forth by the state of Georgia Drugs and Narcotics Agency (GDNA) to regulate Electronic Prescribing of Controlled Substances (EPCS).

Intelligence that scales to improve UX

As the healthcare industry’s threat landscape continues to change, new opportunities arise for PruittHealth to apply Duo Continuous Identity Security, which combines Cisco Identity Intelligence (CII) and Duo Passport to protect against identity-based threats while delivering an exceptional experience for every user. Cisco Identity Intelligence addresses the rise in attacks targeting user identities by providing deep visibility into users, devices, authentications, potential threats, and more across an organization’s identity sources. Duo Passport works to minimize the number of authentication prompts users get throughout their workday, which contribute to MFA fatigue, for enhanced satisfaction and productivity.

By implementing strong, intelligent security solutions, PruittHealth demonstrates its ongoing commitment to creating a world-class “anytime, anywhere” experience for employees and patients while staying compliant and protecting patient data.
