Executive Summary
A global healthcare technology firm serving 12 million patients across 400+ hospital networks needed to modernize its identity and access management (IAM) infrastructure. Legacy perimeter‑based security left sensitive patient data—including EHR, imaging, and billing systems—vulnerable to lateral movement attacks. With HIPAA audits tightening and ransomware threats escalating, the organization engaged THNKBIG to design and implement a comprehensive zero‑trust identity framework that would protect data at every layer without disrupting clinical workflows.
Key Scope Items
Solution Implemented
- Azure AD Conditional Access + FIDO2 — Deployed passwordless MFA for all 8,500 clinical and administrative users, achieving 99.7% MFA adoption in 60 days.
- Micro‑segmentation on AKS — Implemented Kubernetes Network Policies and Calico for east‑west traffic control, isolating EHR, imaging, and billing workloads into zero‑trust zones.
- Just‑in‑Time (JIT) privileged access — Replaced shared service accounts with Azure PIM (Privileged Identity Management), granting time‑bound, audited access to sensitive systems.
- SIEM + SOAR integration — Unified security telemetry in Microsoft Sentinel with automated playbooks that cut mean‑time‑to‑detect from 14 days to under 4 hours.
Outcomes Expected
- Achieve 99%+ MFA adoption across all user populations within 60 days.
- Reduce over‑privileged accounts by ≥ 80% through JIT access and least‑privilege enforcement.
- Cut mean‑time‑to‑detect (MTTD) for unauthorized access from 14 days to < 6 hours.
- Pass HIPAA and SOC 2 Type II audits with zero critical findings.
- Eliminate lateral‑movement risk across patient data systems via micro‑segmentation.
Challenge
The client's existing security posture relied on VPN‑based perimeter controls and shared service accounts, creating several critical gaps:
- Over‑privileged access — 68% of service accounts had broader permissions than required, exposing PHI to insider threat and lateral movement.
- No micro‑segmentation — Once inside the network, applications could communicate freely, meaning a single compromised endpoint could reach patient databases.
- HIPAA compliance gaps — Audit findings flagged insufficient MFA adoption (only 42% of clinical users) and inadequate access logging for EHR systems.
- Slow incident response — Mean time to detect unauthorized access was 14 days, well above industry benchmarks.
Challenge
The client's existing security posture relied on VPN‑based perimeter controls and shared service accounts — a model built for a pre‑cloud era that left critical gaps in a world of distributed microservices and remote clinical access:
Over 68% of service accounts had broader permissions than required, exposing protected health information (PHI) to insider threat and lateral movement. Once inside the network perimeter, applications could communicate freely with no micro‑segmentation, meaning a single compromised endpoint could reach patient databases across the entire system.
HIPAA audit findings flagged insufficient MFA adoption — only 42% of clinical users — and inadequate access logging for electronic health record (EHR) systems. Mean time to detect unauthorized access was 14 days, well above the 24‑hour industry benchmark for healthcare organizations.
Solution
Our team designed and implemented a comprehensive zero‑trust framework across four pillars:
Identity & Authentication
Deployed Azure AD Conditional Access with FIDO2 passwordless authentication for all 8,500 clinical and administrative users. Achieved 99.7% MFA adoption within 60 days through phased rollout starting with administrative staff, then extending to clinical users with workflow‑optimized authentication flows that minimized disruption to patient care.
Micro‑Segmentation on AKS
Implemented Kubernetes Network Policies and Calico for east‑west traffic control, isolating EHR, imaging, and billing workloads into zero‑trust zones. Each service can only communicate with explicitly authorized endpoints, eliminating lateral movement risk across the 400+ hospital network.
Just‑in‑Time Privileged Access
Replaced 340 shared service accounts with Azure PIM (Privileged Identity Management), granting time‑bound, audited access to sensitive systems. Administrators now request elevated access for specific tasks with automatic expiration — reducing the over‑privileged account footprint by 83%.
SIEM + SOAR Integration
Unified security telemetry from all identity, network, and application sources into Microsoft Sentinel. Built 47 automated detection playbooks covering common attack patterns — from brute‑force attempts to anomalous data exports — cutting mean‑time‑to‑detect from 14 days to under 4 hours.
Implementation
The engagement unfolded in three phases over 14 weeks:
Phase 1 — Assessment & Design (3 weeks): Mapped all 2,100+ service accounts, catalogued inter‑service communication patterns, and designed the zero‑trust zone architecture. Identified 23 critical data flows requiring immediate segmentation.
Phase 2 — Core Implementation (8 weeks): Rolled out Azure AD Conditional Access and FIDO2 authentication, deployed Calico network policies across all AKS clusters, and migrated shared accounts to Azure PIM. Ran parallel monitoring to validate no clinical workflows were disrupted.
