Poitiers University Hospital
Ensuring the safety of healthcare facilities
Background
Protecting internet access for over 11,000 people
Working hours: 24/7
Number of workstations: 7,000 across 5 sites

An insightful account of the challenges and solutions
Pierre Taveau, Chief Information Security Officer at Poitiers University Hospital, discussed the crucial importance of security in healthcare facilities, highlighting the current challenges facing the sector.
First, the growing digitization of healthcare enlarges the attack surface, as a multitude of software programs and business applications track the patient's care pathway. In addition, medical equipment exposed on the Internet, particularly IoT devices, presents a significant vulnerability.
He highlights three major challenges: the technical debt accumulated over the years, the crucial need for training and awareness-raising among healthcare staff regarding cyber risks, and the lack of technical resources in this area.
- Optimize computer network bandwidth across approximately one hundred different physical locations.
- Ensure the security of 4,000 employees when browsing the Internet (Qwant has also been deployed).
Strengthening Healthcare Security: Olfeo's Critical Solutions
The year 2023 was marked by intensifying challenges for both public and private healthcare services. Institutions such as the Centre Hospitalier de la Réunion were affected, highlighting the scale of these challenges in the healthcare sector. Among the crucial solutions, Olfeo and its web security gateway play a central role.
The proxy challenge
The real challenge for a web proxy today is to effectively control users' Internet usage. This involves not only monitoring user activities, but also managing IoT devices and other connected objects present on the various CHU sites. Olfeo, with its advanced security engine, offers essential protection by deploying clear filtering policies and implementing data decryption mechanisms that are essential for complying with regulations such as the GDPR.
Security issues go beyond simple anti-malware solutions. Olfeo offers a comprehensive approach that includes DNS security, detailed logs, greater visibility of online activities, and awareness pages for users. Implementing an effective filtering policy is essential for controlling Internet access, preventing threats such as malware, phishing, and illegal sites, while ensuring compliance with IT policies.
A notable innovation introduced by Olfeo is the Trust-Centric concept, which is based on a solid URL content database developed over the past 20 years. This approach automatically blocks any content that has not been verified and validated by Olfeo, thereby significantly reducing the risks associated with browsing the Internet.
In concrete terms, what does Olfeo bring to a healthcare facility?
Returning to the specific case of Poitiers University Hospital (CHU), the approach adopted to ensure the security of some 10,000 users was to simplify filtering policies by focusing on Internet access based on predefined categories, validated by all authorities.
In this context, the healthcare facility moved away from an American solution, which was becoming increasingly complicated to manage internally because there were dozens of exceptions. The transition to the Olfeo solution was initially complicated by these same exceptions. However, with Olfeo's support, the entire architecture of the internal solution was reviewed and adapted to all of the university hospital's facilities.
The resulting architecture consists of a proxy used for load balancing, one master and four slaves to manage the 10,000 users, representing around 7,000 workstations across all sites (five sites across the entire department).
Definition and implementation of filtering
The filtering security policies were defined in several stages: an initial validation by the senior management of the university hospital, followed by validation by all management bodies. This approach made it possible to inform all users and to determine a simple policy for each hierarchical level of positions.
The first level of policy is no Internet access, which is entirely feasible for some biomedical equipment, for example. The second level is limited access with a whitelist allowing very restricted Internet access for the use of operating room devices, console packs, and other equipment of this type. The third level corresponds to the majority of the university hospital, which has what is known as "professional" access, where the various authorities have prioritized access related to the profession.
Another level that has been implemented is a category that could be described as VIP. It covers various specific and highly controlled use cases: for example, it allows buyers full access to commercial websites, and it can give psychologists access to the sensitive websites they need for their research. The same applies to other exceptions tied to specific professions found in a healthcare facility. The last category of users is very limited; it applies to developers, who have more specific access needs, particularly for the research and development carried out in an institution such as the Poitiers University Hospital.
Filtering policies
Once again, all authorities opted for a simple solution. What's more, this policy is known and approved by all members of the institution, as it is included in the internal regulations and validated by the IT charter. With regard to the IT charter, we wanted to set up individual logs for each user, and Olfeo played a key role in implementing this solution. This is because a number of connections in our establishments are generic on shared workstations. With Olfeo's help, we have therefore created an internal connection portal that requires every user who wants to access the Internet to log in with their individual username and password. This allows us to comply with all regulations and also enables us to monitor and track all access. Depending on the policies, we can use Elasticsearch to find various alerts on our dashboards and scorecards, particularly when someone attempts to access prohibited categories.
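The access levels and per-user logging described above can be sketched as a default-deny decision function. This is an added example, not Olfeo's configuration or the hospital's actual policy: the level names follow the article, while the category names, hosts, allowlist, the split of the VIP level into two profiles and the log fields are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed URL-category database (stand-in for a vendor-maintained one).
CATEGORY_DB = {
    "vendor-updates.example": "medical_vendor",
    "health-library.example": "health_reference",
    "shop.example": "commerce",
    "sensitive-forum.example": "sensitive_research",
    "pkg-registry.example": "developer_tools",
    "phish.example": "phishing",
}
ALWAYS_BLOCKED = {"phishing", "malware", "illegal"}
PRO = {"health_reference", "medical_vendor"}  # assumed "professional" categories

# Level names follow the article; category sets and allowlist are assumptions.
POLICIES = {
    "no_access":        {"categories": set(), "allowlist": set()},
    "limited":          {"categories": set(), "allowlist": {"vendor-updates.example"}},
    "professional":     {"categories": PRO, "allowlist": set()},
    "vip_buyer":        {"categories": PRO | {"commerce"}, "allowlist": set()},
    "vip_psychologist": {"categories": PRO | {"sensitive_research"}, "allowlist": set()},
    "developer":        {"categories": PRO | {"developer_tools"}, "allowlist": set()},
}

def decide(level, url, user):
    """Return a log record with the allow/block decision for one request."""
    host = (urlsplit(url).hostname or "").lower()
    category = CATEGORY_DB.get(host)
    policy = POLICIES.get(level)
    if not user:                          # shared workstation, nobody logged in
        action, reason = "block", "no_individual_login"
    elif policy is None:
        action, reason = "block", "unknown_level"
    elif category in ALWAYS_BLOCKED:      # blocked at every level
        action, reason = "block", "always_blocked"
    elif host in policy["allowlist"]:
        action, reason = "allow", "allowlisted_host"
    elif category is None:                # not in the database: deny by default
        action, reason = "block", "uncategorized"
    elif category in policy["categories"]:
        action, reason = "allow", "category_permitted"
    else:
        action, reason = "block", "category_not_permitted"
    return {"user": user, "level": level, "host": host,
            "category": category, "action": action, "reason": reason}

if __name__ == "__main__":
    for req in [("professional", "https://shop.example/cart", "jdoe"),
                ("vip_buyer", "https://shop.example/cart", "buyer1"),
                ("developer", "https://never-seen.example/", "dev1")]:
        print(decide(*req))
```

Each returned record carries the individual user name, so blocked attempts can be indexed and searched per person rather than per shared workstation.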
In conclusion
Olfeo has not only simplified Internet access management at Poitiers University Hospital, but also strengthened our regulatory compliance and helped us improve the traceability of online activities.