Note: If the preview above is unavailable, click the "additional file" link at the bottom of the page.

Narrative Submission
Information submitted by applicant

Project cost: The budget for the communication and education around this project was $2,000.

Audience
Our audience for this project included all BJC HealthCare employees, contractors, some Washington University employees and select vendors.

Goals 
In less than eight months, BJC HealthCare Information Technology needed to smoothly migrate more than 40,000 employees, contractors, and vendors from its multi-factor authentication platform, Duo, to a new solution named Microsoft Authenticator. The switch had the potential to create disruptions in patient care, so effective, targeted internal communication was vital in this project.

Multi-factor authentication (MFA) requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN. For example, an employee may enter a username and password to access email and be prompted on their phone to approve the login with a prompt, phone call, etc.

The use of MFA provides an added layer of protection around BJC’s patient data and other sensitive information. With an enterprise agreement in place with Microsoft, moving to its MFA tool and discontinuing the use of Duo would achieve significant cost savings for BJC.

The goal of our communication campaign was to drive enrollment numbers above 90 percent by June 2022. Due to our diverse workforce spread out across 14 hospitals and several service organizations, the change needed to be thoroughly communicated systemwide using online and offline communication channels.

Our team needed to provide notice of the change and instructions on how to register and use MS Authenticator before the switch. Audience segments included physicians, other clinical staff and non-clinical staff. Those groups were segmented further into device and application usage to determine how to educate employees on how to use MS Authenticator using a mobile app, phone call or other methods.

For internal research and testing, we created a pilot group of nearly 200 employees to go through the MS Authenticator enrollment process and test the app. Participants in the pilot were surveyed using a Microsoft Form afterward to identify pain points and augment our FAQ documents and instructions before the larger rollout.

Implementation
Strategy
The communication strategy focused on promoting MS Authenticator to employees as something that worked much like their existing MFA solution. We emphasized Microsoft Authenticator’s strong similarity in functionality compared to Duo in articles about the change to reduce any anxiety employees might have regarding new steps they would need to take to access their accounts. We commonly used phrases including, “as you do with Duo” or “like Duo.”

We repeatedly emphasized MS Authenticator’s benefits to employees, including the ability to register without using a computer on the BJC network. This was especially appealing to our fully remote employees. The integration with existing Microsoft products used by employees was another key benefit mentioned, including the ability to use Microsoft’s password reset tool off of the network.

Tactics

During the first round of communication, we incentivized early adoption of MS Authenticator with a prize drawing. Anyone who enrolled before April 1 was entered into the drawing. Twenty employees were awarded Amazon gift cards. By April 1 around 10,000 employees had registered for MS Authenticator.

We utilized numerous internal digital channels to notify employees of the change:
• Hospital e-newsletters
• BJCnet system intranet home page and other organization intranet sites
• Yammer (internal social media channels) posts for the prize drawing and deadline reminders for the migration
• Direct-to-user email notifications
• Leader e-newsletters and PowerPoint presentations
• Employee online town hall mentions
• Implemented a 14-day registration pop-up for users when they logged into their applications if they had not already registered. This was done after our initial communications were sent and the intranet resource page was available.
• Tech Talk video

Offline communications were very important to reach employees who were often working on the floors of the hospitals and were not in front of computers often.

• We frequently utilized tiered huddles at the hospitals and our service organizations.
• We promoted Microsoft Authenticator adoption and answered employee questions at various in-person cybersecurity awareness events at our hospitals.

For training, we leveraged a member of our BJC Institute for Learning and Development to create instruction guides for employees. The guides were formatted using the same look and feel as our other technical guides and refined based on the pilot group feedback. Our training group also focused one of its “Tech Talk” episodes on MS Authenticator. The live Teams broadcast gave employees a chance to ask questions in real-time. It was recorded and used in future communications. Samples of these are included in our files attached to this submission.

Lastly, we provided onboarding resources for new employee orientation and a robust resource page on our IT intranet site that is updated regularly based on any new feedback we receive.
We assisted in equipping the BJC IT Service Desk with detailed knowledge articles so that support staff could quickly resolve any employee issues when contacted by phone or live chat. Each of the articles was written to align with our employee communications to prevent any conflicting information.

Results
The project was considered a huge success by BJC IT leadership. It was completed on time, and all former regular Duo users were migrated to MS Authenticator and teams who monitored its use confirmed it was being used daily to access BJC applications. Duo was shut down at the end of the year as planned.

There were no significant disruptions to patient care reported and the BJC IT Service Desk experienced an increase in calls, but nothing that was not manageable during the weeks leading up to launch and afterward.

By engaging BJC staff six months before the final transition and clearly defining the benefits of the change, we were able to get strong buy-in as to why this migration was important for the security of BJC’s data. Our grassroots method of reaching employees upward through their tiered huddle system ensured employees at every level were informed.

By October, all employees who accessed resources remotely were using MS Authenticator. Some members of the original target group opted to not use the app due to their job roles. Most in that group were non-employees who had limited or no contact with BJC systems.

We surveyed employees at numerous employee events in the fall, and almost all of them said that they found the product easy to use. A few had questions we were able to answer quickly using the online resources available.

Additional File