Vektis, Fastbyte, and Okta: Partnering to secure healthcare data for Dutch citizens

Playing a critical role in Dutch healthcare

The Dutch have arguably the best healthcare system in Europe, consistently ranking #1 on the European Health Consumer Index. The country’s “chaos” system combines public funding and mandatory insurance coverage with regulated competition between insurers and between providers.

Vektis serves as a national information center, helping insurers, providers, and the public understand the costs and realities of healthcare in the Netherlands. Whenever a Dutch citizen submits a medical declaration to a health insurer, that information goes into the Vektis database. The database, along with the applications that the company has developed to deliver the information, helps organize operational processes and reduce administrative burden for providers, insurers, and government oversight bodies.

As a neutral third party, Vektis is charged with understanding who is getting healthcare, where they are receiving it, and what it costs. But their most critical mandate, and the reason that the company exists in the first place, is to make sure that the private healthcare information of every Dutch citizen is kept confidential, not to be misused by rogue actors, whether they be public or private.

Wanted: Clearer identity answers

The company’s client base is broadening as healthcare researchers, providers, and consumers turn to Vektis to help analyze and respond to healthcare trends. Those demands add to its primary role of generating benchmarks and mirrored information that insurers can use to determine rates and policies.

Before Okta, each of the company’s applications had its own identity store, with some internal applications using Microsoft Active Directory. As the client list grew, the work of managing client accounts for the Vektis Cognos portal “simply became too convoluted and complex,” says Vektis IT architect, Frits Akersmit. “Because we had those different environments, we weren’t able to keep pace with new client demands.”

Even with several people dedicated to identity management, the team was unable to guarantee quick, accurate answers about who was accessing information on their database. “You want to know for sure that the person calling or logging in is who he says he is,” says Harry Wiltenburg, IT manager at Vektis. “If you can’t guarantee that, well, the chances of data leaks and accidents become huge.”

To add to the challenge, says Wiltenburg, “Our workplace has become virtual. You’re free to choose when, where, and what time you work.” Initially, remote employees had to add their IP address to the company firewall—a cumbersome process that made it nearly impossible to work while traveling or logging in from a new location at a time when the IT team wasn’t available.

An identity management “A-ha!” moment

Wiltenburg had partnered for six or seven years with Fastbyte, a Dutch IT service provider, in the context of virtualizing workstations and providing help desk services. When his contacts there told him that they were planning to implement Okta for their own company, he began to think seriously about transforming identity management at Vektis.

At this point, the Vektis team came to a realization: “Our organization needs to be focused on generating information and not on managing identity.” says Ankersmit. Providing a seamless experience for clients accessing information was core to their business. An identity management partner could help them secure that access so that the Dutch people would never have to worry about their private health information getting into the wrong hands.

The team considered identity partners other than Okta, but “In the end, we were left with Microsoft and Okta, in terms of our requirements,” says Ankersmit. “When we looked at what was more out-of-the-box, Okta had the advantage.”

“We did a number of proof-of-concept tests with both Microsoft and Okta, to see what works, what runs quickly, what’s easy,” he says. “It was striking how much more easily we could arrange things with Okta. We had proof of concepts planned for a week each. Okta had it done in half a day.”

It was striking how much more easily we could arrange things with Okta. We had proof of concepts planned for a week each. Okta had it done in half a day.

The Vektis team appreciated the ease and relatively low cost of getting Okta up and running. “You don’t immediately have to start with everything, says Ankersmit. “You can just pick [additional features] up later, so it’s very easy.”

Proprietary apps, connected

While the out-of-the-box story was the main reason that the Vektis team chose Okta, they decided in the implementation process to start with the Okta API, to connect the company’s proprietary apps to Okta Universal Directory. “The API is solidly structured,” says Ankersmit. “The first time I delivered an application with the API and provided access in that way, I felt like, ‘Hey, this is right. This is a good investment.’”

“We use the API sometimes with both SAML and OpenID, and that works well,” he says. “The API is clear; we can quite easily find all the information we need. We also have a bunch of expert programmers to help us. Once a new, Okta-enabled application is in production, it simply works great. Then, it’s just like driving on the right-hand side—at some point, you forget you’re doing it, and that you could possibly do it on the left.”

Today, the team connects as many apps as possible to Universal Directory and manages client accounts almost entirely within the Okta API admin. Clients sign in once to access all their applications. They see a Vektis-branded login page, powered by Okta, and experience a much simpler process for getting all the information they need.

