The organization was on a journey to provide better care and improve health outcomes. As part of that journey, they planned to digitize patient information so that 6,000+ clinicians could provide care anytime, from anywhere and on any device.
However, making patient data reachable over the internet increases the risk of data breaches. Any exposure of patient data to unauthorized individuals constitutes non-compliance and can lead to fines of up to $1M.
Their chief information security officer (CISO) is responsible for security and compliance programs. His goal is to ensure that they uphold the trust and privacy of their employees and patients, while enabling new services.
Given the recent rise in cyberattacks on healthcare organizations, the health system wanted a security solution that could be deployed quickly to all of its users. They wanted patient data to stay secure no matter which device accessed it, corporate-owned or personal. They also wanted to enforce a consistent set of security policies for all data access without burdening clinicians with additional steps or workflows.
As a first step, the company deployed Duo’s multi-factor authentication (MFA) solution to provide strong authentication for all users logging into applications that hold patient information. Duo’s native integration with healthcare applications, easy user self-enrollment and flexible authentication options helped the company roll out MFA to 25,000+ users within weeks without a glitch. Users could also install Duo’s app on their personal devices without privacy concerns.
“Our clinicians loved the simplicity of the Duo Push notification to their phone or smartwatch to authenticate,” said their CISO. “Many users also liked the ability to choose from different methods depending on where they are. They might be buried deep in a hospital zone with a bad cell or wireless connection, in which case they can use Duo Mobile to generate a passcode to log in securely.”
Easily Deploying at Scale
When it came to rolling Duo out, the company had a deployment of over 20,000 users. Their initial plan was to roll out the solution hospital by hospital, but they decided that a staggered rollout might be too confusing for users.
“We then decided to make the announcement to roll out Duo globally in one fell swoop. We used Duo's self-enrollment functionality and features, which was very intuitive for users,” said their CISO. “We also contracted a third-party company to assist with help desk support, since we thought they would be flooded with tickets. But they only got three calls in the first three or four months of rolling it out - it was very non-impactful.”
Uncovering Risky, Personal Devices
Using Duo, the company’s security and IT team discovered thousands of previously unknown personal devices accessing applications with patient data: 30,000 more mobile devices than they had believed were accessing their environment.
“Being able to track OS and browser versions as well as having graphs for compliance helped sell the Duo Beyond upgrade to leadership,” said their CISO. “We initially thought there were a few hundred BYO devices, but there were, in fact, actually thousands - over three times the number of devices accessing our systems than we had previously estimated.”
With Duo’s Unified Endpoint Visibility, they were also able to find that many mobile devices accessing company resources had poor security hygiene.
“One of the first things [our security/IT team] discovered that they didn't like - there were about 50 percent of mobile devices that did not meet their corporate policies (password protected or encrypted). We weren't as compliant as we thought we were with our BYOD devices,” said their CISO.
Complying With the HIPAA Omnibus Rule
For covered entities, ensuring that mobile devices storing or accessing patient data are encrypted and passcode-protected is a key requirement of the HIPAA Omnibus Rule. Encryption allows the data to be classified as “unusable, unreadable, or indecipherable to unauthorized individuals” and greatly reduces the risk of compromise. Without proof that a specific lost or stolen device was encrypted and locked at the time of loss, each such loss is a breach reportable to the Office for Civil Rights (OCR) and may lead to fines of up to $1 million.
Previously, the company had tried to meet these security and compliance requirements with a mobile device management (MDM) solution, but clinicians pushed back due to privacy concerns. A clinician who worked with several networks and systems often ended up with several MDM agents on one device; these competed for control of the device, sometimes bricking it and locking the user out.
With Duo, the company gained insight into all mobile devices and tablets accessing company applications, including personal mobile devices and laptops that had never been visible to their MDM. Duo also provided detailed insight into each device’s security posture, such as out-of-date software and the status of security configurations such as passcode, biometrics and encryption.
“Now we can start using Duo's great dashboards and functionality to help meet our audits - whether those are HITRUST, PCI DSS or OCR audits. We can use [Duo’s] visibility to help prove our compliance status and security,” said their CISO.
Armed with these insights, the company developed a policy framework aligned with the HIPAA Omnibus Rule. For example, if a user with an unencrypted and unlocked mobile device tried to reach the Citrix NetScaler Gateway that fronts the Electronic Health Record (EHR) software, Duo blocked the device. Duo told the user why the device was blocked and pointed them to the corrective action. This kind of plain-language communication, designed for non-technical employees, helped the company avoid expensive IT help desk tickets.
Consolidating Security Solutions
With Duo, the company was able to cut 90% of its MDM spend while increasing security coverage for mobile devices by 3x. Because users were already licensed and fully enrolled in Duo, there was no additional software to deploy, manage or train users on.
“We saw a more tangible benefit with being able to consolidate our spend with Duo Beyond. By using Duo Beyond for BYOD control, we don't have to spend that money on third-party MDM solutions,” said their CISO.
Clinicians liked that Duo checked their devices for compliance at login rather than taking full control of the device like a traditional MDM. The same approach let the company grant access to third-party business partners without controlling their devices or having multiple companies’ MDM solutions battling for control of one device.
“That's been the biggest thing for us. The chief financial officer (CFO) side of the house will like consolidation and management - who wants to manage not just 20-30,000 users, but also 60,000 devices with MDM? All users have more than one device; oftentimes two or three devices accessing our system,” said their CISO.
Duo’s Secure Access for Cloud Applications
The large healthcare system is at the forefront of embracing digital transformation. Because its users demand access to applications from anywhere, Duo helps the company provide easy and secure access to cloud applications through a native integration with federated authentication systems such as ADFS, which front many cloud applications at once.
With Duo Beyond, the healthcare system can ensure all BYOD devices accessing cloud applications are passcode-locked, encrypted and not jailbroken.
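The login-time posture gate described in the two passages above (block an unencrypted or unlocked device from the EHR gateway, tell the user why, and require passcode, encryption and no jailbreak before cloud access) can be modeled as a small per-application policy evaluator. The following Python is an added example written for this page, not Duo’s code, API or configuration; the device fields, policy attributes and remediation strings are assumptions, and the sample devices are constructed.

```python
"""Device-posture gate modeled on the login-time checks described above.

Added example, not Duo code: the field names, policy shape and remediation text
are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    # Constructed posture report as an access proxy might receive it at login.
    name: str
    platform: str            # "ios" / "android" / ...
    os_version: tuple        # e.g. (16, 4)
    passcode_set: bool
    disk_encrypted: bool
    jailbroken: bool


@dataclass
class Policy:
    # Per-application requirements; a high-risk app (e.g. the EHR gateway)
    # gets tighter values than a low-risk one.
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    min_os: dict = field(default_factory=dict)   # platform -> minimum version tuple


# User-facing remediation text keyed by check name, so a blocked clinician sees
# what to fix rather than a bare "access denied".
REMEDIATION = {
    "passcode": "Set a screen-lock passcode or biometric unlock, then retry.",
    "encryption": "Enable device encryption in Settings, then retry.",
    "jailbroken": "Jailbroken/rooted devices cannot access patient data; restore the device.",
    "os_version": "Update the operating system to the minimum supported version.",
}


def evaluate(device: Device, policy: Policy) -> dict:
    """Return {'allow': bool, 'failed': [check names], 'remediation': [text]}.

    Every failing check is collected (not just the first) so the user can fix
    everything in one pass instead of being blocked repeatedly.
    """
    failed = []
    if policy.require_passcode and not device.passcode_set:
        failed.append("passcode")
    if policy.require_encryption and not device.disk_encrypted:
        failed.append("encryption")
    if policy.block_jailbroken and device.jailbroken:
        failed.append("jailbroken")
    minimum = policy.min_os.get(device.platform)
    if minimum is not None and device.os_version < minimum:
        failed.append("os_version")
    return {
        "allow": not failed,
        "failed": failed,
        "remediation": [REMEDIATION[c] for c in failed],
    }


# Constructed sample policies and devices (hypothetical values).
EHR_POLICY = Policy(min_os={"ios": (16, 0), "android": (12, 0)})
LOW_RISK_POLICY = Policy(require_encryption=False, min_os={})

COMPLIANT_PHONE = Device("clinician-iphone", "ios", (16, 4), True, True, False)
UNLOCKED_TABLET = Device("shared-tablet", "android", (13, 0), False, False, False)
ROOTED_PHONE = Device("contractor-android", "android", (14, 0), True, True, True)
OLD_IPAD = Device("old-ipad", "ios", (15, 7), True, True, False)

if __name__ == "__main__":
    for dev in (COMPLIANT_PHONE, UNLOCKED_TABLET, ROOTED_PHONE, OLD_IPAD):
        decision = evaluate(dev, EHR_POLICY)
        verdict = "ALLOW" if decision["allow"] else "BLOCK"
        print(f"{dev.name}: {verdict} {decision['failed']}")
        for msg in decision["remediation"]:
            print("  -", msg)
```

The design point is that the gate inspects posture only at the moment of access and never takes ownership of the device, which is what distinguishes this model from an MDM agent; the same unlocked tablet that is blocked from the EHR policy is blocked from the low-risk policy only for the missing passcode.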
“If we could give a recommendation to other companies now, we would say jump right into the Duo Beyond edition because that endpoint and mobile device information, as well as enforcement is so valuable,” said their CISO.
Learn more about Duo for Healthcare.