Healthcare provider Carinova offers home care, residential care, and domestic support to elderly people and people with disabilities. A Microsoft Software Asset Management (SAM) Cybersecurity investigation into the IT environment and processes taught Carinova how to reduce cyber threat risks while complying with the General Data Protection Regulation (GDPR, Privacy Act). Partly thanks to the advice of the Quexcel SAM team, Carinova now has a secure, flexible workplace environment and IT infrastructure in the cloud.
“Based on the SAM Cybersecurity process, we decided to use Microsoft 365 cloud technology to manage all our mobile devices, with the information security and identity management functionality we need to comply with the GDPR.”
Ton Kuiper: IT Specialist, Carinova
From Caring for People to Caring for Data
Carinova provides trusted, personalized care in the eastern Netherlands. It offers around-the-clock services across eight care locations, with home care workers visiting clients up to five times a day. To maintain public trust and stay the preferred care provider, data security and compliance with care standards are top priorities. Employees handle highly sensitive personally identifiable information (PII), such as electronic client records. This information falls under various standards, regulations, and legislation, such as the General Data Protection Regulation (GDPR), which came into effect in May 2018.
IT plays a key role in complying with the GDPR, but Carinova also views IT as a strategic advantage. “There is high demand for professional caregivers and a limited supply in the job market. To attract the best talent, care providers need to offer a modern, flexible, cloud-based workplace,” says Ton Kuiper, IT Specialist at Carinova. Kuiper notes that, contrary to expectations, Carinova’s IT infrastructure required significant time for maintenance. For this reason, they sought to move to the cloud to simplify management, enhance security, and streamline maintenance. In early 2017, they contacted Microsoft to inquire about migrating to Office 365 productivity services. Simultaneously, they began a process with Microsoft Software Asset Management (SAM) for an evaluation of their entire IT environment.
A Cybersecurity Check as a Starting Point for Change
IT service provider Quexcel, a Microsoft SAM Solutions Expertise Partner and member of the Microsoft SAM Partner Advisory Council, conducted the SAM Cybersecurity audit. Part of the audit was focused on the software used by Carinova and the software licenses required for it. The SAM Cybersecurity audit aimed to improve security and prepare for the GDPR. The audit included an interview with the Data Protection Officer and a technical and functional assessment of the entire IT environment. Peter van Uden, Software Licensing and SAM Specialist at Quexcel, explains: “We look at technology, processes, and people. This helps us get a complete picture of the entire environment. What many organizations don’t realize is that you can have the most modern technology in place, but you also need to consider how employees interact with that technology to keep information secure.”
The SAM Assessment confirmed that Carinova’s IT infrastructure was fundamentally secure. However, it revealed areas that needed adjustment to comply with the GDPR. Additionally, it became clear that the organization could benefit from security training and adjustments to application virtualization to give mobile care workers the flexible workplace they need to work effectively and efficiently. The SAM team recommended solutions and best practices to fully leverage the benefits of an integrated cloud platform, including heightened awareness, simplified management, scalability, flexibility, and device and employee identity management.
Benefits of an Integrated Cloud Platform
- Increased awareness
- Simplified management
- Scalability
- Flexibility
- Device and employee identity management
- GDPR compliance
Complying with the GDPR
Carinova had already encrypted communications within its IT infrastructure and workstations, and used a basic mobile device management (MDM) solution for smartphones and tablets. However, this solution did not meet the requirements of a modern environment, such as tracking mobile devices, device usage, and the ability to remotely delete information.
The SAM team advised switching to a solution that also included rights management to prevent care workers from storing sensitive information locally. “Based on the SAM Cybersecurity project, we decided to switch to Microsoft 365 cloud technology to manage all our mobile devices, with the data security and identity management features we need to comply with the GDPR. This helps us secure client information while optimally supporting our field staff,” says Kuiper.
Now that the GDPR is in effect, van Uden notes, organizations must ensure that the person logging in digitally is indeed the person they claim to be and has the appropriate rights to access the secure environment. Van Uden explains, “A SAM Cybersecurity project gives organizations a complete picture of unauthorized software usage by investigating shadow IT and ‘dark data.’ We often recommend a robust identity management solution with Microsoft 365 to track which software employees install and use on which devices.”
Carinova uses the new environment to separate business-related healthcare information from non-business apps, as required by the GDPR. This helps prevent the accidental transfer or copying of secure information to an unsecured environment. Meanwhile, care professionals can now use business chat and video conferencing to consult with colleagues via Skype for Business within Microsoft 365. This makes it easier to keep personally identifiable and privacy-sensitive information within the secure environment when staff discuss a client.
Increasing Awareness for Higher Security
“Security must be holistic,” says van Uden. “For example, when IT requires employees to change their passwords regularly and sign in to core applications with their work accounts, it should also be easy to prevent employees from copying sensitive data from the secure environment to an insecure one. Employees need to be aware of the risks they create by understanding how their actions affect IT security.”
With the ever-increasing cyber threat, it’s no longer enough to patch up technology gaps or introduce new rules. Security is most effective when employees understand how they contribute to security and know what security processes exist (and why), and when all technical components are optimally configured. Today, Carinova offers regular security workshops, and employees have access to an e-learning environment to enhance their security skills. “We’re much more security-conscious now,” says Kuiper. “With each new process, we now look at security issues before we implement anything.”
Now that the SAM Cybersecurity project is complete, Carinova is starting a six-month trial subscription to Quexcel’s SAM in a BOX Managed SAM service. “When organizations optimally configure their IT environment to manage processes, provide employees with the modern workplace they need, and standardize cybersecurity, they are at the intersection of technology and compliance,” says van Uden. Managed SAM supports digital transformation by focusing on controlling costs, managing and reducing organizational and legal risks, optimizing software licensing and cloud costs, and aligning IT investments seamlessly with business objectives.
Benefits of Managed SAM
- Cost control
- Managing and reducing organizational and legal risks
- Optimizing software licensing and cloud costs
- Seamlessly aligning IT investments with business objectives
Kuiper’s experience with the SAM Cybersecurity project fully aligns with this. “We are ready for the GDPR and are implementing our chosen strategy to increase cloud computing usage,” he says. “Carinova employees are much more aware of and better trained in data security. When we look at our IT goals, we now know exactly which direction to take.”
