Carers ACT delivers quality carer interactions thanks to passwordless logins with the YubiKey

CASE STUDY: Healthcare and social assistance is currently among the top 5 reporting sectors for cyber security incidents in Australia, with compromised accounts or credentials listed as the top exploit.

For Thomas Pike, information and communications technology (ICT) innovation lead at Carers ACT, a non-profit organisation whose purpose is to support, connect, and empower unpaid family and friend carers, this risk is something to be taken seriously.

“Account compromise is something which is hugely worrying for us,” says Pike. “We hold some of the most sensitive personal information you can and we take our responsibility in holding that information very, very seriously.”

Pike is responsible for supporting the daily operations and security of the ICT systems as well as finding innovative new ways to help carers, to support the mandate of Carers ACT, a part of the Australia-wide network of Carer Gateway service providers. For over 30 years, Carers ACT has provided a range of integrated services and support for individuals caring for family or friends in need of temporary or permanent help in the tasks of daily living, as well as conducting both local and national advocacy work to raise awareness of the needs of carers.

Operating from four locations across Canberra and Illawarra, Carers ACT has 65 full-time employees, with additional support workers in short-term respite facilities and a disability services program. Providing safe and effective respite and services for family and friend carers requires timely access to sensitive health information about the individuals being cared for, including care plans, health conditions and consents. This health information is critical to deliver safe and effective care to clients – but it is also valuable to threat actors.

In the past several years, Pike has noticed increasingly sophisticated cyber threats, including spear phishing campaigns that target employees with malicious emails that appear to come from the CEO of Carers ACT. Threats also come from potentially insecure devices used by clients and other guests accessing guest Wi-Fi systems while in its facilities.

“As an organisation, and especially as an ICT department, we are very aware that we require health information to provide a safe and effective service. We spend a lot of time making sure our systems are responsive to those particular threats,” says Pike.

To ensure high quality care and the safety of client data, the ICT department has undertaken a series of infrastructure improvements to increase system resiliency and security and to improve the login experience for support staff. Pike decided to replace cumbersome passwords and complex two-factor and legacy multi-factor authentication (MFA), such as SMS codes, with a FIDO security key to enable a secure, user-friendly passwordless experience for its support workers.

Having used and worked with YubiKeys at a previous organisation, Pike found choosing the YubiKey for Carers ACT an “easy choice to make.” The YubiKey is a hardware security key that delivers phishing-resistant MFA and passwordless authentication, complying with Essential Eight Maturity Levels 2 & 3. Carers ACT began by rolling out the YubiKey Security Key C NFC, which supports FIDO2/WebAuthn (device-bound passkeys), to all support staff to address cyber threats and enable a seamless and user-friendly login to shared devices.

With the Australian government continuing to encourage cybersecurity efforts and the adoption of phishing-resistant MFA for all businesses – with particular emphasis on critical infrastructure and health organisations – the Carers ACT YubiKey deployment is a future-proof investment toward shifting compliance requirements.

Increasing infrastructure resilience with the YubiKey
Over the course of the last several years, Pike and the ICT team have invested heavily in infrastructure improvements to address evolving risk and to improve service delivery to carers. Carers ACT has reimplemented all their networks to improve access and to protect against cyber-attacks. Carers ACT also leverages several Microsoft products to improve security and drive better experiences, including Microsoft AccountGuard, Microsoft Intune for endpoint management and Microsoft Conditional Access for access control.

Microsoft Conditional Access is a feature of Microsoft Entra ID that allows for granular access control policies to enforce the use of phishing-resistant authentication (or the YubiKey specifically) to access Microsoft Entra ID-protected devices, applications and services. Pike uses Microsoft Conditional Access to create access controls based on user role. For support workers, this access is restricted to office locations on shared Microsoft Surface tablets.
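To make the role-scoped control described above concrete, here is an added example (not Carers ACT's or Yubico's configuration) that creates such a policy with the Microsoft Graph PowerShell SDK. It requires the built-in "Phishing-resistant MFA" authentication strength for a support-worker group; the group ID is a placeholder, and the policy starts in report-only mode so the effect can be checked in sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring phishing-resistant MFA
# (FIDO2 security keys such as the YubiKey satisfy this strength; SMS codes and
# authenticator-app push do not). Needs the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the Entra ID group containing support workers.
$supportWorkersGroupId = "<SUPPORT-WORKERS-GROUP-ID>"

$policy = @{
    displayName = "Support workers: require phishing-resistant MFA (report-only pilot)"
    # Report-only: sign-ins are evaluated and logged but not blocked. Switch to
    # "enabled" once the pilot shows every support worker has a registered key.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($supportWorkersGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator = "OR"
        # Built-in authentication strength "Phishing-resistant MFA".
        # Restricting support workers to office locations, as the article
        # describes, is done in a separate block policy scoped by named location.
        authenticationStrength = @{
            id = "00000000-0000-0000-0000-000000000004"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the "Report-only" tab of Entra sign-in logs for a few days; any support worker shown as "would fail" has not yet registered a FIDO2 key and needs enrolment before the state is changed to enabled.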

As an established Microsoft environment, Pike was able to take advantage of out-of-the-box support for the YubiKey to streamline implementation. “One of the strengths of the YubiKey is the high availability of documentation to support implementation,” says Pike. “The YubiKey is standards-based and there are many well-documented use cases for how to implement FIDO2 logins.”

Thanks to the work already completed to modernise Carers ACT infrastructure, and the technical support information and guides provided by Yubico, the ICT team was able to implement YubiKeys quickly.

“I cannot say enough about the ease of implementation. We were able to implement the YubiKeys within just a couple of days,” says Pike.

Going passwordless to reduce user friction and IT support costs
In the past, security and compliance requirements required Carers ACT to use complex passwords and deploy mobile MFA leveraging SMS or authenticator apps. These MFA implementations frustrated both users and the IT team.

“We were finding that our support workers are very talented in providing people support, but technology is not their job and they struggled to consistently remember usernames and passwords,” notes Pike. “We ended up spending a lot of time on password resets or with users simply not able to log in due to platform issues.” In fact, the average company can expect 60% of IT service desk interactions to be related to password resets.

Even more important than reducing these hidden governance and support costs was the need to make the login process for staff much simpler, so they could seamlessly access devices and focus on providing quality care.

That efficient balance of security and compliance comes to life with the YubiKey, creating a passwordless login experience that leverages the high-assurance security of device-bound passkeys. Support staff simply insert the YubiKey into the shared Microsoft Surface tablet and enter a short, easy-to-remember PIN to securely authenticate to the device and gain immediate access to Entra ID-protected environments.

“It was important for us to design our ICT systems to be both secure and easy to use. The YubiKey has made the login process for our staff much simpler, allowing them to focus on providing quality care,” said Pike.

Following a pilot program with select ICT department staff, all support workers were issued a YubiKey with basic training and on-hand assistance to register the YubiKeys and demo the improved login experience. “We are able to demonstrate to users that the login experience is going to be easier than what they did before,” shares Pike. “The reaction we’ve had has been glowingly positive.”

Looking ahead to stronger MFA across the organisation
For many years, choosing an MFA approach required trade-offs between security, user experience and productivity. After first-hand experience with the drawbacks associated with passwords and legacy MFA, the YubiKey provides Carers ACT with a high-assurance and user-friendly passwordless experience for its support workers. Looking to the future, Carers ACT plans to extend the YubiKey deployment across other parts of the organisation.

http://itwire.com/security/carers-act-delivers-quality-carer-interactions-thanks-to-passwordless-logins-with-the-yubikey.html