An enlightening account of the issues and solutions at stake
Pierre Taveau, CISO at Poitiers University Hospital, discussed the crucial importance of security in healthcare establishments, highlighting the current challenges faced in this sector.
Firstly, the increasing digitization of the healthcare pathway increases the attack surface, with a multitude of software and business applications following the patient's care pathway. In addition, the exposure of medical equipment on the Internet, particularly in the IoT domain, presents a significant point of vulnerability.
It highlights three major challenges: the technical debt accumulated over the years, the crucial need to train healthcare staff and raise their awareness of cyber risks, and the lack of technical resources in this field.
Reinforcing the security of healthcare services: Olfeo's Crucial Solutions
The year 2023 saw an intensification of challenges for healthcare services, both public and private. Institutions such as the Centre Hospitalier de la Réunion were affected, reminding us of the scale of these challenges in the healthcare sector. Among the crucial solutions, Olfeo and its Web security gateway play a central role.
The proxy challenge
The real challenge for a web proxy today is to effectively control users' use of the Internet. This involves not only monitoring user activities, but also managing IoT devices and other connected objects present on the various UHC sites. Olfeo, with its advanced security engine, offers essential protection through the deployment of clear filtering policies and by implementing data decryption mechanisms essential for complying with regulations such as the RGPD.
Security challenges go beyond simple anti-malware. Olfeo offers a comprehensive approach that includes DNS security, detailed logs, improved visibility of online activities and user awareness pages. An effective filtering policy is essential to control Internet access, prevent threats such as malware, phishing and illegal sites, and ensure compliance with IT charters.
A notable innovation introduced by Olfeo is the Trust-Centric concept, based on a solid URL content base developed over the last 20 years. This approach automatically blocks any content that has not been verified and validated by Olfeo, thus considerably reducing the risks associated with surfing the Internet.
In concrete terms, what does Olfeo bring to a healthcare establishment?
To return to the specific case of the Centre Hospitalier Universitaire (CHU) de Poitiers, the approach adopted to ensure the security of some 10,000 users was to simplify filtering policies by concentrating on Internet access based on predefined categories, validated by all authorities.
In this context, the healthcare establishment switched from a solution based on an American solution, which was becoming increasingly complicated to manage internally because there were dozens of exceptions. The switch to the Olfeo solution was initially complicated by the various exceptions. However, with Olfeo's support, the complete architecture of the in-house solution was reviewed and adapted to all CHU establishments.
So there's a proxy for load balancing, a master and four slaves to manage the 10,000 users, which represents around 7,000 workstations on all the sites (5 sites across the whole department).
Defining and implementing filtering
The filtering security policies were defined in several stages, i.e. an initial validation by the CHU's highest authorities, followed by a validation by all the authorities. This approach enabled all users to be informed in order to determine a simple policy for each level of workstation hierarchy.
The first policy level is no Internet access, which is perfectly feasible for some biomedical equipment, for example. A second level is limited access, with a white list allowing very restricted access to the Internet, corresponding to the use of operating room equipment, console packs and other such equipment. A third level corresponds to the majority of the CHU, which has what is known as "professional" access, where the various authorities have given priority to business-related access.
Another level is what we call VIP. This category is designed for a number of specific, highly controlled uses. It allows full access to trading sites for buyers, for example. This category can allow specific access for psychologists who are confronted with having to research sensitive sites, and this applies to the various exceptions linked to the specific professions that can be found in a healthcare establishment. The last category of users in place is very limited, and applies to developers who have more specific access requirements, in particular for research and development needs that may be found in an establishment such as the CHU de Poitiers.
Filtering policies
Once again, all the authorities have opted for something simple. What's more, this policy is known and validated by all members of the establishment, since it is written into the internal regulations and validated by the IT charter. On the subject of the IT charter, we wanted to set up individual logs for each user, and Olfeo was particularly instrumental in implementing this solution. Indeed, a certain number of connections in our establishments are generic on shared workstations. So, with Olfeo's help, we created an internal connection portal that requires each user wishing to access the Internet to log in with his or her individual login/password. Firstly, this ensures compliance with all regulations, and secondly, it enables us to track and trace all accesses. Depending on the policy, we can use Elasticsearch to display various alerts on our dashboards, particularly when someone tries to access prohibited categories.
In conclusion
Olfeo has enabled us not only to simplify the management of Poitiers University Hospital's Internet access, but also to strengthen our regulatory compliance and help us improve the traceability of online activities.
To view the full webinar, click here: