Digitization in the hospital environment has many advantages: more efficient treatment, better utilization of resources and personnel, and more convenience and better information for patients. But ever more data also attracts ever more criminals, who are after patient data or simply ransom money.
The CTO of our customer sums it up: “There is a lot of pressure to make our IT more resilient, because the answer to ransomware cannot be that we allot money for ransom payment,” he says, “especially since the hackers would then become aware of it, when we do nothing to prevent them from entering the system in the first place.”
Jens Hennig, comdivision's lead architect for this customer, knows the challenges: “Hospitals with more than 30,000 inpatient cases (among others) are subject to the regulations of the Critical Infrastructure Act (KRITIS),” says Hennig, “so, for example, systems for attack detection must be introduced. In addition, if a hospital wants to receive urgently needed funding from the Hospital Future Act (KHZG), part of it must be used for security measures.”
“The customer had already installed a large number of solutions,” reports Hennig. “Most of these systems were not bad in themselves, but the administrative effort was immense.” The customer approached comdivision to propose solutions for holistic reporting that documents end-device security and access as well as (cloud) app security.
One part of the challenge was that device management had to secure the cell phones, tablets and notebooks of employees such as nurses and doctors, and also cover devices that patients could use. “One of the services offered by the hospital was the possibility, especially for young patients, to use tablet computers for entertainment purposes,” says Jens Hennig.
The new solution was meant to consolidate the multitude of individual products into a single, unified one. “Our approach was based on four pillars,” explains Hennig, “device management, access (identity), app access, and security in the area of antivirus / EDR. We are already mapping a large part of an all-encompassing zero-trust architecture without having to tear everything out and redo it,” says Hennig with a wink.
The heart of Zero Trust is an access model in which users are granted only the authorizations they actually need for the application they call up, and no longer have access to the entire data center.
This trust is verified in stages: first, whether the device is what it claims to be; then the identity of the user is established; and then it is checked whether the transport path of the data packets is secure.
This model is applied uniformly to all types of applications, i.e. cloud-hosted SaaS applications, on-premises software, virtual or OS-native apps. For each application, the lowest set of permissions it needs to run is then determined and granted.
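The staged check described above (transport, device, user, then least privilege per app) can be made concrete as a small policy decision function. The following is an added example written for this article; it is not comdivision's or VMware's code and makes no claim about how Workspace ONE Access or Workspace ONE Intelligence evaluate policy internally. All field names, thresholds (the risk-score cut-offs, the TLS floor) and the sample contexts are assumptions constructed for the illustration.

```python
"""Context-based zero-trust access decision (editor's illustration, not vendor code).

Evaluates, in order: transport security, device identity and compliance,
user identity and risk, then grants only the scopes the requested app needs.
All thresholds and field names below are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    managed: bool      # enrolled in device management (UEM)
    compliant: bool    # passes compliance policy (patched, encrypted, ...)
    attested: bool     # device identity verified: it is what it claims to be


@dataclass
class User:
    authenticated: bool
    mfa: bool          # second factor completed in this session
    risk_score: int    # 0 (clean) .. 100 (assumed scale from risk analytics)


@dataclass
class Transport:
    tls: bool
    tls_version: str   # e.g. "1.2" or "1.3"


@dataclass
class App:
    name: str
    sensitivity: str          # "low" | "medium" | "high"
    required_scopes: tuple    # the minimum permissions this app needs to run


@dataclass
class Decision:
    verdict: str              # "allow" | "step_up" | "deny"
    scopes: tuple = ()        # permissions granted: only what the app needs
    reasons: list = field(default_factory=list)


def _tls_ok(t: Transport) -> bool:
    """Transport must be TLS 1.2 or newer (assumed floor)."""
    if not t.tls:
        return False
    try:
        major, minor = (int(x) for x in t.tls_version.split("."))
    except ValueError:
        return False
    return (major, minor) >= (1, 2)


def decide_access(device: Device, user: User, transport: Transport, app: App) -> Decision:
    reasons = []
    # 1. Transport path: the data packets must travel over a secure channel.
    if not _tls_ok(transport):
        return Decision("deny", reasons=["transport is not TLS >= 1.2"])
    # 2. Device: is it what it claims to be, and is it in a known-good state?
    if not device.attested:
        return Decision("deny", reasons=["device identity not attested"])
    if not (device.managed and device.compliant):
        if app.sensitivity != "low":
            return Decision("deny", reasons=[f"unmanaged/non-compliant device for {app.sensitivity} app"])
        reasons.append("non-compliant device tolerated for low-sensitivity app")
    # 3. User identity and context risk; high-sensitivity apps always need MFA.
    if not user.authenticated:
        return Decision("deny", reasons=["user not authenticated"])
    if user.risk_score >= 70:
        return Decision("deny", reasons=[f"user risk score {user.risk_score} too high"])
    needs_mfa = app.sensitivity == "high" or user.risk_score >= 40
    if needs_mfa and not user.mfa:
        return Decision("step_up", reasons=["MFA required in this context"])
    # 4. Least privilege: grant only this app's scopes, never blanket data-center access.
    return Decision("allow", scopes=tuple(app.required_scopes), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample contexts (not real hospital data).
    ehr = App("ehr", "high", ("patient:read", "patient:write"))
    entertainment = App("patient-tablet-media", "low", ("media:stream",))
    nurse_phone = Device(managed=True, compliant=True, attested=True)
    patient_tablet = Device(managed=True, compliant=False, attested=True)
    nurse = User(authenticated=True, mfa=False, risk_score=10)
    print(decide_access(nurse_phone, nurse, Transport(True, "1.3"), ehr))
    print(decide_access(patient_tablet, nurse, Transport(True, "1.2"), entertainment))
```

The ordering matters: transport and device checks run before any user credential is considered, so a stolen password on an unknown device never reaches the MFA prompt, and an "allow" carries only the app's own scopes rather than a network-wide grant.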
“Network virtualization is also in the future, but first we had to deal with the most pressing problems.”
“We first configured compliance and security settings for all devices via Workspace ONE UEM,” Hennig continues, “so we can use automation to specify that devices not only have to be patched and updated, we can also proactively counter malfunctions, for example by automatically reinstalling apps in the background, and thus increase acceptance and user satisfaction.”
The CTO of the hospital added: “We have an immense need for training, but we have a very difficult time meeting those requirements, due to the work overload the staff is facing. A simplification of the access and the app display helps a lot here!”
“We have migrated access control to Workspace ONE Access. This enables us not only to carry out context-based authentication in preparation for a comprehensive zero trust architecture, but also to implement multi-factor authentication and risk-based access,” explains Hennig.
More and more apps are being moved from the hospital's own data center to the cloud, and our customer is no exception. “In order to guarantee uniform access and to prevent staff from falling victim to phishing attacks, we now control access to cloud apps such as Office 365 with the Intelligent Hub from Workspace ONE,” describes Hennig. “In this way we are shifting the security perimeter from the data center firewall to the cloud. We no longer have to drill new holes in the firewall for each new application, but can manage access centrally.”
With the integration of VMware Carbon Black, so-called audit and remediation measures can be implemented, which could also be described as vulnerability management:
“With Carbon Black in the context of Workspace ONE, we harden the devices in order to reduce the attack surface, so we make them less vulnerable to attacks. Then we have to prevent the attacks that we cannot simply fend off by hardening, and finally we have to recognize and react to attacks that we cannot simply prevent,” Hennig describes the individual steps. “Technically speaking, the data is fed into Workspace ONE Intelligence; there, with the help of VMware SASE, an individual decision is made on who can access the resources, when, with which device, and how.”
With this solution from the VMware Anywhere Workspace suite of products, comdivision was able to ensure that the threat situation
1. is not viewed in isolation, but in a standardized way
2. is not treated threat-centrically, but context-centrically
3. is not handled in silos, but in an integrated manner
As mentioned above, once the remaining work has been completed, the customer plans to move on to the next phase of the all-encompassing zero trust strategy: network virtualization with NSX. Its micro-segmentation makes it possible to define even more precisely which workloads and users may access which virtual machine.