Cisco Duo MFA Secures Epic Hyperdrive Against Cyber Threats
Controlled substances are often in the news for both bad and good reasons. In the wrong hands they can lead to drug addictions or other serious health issues. However, when prescribed appropriately by medical professionals they can be a blessing to alleviate or treat sickness. Therefore, government agencies like the DEA and FDA have created strict policies and procedures for prescribing controlled substances to ensure they get into the right hands.
Epic is a leading healthcare software provider for systems that manage electronic health records (EHR). “More than 250 million patients have a current electronic record in Epic.” Epic Hyperdrive for Electronic Prescriptions for Controlled Substances (EPCS) enables authorized physicians to transmit prescriptions for controlled substances electronically to pharmacies.
Epic Hyperdrive
Hyperdrive is Epic’s new flagship EPCS healthcare management software, delivered through modern web protocols. Hyperspace is Epic’s client-application-based EPCS software, often delivered through virtual application delivery solutions from Citrix or VMware. Hyperspace will be replaced by the newer, web-service-based Hyperdrive in the future; until then, both are expected to run in parallel on clients’ endpoints.
The challenge
Due to the nature of Epic Hyperdrive for EPCS, the FDA mandates support for a variety of security protections, including Multi-Factor Authentication (MFA), to protect against weak passwords and stolen credentials. According to the 2022 Verizon Data Breach Investigations Report (DBIR), basic web application attacks are the leading cause of digital security breaches in the healthcare sector, and over 80% of the breaches in this pattern can be attributed to stolen credentials. These attacks can lead to ransomware or malware that may result in data loss, exfiltration, or compliance violation fines.
The solution
Cisco Duo is a leading healthcare MFA provider. Duo uses a zero-trust security model by establishing trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies to protect applications.
Duo has protected Epic Hyperspace against credential vulnerabilities for many years. Now Duo has developed an updated solution that integrates seamlessly with the new web-based Epic Hyperdrive to protect it and, in turn, the medical records behind it.
Duo integrates with Hyperdrive to provide multi-factor authentication. It supports authenticator methods such as secure hardware tokens, Duo Mobile OTP (one-time password), phone callback and Duo Mobile Push.
Duo also integrates seamlessly with Epic Hyperdrive to provide a strong second authentication factor that protects patient electronic health records. During the setup of Duo for Epic Hyperdrive, a trust relationship is established between Epic Hyperdrive and Duo: the admin registers a public key, obtained from the Duo Admin Panel, with Epic Hyperdrive.
When Epic Hyperdrive initiates an MFA request, the Epic Hyperdrive client requests secondary authentication from Duo, which produces a Security Assertion Markup Language (SAML) token in response to a successful authentication. The Epic Hyperdrive client presents the signed SAML assertion to the Epic Hyperdrive service. Epic Hyperdrive verifies the authenticity of the SAML token using the public key previously downloaded from Duo and installed by an Epic admin. Access is granted only if Epic Hyperdrive successfully verifies the SAML token.
After the admin has downloaded the public key from the Duo Admin Panel and uploaded it to Epic (step 0), to be used during authentication to establish trust, the flow is:
1. The Client submits the username and password to Epic.
2. Epic validates the credentials, then sends a response to inform the Client.
3. The Client presents the MFA options; the user selects one and the Client sends a request to Duo for MFA.
4. Assuming the Push option is selected in this flow, Duo sends a Push authentication request to the user’s mobile phone.
5. The user confirms the Duo Push on the mobile phone.
6. Duo validates the response and returns a signed SAML assertion.
7. The Client forwards the SAML assertion to Epic for validation.
8. Epic validates the SAML assertion and grants access.
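The relying-party check at the end of this flow (steps 7 and 8), as an added Go example that is not Duo's or Epic's code: Epic's side accepts an assertion only if it verifies under the public key registered at setup, names this service and has not expired, so an assertion altered in transit or signed by any key that was never registered is rejected. It assumes a simplified JSON assertion and an Ed25519 key pair in place of SAML's XML with XML-DSig (commonly RSA), and constructed values such as dr.example and epic-hyperdrive.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML assertion: real
// SAML is XML carrying an XML-DSig signature, but the checks below are the same.
type Assertion struct {
	Subject, Audience string
	NotOnOrAfter      time.Time
}

// signAssertion plays Duo's role: after a successful second factor, sign the
// canonical bytes of the assertion with the identity provider's private key.
func signAssertion(priv ed25519.PrivateKey, a Assertion) []byte {
	body, _ := json.Marshal(a) // plain fields, so Marshal cannot fail
	return ed25519.Sign(priv, body)
}

// verifyAssertion plays Epic's role using only the public key registered at
// setup: the signature must verify under that key (so Duo issued the assertion
// and nothing in it changed in transit), it must name this service, and it
// must not have expired.
func verifyAssertion(registered ed25519.PublicKey, a Assertion, sig []byte, audience string, now time.Time) error {
	body, _ := json.Marshal(a) // same canonical form the issuer signed
	if !ed25519.Verify(registered, body, sig) {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	if a.Audience != audience {
		return fmt.Errorf("assertion issued for %q, not this service", a.Audience)
	}
	if !now.Before(a.NotOnOrAfter) {
		return fmt.Errorf("assertion expired at %s", a.NotOnOrAfter.Format(time.RFC3339))
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand; stands in for Duo's key
	a := Assertion{"dr.example", "epic-hyperdrive", time.Now().Add(5 * time.Minute)}
	sig := signAssertion(priv, a)
	fmt.Println("registered key, intact body:", verifyAssertion(pub, a, sig, "epic-hyperdrive", time.Now()))
	forged := a
	forged.Subject = "someone.else" // altered after signing: signature no longer matches
	fmt.Println("tampered body:", verifyAssertion(pub, forged, sig, "epic-hyperdrive", time.Now()))
}
```

The first call returns nil; the second returns the signature error, because only the registered key's holder can produce a signature over the altered body.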
Want to learn more about how Duo fits into a zero-trust model?
Duo is a cornerstone in healthcare MFA and is leading the fight to secure applications like Epic Hyperdrive with the latest protection technology. Duo provides the foundation for a zero-trust security model by establishing client trust before granting access to applications, ensuring secure access for any user connecting to Epic Hyperdrive.
Download the Duo Zero Trust Evaluation guide to learn more about user trust, device visibility, device trust, adaptive policies, and access to all apps with Duo.