A simplified approach to strengthening the security stack in healthcare

Passwordless credentials have replaced long passwords and SMS codes for access to work devices at a regional not-for-profit organization supporting unpaid carers in the Australian Capital Territory.

This complements ongoing privacy and security improvements at Carers ACT, part of the wider not-for-profit Carer Gateway in Australia.

The organization provides carers with a range of support services at four locations in the ACT, including advice and support with care planning, counseling, peer support, respite care, educational workshops, social activities, advocacy, and mobility and technology aids.

THE PROBLEM

Carers ACT has noted the recent increase in advanced cyber threats, including spear-phishing attempts against its employees. There are also threats from unsecured devices and from users connecting to guest Wi-Fi within its facilities.

“Account compromises are a huge concern for us. We have some of the most sensitive personal data, (so) we take the responsibility to protect that data very seriously.”

Thomas Pike, ICT innovation lead, Carers ACT

Recognizing these concerns, the organization has strengthened its privacy and security posture, including fully migrating to Microsoft Entra ID. It has also implemented multi-factor authentication, such as the use of authenticator apps, which the Australian Cyber Security Centre recommends as a mitigation against cybersecurity incidents.

“Having robust technical controls in place is essential when implementing a customer data management approach. Organizations, regardless of industry, need to take the security of their customer data very seriously and using multi-factor authentication is an essential tool,” Pike said.

When the organization recently switched to electronic progress notes in its shelters, many support staff found it difficult to get into devices protected by multiple layers of security, and the IT help desk was inundated with requests for assistance.

“We ended up spending a lot of time resetting passwords or users simply couldn’t log in due to platform issues.”

PROPOSAL

To improve the user experience, the organization turned to passwordless access to its Microsoft Surface Go tablets using YubiKeys. The FIDO2 security key, made by California-based Yubico, is registered as a passwordless sign-in method in Microsoft Entra ID, and Entra ID's conditional access features can then require that phishing-resistant method rather than a password plus a one-time code.
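An added example of the Entra ID side of such a deployment, written for this page rather than taken from Carers ACT or from Microsoft's own documentation: it uses the Microsoft Graph PowerShell SDK to enable FIDO2 security keys as a sign-in method, restrict registration to approved key models by AAGUID, create a conditional access policy that requires the built-in "Phishing-resistant MFA" authentication strength in report-only mode, and then check the sign-in log to confirm staff are actually signing in with a key. The AAGUID value, the group object ID and the policy name are placeholders that you would replace for your tenant.

```powershell
# Added example (not Carers ACT's configuration): FIDO2 security keys plus
# conditional access in Microsoft Entra ID via the Microsoft Graph PowerShell SDK.
# Placeholders (assumptions, replace before use): $approvedAaguids, $staffGroupId.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "AuditLog.Read.All"

# 1. Enable FIDO2 as an authentication method for all users, enforce attestation,
#    and only allow keys whose AAGUID is on the approved list (Yubico publishes
#    the AAGUID for each key model; the value below is a placeholder).
$approvedAaguids = @("00000000-0000-0000-0000-000000000000")   # placeholder
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" `
    -BodyParameter @{
        "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        state                            = "enabled"
        isSelfServiceRegistrationEnabled = $true
        isAttestationEnforced            = $true
        keyRestrictions                  = @{
            isEnforced      = $true
            enforcementType = "allow"
            aaGuids         = $approvedAaguids
        }
        includeTargets = @(
            @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
        )
    }

# 2. Require the built-in "Phishing-resistant MFA" authentication strength for a
#    staff group. Look the strength up by name instead of hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
$staffGroupId = "<support-staff-group-object-id>"                # placeholder

$policy = @{
    displayName = "Require phishing-resistant MFA - support staff (report-only)"
    # Report-only first: measure who would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($staffGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Check: which recent sign-ins actually used a FIDO2 security key?
#    Legacy authenticator-app sign-ins show up here as something other than
#    "FIDO2 security key", which tells you who has not moved over yet.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.AuthenticationDetails.AuthenticationMethod -contains "FIDO2 security key" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName
```

Leaving the policy in report-only mode while staff register their keys is the step that keeps the help desk quiet: the sign-in log shows who would fail the policy, so it is switched to enforced only once the FIDO2 sign-ins cover the group.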

TOOK UP THE CHALLENGE

According to Pike, strengthening an organization's security doesn't have to be complicated for its employees.

Staff, he said, would rather have something simple than have to remember usernames and long passwords when using their devices.

“Our support staff enthusiastically embraced the change when we were able to demonstrate a simplified and reliable login experience. This reduced frustration and allowed them to focus on providing care to our clients.”

“We were able to deploy the YubiKeys within a few days.”

Pike stressed that in any change management process, “it is important to show value to individuals.”

RESULTS

The passwordless security key, which complements Microsoft Entra ID, has simplified the login process for Carers ACT staff. "This has allowed us to enhance our existing security posture while dramatically improving the user login experience," Pike said.

Ultimately, prioritizing user experience is essential to continuously improving security in healthcare.

“What this project has shown is that increasing security does not mean increasing complexity or staff overhead. All organizations need to consider their user experience,” he concluded.

Thomas Pike’s comments have been edited for brevity.