The Arc of Ulster-Greene is part of a national not-for-profit organization that offers a full array of services to people affected by intellectual or developmental disabilities throughout the mid-Hudson and Catskill Mountains region of New York. Its small technology team provides services to a workforce of 2,500 people in 100 locations, is committed to the cloud, and likes to use IT solutions that simplify their IT/networking lives, but The Arc of Ulster-Greene found providing remote users access to critical healthcare-records applications very problematic.
Securing mobility and remote access in a HIPAA-compliant organization is very difficult. The Arc of Ulster-Greene had been using remote desktop solutions from Citrix and Microsoft, and the IT staff faced a number of challenges:
“If you allow people to work from home with their PCs, we actually have to audit their homes for compliance,” said Bart Louwagie, CIO of The Arc of Ulster-Greene. “It’s a big issue with HIPAA that is often ignored because people can do their work anywhere, meaning they can expose [personal healthcare] information anywhere. It’s not physically controllable.” The mobility of The Arc of Ulster-Greene’s workforce is also driving a need for increased agility in the IT organization. “If someone needs to move tomorrow, we can’t really respond to them, and we should be able to,” Louwagie added.
Furthermore, high availability must be an integral part of any solution for remote access. The Arc of Ulster-Greene’s workforce is required to log in remotely when the company goes into disaster-readiness mode, and the IT staff contacted its existing vendor for a potential solution. “Remote access, in case of disaster, was always a complex discussion with DNS fail-back solutions or having to inform users to go to a different location,” added Louwagie. “When we tried to get a proof of concept going with our vendor, they could not get it working in our environment.”
The Arc of Ulster-Greene needed to meet two key requirements to meet its objectives:
With EAA, every Arc of Ulster-Greene user can access applications securely with Multi-Factor Authentication (MFA), in compliance with HIPAA requirements. From any device with a browser, users need only to enter a URL for the application they need, then provide their Active Directory login credentials and MFA one-time passcode. The IT team did not have to audit the end-user’s location for compliance because no personal healthcare information could be uploaded or downloaded from the user’s machine.
HIPAA-Compliant Remote Access
Using EAA, The Arc of Ulster-Greene was able to solve the problem of giving remote users access to sensitive applications inside of their HIPAA-controlled environment. EAA can secure and present remote desktop sessions inside of a browser. This unique capability gives users access to a Windows PC inside their environment while assuring no personal healthcare information could ever land on the end-user’s device. “I gain a lot of security here,” continues Louwagie. “Any data that needs to be accessed stays within our environment. Any report that users run can only be saved on the server in our controlled environment.”
Better Application Security
With its unique dial-out architecture, EAA secures access to applications behind the firewall while eliminating inbound access through the firewall. “With EAA, I’ve now been able to publish or make things available on the outside that I couldn’t make available otherwise,” said Louwagie. “For instance, we can manage our VMware from the outside. Before it would always have been too risky to even think about that.”
To meet its high availability requirements, The Arc of Ulster-Greene used to configure complex DNS fail-back solutions or inform end users to switch to alternate sites. EAA dramatically simplified this process. “Users don’t have to know that they are logging into an alternative site,” noted Louwagie. “Other solutions didn’t allow you to do that. EAA just does it out of the box. We don’t have to configure anything.” EAA’s highly available architecture enables automatic failover of user connections to a backup customer site without user intervention.
EAA integrates authentication, access, and application security and allows mobility by enabling web, RDP, and SSH applications to be accessed from any browser. EAA’s combination provides “enormous value,” Louwagie said. “Two-factor authentication, very easy access to any application that you need to publish. It’s kind of a no brainer.”
Simple for IT, Simple for Users
Delivered as a service with all components centrally managed, EAA does not require complex network integration by the end user. EAA pre-integrates all core functionality and provides simple connection to third-party directories, SIEM tools, and security devices. “The products that have been successful for us remain successful because they introduce simplicity,” Louwagie said. “EAA is a great solution for any environment where you want to have something that really works. It doesn’t break the bank or make your IT team have to figure out all kinds of complex things. Plus, it is easy for your end users to just use.”
“EAA opens up possibilities I would never [have] previously been able to think through,” added Louwagie. “The fact that we can get EAA up and running in any environment in just a few minutes provides enormous flexibility.” Since virtually all public and private cloud environments are supported by EAA, businesses can secure and provide access to enterprise applications running in both on-premise and public cloud infrastructures and switch easily between them.