For healthcare providers, medical malpractice insurance is a lifeline they hope never to use. As a leading medical liability and risk management solutions company, ProAssurance provides coverage that practitioners can trust in those critical moments — and identity and data security are essential to that promise.
“We are committed to protecting our customers' information, and we take that trust very seriously,” says Robert Gwaltney, VP Information Security. “We tell our employees to treat customer data the same way they’d treat their own, and that helps our teams think about data differently.”
However, ProAssurance’s previous setup, which included homegrown solutions, relied on manual processes that couldn’t scale as the company grew or efficiently support governance needs, like access reviews and certifications. Additionally, the company used different solutions for different functions: one tool for Single Sign-On (SSO) and another for Multi-Factor Authentication (MFA). This meant employees had to use separate usernames and passwords to log into each application, which put a large burden on ProAssurance’s lean IT team to provision access across platforms and resulted in security blind spots and a disjointed user experience.
ProAssurance realized that data protection had to start with identity and access management (IAM). The team sought a platform that offered a unified identity security fabric that would simplify login processes, enforce access management controls, and deliver end-to-end identity security. Now, IAM at ProAssurance starts and ends with Okta.
From siloed access to a unified identity security fabric
ProAssurance’s journey with Okta began by migrating from disparate solutions to Okta Workforce Identity to build a unified identity security fabric and secure access across the company’s complex IT environment. The team started by integrating Okta with Workday to establish a single source of truth for all user identities. This means that all employee data, including new hires and user attributes, is automatically synchronized by Okta across ProAssurance’s ecosystem of applications. The team immediately benefited from the efficiency enhancements and laid the foundation for seamless onboarding and user experiences.
With unified identity in place, new users are automatically enrolled in MFA solutions like Okta Verify. While certain applications require MFA every single time, Okta allows ProAssurance to set dynamic policies that reduce MFA fatigue by not challenging users repeatedly. As long as users are authenticating from a trusted device and haven't experienced significant changes in their network or location, they can continue working without disruption.
Meanwhile, phishing-resistant, passwordless authentication methods like Okta FastPass are available as an opt-in to a limited number of employees with access to appropriate hardware to strengthen security and reduce user friction. Beyond enabling seamless and secure user experiences, Okta also ensures compliance with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
The team has also implemented SSO to improve user experience and enable safe, secure onboarding. SSO serves as a central hub for users and offers immediate access to critical applications with just one login. This seamless experience also extends to the IT team, as onboarding new apps within the ProAssurance ecosystem into SSO is a breeze. “As our tech stack has evolved, the first thing people ask is if new apps and tools will work with Okta,” Gwaltney says. “When business partners know the product by name and request to integrate their tools, that’s when you know it’s become an integral part of your business.”
Automating onboarding and access reviews to simplify security
On the governance side, Okta Identity Governance (OIG) gives the team a single place to manage, monitor, and audit access, starting by automating the entire onboarding and offboarding process with Okta Workflows and Lifecycle Management. After confirming users through identity verification procedures and adding them to Workday, a series of Workflows automatically creates their Okta account and provisions access to all the apps they need to get started.
To empower users while keeping sensitive access secure, a self-service form streamlines ad hoc requests for restricted or legacy applications that can’t be fully automated. These automations have eliminated more than two hours of manual work by the IT team per new hire, ensuring new employees are productive faster and IT staff can focus on more important tasks. “Granting day-one access has become a completely hands-off process,” says Brian Foshee, system engineer architect. “The only hands-on thing is sending them the actual computer.”
Consolidating onboarding processes with Okta has also supported M&A procedures. Previously, when ProAssurance acquired another company, the team had to manually merge Active Directory (AD) instances. With Okta, they can tie in the new organization’s AD from day one, saving significant time and resources.
Furthermore, OIG enhances security and compliance through access reviews and certifications by making sure users have the correct permissions. Before Okta, ProAssurance used an in-house web application for these reviews, which involved uploading all user data and manually checking user access for each application from a long list.
Now, the team uses OIG to automate review processes, which has helped meet compliance requirements and reduced the risk of data breaches. Workflows complete tasks, from creating a ServiceNow ticket to revoking access to automating removal for applications like Microsoft Teams and file shares. “It used to take a week or two to remove access,” Foshee says. “With OIG and Workflows, it’s instant.”
This automated access removal also helps ProAssurance’s team spend less time addressing IT tickets. Since deploying OIG for automated deprovisioning, monthly access removal-related helpdesk tickets have fallen by ~85%. “Now, our staff doesn’t have to do anything — Okta revokes access automatically when needed, which decreases the amount of time and work our IT team needs to spend on these processes,” Foshee says.
Balancing security and user experience with behind-the-scenes IAM
Looking ahead, ProAssurance is working to drive greater security outcomes and strengthen its identity security fabric by deepening its investment in Okta. This includes implementing Okta Device Access (ODA) to add a layer of security during device login and meet upcoming changes to NYDFS requirements. ODA will help ensure users’ devices meet the company’s high security standards while providing a frictionless login experience from devices to apps.
“It’s rare from a security standpoint to find a solution that’s easier for the user and it’s more secure,” Gwaltney says. “Those two things do not meet often, but Okta makes it possible.”
About ProAssurance
ProAssurance is an industry-leading specialty insurer with extensive expertise in medical professional liability and products liability for medical technology and life sciences. ProAssurance also is a provider of workers’ compensation insurance in the eastern U.S. ProAssurance is rated “A” (Excellent) by AM Best. For the latest on ProAssurance, visit proassurancegroup.com with investor content available at Investor.proassurance.com.