“We never have to bother people any more by saying, ‘You have to log in like this on A and like this on B,’” says Ankersmit. “People can also do a reasonable amount of self-service once they have an account, so that really helps. We can simply rely on the Okta infrastructure.”

People can also do a reasonable amount of self-service once they have an account, so that really helps. We can simply rely on the Okta infrastructure.

It hasn’t been a small change for Vektis clients. Previously, says Wiltenburg, “You had a single user ID for a single organization, and you could serve 100 internal users with that ID.” From their perspective, it was a simpler system. “When the roll-out came, I expected there would be lots of complaints from insurers, and that they would block the adoption of the Okta platform, but that wasn’t the case at all. I think it went fairly easily.”

Ankersmit agrees, adding that health insurers appreciate the fact that they now have clear insight into who in their organization is using Vektis applications. “It cuts both ways,” he says. The company currently connects 4600 client users through Universal Directory and the Okta API. Most clients use between five and eight applications each, which they can now access with just one login per user, in a more unified but completely Vektis-branded experience.

Access rights management, delegated

Next, the team hopes to achieve what they call “delegated access rights management,” giving client organizations and the contact representatives within those organizations the option to authorize and disable accounts in Okta on their own.

“If you work for insurer A and you go to B, and it isn’t reported, you have a problem,” says Wiltenburg. Because insurers own that information, not Vektis, it makes sense for them to take ownership of their user logins. “I want a solution in which you can effectively delegate that responsibility,” he says.

Because of procedures surrounding user administration, implementation of the access rights management goal has been complex, but the team is making headway. They are also looking at Okta Adaptive Multi-Factor Authentication (MFA) to help validate identities in the system.

Vektis’ new “one organization, one person, one identity” policy requires each client organization contact to have her own login identity. Because of client relationship factors, however, and the way the client database was set up originally, Vektis can guarantee that the policy is followed only if they set up MFA for some clients.

“You have to imagine, sometimes we’re dealing with companies that offer services to multiple healthcare providers,” says Wiltenburg. One person may effectively work for three separate organizations, logging in to Vektis to perform competition-sensitive tasks.

“We want to know when that’s happening, so we can communicate it to those companies,” says Ankersmit, “and we also want to enforce that those combinations no longer exist. We can only enforce that with MFA.”

He also plans to use MFA to add extra security for Vektis employees logging in from locations outside the Vektis domain. The team is working to set Vektis employees up with secure remote access to their applications, via Okta.

Growing trust. Increasing engagement.

Today, says Ankersmit, “In a number of cases, we simply have a better idea of who is logging in.”

At the same time, the team has had to educate stakeholders about the importance of identity management for protecting Vektis data. “In an environment that is incredibly sensitive in terms of privacy and competition, the business did not perceive identity management as a top priority,” says Wiltenburg. “It wasn’t calculated, charged to clients—it was just included in the price. People didn’t notice it at all because it was just there, so they thought it was free.”

The results, however, speak directly to added value. “In addition to the stories that I pick up from my own people, when I saw the number of active users rising quickly, that’s when I felt like, ‘Hey, we bought something that is being used,’” says Wiltenburg. “The discussion on the management team about [Okta]: ‘Do we need it? What problem are you solving?’ That stopped right away.”

I saw the number of active users rising quickly. The discussion on the management team about [Okta]: ‘Do we need it? What problem are you solving?’ That stopped right away.

Securing healthcare data into the future

Wiltenburg expects Vektis to remain on the current path, working with Fastbyte and Okta to streamline client account management, and making it easier for internal teams to access their work. He sees the number of client identities increasing into the future. “We’ll be dealing more and more with healthcare providers,” he says. “Lots of those companies aren’t all that big, so I think we’ll be seeing massive growth in identities.”

“On the other hand,” he says, I also see our products and services increasing and changing, and we need to adapt, to match our roles and groups to that.” The Fastbyte team is on top of it, serving as architects and contract partners. They uncover new Okta licensing options as Vektis grows, and work with Wiltenburg to find financial and functional options that benefit Vektis in the long term.

Along the way, Vektis is building a foundation that allows them to meet healthcare data opportunities in the Netherlands with the confidence that only a secure platform can bring.

About Vektis

Vektis serves as a national information center for the Netherlands, collecting healthcare data via insurance declarations. The Vektis database and proprietary applications help insurers, providers, and the public understand the costs and realities of healthcare in the Netherlands. As a neutral third party, Vektis is also charged with making sure that the private health information of every Dutch citizen is kept confidential and secure.