Adapta secures healthcare worker
access to Google Cloud with YubiKeys

Heightened security and privacy does not have to create a poor user experience

In healthcare, where the security of patient data is critical, any digital transformation must be secure by design. “I have always been interested in privacy and in security,” says van Alphen. “I worked on that in my private life and I also bring that to my work. In the security world, the old adage is: ‘The more secure something is, the less userfriendly it is.’ We challenge this stereotype.”

When Adapta began looking for multi-factor authentication (MFA) solutions to introduce to healthcare settings, popular legacy MFA solutions did not prove suitable. “The most common method organizations choose,” says van Alphen, “is an authenticator app. However, in nursing homes staff need something like a laptop or tablet, not a cellphone. If you have to log in with a code from an app or by clicking a prompt, then you need two devices before you even start.”

This brings complications for many organizations, says van Alphen. “Either all staff need to be equipped with a second device, or be allowed to authenticate using an app installed on a private device. There are also increasing numbers of people who In the security world, the old adage is: ‘The more secure something is, the less user-friendly it is.’ We challenge this stereotype.” say ‘I don’t want work apps on my private device’. You see a trend where people are demanding the right to be left alone; this is even becoming anchored in collective labor agreements in disability care, for example.”

Most healthcare professionals aren’t based in offices, says van Alphen. “If you work in a geriatric or disability care institution, then you have chosen to care for people— not to sit at a computer screen. You want to be able to log in quicker to easily find something, make a note of something or place an order, and that you can do that four, five times a day.”

“In the security world, the old adage is: ‘The more secure something is, the less user-friendly it is.’ We challenge this stereotype.”

YubiKeys stop phishing attacks, and help healthcare workers access patient records faster and more securely

It wasn’t long before the search brought Adapta to the YubiKey, Yubico’s offering of modern phishing-resistant MFA that stops account takeovers and prevents malicious actors from stealing healthcare worker credentials. “In our experience,” says van Alphen, “the YubiKey is the most user friendly, most secure and most affordable method of multi-factor authentication. You have one password and one physical key that works exactly like your front door key. Put it on your keychain when you go to work, grab your device and log in.”

YubiKeys are the only hardware MFA method proven to stop modern cyber attacks, but apart from ironclad security, the usability and efficiency of YubiKey is also significant. Adapta found that YubiKeys allowed users to access critical information much faster. Van Alphen gives the example of a caregiver in a nursing home who has to log in multiple times per day to write reports or search for data about their client. “If that login process takes 30 or 40 seconds,” he says, “then that’s a source of frustration. And that’s true of all other two-factor authentication methods. Typing out a code on an authenticator app or waiting for a prompt from a text message takes time. But, if you combine Google Cloud ChromeOS with a password and a YubiKey, then you can actually get onto your device and straight into your client’s file— including login time—in around 8 or 10 seconds. This really makes a difference to the day-to-day life of healthcare personnel.”

Reducing the risk exposure of passwords

For many healthcare workers, passwords are a common source of frustration. “One of the most common policies in healthcare organizations is that you need to change your password every quarter,” says van Alphen. “It’s also insecure because users typically think of a sequence. If you can come up with a sequence, a hacker can as well.” YubiKeys significantly reduce the risk from passwords because even if a user’s email address and password are stolen or phished, then a hacker would still need that physical YubiKey to log in.” As a hacker can’t access the YubiKey, account takeovers are prevented.

YubiKeys also save time for IT administrators. Citing the ease of manageability of the YubiKey, van Alphen says “You need to distribute, maintain and ensure version control of authentication apps. Now, when someone comes to work, you can give them an ID and an account, you link it with the YubiKey and that’s it.”

“In our experience, the YubiKey is the most user friendly, most secure and most affordable method of multi-factor authentication.”

Phishing-resistant MFA in action with YubiKeys

Adapta have recently introduced YubiKeys to two care organizations in the Netherlands, Zorgcentra De Betuwe and BrabantZorg. These organizations operate nursing homes, short-term care facilities and offer visits to patients’ homes. The staff of these companies include management, support teams, doctors, practitioners and nurses, as well as many volunteers, so it was essential to find a solution that offered security and speed but also ease of use regardless of roles.

Adapta chose the Yubico Security Key, which supports the FIDO U2F and FIDO2/passkey protocols, making it a perfect complement to newly-implemented Google Cloud architectures. At Brabant Zorg, YubiKeys now secure access to care records for 6500 users. “It’s worth noting,” says van Alphen, “how simple it was to implement YubiKeys. It was partly because they gave users ‘one key to the castle’, which meant that instead of having different passwords and different credentials, they just had one. You link a YubiKey on the back end, but the user doesn’t have to do anything themselves. So you don’t need steering committees or working groups to encourage
user adoption.”

Zorgcentra De Betuwe implemented YubiKeys for around 1100 users, mostly medical staff and caregivers. The switch took place overnight, so preparations included instructional videos for staff. “There was a group of around 150 new employees that day,” says van Alphen, “and when they started they were given their YubiKey along with their credentials, and were able to see their first patients immediately!”

Giving healthcare professionals time back in their days

The results of the implementation are clear: happier employees. At both Zorgcentra de Betuwe and at BrabantZorg, YubiKey has improved their overall security but also created a better user experience. “Speed is the operative word,” says van Alphen. “With YubiKeys we have been able to speed up the login process, which means that healthcare personnel have more time to care for their clients.”

For Adapta, fear of users losing YubiKeys has not been a concern. “Sometimes people forget a key that will happen,” says van Alphen. “In Google Cloud, you can have IT Support generate a one-time code to allow people to log in anyway. We noticed that some were afraid of losing keys. We always ask: ‘how often do you forget your own keys?’”

Users have responded positively to YubiKeys, even if they haven’t always understood the underlying technology. “At BrabantZorg, there were a number of employees who told us how happy they were with the ‘stick that stores all the passwords,” says van Alphen. “For those from the security sphere the idea that YubiKeys store passwords is like hearing nails on a chalkboard, but it was a great user experience for caregivers and nurses.” While the YubiKey does not store passwords, which are highly vulnerable to phishing, and instead houses a private cryptographic secret that cannot be exfiltrated from the key, such positive reactions prove that high levels of security are no barrier to an intuitive and delightful user experience.

“With YubiKeys we have been able to speed up the login process from over 40 seconds down to less than 10 seconds, which means that healthcare personnel have more time to care for their clients.”

Paving the way to a passwordless future

For Adapta, the opportunities for more user-friendly authentication are endless. “The YubiKey and Google Cloud is a match made in heaven,” says van Alphen.” The future is going to be ‘passwordless’ and with FIDO2 we will be able to offer a password-free workplace. From the perspective of caregivers or nurses, the powerful combination of Google and the YubiKey can be summarized in a single word: speed!” Van Alphen expects that organizations will be able to save even more time in future by having YubiKeys be used for multiple purposes, such as access to buildings or to print documents.

Offering a smoother digital experience will also be of increasing importance for staff recruitment and retention. “Healthcare professionals can choose where they want to work,” says van Alphen”, so they will go for organizations where they have good facilities. That goes for the digital environment too. As far as we’re concerned, Google Cloud and Yubico are leaders in this respect.” The partnership between Adapta and Yubico is also about values, according to van Alphen. “Our mission is to make the working lives of healthcare professionals more enjoyable, easier and generally better,” he says. “Yubico’s mission is to make the internet more secure and user-friendly for everyone. That’s why we fit so well together.”