Healthfirst applies an identity security-first approach to implement Zero Trust

Company profile

Healthfirst is the largest not-for-profit health insurer in New York State. It offers high-quality, affordable plans to fit every life stage, including Medicaid, Medicare Advantage, long-term care, qualified health, and individual and small group plans. Healthfirst’s unique advantage is to put members first by partnering closely on shared goals with its broad network of providers. Healthfirst is also a pioneer of the value-based care model, where hospitals and physicians are paid based on patient outcomes.

Annual revenue:US$14 billion
Employees: 5,000

Challenges

Brian Miller, CISO at Healthfirst, has no illusions about the cybersecurity threat landscape and where to target the defense. “There are an infinite number of variables when it comes to cyberattacks. Think of an army crossing a desert. To challenge it, we would need a security fence across the desert,” stated Miller. “But with just 300 people in a mountain pass, we can stop the whole army. Identity is the mountain pass of your environment and identity is where Healthfirst is investing heavily.”

Miller was brought into Healthfirst, the largest not-for-profit health insurer in New York State, because the organization wanted to evolve its cybersecurity operations. Founded nearly 30 years ago, Healthfirst has worked with its network of hospital systems, community providers and partners to steadily improve health outcomes and advance health equity through better access to care especially for underserved communities.

This success means Healthfirst experienced rapid growth and now serves some 1.8 million members in New York state. But growth and the increasingly complex needs and demands facing a modern health insurer demand a similarly robust cybersecurity program.

Digitally enabling members

Healthfirst has one of the most comprehensive databases of member related information comprising enrollment and billing, customer care, payments, processing claims and health data. Protecting the highly sensitive healthcare records and identities of 1.8 million members and 5,000 staff is paramount. For its computing environment, the organization adopted a cloud-first strategy. Approximately 70% of systems and applications are now cloud-based and the organization has 10,000 endpoints – 70% remote – requiring sophisticated and robust security. “Healthfirst aims to transform the industry by digitally enabling our members,” said Miller. “Part and parcel with that is providing security and high assurances. We have invested heavily in our digital apps, our virtual community-based offices and lots of mobile solutions. Whether a member comes in on an app, the phone, or walks into a community office, all roads lead to identity.”

Solutions

Because of the market-leading position of CyberArk, Healthfirst had already deployed a range of CyberArk products including Privileged Access Manager and Vendor Privileged Access Manager. The insurer trusted CyberArk to provide best-of-breed privileged access management and decided to adopt additional technologies from the Identity Security provider to secure its digital transformation. For example, Healthfirst has also migrated several legacy secrets management apps to Conjur because it integrates seamlessly with developer workflows and can handle a large volume of secrets.

Business importance of security

Alongside the CyberArk solution, Healthfirst ran an education and adoption program to help staff understand the risk and impact that modern cyberattacks, like ransomware, could have on the organization and its members. “After implementing CyberArk, we went through a period of having to educate the business about privileged access management,” recalled Miller. “But it was really a change management effort to help people understand the value of security. Then there is a tipping point where you stop pushing through resistance and people realize the importance of security for them as a business.”

Having recognized identity as one of the critical elements in building an effective cybersecurity infrastructure, Healthfirst has now turned to the CyberArk portfolio of workforce identity management solutions. The company recently deployed CyberArk Identity to provide staff with simple yet extremely secure access to business resources using single sign-on and multi-factor authentication (MFA). “The objective is to make it as hard as possible to break into systems, software and development chains from inside the system, as it is from outside on the internet. Strong identity control is a part of that Zero Trust idea where it does not matter where the bad guy is; they cannot harm anything,” added Miller.

“One of the things Healthfirst is very excited about as we evolve workforce identity management is the ability to federate,” disclosed Miller. “With other systems we are spending lots of dollars on licenses, for example, to allow call centers to access our systems. With CyberArk, we will be able to federate with their identities, cut costs and licensing fees, and use CyberArk desktop soft tokens for MFA. That will give us a very robust and cost-effective solution.”

Because CyberArk solutions are integrated across several areas of privileged access management and identity protection, Healthfirst can now control security more efficiently and cost effectively than when it had multiple tools performing similar functions, thereby driving significant operational efficiencies in the company.

Results

Zero Trust controls identity

“If we can control identity, we can stop most modern attacks. And if you control identity, then you control every perimeter, application, container – effectively every part of the environment. That is what I call true Zero Trust and that is why we use CyberArk. This is what helps me sleep at night”
-Brian Miller, CISO, Healthfirst

Partnership with CyberArk has been one of the key elements in helping Healthfirst build an effective privileged access management and Identity Security program. “I like to work with vendors that have a culture and vision, and are excited about what they are doing,” concluded Miller. “At CyberArk, I see a company with a solid culture that works to make value flow for both organizations. Some of the CyberArk staff have been in the company for many years but they are not stale because the company continues to grow and evolve. As a CISO, that is the kind of partner I am going to bet on.”

Key benefits

• Builds comprehensive privileged access management
• Strengthens ability to protect human, machine and third-party identities
• Protects Personal Health Information (PHI) for 1.8M members
• Reduces security costs with solutions like federated identity control
• Removes the need for expensive security software licensing
• Replaces multiple tools with a unified Identity Security platform