From Reactive to Proactive Security at ZINN

The relevance of our solutions, experience, and expertise only becomes tangible when we can apply them to our clients. Therefore, we like to ask them about their experience with our services and the products we deliver.

Below, you can read the story of ZINN (Zorginstelling In Noord-Nederland), which provides various types of elderly care from six locations.

24/7 Elderly Care

The conversation with Joke Rietel, who has been the ICT manager at ZINN for five years, is inspiring. Joke is happy to talk about her organization, and her stories give the technology a human touch. ZINN offers the elderly a comprehensive package of care in their familiar environment. They stay at home as long as possible and move to a facility if staying at home is no longer feasible for any reason. ZINN’s locations are in Groningen itself, as well as in Haren and Hoogezand. “You shouldn’t move people who have lived in the city their whole lives to a village, and vice versa,” says Joke.

ZINN focuses on various forms of elderly care. It offers home care and rehabilitation, but clients can also live ‘intramurally’ or in one of the organization’s residences. With a team of 3,200 employees—including in-house doctors, dentists, physiotherapists, and other care professionals—ZINN operates 24/7. Therefore, electronic client records (ECDs) must be accessible at any time of the day and night. Because this involves very personal information, it carries certain risks.

Safety First

ZINN’s systems previously ran in a thin-client (on-premise) environment. Five years ago, the organization transitioned to the principle of ‘everything SaaS, unless…’. This also meant working only with standard applications instead of custom solutions, with suppliers taking over their management.

By now, all network connections have been optimized and made scalable, new WiFi access points and firewalls have been installed, on-premise servers have been phased out, and the switch from Citrix to Microsoft has been made. Protecting client data is a top priority in all these changes. Joke: “It’s not a question of if you will become a victim of cybercrime, but when.” This was the main reason she wanted the earlier security measures to be objectively tested by an external party.

Where do we stand? Are we really as good as we think we are? What are our blind spots?

Changes in laws and regulations also played a role, and it was a way to justify IT costs to the Supervisory Board. On Microsoft’s advice, ZINN turned to QS solutions. For years, Microsoft has been using our in-house developed Cyber Security Assessment Tool (CSAT) worldwide to test the cyber resilience of organizations of all sizes.

No Extra Costs

ZINN has now conducted an assessment for two years in a row. Despite the fact that the first one was a gift from Microsoft, Joke still asked critical questions about what would be tested and what might come out of it. Because aside from any investments, an assessment always brings action points—and therefore work—with it. Action points that need to be followed up on, according to Joke. “There’s no point in doing an assessment if the report then ends up in a drawer.”

Improvements don’t necessarily cost money. You don’t always need to buy a tool to score better.

The first CSAT revealed a number of expected action points, but also a few ‘blind spots’ that the IT team had previously overlooked. And it’s precisely the latter that makes the assessment so valuable. “If improvements are needed, it’s absolutely no disgrace,” says Joke.

Based on the first report, ZINN’s IT team took steps to fill the ‘gaps.’ Without incurring extra costs, that is! That’s an important message Joke wants to convey to organizations hesitant about conducting an assessment: “Improvements don’t necessarily cost money. You don’t always need to buy a tool to score better.”

Balance Between Security and Ease of Work

The challenge for ZINN in increasing data security lies—like for many other organizations—in finding the right balance between security and ease of work. Protecting sensitive data is, of course, extremely important, but it must remain workable and not negatively impact productivity. 24/7 access to applications remains the goal, as does the ability to log in easily.

A maximum security level is not our goal because a care institution cannot function that way.

Digicoaches

In this regard, ZINN’s mindset has changed in recent years: where IT used to be leading, the question is now repeatedly asked, ‘how can IT support?’ The goal is still to increase cyber security, but it’s simply a matter of a different starting point. When asked if Joke plans to bring ZINN to the maximum security level, she gives a short and concise answer: “No! Because that would mean that a care institution can no longer function.”

It’s also all about communication. ZINN now employs ‘digital coaches’. These are existing (care) workers who get extra hours to help their colleagues, in an approachable way, with the technological side of their work. Using care-related examples, they explain why certain things need to be done, such as two-factor authentication. And that’s necessary because for many employees, the threshold for asking the IT team a question is simply too high.

From Reactive to Proactive

The second assessment—this time paid for by ZINN—was intended to test the effect of the previously taken measures. “Only then can you compare apples to apples,” says Joke. The report showed that the organization’s cyber maturity had grown significantly.

The next step is to see what can be done to take cyber security to an even higher level. The goal? Not just being reactive, but also proactive. For example, ZINN has cybersecurity insurance that provides assistance if something goes wrong, but for Joke, it’s about what you can do proactively to avoid ending up in that situation. One of the possibilities is an automatic location check when employees log into the system.

CSAT has really motivated us to tackle ZINN’s cyber security.

“Cybersecurity is also a hot item for the Board of Directors, and that’s why we are regularly asked how we, as an organization, are doing. CSAT has given us concrete tools to report objectively instead of subjectively,” says Joke.

In collaboration with ZINN’s Data Management Officer, all action points from the report have been put on a work list, which is reported on every two months. This report also serves as a basis for getting approval from the Board of Directors for further IT initiatives. The goal is to stay ahead of changes in the quality standards and requirements that care institutions must also comply with, such as ISO 27001, NEN 7510, and NIS2.

Collaboration

Joke has found the CSAT process and the collaboration with QS solutions very pleasant both times: “During the first assessment, there was clear and smooth collaboration with the consultant, and agreements were consistently kept. That was absolutely the motivation to have the second assessment conducted by QS solutions, which also went smoothly.”

The world doesn’t stand still; you have to move with it. CSAT helps you make conscious, well-considered choices.

For organizations still hesitant about conducting an assessment, she has a clear message: “CSAT is completely comprehensive. It makes clear where you stand and what you can still improve. Don’t be afraid of what will be discovered, but approach it positively. It’s not finger-pointing!”

Want to Know More?

Would you like to know how your organization stands in terms of cybersecurity? Are you looking for a partner who will work with you to improve the security of the organization and make employees as productive as possible? Let us know! Our experts are happy to help you get started.