The relevance of our solutions, experience, and expertise only becomes tangible when we can apply them to our customers. That’s why we like to ask them about their experience with our services and the products we deliver.
Below you can read the story of ZINN (Healthcare Institution in Northern Netherlands), which provides various elderly care services from six locations.
24/7 elderly care
The conversation with Joke Rietel, who has been the ICT manager at ZINN for five years, is inspiring. Joke loves to talk about her organization, and her stories give technology a human face. ZINN offers the elderly a complete package of care in their familiar environment: at home for as long as possible, and on location if for some reason living at home is no longer possible. ZINN’s locations can be found in Groningen itself, but also in Haren and Hoogezand. “You shouldn’t move people who have lived in the city all their life to a village, and vice versa,” says Joke.
ZINN focuses on various forms of elderly care. It offers home care and rehabilitation, but clients can also live ‘intramurally’ or in one of the organization’s homes. With a team of 3,200 employees – including its own doctors, dentists, physiotherapists, and other healthcare professionals – ZINN is active 24/7. The electronic client files (ECDs) must therefore be accessible at any time of the day and night. Because this concerns very personal information, this entails certain risks.
Where ZINN’s systems previously operated from a thin client (on-premise) environment, the switch was made to the principle of ‘everything SaaS, unless…’ five years ago. This also meant that from then on, only standard applications would be used instead of custom solutions, and that the suppliers would take care of their management.
All network connections have now been optimized and made scalable, new Wi-Fi access points and firewalls have been installed, the on-premise servers have been phased out, and the switch has been made from Citrix to Microsoft. Protecting client data is – in everything – a top priority. Joke: “It’s not a question of if you will fall victim to cybercrime, but when.” That is also the main reason why she wanted to have the previously taken security measures objectively tested by an external party.
“Where are we? Are we really doing as well as we think? What are our blind spots?”
Changes in laws and regulations also played a role, and it was a way to justify IT costs to the Supervisory Board. On the advice of Microsoft, ZINN turned to QS solutions. For years, Microsoft has been using the in-house developed Cyber Security Assessment Tool (CSAT) worldwide to test the cyber resilience of organizations of any size.
No additional costs
ZINN has now had an assessment carried out two years in a row. Even though the first time was a gift from Microsoft, Joke also asked critical questions about what would be tested and what might come out. Because apart from any investments, an assessment always brings action points – and therefore work – with it. Action points that must be followed up, at least that’s what Joke believes. “There’s no point in doing an assessment if the report then disappears into a drawer.”
“Improvements don’t necessarily cost money. You don’t always have to buy a tool to score better.”
The first CSAT revealed some expected action points, but also a few ‘blind spots’ that the IT team had previously overlooked. And it’s precisely that which makes the assessment so valuable. “If improvements are needed, that’s absolutely no shame,” says Joke.
Based on the first report, ZINN’s IT team took steps to close the ‘gaps’. Without any additional costs, mind you! That is also an important message that Joke wants to convey to organizations that are hesitant about having an assessment carried out: “Improvements don’t necessarily cost money. You don’t always have to buy a tool to score better.”
Balance between safety and ease of work
The challenge for ZINN in increasing data security lies, as it does for many other organizations, in finding the right balance between safety and ease of work. Protecting sensitive data is of course extremely important, but it must remain workable and must not adversely affect productivity. 24/7 access to applications remains the starting point, just like the possibility to log in easily.
“Maximum security is not our goal, because then a healthcare institution cannot function.”
In this respect, the mindset at ZINN has changed in recent years: where IT used to be leading, the question is now repeatedly asked ‘how can IT support?’. The goal is still to increase cyber security, but it’s simply a matter of a different starting point. When asked whether Joke plans to take ZINN to the maximum security level, she answers briefly and concisely: “No! Because that would mean that you can no longer function as a healthcare institution.”
Healthcare workers prefer to focus solely on their clients during their work, but no one can escape a bit of administration, both because of laws and regulations and because it is simply laid down in the agreements with health insurers. So it’s important to keep the approach to cyber security as simple as possible, for example by using single sign-on and standardizing the layout, regardless of the device.
In addition, it’s all about communication. ZINN now works with ‘digicoaches’. These are existing (care) employees who get extra hours to help their colleagues in a very accessible way with the technological side of their work. Using care-related examples, they explain why certain things need to be done, such as two-factor authentication. And that’s necessary, because for many employees the threshold to ask a question to the IT team is simply too high.
From reactive to proactive
The second assessment – this time paid for by ZINN itself – was intended to test the effect of the previously taken measures. “Only in this way can you compare apples with apples,” says Joke. The report showed that the organization’s cyber maturity had grown enormously.
The next step is to see what can be done to raise cyber security to an even higher level. The goal? Not just being reactive, but also proactive. For example, ZINN has a cyber insurance policy that provides assistance when things go wrong, but for Joke it’s all about what you can do proactively to avoid ending up in that situation. One of the options is an automatic location check when employees log into the system.
“CSAT really motivated us to tackle ZINN’s cyber security.”
“Cybersecurity is also a hot topic for the Board of Directors, which is why we are regularly asked how we are doing as an organization. CSAT has given us concrete tools for this, with which we can report objectively instead of subjectively,” says Joke.
In collaboration with ZINN’s Data Protection Officer, all action points from the report have been put on a work list, which is reported on every two months. This report also serves as a basis for obtaining approval from the Board of Directors for further IT initiatives. The goal is to stay ahead of changes in the quality standards and requirements that healthcare institutions must also meet, such as ISO 27001, NEN 7510, and NIS2.
Joke found both the CSAT process and the collaboration with QS solutions very pleasant both times: “During the first assessment there was a clear and smooth collaboration with the consultant, and agreements were kept time and time again. That was definitely the motivation to also have the second assessment carried out by QS solutions, which went just as smoothly.”
“The world doesn’t stand still, you have to move with it. CSAT helps you make conscious, well-considered choices.”
For organizations that are still hesitant about having an assessment done, she has a clear message: “CSAT is completely complete. It makes it clear where you stand and what you can still improve. Don’t be afraid of what will be discovered, but approach it positively. It’s not pointing fingers!”