University Hospital Gets the Most Out of Mobility with Total Access Control

Total Access Control from PortSys Helps Public Safety Agencies to Securely Transform Their Collaboration Efforts with Other Government Agencies, Social Services & Vendors

Milton Keynes University Hospital (MKUH) NHS Foundation Trust is a 550-bed hospital operating 50 miles northwest of London. MKUH provides outpatient services to more than 350,000 patients annually, while also managing more than 87,000 emergency department (ED) visits. As a university hospital, Milton Keynes also conducts upwards of 85 research studies on an ongoing basis, involving more than 2,500 research subjects.

 

To meet its mission for the U.K.’s National Health Service (NHS), the hospital has almost 5,000 employees and volunteers spread across four clinical service units and seven corporate functions with access to resources on its IT network. It also has approximately 1,000 users at partner organizations, the vast majority of whom require remote access to MKUH applications from outside of the hospital.

When Ollie Chandler, the Head of IT Technical Services at MKUH, arrived in late 2016, he saw there was an urgent need to upgrade the ability of his team to deliver secure remote access to the hospital’s resources. At the time, the hospital did not have an adequate access control solution in place to manage personal devices to encourage and enable a BYOD (Bring Your Own Device) approach.

Although the hospital relies on VPN connections for direct access for its Windows 10 corporate devices, only 10 percent of those devices are mobile; the rest are desktop computers. The vast majority of MKUH’s staff thus relies on their own personal devices for remote access to hospital applications when they work remotely.

 

As public safety, government and social service agencies look to increasingly share information with each other and their approved vendors in real time, they have a great opportunity to significantly advance the way they collaborate, make the lives of end users easier, and strengthen their security.

CHALLENGE

Total Access Control (TAC) is a Zero Trust Access solution that offers Federal, State, County and Municipal public safety agencies the opportunity to securely improve compliance by more effectively managing all access to their critical applications and network resources in one place. TAC’s consolidated Zero Trust Access approach provides multiple levels of security, eliminating the need for these agencies to invest in various solutions from multiple security vendors. TAC’s unified architecture ensures these agencies can control every feature and function of their security through a single platform. And it accomplishes this while making the lives of internal and external authenticated users easier with Single Sign-On through TAC’s web-based portal.

TAC ENABLES PUBLIC SAFETY AGENCIES TO…

  • Fortify Their Infrastructure
  • Reduce Their Attack Surface
  • Cut Complexity & Costs
  • Simplify Access for End Users
  • Thwart Hackers
  • Ensure Compliance
  • Enable Mobility

TAC SOLUTION ADVANTAGES

  • Strong Authentication
  • Device Intelligence
  • Secure SSH Network Services
  • Active Directory User Management
  • Granular Security Policies

“Approximately 80% of the remote access requests we receive don’t come from a MKUH corporate device at another location,” Chandler said. “They are either coming from the individual’s own personal device or a device owned by one of our partners. We needed a solution to enable us to get the most out of mobility, so our users would have access to what they needed to do their jobs wherever they were, as long as they had an internet connection.”

Chandler had been a strong proponent of the Microsoft Unified Access Gateway (UAG) solution for remote access at his previous assignment with the Bedford Hospital NHS Trust. However, UAG was reaching the end of life for support as Microsoft continued to mothball that solution.

That led Chandler and his team to begin an extensive search for a remote access control solution – one that would provide not only the high level of security that MKUH’s divisions, partners and patients required, but also the remote access capabilities necessary to continue to provide quality patient care. The chosen solution also had to meet strict requirements set forth by the NHS to safeguard patient information.

THE BUSINESS CASE

Reduce Complexity, Strengthen Security and Improve Collaboration with Partners

A public safety agency has to communicate with dozens of partners – including court systems and social services agencies – each with their own access standards. It also may need to connect to federal resources, such as the FBI’s National Crime Information Center (NCIC), which require that local agencies accessing national resources comply with federal security standards. Each agency also sets its own policies for end devices, making it impossible for one public safety agency to mandate its policies to partner organizations.



Hackers constantly scan for open ports across the critical infrastructure of public safety agencies to gain access through brute force and phishing attacks. Without the proper access controls in place, hackers can use an agency’s own credentials to launch ransomware, exfiltrate data on personal information such as criminal records, and spread these devastating attacks to partner agencies.

