Institute for Mental Health in Altrecht identifies employees using tokenless two-factor authenticationSecurEnvoy 11/03/2014, Archive
The Dutch Institute for Mental Health in Altrecht states that “It is a very modern solution”. This vote of confidence has been given to the recently installed SecurAccess tokenless two-factor authentication solution provided by the developer SecurEnvoy. It replaces the previous token-based system used to identify staff when they logged into the corporate network. SecurAccess will provide security regarding, among other things, access to electronic patient records. This allows staff to retrieve protected data even when working remotely, for example when patients are visited at home. A feature that provides benefits in terms of finances and user-friendliness is that SecurAccess provides the necessary authentication passcode by text message and via various other methods – so there is no need for additional, dedicated tokens.
Around 3,000 employees at the Altrecht Institute take care of approximately 20,000 patients per year. The provision of care doesn’t just take place at the 130 official walk-in centres, which are predominantly located in the Dutch province of Utrecht. If necessary, staff also visit people at home or in other places, such as a police station. Therefore, employees need to be able to access patient records and the database from anywhere.
Personal details together with passcode
Such access previously involved a token-based system, for which employees needed dedicated hardware tokens. In addition to the complex configuration required and the need to distribute the tokens to the staff, the management noted the considerable costs associated with such a system, not least because tokens were often lost or stopped working. As an alternative, SecurAccess from SecurEnvoy had a particular strength. The two-factor authentication solution does not require a dedicated token, but instead it uses mobile phones that the staff already have with them anyway. If carers want to view a patient record, they must first prove their identity. This is done by entering a user name and a password. If these details are correct, the user then receives a six-digit numeric passcode on his/her mobile device by text message, which is also entered on the login screen. If this is also entered correctly, the user is granted access. The users also have the choice to use the code via an email, app or through a voicecall.
The system installation was carried out by the SecurEnvoy partner Motiv, who also provided training on the system for two IT managers at Altrecht. Around 500 employees currently use SecurAccess and it is expected that all 1,500 carers will be working with it over the next twelve months. As smart phones are becoming increasingly common, Altrecht would also like to use the SecurAccess soft token app in the foreseeable future altogether. This generates passcodes directly on the mobile device, thereby eliminating the costs of text message transmission. Altrecht is currently testing the soft token app internally before implementing it throughout the organisation.
"Mental health problems still constitute a taboo subject for many people," comments Frans van Vugt, security officer at Altrecht. "If you are in hospital, you usually get a lot of attention, but entering a centre for mental health is a much more sensitive matter - as is the handling of patient data. With SecurAccess we can clearly authenticate our staff and hence prevent information from falling into the wrong hands.“