Healthcare Secure Authentication Case Study: Sanitas
Sanitas uses PINsafe® for additional security, without compromising usability
Sanitas is a leading health care provider in Spain. Across its network of hospitals and clinics, it provides a personalized health service together with various insurance policies for its clients. Besides its five private hospitals, the company has invested in more than 800 medical centers and clinics in Spain where patients can receive treatment. Sanitas is a member of Bupa, an international health care group which operates in more than 190 countries around the world. This group has no shareholders, which means that all profits are invested in infrastructure improvements such as hospitals and new technologies in healthcare. Today Sanitas has more than 9,000 employees and 2.4 million clients.
To operate over such a vast network, remote access to all information stored on the corporate network has become a vital necessity. Sanitas uses the Citrix Access Gateway portal and needed to provide its employees and commercial delegates who work remotely with flexible and secure access to information stored on the virtual private network (VPN).
Given the sensitive nature of the data that is contained on the systems, such as patient records, it was crucially important for Sanitas to ensure that only authorised parties were accessing the VPN. To coordinate the implementation and adoption of an authentication solution amongst such a large employee base, Sanitas required a solution that would not only guarantee strong security, but also provide flexibility and ease of use.
Faced with this challenge, Sanitas approached Comparex, a global IT provider that specialises in license management, software procurement and technical product consulting. Comparex considered the requirements set by Sanitas and recommended the Swivel authentication solution.
Swivel Secure’s multi-factor authentication solution presents the user with a challenge and checks that their response is correct before granting network access. The company has over 17 years’ experience in delivering authentication solutions to a wide variety of customers, including UK NHS Trusts.
As a flexible authentication platform, Swivel offers the widest range of user deployment options according to Gartner, and enables companies to assign an authentication level to each member of staff, meaning only authorised employees can access certain areas of the corporate network – a key requirement for Sanitas.
Recognising Sanitas’ need for flexibility and adaptable authentication, Comparex also recommended Swivel Secure’s PINsafe protocol, which offers an additional level of security, without compromising usability.
PINsafe, Swivel’s patented one-time-code (OTC) extraction protocol, generates an OTC each time a user needs to log in, thereby ensuring that only authorised users can access the virtual network.
The process combines the use of a registered PIN with a ten-digit security string that is sent to the user. The user then combines these in their head to work out a unique OTC. For example, if the user has a PIN of ‘1370’, the user would enter the first, third, seventh and tenth digits from their security string.
The PIN is known only by the user and is never entered at the time of login. This method guarantees that the authentication server can never be compromised by known threats such as phishing, key logging or hacking and mitigates the threat of man-in-the-middle and shoulder surfing attacks.
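The extraction step described above, together with the server-side check, as an added Python example (not Swivel's code). The names `extract_otc` and `ToyAuthServer`, the sample security string, and the single-use handling of each string are assumptions made for illustration.

```python
import hmac
import secrets

STRING_LENGTH = 10  # the page describes a ten-digit security string


def new_security_string() -> str:
    """Server side: a random ten-digit challenge (generation method is assumed)."""
    return "".join(secrets.choice("0123456789") for _ in range(STRING_LENGTH))


def extract_otc(pin: str, security_string: str) -> str:
    """Return the security-string digits at the positions named by the PIN."""
    for value in (pin, security_string):
        if not (value.isascii() and value.isdigit()):
            raise ValueError("PIN and security string must be decimal digits")
    if len(security_string) != STRING_LENGTH:
        raise ValueError("security string must be ten digits long")
    # PIN digit 1 selects the first digit ... 9 the ninth, and 0 the tenth.
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class ToyAuthServer:
    """Hypothetical server: one outstanding challenge per user, PIN never sent."""

    def __init__(self, pins):
        self._pins = dict(pins)
        self._pending = {}

    def issue(self, user, security_string=None):
        # A fixed string may be passed in for demonstration; otherwise random.
        challenge = security_string or new_security_string()
        self._pending[user] = challenge
        return challenge

    def verify(self, user, submitted_otc):
        # pop() discards the challenge on every attempt, so an OTC cannot be replayed.
        challenge = self._pending.pop(user, None)
        pin = self._pins.get(user)
        if challenge is None or pin is None:
            return False
        expected = extract_otc(pin, challenge)
        return hmac.compare_digest(expected.encode(), submitted_otc.encode())
```

With the constructed security string `5821936407`, the page's example PIN `1370` yields the OTC `5267`, and only that value is typed at login.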
Sanitas opted to implement PINsafe across multiple devices, so as to allow its employees greater flexibility in how they choose to authenticate.
Sanitas chose PINsafe’s browser implementation via TURing image, which incorporates the security string image within a login dialogue. Swivel offers a variety of customisation options such as different fonts and backgrounds to make the TURing image more resistant to optical character recognition attacks.
In addition, Sanitas employees can also authenticate via the PINsafe mobile app, which delivers an OTC directly from the Swivel server to their mobile devices – enabling users to authenticate even during a prolonged lack of network coverage.
Sanitas’ previous solution authenticated via a mobile application; however, Swivel offered superior security and flexibility, providing Sanitas employees with the option to authenticate from their browser, with further authentication options such as tokens and SMS available if required.
The solution was implemented in 2013, and at that time its 1,000 remote users authenticated via Swivel Secure’s PINsafe solution.
Moving forward, Sanitas intends to implement Swivel in different portals so as to allow access from VDI desktops too.