Phase 3 — Detection & Response (3 weeks): Integrated all telemetry into Microsoft Sentinel, built automated playbooks, and conducted red‑team exercises to validate detection coverage. Trained the client's security operations team on the new platform.
Results & Impact
Within 90 days, the zero‑trust framework delivered transformative security improvements:
Security incidents dropped by 50%, with the most significant reduction in lateral movement and credential‑based attacks. MFA adoption reached 99.7% — up from 42% — with clinical user satisfaction scores remaining above 4.2/5 thanks to the passwordless FIDO2 experience.
Over‑privileged accounts were reduced by 83%, from 340 shared service accounts to time‑bound, audited JIT access. Mean‑time‑to‑detect fell from 14 days to 3.8 hours, with automated playbooks resolving 67% of common alerts without human intervention.
The client passed their annual HIPAA audit and SOC 2 Type II certification with zero critical findings — the first clean audit in three years.
Key Takeaways
Zero‑trust is a journey, not a product: Success required integrating identity, network, and detection — not just buying a tool.
Passwordless MFA drives adoption: FIDO2 eliminated the friction that kept clinical MFA adoption at 42% for years.
Micro‑segmentation prevents the blast radius: Calico network policies on AKS stopped lateral movement cold in red‑team exercises.
Automation is the force multiplier: Sentinel playbooks resolved 67% of alerts automatically, letting the security team focus on novel threats.
Industry Context
Sector-Specific Challenges
Healthcare organizations face unique infrastructure challenges, including strict data privacy requirements under HIPAA, the need for high availability systems that support critical patient care, and complex integration requirements with legacy electronic health record (EHR) systems. These organizations must balance innovation with regulatory compliance while managing sensitive patient data across distributed systems.
Technical Considerations
Key technical considerations for healthcare infrastructure include end-to-end encryption for protected health information (PHI), audit logging for compliance reporting, disaster recovery with minimal downtime requirements, and secure API integrations with clinical systems. The infrastructure must support both on-premises and cloud deployments to meet varying compliance requirements.
Regulatory Environment
Healthcare infrastructure must comply with HIPAA Security Rule, HITECH Act requirements, and often state-specific healthcare data protection laws. Organizations handling Medicare/Medicaid data may also need to meet CMS security requirements.
Our Approach
Our security practice implements defense-in-depth strategies for cloud-native environments. We design and deploy zero-trust architectures that verify every request, minimize blast radius through microsegmentation, and provide comprehensive visibility into security posture. Our approach integrates security into the development lifecycle through DevSecOps practices.
Engagement Phases
- 1Security Assessment: Threat modeling, vulnerability scanning, and compliance gap analysis
- 2Zero Trust Design: Identity-centric architecture, microsegmentation strategy, and access policy design
- 3Security Implementation: Deploy network policies, service mesh, secrets management, and SIEM integration
- 4Compliance Automation: Implement policy-as-code, automated scanning, and continuous compliance monitoring
- 5Security Operations: Establish incident response procedures, security monitoring, and threat hunting capabilities
Key Deliverables
- Zero-trust network architecture with microsegmentation policies
- Secrets management system with automated rotation
- Security scanning integrated into CI/CD pipelines
- Compliance dashboards with automated evidence collection
- Incident response playbooks and security runbooks
Frequently Asked Questions
What compliance frameworks do you support?
We have experience implementing controls for SOC 2, PCI DSS, HIPAA, FedRAMP, NIST 800-53, and CMMC. Our approach uses policy-as-code to automate compliance validation and evidence collection, reducing audit burden while maintaining continuous compliance posture visibility.
How do you implement zero-trust in Kubernetes environments?
We implement zero-trust through multiple layers: service mesh for mutual TLS between services, network policies for microsegmentation, workload identity for cloud resource access, and policy engines like OPA for fine-grained authorization. Every request is authenticated and authorized regardless of network location.
How do you approach client engagements?
Every engagement begins with a thorough discovery phase to understand your current state, business objectives, and constraints. We develop tailored recommendations rather than applying one-size-fits-all solutions. Our consultants work alongside your team to transfer knowledge and build sustainable capabilities. We measure success by business outcomes, not just technical deliverables.
What ROI can we expect from this type of engagement?
Organizations typically see significant improvements across multiple dimensions. Common outcomes include 50-80% reduction in deployment time, 30-50% decrease in infrastructure costs, 60-90% reduction in incident resolution time, and substantial improvements in developer productivity. The specific ROI depends on your starting point and investment level, which we help quantify during the assessment phase.
Related Solutions
This case study demonstrates our expertise in the following service areas. Learn more about how we can help your organization achieve similar results.
Cloud Complexity is a Problem —
Until You Have the Right Team
From compliance automation to Kubernetes optimization, we help enterprises transform infrastructure into a competitive advantage.
Talk to a Cloud Expert