In many public safety agencies, more than half of the staff may be in the field at any time where they still need to collaborate with partner agencies. That makes enabling secure mobility across the extended public safety enterprise an essential requirement – something that has become even more critical as internal staff and external partners work remotely much more frequently due to the pandemic.

A public safety agency can now use Total Access Control (TAC) to provide full control over employee, partner and vendor connections to critical resources and applications from any device with TAC’s clientless RDP application. Many public safety agencies turn to TAC because support for Microsoft’s Unified Access Gateway reached its end of life long ago. These agencies have been able to further consolidate their IT security infrastructure for legacy applications as well.

A glaring problem is that each of those legacy network resources and native applications typically had their own separate ports. Hackers constantly scan the Internet using bots to exploit such open ports for ransomware, malware and data extraction of confidential information, such as criminal records.

Access requests for all applications and resources can now be delivered through TAC, wrapped over a single standard secure SSL port used for all web traffic (443). Users are then only granted access once a public safety agency’s security policies for each resource are met – and they are granted access to only those specific resources, not the entire network.

TAC not only serves the purpose that these multiple solutions previously offered, but it provides another level of security since all of a public safety agency’s resources are now behind a firewall and not exposed to the Internet. TAC’s Multi-Factor Authentication provides much greater protection against phishing, brute force, ransomware, and data exfiltration attacks that hackers try to launch through open ports to the Internet.

TAC also can make it much easier, and yet much more secure, for the tens of hundreds of users at partner government organizations who need to connect to a typical agency’s network. For instance, TAC is so intuitive that first-time users can quickly start using TAC with concise bulleted instructions from the agency’s network security team.

Also, for security reasons some agencies won’t make their email solutions publicly available through the Internet. However, internal users can still gain secure access once authenticated through TAC. Another frequent use case is public safety officers who – for obvious reasons – can’t bring along the laptop they may use at their home or office to report on undercover operations. With TAC, they can quickly, securely and discreetly access the critical information they need on a mobile phone – offering more security both in a virtual and a physical sense to those officers putting their lives on the line in undercover operations.

Ticking Off Every Box for Security

After considering several options, Chandler made a business case to the hospital’s Executive Management Board (EMB) for Total Access Control (TAC), an innovative Zero Trust solution from PortSys that provides simpler, stronger and more unified security.

“This was an innovative approach for our EMB to consider, because at the time we only had VPN connections for our own staff’s corporate devices, and nothing for BYOD or partners,” Chandler said. “The EMB was impressed that we would be able to offer a robust unified remote access solution built with security as its foundation. After the EMB signed off, we were up and running fairly rapidly.”

The TAC portal went live with connections to the hospital’s applications in less than a day. The solution was first rolled out to a core group of early adopters, before being fully deployed across the enterprise. Early adopters soon found that TAC was easy to use on remote devices, whether they were personal laptops, phones, tablets or desktop computers, and word quickly spread across the organization.

“TAC ticks off every one of our boxes for security,” Chandler said. “There are no direct connections to resources. Also, a user’s context of access must be authenticated. That includes robust endpoint inspection, verifying the user’s credentials, requiring multi-factor authentication, and validating the security status of the device. Each connection to each resource must meet the requirements in our security policies before TAC grants access.”

Even then, Chandler added, TAC only provides access to those applications for which a user is authenticated. TAC’s function-checking feature enables the use of customized authentication by application, so each resource has its own security policies for access. Extra authentication can be required through TAC for more sensitive applications, eliminating the “all or none” security policies traditionally used by enterprise organizations for remote access.

Chandler was also impressed with TAC’s flexibility. MKUH originally decided to present an icon-group Windows desktop through an IDS server, but it soon began adding web links to email and the hospital’s Intranet. The addition of more and more web apps soon turned the user interface into a crowded virtual desktop.

Each user’s endpoint is examined by TAC to determine the level of access users should receive, and nothing more. That prevents hackers from compromising agency resources from the endpoint if a device is lost or stolen.

In addition, nothing is required to be installed on a remote client, so TAC doesn’t violate security and privacy policies of partner agencies – and it doesn’t create any exceptions to be managed. 

Users access TAC’s portal securely by the public safety agency’s choice of web browser, enabling secure access to applications after inspecting not just the user, but the device, location, device security compliance status, and additional factors surrounding the user’s context of access that the agency requires for access. 

