Sentara Healthcare is a not-for-profit integrated healthcare system based in Norfolk, Virginia. With 300+ sites of care and 28,000+ employees across the system, they provide healthcare services to millions of patients. Due to the nature of their business, they need to safeguard protected health information (PHI) and are required to meet compliance requirements such as HIPAA and EPCS.
Sentara has a mature identity management program. They have a centralized tool to manage all user identities. They proactively provision and deprovision accounts and ensure any terminated employees have been removed from all access. They have stringent access controls to ensure only the right users have access to the applications they need.
Despite these existing controls, they remained at risk from persistent phishing attempts by attackers trying to steal user credentials to gain access to their network. They knew multi-factor authentication (MFA) would be the right control to mitigate the risk of credential theft, since a stolen password alone would no longer be enough to log in. Leadership had previous experience using Duo, but they were concerned that their physician user base might resist implementation if the tool added additional burden to their workflow.
Sentara evaluated several MFA vendors before choosing Duo for its ease of use and speed to security. As a first step, they implemented Duo for all remote access coming into the network, starting with their Cisco AnyConnect virtual private network (VPN) and virtual desktop infrastructure (VDI) and extending to remote desktop (RDP). Previously, Sentara had struggled to deploy two-factor authentication to all users, but Duo was deployed to 60,000+ users within months of purchasing the solution.
“Duo’s push functionality, flexible authentication options, inline enrollment, and user documentation made it easy for us to enroll all of our users in a timely manner,” said Spiers. Overall, the project was a big win for the security team.
Enabling Secure BYOD for Physicians
Since Sentara allows physicians to use personal mobile devices for work, they wanted to understand and assess the risk of personal devices accessing sensitive applications. They were concerned that insecure mobile devices accessing PHI could put them at risk of not meeting compliance requirements.
“The only way we knew to get insights into mobile devices was to push a mobile device management (MDM) tool onto users’ devices, but due to cost and complexity we didn’t want to pursue this idea,” said Spiers.
Once Duo was deployed to all users for authentication, they immediately gained visibility into every device authenticating to their network. They discovered twice as many devices as they had previously anticipated.
With Device Insight, they were able to gather detailed information on the security posture of those mobile devices: out-of-date operating systems, whether a passcode or lock screen was set, whether storage was encrypted, whether biometrics were enabled, and so on. They were surprised at the number of unencrypted and out-of-date devices accessing applications.
Enforcing Encryption to Protect PHI
Because physicians routinely send PHI by email, an unencrypted device holding that mail was both a security and a compliance risk. For example, if a device was lost and Sentara could not prove it was encrypted, their cyber insurance carrier would not offer coverage.
With Duo, they were able to require device encryption and block unencrypted devices from accessing applications. In addition, they encouraged users to set up an ActiveSync profile on their devices, so that a remote wipe was available as a fallback for any lost or stolen device.
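The posture checks described above (visibility into encryption, lock screen and OS version, then blocking devices that fail) can be illustrated with a small access-policy evaluator. The code below is an added example written for this page; it is not Duo's policy engine or anything Sentara deployed, and the platform names, minimum OS versions, the `Device` record shape and the sample fleet are all constructed assumptions chosen for illustration.

```python
"""Device-posture access policy evaluator.

Added example, not Duo or Sentara code. The policy thresholds, the Device
record and the sample fleet below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    platform: str       # e.g. "ios" or "android" (assumed labels)
    os_version: str     # dotted version string as reported by the device
    encrypted: bool     # storage encryption enabled
    screen_lock: bool   # passcode / lock screen configured


# Hypothetical policy; the minimum versions are assumptions, not real guidance.
POLICY = {
    "require_encryption": True,
    "require_screen_lock": True,
    "min_os": {"ios": (15, 0), "android": (12,)},
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn "15.4.1" into (15, 4, 1); return None if it is not parseable."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def version_at_least(version: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare dotted versions, padding with zeros so "15" == "15.0"."""
    width = max(len(version), len(minimum))
    padded_v = version + (0,) * (width - len(version))
    padded_m = minimum + (0,) * (width - len(minimum))
    return padded_v >= padded_m


def evaluate(device: Device, policy: dict = POLICY) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). Every failed check is reported,
    so a user can fix all of them in one pass rather than one per login."""
    reasons: List[str] = []
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("device not encrypted")
    if policy["require_screen_lock"] and not device.screen_lock:
        reasons.append("no passcode or lock screen")

    minimum = policy["min_os"].get(device.platform)
    parsed = parse_version(device.os_version)
    if minimum is None:
        # Fail closed: a platform the policy does not know is not allowed in.
        reasons.append(f"unknown platform {device.platform}")
    elif parsed is None:
        reasons.append(f"unparseable OS version {device.os_version!r}")
    elif not version_at_least(parsed, minimum):
        wanted = ".".join(str(n) for n in minimum)
        reasons.append(f"{device.platform} {device.os_version} below minimum {wanted}")

    return ("allow" if not reasons else "block", reasons)


def audit(fleet: List[Device], policy: dict = POLICY) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate a whole fleet; this is the 'visibility' step before enforcement."""
    return {d.name: evaluate(d, policy) for d in fleet}


def blocked_count(fleet: List[Device], policy: dict = POLICY) -> int:
    return sum(1 for decision, _ in audit(fleet, policy).values() if decision == "block")


# Constructed sample fleet (names and attributes are invented).
FLEET = [
    Device("dr-smith-iphone", "ios", "15.4.1", True, True),      # compliant
    Device("dr-jones-android", "android", "11.0", True, True),   # OS too old
    Device("nurse-lee-iphone", "ios", "16.0", False, True),      # unencrypted
    Device("dr-patel-android", "android", "13", True, False),    # no lock screen
    Device("loaner-tablet", "windows", "10", True, True),        # platform not in policy
]

if __name__ == "__main__":
    for name, (decision, reasons) in audit(FLEET).items():
        print(f"{name:20s} {decision:5s} {'; '.join(reasons)}")
    print(f"{blocked_count(FLEET)} of {len(FLEET)} devices would be blocked")
```

The evaluator fails closed on anything it cannot classify (unknown platform, unparseable version), which is the behaviour you want when the check guards access to PHI; the audit pass lets you measure how many devices a policy would block before switching it from report-only to enforce.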
In the end, Sentara was able to combine their MFA and MDM budgets on the Duo Access edition, reducing the overall operational cost and the time that would have been required to deploy and manage a separate MDM solution.