“Duo has proven to be one of those rare solutions that both improves the security while simultaneously being easier for our clinicians to use so that they can focus on their job of serving patients. Our staff and clinicians love using Duo at work, which never happens in healthcare.”
— John Zuziak, CISO, University of Louisville Hospital
University of Louisville Hospital is adopting a zero-trust security framework to reduce their attack surface
UofL Hospital needed to protect Microsoft O365 along with other applications that are critical for their business
Deploying Duo helped UofL Hospital protect sensitive protected health information (PHI) data without impeding clinicians’ productivity
Duo also helped them meet regulatory compliance requirements, such as HIPAA and PCI
University of Louisville Hospital is one of the oldest academic teaching and research hospitals in downtown Louisville, Ky. and serves more than 500,000 patients every year. A pioneer in modern medical practice and surgical procedure, the hospital offers a top-notch cancer center, and the only Level 1 trauma center in the region, which admits 3,000 patients a year. Protecting the privacy, security and the integrity of sensitive information, such as patients’ health records and billing information is one of the highest priorities for the security team at UofL Hospital.
UofL Hospital was part of a larger health conglomerate, KentuckyOne Health, a division of Catholic Health Initiatives, where they used a large number of IT and security tools. During the separation from KentuckyOne, UofL Hospital took a holistic look at their environment and implemented a security strategy tailored to their users' needs and to UofL Hospital's own IT infrastructure. They completed a risk-based analysis to identify areas where security could be improved. This assessment showed UofL Hospital that it needed stronger controls to protect against phishing attacks and to block malicious access attempts to their applications.
Additionally, being in the healthcare industry, UofL Hospital must comply with various regulatory requirements, such as HIPAA and PCI DSS. Healthcare is one of the most heavily regulated industries, with ever-increasing requirements, and the hospital wanted to be ready both for current regulations and for those likely to be enforced in the near future.
UofL Hospital wanted a lightweight security program that aligns with the business and acts as an enabler for clinicians rather than a hindrance. They also needed a solution that did not add significant overhead for the security team.
UofL Hospital deployed Duo and was immediately able to consolidate several projects, such as multi-factor authentication (MFA), single sign-on (SSO) and mobile device management (MDM), which reduced their overall total cost of ownership by more than 50 percent.
“We are adopting a zero-trust security framework, and we know we needed MFA to start with, and multiple clinician leaders recommended Duo. It was an easy choice for us. It was the first ever security solution recommended by the users and by clinicians. This never happens in healthcare,” said John Zuziak, CISO of University of Louisville Hospital.
UofL Hospital was able to roll out Duo with minimal effort and without a lot of support calls. “Duo is one of those solutions that does exactly what it is supposed to do – it’s so easy for the users to use. We have received only five support calls since deploying Duo,” said Zuziak.
With Duo, UofL Hospital gained visibility into every device connecting to the network from outside, including each device's location. They could view a full device inventory through a single pane of glass and enforce policies such as blocking access to applications from unknown locations. Combined with MFA, this reduced their attack surface effectively and efficiently.
Additionally, UofL Hospital was able to check the security posture of the devices accessing their applications and to control who is allowed access and under what conditions. As a US-based organization, UofL Hospital blocked all attempts to reach internal applications from devices in foreign countries, minimizing their threat surface.
Like any other healthcare organization handling protected health information (PHI), UofL Hospital is required to comply with HIPAA regulations. Duo helped UofL Hospital develop and follow procedures that ensure the confidentiality and security of PHI. Access attempts are logged not only at enrollment but each time a user accesses an integrated application, providing an audit trail. Their Duo implementation makes it easier to reduce the potential for any violation of the regulation.
“We wanted a modern, fluid and innovative way to adhere to various regulatory requirements. HIPAA is an important regulation, but it is not the only one. We have the additional regulatory burden that healthcare providers share with other industries, such as the Payment Card Industry Data Security Standard (PCI DSS) for protecting credit cardholder data and many others. The Electronic Prescribing of Controlled Substances (EPCS) regulation is currently not enforced in the state of Kentucky, but I want us to be prepared for that. We took this transition as a means to develop and follow procedures that ensure the confidentiality and security of patients’ information and minimize risk exposure. Duo is a partner we trust to help with this transition in the most secure manner possible,” said Zuziak.
The heterogeneous application environment adds complexity for IT risk and security teams when it comes to protecting access to an organization’s sensitive applications and data. UofL Hospital identified several critical applications they wanted to start protecting. With Duo, they were able to centralize visibility of access across applications in a single pane of glass, starting with critical systems such as Palo Alto Global Protect, Citrix Netscaler, Thycotic, Office 365 and many more.
Duo’s single sign-on solution helped UofL Hospital increase user productivity. Instead of entering credentials separately for each application, users log in once through Duo SSO, using their existing credentials and strong MFA, and reach their cloud applications from a single dashboard.
“We started securing our perimeter first taking a risk-based approach, ensuring that the verified user on a healthy device is accessing the application they should have access to. This is our first step in the zero-trust journey that we embarked upon with Duo,” said Zuziak.
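The access decision Zuziak describes above (a verified user, on a healthy device, from an allowed location, with every attempt recorded for the audit trail mentioned in the HIPAA section) can be sketched as a small policy evaluator. The following is an added illustration written for this page, not code from the case study or from Duo: the request and policy fields, the device-posture attributes, the sample users and IP addresses, and the country values are all constructed assumptions, and a real deployment would take posture and geolocation from the access-policy product rather than from the request itself.

```python
"""Added example (not Duo's code): a minimal zero-trust access check with an
audit trail. All field names, sample users, IPs and countries are hypothetical."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set


@dataclass
class Device:
    os: str
    os_version: str
    disk_encrypted: bool
    screen_lock: bool
    managed: bool          # enrolled in device management (assumed attribute)


@dataclass
class AccessRequest:
    user: str
    application: str
    mfa_passed: bool       # outcome of the second factor
    source_ip: str
    country: str           # assumed already resolved from source_ip by a geo lookup
    device: Device


@dataclass
class Policy:
    allowed_countries: Set[str]
    min_os_version: Dict[str, str]   # e.g. {"windows": "10.0", "ios": "15.0"}
    require_managed: bool = True
    require_encryption: bool = True
    require_screen_lock: bool = True


@dataclass
class Decision:
    allowed: bool
    reason: str


def _version(v: str):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate(req: AccessRequest, policy: Policy, audit: List[dict]) -> Decision:
    """Deny on the first failed condition; append every attempt to `audit`."""
    dev = req.device
    if req.country not in policy.allowed_countries:
        d = Decision(False, f"source country {req.country} not allowed")
    elif not req.mfa_passed:
        d = Decision(False, "second factor not satisfied")
    elif policy.require_managed and not dev.managed:
        d = Decision(False, "device not enrolled in management")
    elif dev.os not in policy.min_os_version:
        # Fail closed: an OS the policy knows nothing about is not "healthy".
        d = Decision(False, f"unsupported OS {dev.os}")
    elif _version(dev.os_version) < _version(policy.min_os_version[dev.os]):
        d = Decision(False, f"{dev.os} {dev.os_version} below minimum {policy.min_os_version[dev.os]}")
    elif policy.require_encryption and not dev.disk_encrypted:
        d = Decision(False, "disk not encrypted")
    elif policy.require_screen_lock and not dev.screen_lock:
        d = Decision(False, "screen lock disabled")
    else:
        d = Decision(True, "verified user on healthy device from allowed location")
    audit.append({
        "user": req.user,
        "application": req.application,
        "source_ip": req.source_ip,
        "country": req.country,
        "device": asdict(dev),
        "result": "allow" if d.allowed else "deny",
        "reason": d.reason,
    })
    return d


def denials_by_user(audit: List[dict]) -> Dict[str, int]:
    """Audit-trail review: count denied attempts per user."""
    counts: Dict[str, int] = {}
    for rec in audit:
        if rec["result"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


# Constructed sample policy and requests (hypothetical, not real hospital data).
POLICY = Policy(allowed_countries={"US"},
                min_os_version={"windows": "10.0", "ios": "15.0"})

SAMPLE_REQUESTS = [
    AccessRequest("dr.smith", "Office 365", True, "203.0.113.10", "US",
                  Device("windows", "10.0.19045", True, True, True)),
    AccessRequest("dr.smith", "Office 365", True, "198.51.100.7", "DE",
                  Device("windows", "10.0.19045", True, True, True)),
    AccessRequest("nurse.jones", "Citrix", True, "203.0.113.22", "US",
                  Device("ios", "14.8", True, True, True)),
    AccessRequest("nurse.jones", "Citrix", False, "203.0.113.22", "US",
                  Device("ios", "16.1", True, True, True)),
]


def run_samples() -> List[Decision]:
    audit: List[dict] = []
    return [evaluate(r, POLICY, audit) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    audit: List[dict] = []
    for r in SAMPLE_REQUESTS:
        d = evaluate(r, POLICY, audit)
        print(f"{r.user:12} {r.application:10} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
    print("denials by user:", denials_by_user(audit))
```

The order of checks is deliberate: location and the second factor are cheap and decisive, so they run before posture; an OS the policy does not list is denied rather than waved through, and denials are recorded with a reason so the audit trail can be reviewed per user rather than only per enrollment.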
Phishing was the most prominent challenge for UofL Hospital. They wanted an extra layer of security to protect their data and applications from bad actors. UofL Hospital has been implementing an organization-wide phishing awareness campaign. They are able to identify applications at risk of malicious attacks by launching phishing assessments directly from the Duo admin panel. “Since the rollout, we have not had any incidents of someone gaining access to our network,” said Zuziak.
“Our long term vision is to adopt a zero-trust security framework, and we have taken our first step. We were able to implement strong security controls without disrupting the business of helping patients, and Duo has helped us to do it easily and securely,” he said.