Doctolib

Doctolib provides secure, reliable e-health services in the EU with Cloudflare

Doctolib is Europe’s fastest-growing e-health service. Founded in France in 2013, the company has expanded rapidly, now serving patients in Germany and Italy as well. Patients can use the platform to make appointments and telemedicine visits with healthcare providers.

Doctolib was a well-established e-health service prior to 2019, but the COVID-19 pandemic drove significant, rapid growth. Pre-pandemic, the platform had approximately 1,000 employees, a number that grew to 3,000 within a couple of years. Doctolib also enables over 390,000 healthcare providers to serve 90 million patients across France, Germany, and Italy.

Challenge: Ensuring service accessibility and data privacy and security

Doctolib faced a multi-faceted challenge in securing sensitive data across a complex cloud environment while adapting to a growing hybrid workforce. As they onboarded over 200 employees a month, Doctolib needed to ensure that it maintained its strong security posture and regulatory compliance. The organization had access to large volumes of sensitive patient and employee data and was subject to stringent GDPR requirements for data protection and localization.

“During the pandemic, we had to adapt to a new work model, offering full office, hybrid, or remote options,” explains Cédric Voisin, CISO at Doctolib. “Ensuring compliance and managing cyber threats became even more critical as we navigated this new work environment. A big challenge was to ensure that, no matter where our employees worked from, they could access resources securely.”

Additionally, they needed to protect sensitive data across a broad range of SaaS applications, such as Google Workspace, Microsoft 365, and Salesforce. With several integrations in place, they were concerned about secure access, misconfiguration management, and potential data exposure across these platforms.

On top of these day-to-day security concerns, the company also needed to ensure the availability of its platform through traffic surges during the COVID-19 pandemic. Greater visibility increased visitors to the platform and made it a larger target for cybercriminals.

Managing rapid growth and sudden traffic spikes

During the COVID-19 pandemic, interest in Doctolib grew rapidly. The company provides online health services and was part of the vaccination effort in France and Germany. As a result, traffic to the company’s site grew dramatically over that time period. This growth in traffic was a primary driver behind Doctolib’s switch from Cloudflare’s free plan to becoming an enterprise customer. The transition ensured that the company’s infrastructure could scale and keep up with demand while providing protection against the greater number of cyberattacks that came with the company’s increased visibility.

This additional scalability and resiliency was especially important in the face of sudden spikes in traffic to the company’s page. Occasionally, Doctolib’s CEO would appear live on television, which caused site traffic to triple shortly after.

However, these spikes paled in comparison to the surges that occurred when the company was referenced by France’s president on live television. According to Cédric Voisin, Doctolib’s CISO, “When the president of France talked about us, our traffic jumped by 10X with no warning. We needed a solution that could sustain the additional workload that we couldn’t forecast, which is where Cloudflare was really helpful.”

Ensuring data security and regulatory compliance

Zero trust is a key component of Doctolib’s data security and regulatory compliance strategy. Voisin says, “We don’t implicitly want to trust the hardware or people at any point during the connection. If you want to access one of our assets, you need to prove that you’re who you claim to be and that you’re using the device that you’re claiming to use.”

To meet these zero trust goals, Doctolib uses Cloudflare’s Zero Trust Network Access (ZTNA) service. All employees and contractors are provided with a company laptop preloaded with Cloudflare’s device agent. This enables the organization to control access to patient data and other resources in accordance with regulatory requirements and its own security policy.

To complement these network-level defenses, Doctolib also uses CrowdStrike for endpoint security. As part of the zero trust validation process, Cloudflare verifies that CrowdStrike is active and up to date, protecting the device against malware and other threats to endpoint security. Voisin says, “We work with providers that have access to very sensitive assets. Together, Cloudflare and CrowdStrike ensure that they are who they claim to be and that their devices are secure.”

Cloudflare’s Data Localization Service (DLS) is also critical to the company’s compliance strategy, enabling it to prove to customers and regulators that patient data never leaves the EU. Storing and processing data of EU data subjects within the EU helps make compliance with GDPR easier. DLS also ensures that non-EU providers and third parties do not have access to patient data, that only Doctolib-authorized users can access and view patient data, logs, or IP addresses, and that this metadata never leaves the EU. According to Voisin, “DLS is invaluable for us because it allows us to use Cloudflare while remaining compliant. And no one else in Europe has Cloudflare’s capabilities and ability to handle the massive amount of traffic we have.”

Increasing visibility into data and misconfiguration risks

“The visibility Cloudflare provides is important in helping us reduce the risk of data breaches,” says Voisin. “Their products enable us to quickly address misconfigurations and ensure compliance with data protection regulations like GDPR.”

Voisin explains that Cloudflare has been instrumental in improving Doctolib’s data security and that they plan to continue to collaborate closely with Cloudflare experts to strengthen protection for their employees and customers alike.

Cloudflare paves the way for accelerated future growth with a scalable approach to compliance

Voisin adds, “Next, we want to expand our business to more countries. So we'll have to adapt to more regulation. That's a given. But, we build around Cloudflare, which will be useful for us to be at speed entering the market without many burdens.”

To read more about how Cloudflare helps Doctolib beyond data security and compliance, please read this Medium article in their own words about our application services.

Key Results
  • Ensure website accessibility despite 10x surges in traffic
  • Address GDPR compliance requirements through patient data localization and data security
  • Support zero trust goals via access controls and device validation
  • Improve data visibility and reduce the risk of data exfiltration
