Securing sensitive medical data is a top priority for organizations like Meadville Medical Center, a Pennsylvania-based healthcare system. HIPAA regulations require healthcare organizations to keep careful track of who can access medical information, but maintaining detailed access logs and session data can be challenging without the right tools. Meadville Medical Center (MMC) needed a new way to verify user identities and track usage more effectively for its 2500 users, so the healthcare organization turned to UserLock.
The Challenge
Concurrent User Sessions Caused Compliance Concerns
Healthcare providers at medical centers like MMC treat hundreds of patients every day, so it’s no surprise that they’re incredibly efficient. As doctors and nurses meet with patients, they often use multiple workstations to take notes, order tests, and write prescriptions. But logging into those workstations with every new patient often seems frustrating and time-consuming for providers.
In the spirit of efficiency, many healthcare professionals log into multiple computers with a single set of credentials. While this may seem practical to doctors and nurses, these concurrent user sessions pose a major security risk and violate HIPAA regulations. When a single user logs in on multiple computers, it becomes impossible to track who accessed which patient’s data, putting all the organization’s data at risk of unauthorized exposure.
MMC’s previous access management solution, Okta, didn’t offer the support they needed to prevent concurrent sessions. That inspired the MMC team to download UserLock’s free trial.
The Solution
An Easy-To-Use 2FA Solution That Supports Rapid Workflows While Mitigating Risk
The MMC team quickly discovered that UserLock could help control unauthorized concurrent sessions, and they soon realized it was capable of much more than they expected. The healthcare organization also wanted a multi-factor authentication solution that could further strengthen their access security without interrupting their employees’ workflows.
The team wanted to leverage multi-factor authentication, but asking for identity verification too frequently would get in the way of doctors’ and nurses’ rapid workflows. UserLock's two-factor authentication solution works for MMC because it allows admins to decide how frequently to prompt for MFA. By verifying a user’s identity only when needed with an easy MFA method and allowing them to log in regularly throughout the day, MMC can secure their Active Directory user access and maintain accurate usage logs without slowing down critical workflows.
“I can’t trust that someone is a legitimate user or administrator just because they were on a computer on-site. Now I can verify who’s using our computers with UserLock.”
Mark Shorts
Lead Support Tech, Meadville Medical Center
However, since MMC employees occasionally use their devices outside the hospital, the team needed robust authentication controls for off-site users as well. With UserLock Anywhere, MMC can protect remote endpoints by triggering 2FA on every user connection outside the network domain or on an offline device, even if the user isn’t using a VPN or isn’t connected to the internet at all. The MMC team also found it helpful to integrate geolocation restrictions to trigger 2FA automatically for login attempts made outside the United States. Since all MMC employees’ day-to-day work stays stateside, any connection from outside the country would be immediately suspect.
“UserLock is hugely beneficial when someone loses their laptop. If an employee loses their device and someone tries to log in with their credentials, they can’t gain access because of the MFA prompt.”
Mark Shorts
Lead Support Tech, Meadville Medical Center
With more powerful authentication capabilities, MMC can prevent unauthorized access to their on-premises Active Directory and protect their data, even if a device is lost or stolen. Plus, insight into user sessions and usage logs can help the MMC team demonstrate HIPAA compliance and detect security threats faster, too.
The Result
Stronger 2FA Access Control Both On- and Off-Site for 2500 Employees
After a straightforward setup and easy deployment, MMC started using UserLock to verify 2000 user identities linked to Active Directory. Two months later, the healthcare company expanded to cover 500 more identities.
“UserLock’s straightforward setup was great. When we needed help setting up the proxy for off-site MFA, the tech support we received was fantastic.”
Mark Shorts
Lead Support Tech, Meadville Medical Center
After implementing the solution, Shorts appreciates how UserLock makes it easy to prevent concurrent sessions, authenticate users, and manage usage across the organization. UserLock gives the MMC team quick insight into who is using which device no matter where they log in, ensuring that patients’ sensitive medical data is protected against unauthorized access.
Not only does UserLock strengthen MMC’s overall cybersecurity posture, but it also mitigates compliance risk. Showing that they can restrict concurrent sessions and define usage more precisely allows MMC to prove that only authorized users can access sensitive data, demonstrating compliance with HIPAA regulations and limiting the risk of a breach.
UserLock is a clear choice for a hospital like MMC because it reliably secures the user logon without compromising user experience or efficiency. For MMC, UserLock was just what the doctor ordered.