An agency can also view end user access for all internal users, partner agencies and support vendors through a single, centralized view. To ensure compliance to government regulations, TAC enables agencies to audit everything, including Single Sign-On (SSO), security policies, application delivery, secure tunneling, authentication, and government and personal devices – all in one place. 

Put it all together, and TAC transforms the ways partner agencies collaborate, and is a much more secure way for vendors to maintain the systems that public safety agencies rely on every day. 

Security is paramount for public safety agencies, but so is ease of use. It is imperative that end users have easy, secure access to critical applications, wherever they are working. TAC is easy to deploy, manage and maintain, with 24/7/365 support included.

“Remote users don’t need a full desktop experience for something as simple as reading a policy,” Chandler said. “We restructured various groups within Active Directory, and now we can provide the specific applications those groups need through the TAC portal. This made it a lot easier for our service desk to provision access.”

“TAC certainly is worth the payoff since we now have different people with different apps and different icons customized for their unique needs,” Chandler added. “It is so much easier to give the right people access to the right resources when they need them.”

Eliminating Pain Points

The elegant simplicity of TAC’s easy-to-use portal eliminates several other pain points as well – for end users and IT security administrators alike.

“TAC is very intuitive for our end users,” Chandler said. “The portal is self-explanatory – nobody needs hours of training in TAC. We regularly add new web applications and IDP server sessions for support companies in minutes. We also copy policies, applications and other things in TAC, which saves us so much time. TAC makes our lives significantly easier.”

A huge interoperability benefit for the hospital’s IT team was that TAC works in all mainstream browsers, making it much easier for end users with multiple personal and corporate devices.

“When an access request comes in, TAC generates a soft token,” Chandler said. “Remote users no longer rely on physical tokens that can easily be lost and were a pain to maintain and manage.”

TAC also helps the hospital to meet a large variety of partner missions. Most NHS IT systems are on a national network, but not all of them. TAC is the only way MKUH provides access to its applications for 3rd-party healthcare providers who are not on the national network.

“These partners were onboarded quickly and found out TAC works really well,” Chandler said. “They don’t have to use our hardware when they are at MKUH – there’s a clear demarcation. Also, because it’s internet-facing, our applications are available through TAC when partners provide patient care away from the hospital setting.”

MKUH also has 3rd-party IT support companies who use TAC from their own offices and on their own devices.

“Third parties come in from a wide variety of Windows devices and Macs,” Chandler said. “Regardless of the operating system, we can present any application through a browser with TAC, and it works well.”

TAC FEATURES

Enabling Mobility to Improve Patient Care

One of the biggest challenges in access management today is visibility. Chandler said TAC enables MKUH to generate a single report that allows it to answer the critical question for remote access – who accessed what and when?

TAC also allows the IT team to drill down and gain critical insights on any session or remote access activity – including user credentials, the location they access from, the devices used and their status, and what applications were accessed.

“We go into that report regularly to see when people are logging in to TAC and what they are accessing,” Chandler said. “That allows us to recognize remote access trends as well as security events that may need additional attention.”

Although PortSys has made security a critical component of TAC, Chandler casts the Zero Trust access solution as much more of a total business benefit across the organization – from the IT team to end users and partners, and ultimately, to the patients.

“Total Access Control is much more than just a security solution,” Chandler said. “It enables mobility across our entire extended organization. Surrounding hospitals ask what we deliver through TAC today, and they can’t deliver the same level of mobility for their users. TAC enables us to stand out from the crowd and, most importantly, provide better patient care.”

SIMPLIFY

  • Easier access for end users across multiple public safety and social service agencies
  • Eliminate need for multiple security products
  • Lower operational and technology costs
  • Scale user access quickly for new partner agencies

STRENGTHEN

  • Vigorous authentication
  • Context of Access used to grant/deny access to all resources and applications
  • Define security policies for each partner and vendor user group
  • Close exposed routes for hackers (eliminate most open ports)
  • Provide access only to agency resources, not networks

UNIFY

  • Centralized access to all resources: Federal, State, Municipal and Social Services
  • Single Sign-On across agency’s extended partner enterprise
  • Consistent policy enforcement ensures agency’s regulatory compliance
  • Integrated audit/reporting of all access in one place
