Centre Hospitalier Saint Quentin: How Okta is helping a medical centre to keep its workers safe by securing remote working
to configure Okta
for simple multi-factor user authentication
- Getting ready for remote working
- Choosing a solution that's simple and secure
- Implementing double-factor authentication
- More confidence in remote access systems
- An example for other medical establishments to follow
Like many medical establishments, when the French lockdown was announced in March 2020, CHSQ wasn't ready from a security perspective to deploy remote working for users at a large scale. In the context of an increase in the number of cyberattacks, CHSQ wanted to put in place strong authentication, to verify the identities of its remote workers and guarantee its security strategy in the long term.
The IT team looked for an IAM solution that could adapt to unmanaged personal devices as well as computers provided by CHSQ. The solution needed to be simple for users, easy for the IT department to manage and maintain, and also needed to integrate natively with CHSQ's infrastructure, which uses a Palo Alto VPN.
Now, when remote workers connect, their identity is verified using Multi Factor Authentication, with either an SMS, an OTP application, or with Okta Verify. Depending on their Active Directory profile, which is integrated with Okta's Universal Directory, users are automatically connected via the correct channel.
With Okta, CHSQ's remote workers have more confidence in the hospital's remote access systems. As for the technical team, they know that the connection is secure, and that sensitive data is better protected.
CHSQ hopes that its experience can serve as an example for other medical establishments that are facing the growing threat of cyberattacks. The next step? Securing remote maintenance access using MFA, and the implementation of Okta in other establishments in CHSQ's regional hospital group (Groupement Hospitalier de Territoire).
We wanted a solution that is simple to use. We didn't want to put so many barriers in place that it affects productivity. It had to be effective, but easy for our teams to manage and maintain.
Jean-Baptiste Gard, Infrastructure and Networks Manager and CISO at Centre Hospitalier Saint-Quentin (CHSQ)
- Offers strong authentication of remote workers' identities using MFA, to protect sensitive hospital data
- Connects users automatically via the correct channel, for a harmonious and frictionless user experience
- Adds an additional layer of security that reassures employees in the context of a rising number of cyberattacks
- Provides a platform that's always available, so practitioners can connect remotely and work on files at any moment of the day or night
Trust and confidentiality are central to the patient-doctor relationship, especially when it comes to patient data. Increasingly, however, hospital data is becoming a target for cyberattacks. According to ANSSI, in 2020, a cyberattack targeting a French hospital took place every week. It's an issue that Jean-Baptiste Gard, Infrastructure and Networks Manager and CISO at Centre Hospitalier Saint-Quentin (CHSQ), recognizes. "Since 2020, we've seen a net rise in attempts to exploit vulnerabilities, as well as an explosion in phishing attacks," he confirms. "In February 2021, many medical establishments were targeted by ransomware attacks."
CHSQ serves the city of Saint-Quentin in the north of France and has around 1,000 hospital beds. The hospital is also a referral center for a network of 11 hospitals across the Somme and Aisne departments, which cover around 400,000 inhabitants. This position means it leads structural and strategic projects for the group, such as piloting training, purchasing, and IT innovations.
Before the onset of the pandemic, the majority of CHSQ's 2,500 employees worked on-site. Because of the sensitive nature of patient data, remote working was available only for a small number of employees who could access the network remotely via the hospital's VPN. However, when France went into lockdown in March 2020, the hospital needed to pivot to remote working in order to protect as many people as possible.
"We extended remote VPN access to an additional 150 people, including medical, administrative, and technical staff," Gard explains. "We weren't ready for that, from a security perspective. Our users weren't used to it, and they were not able to access all the tools they needed."
With insufficient portable devices to supply every remote employee, the IT department looked for an identity management solution that could adapt to both unmanaged personal devices and to computers provided by CHSQ. Within the context of increased cybersecurity threats, it wanted to put strong authentication in place to verify the identity of remote workers during the pandemic, as well as enabling its security strategy for the long-term, anticipating the addition of new cloud applications.
Choosing a solution that's simple, secure, and doesn't slow productivity
According to Gard, reconciling security with a smooth user experience was a priority when choosing a security solution for CHSQ. "We wanted a solution that is simple to use," he explains. "We didn't want to put so many barriers in place that it affects productivity. It had to be effective, but easy for our teams to manage and maintain."
CHSQ also wanted a platform that would integrate with the existing infrastructure, as it was already using Palo Alto Networks GlobalProtect for its VPN. "Okta offers an easy integration with Palo Alto, which suited our needs," says Gard. "The two solutions complement one another perfectly: Okta verifies identities, and Palo Alto manages the file integrity monitoring and security analysis side of things."
With a slow return to on-site activity over the summer months of 2020, but with the prospect of a second wave and return to remote working in the autumn looming, CHSQ prepared to deploy Okta. "We decided on a simple integration using SAML," says Gard. The team needed to configure three aspects: integrating Okta with the hospital's firewalls, then installing an LDAP client on the servers at CHSQ to work with the Active Directory, and then configuring the cloud part in Okta.
"For the Okta configuration, it took between 4 and 5 hours to carry out the necessary tests and install everything," says Gard. "We didn't have any issues, the process was straightforward and quick." In September, 200 users were migrated to the new system, accessing the VPN using Okta Multi-Factor Authentication. "We were able to simply put our POC into production, we didn't have to start from scratch," Gard confirms.
A successful return to remote work for 200 users
With Okta in place, when the subsequent lockdown was announced, the CHSQ team was ready for it. "When the next lockdown was announced in October 2020, 200 users once again had to pivot to remote working. This time, everything went very well," says Gard.
CHSQ users logging on remotely are now authenticated by Okta, which is integrated with both CHSQ's Palo Alto GlobalProtect VPN and with Citrix VDI. The VDI is used by employees who are using private devices rather than a company computer and who require access to a virtual desktop for applications that can't run remotely due to latency issues.
Depending on their Active Directory profile, which is integrated with Okta's Universal Directory, users are connected automatically via the correct channel. They are then able to access the applications they need depending on the level of access that fits their profile. For secure authorisation, CHSQ decided to offer three MFA second factor options: SMS, the Okta Verify mobile application, as well as another OTP application (Google Auth), to give users a choice.
"When our users open up their workstation in the morning, whether that be a CHSQ computer or their own device, they click on the connect button," Gard explains. "After entering their password followed by a second-factor according to their preference, the application verifies the connection and the user has access to everything they need. It's easy for them, and we know that their connection is secure."
Connecting with confidence, during lockdown and beyond
According to Gard, the big difference in remote working the second time around has been in the experience of the users. "Since implementing Okta, our remote working employees have more confidence in our remote access systems," he explains. "Day-to-day security risks inevitably bring more anxiety to users. They find Okta reassuring."
Another benefit is that the Okta platform is always available. "At any moment of the day or night, practitioners can connect and work on a file," says Gard. "Certain doctors are able to connect from home in a secure way in order to add information to patients' files remotely. Furthermore, we haven't experienced any service interruptions, which is very important for providing continuity of service for our patients."
The next step? Securing remote maintenance access using MFA. Around 200 companies work on the CHSQ system remotely, installing, maintaining or updating applications. By adding an additional factor, the IT department can automatically verify the origin of these connections and guard against compromised accounts attempting to gain access. After that, the next stage will be to implement Okta in the other hospitals that are part of the regional group (Groupement Hospitalier de Territoire).
"I hope our experience can help our colleagues in other medical establishments," says Gard. "In the context of an increase in cyberattacks, we've been really convinced by Okta as a product: it provides an additional layer of security that is essential, and that makes a great difference in the eyes of our end-users."