Healthcare continues to be a target for hackers, with ransomware and targeted phishing emails being the most common approaches. Because healthcare organizations handle a large volume of sensitive patient data, they must adhere to the regulations for protected health information (PHI) under the HIPAA omnibus rule and are required to report any breaches that compromise patient data. Healthcare organizations therefore require strong security both to combat threats and to ensure compliance.
PruittHealth was aware of industry-wide security concerns and had caught and isolated phishing attempts in the past. The organization wanted to increase the security around its applications to protect both the organization and its patient data, so it engaged in a risk assessment to identify areas where security could be improved. This assessment helped PruittHealth identify three needs: to implement multi-factor authentication (MFA) to protect against future credential theft attempts, to improve the controls used to prevent access from unmanaged devices brought in through bring your own device (BYOD) initiatives, and to block malicious access attempts against its applications.
Based on past experience, PruittHealth was concerned that implementing MFA would be time-consuming and difficult. However, Richard Bailey, Vice President of IT Operations, said that after a brief proof of concept (POC) it was clear that Duo Beyond would meet their needs, and that they would spend less time deploying and managing it than the other solutions they had considered in the past.
PruittHealth chose Duo to address its security needs because Duo offers a “very clean self-enrollment process, and it has a lot of pre-existing integrations with a variety of products that we already use,” Bailey said.
PruittHealth took a phased approach to its deployment of Duo, focusing first on integrating its remote connectivity applications, which included NetScaler, Microsoft RDP access and its Palo Alto VPN. Once these remote entry points were secured, the security team turned to other applications in use and implemented MFA for user validation on Outlook Web Access (OWA).
Easy Deployment of a Secure Solution
Large healthcare organizations do not want to impact the productivity of care providers when rolling out new solutions. There is a risk that users will resist adoption. With Duo, however, PruittHealth was able to have 8,000 users self-enroll within a month with no resistance and minimal disruption.
According to Bailey, Duo has been able to provide them with a “simple multi-factor authentication solution, and since deploying, there have been no successful phishing attempts.” Having the ability to rapidly deploy a security solution offered immediate benefits in protecting PruittHealth’s knowledge workers, who access critical system resources.
With its users protected against credential theft by MFA, PruittHealth shifted its focus to the devices accessing its applications and to implementing policies that restrict access from unknown devices and locations.
Minimizing the Threat Surface
PruittHealth now needed a device inventory to provide visibility into all of the devices accessing protected applications and to enforce device-based access policies. With Duo Beyond, the team can see a full device inventory through a single pane of glass, has secured its endpoints, and enforces policies that block access to applications from out-of-date and vulnerable devices. Combined with the MFA rollout, this has reduced the attack surface effectively and efficiently.
Additionally, Bailey shared that they are able to use the Trusted Endpoints feature to complement their mobile device management (MDM) solution. On Android and iOS devices where the Duo Mobile app is installed, PruittHealth can verify the device and determine whether it satisfies the defined access policies before permitting access to the application. By leveraging this feature, they are able to provide convenience to their users without compromising security.
Regulatory Compliance Now and into the Future
Like any other healthcare organization handling PHI data, PruittHealth is required to adhere to the HIPAA omnibus rule. Duo Beyond helps PruittHealth qualify for the HIPAA omnibus rule's exclusions from mandatory breach reporting by providing reports and audit log data that demonstrate and evidence encryption and passcode compliance. User access attempts are logged not only at enrollment but each time a user accesses an integrated application, providing a historical audit trail. Their implementation of Duo Beyond thus helps reduce the potential for fines or penalties that could result from a HIPAA violation.
Currently, the state of Georgia Drugs and Narcotics Agency (GDNA) enforces Electronic Prescribing of Controlled Substances (EPCS) regulations as set out by the Drug Enforcement Agency (DEA). In the future, PruittHealth intends to leverage Duo’s identity proofing to ensure they are in compliance with EPCS guidelines.
PruittHealth invested in its security environment by deploying Duo Beyond to protect its users, block malicious attack sources, help it continue to meet HIPAA regulations, and set the organization up to meet EPCS guidelines. By implementing strong security solutions, PruittHealth demonstrates its ongoing commitment to protect and care for its patients and their data.