Trust and confidentiality are central to the patient-doctor relationship, especially when it comes to patient data. Increasingly, however, hospital data is becoming a target for cyberattacks. According to ANSSI, in 2020, a cyberattack targeting a French hospital took place every week. It's an issue that Jean-Baptiste Gard, Infrastructure and Networks Manager and CISO at Centre Hospitalier Saint-Quentin (CHSQ), recognizes. "Since 2020, we've seen a net rise in attempts to exploit vulnerabilities, as well as an explosion in phishing attacks," he confirms. "In February 2021, many medical establishments were targeted by ransomware attacks."
CHSQ serves the city of Saint-Quentin in the north of France and has around 1,000 hospital beds. The hospital is also a referral center for a network of 11 hospitals across the Somme and Aisne departments, which cover around 400,000 inhabitants. This position means it leads structural and strategic projects for the group, such as piloting training, purchasing, and IT innovations.
Before the onset of the pandemic, the majority of CHSQ's 2,500 employees worked on-site. Because of the sensitive nature of patient data, remote working was available only for a small number of employees who could access the network remotely via the hospital's VPN. However, when France went into lockdown in March 2020, the hospital needed to pivot to remote working in order to protect as many people as possible.
"We extended remote VPN access to an additional 150 people, including medical, administrative, and technical staff," Gard explains. "We weren't ready for that, from a security perspective. Our users weren't used to it, and they were not able to access all the tools they needed."
With insufficient portable devices to supply every remote employee, the IT department looked for an identity management solution that could adapt both to unmanaged personal devices and to computers provided by CHSQ. Against a backdrop of increased cybersecurity threats, it wanted to put strong authentication in place to verify the identity of remote workers during the pandemic, as well as to enable its security strategy for the long term, anticipating the addition of new cloud applications.
Choosing a solution that's simple, secure, and doesn't slow productivity
According to Gard, reconciling security with a smooth user experience was a priority when choosing a security solution for CHSQ. "We wanted a solution that is simple to use," he explains. "We didn't want to put so many barriers in place that it affects productivity. It had to be effective, but easy for our teams to manage and maintain."
CHSQ also wanted a platform that would integrate with the existing infrastructure, as it was already using Palo Alto Networks GlobalProtect for its VPN. "Okta offers an easy integration with Palo Alto, which suited our needs," says Gard. "The two solutions complement one another perfectly: Okta verifies identities, and Palo Alto manages the file integrity monitoring and security analysis side of things."
With a slow return to on-site activity over the summer months of 2020, but with the prospect of a second wave and a return to remote working looming in the autumn, CHSQ prepared to deploy Okta. "We decided on a simple integration using SAML," says Gard. The team needed to configure three aspects: integrating Okta with the hospital's firewalls, then installing an LDAP client on the servers at CHSQ to work with Active Directory, and then configuring the cloud part in Okta.
"For the Okta configuration, it took between 4 and 5 hours to carry out the necessary tests and install everything," says Gard. "We didn't have any issues; the process was straightforward and quick." In September, 200 users were migrated to the new system, accessing the VPN using Okta Multi-Factor Authentication. "We were able to simply put our POC into production; we didn't have to start from scratch," Gard confirms.
A successful return to remote work for 200 users
With Okta in place, when the subsequent lockdown was announced, the CHSQ team was ready for it. "When the next lockdown was announced in October 2020, 200 users once again had to pivot to remote working. This time, everything went very well," says Gard.
CHSQ users logging on remotely are now authenticated by Okta, which is integrated with both CHSQ's Palo Alto GlobalProtect VPN and with Citrix VDI. The VDI is used by employees who are using private devices rather than a company computer and who require access to a virtual desktop for applications that can't run remotely due to latency issues.
Depending on their Active Directory profile, which is integrated with Okta's Universal Directory, users are connected automatically via the correct channel. They can then access the applications they need, at the level of access that fits their profile. For secure authentication, CHSQ decided to offer three MFA second-factor options to give users a choice: SMS, the Okta Verify mobile application, and another OTP application (Google Auth).
"When our users open up their workstation in the morning, whether that be a CHSQ computer or their own device, they click on the connect button," Gard explains. "After entering their password followed by a second factor according to their preference, the application verifies the connection and the user has access to everything they need. It's easy for them, and we know that their connection is secure."
Connecting with confidence, during lockdown and beyond
According to Gard, the big difference in remote working the second time around has been in the experience of the users. "Since implementing Okta, our remote working employees have more confidence in our remote access systems," he explains. "Day-to-day security risks inevitably bring more anxiety to users. They find Okta reassuring."
Another benefit is that the Okta platform is always available. "At any moment of the day or night, practitioners can connect and work on a file," says Gard. "Certain doctors are able to connect from home in a secure way in order to add information to patients' files remotely. Furthermore, we haven't experienced any service interruptions, which is very important for providing continuity of service for our patients."
The next step? Securing remote maintenance access using MFA. Around 200 companies work on the CHSQ system remotely, installing, maintaining or updating applications. By adding an additional factor, the IT department can automatically verify the origin of these connections and guard against compromised accounts attempting to gain access. After that, the next stage will be to implement Okta in the other hospitals that are part of the regional group (Groupement Hospitalier de Territoire).
"I hope our experience can help our colleagues in other medical establishments," says Gard. "In the context of an increase in cyberattacks, we've been really convinced by Okta as a product: it provides an additional layer of security that is essential, and that makes a great difference in the eyes of our end-users."