The municipal company Haßberg-Kliniken operates two primary health care facilities in Haßfurt and in Ebern, in the Würzburg area. A total of around 10,300 inpatient and almost 17,200 outpatient cases are treated by a highly qualified team of doctors and nurses each year.
Haßberg-Kliniken have a high level of competence in modern surgical and diagnostic procedures. An IT network with around 1,000 endpoints underpins high-quality, fast and reliable patient care. Modern medical devices are connected to this network, which gives doctors and nurses secure and direct access to digital information such as MRI data.
The clinic employees work on 160 thin clients, 165 desktop computers and 75 laptops. The endpoints also include 250 printers, and 76 medical devices such as MRI, sonography and X-ray machines are currently networked, a figure that is set to grow. Surveillance cameras and card readers are part of the infrastructure as well. A traditional IT network that incorporates endpoints such as MRI systems becomes a medical IT network, and a risk assessment in line with DIN EN 80001-1 (IEC 80001-1) must therefore be carried out for every connected device, however small, whether a camera or a laptop. Effective monitoring and protection of such hybrid networks is essential: a disruption can have life-threatening consequences for patients if, for example, the ventilators in the intensive care unit are affected.
Jan Schmitt, System administrator, Haßberg-Kliniken
“The goal of our IT security concept is to protect against internal and external attacks, guarantee the functionality of all systems and, of course, to provide data security, as we are dealing with highly sensitive patient data. The security of particularly critical areas such as the operating theaters or recovery rooms, the laboratory and the intensive care unit also forms part of our security concept. Systems that require special protection include: the hospital information system (HIS), the laboratory information system (LIS), the radiology information system (RIS) and various diagnostic systems."
In practice, the clinics use macmon NAC to block unknown MAC addresses the moment they connect to the network, for example when an employee plugs a new device into a data socket. By the same mechanism, an unknown device brought in by an attacker is kept off the production network, a clear advantage given the growing threat to hospital IT. Because the clinic is spread across two sites, the IT department, according to Schmitt, had no immediate overview of changes in the network before macmon NAC was introduced: PCs or thin clients were reconfigured by the site maintenance team, and service engineers made changes to essential endpoints such as MRI machines without consulting IT.
Changes in the network are now immediately visible to the IT department, and each device is handled according to its status. Untrusted devices can be moved by macmon into a visitor or quarantine VLAN as soon as they appear on the network. macmon NAC also records when a device was last active on the network; according to Schmitt, this means that "dead entries can be identified in the network." Devices that have not been seen for a long time, or that are classified as unsafe after a "compliance check", can be held in a quarantine network until their status has been clarified. Schmitt adds: “macmon reliably supports the work of the IT department. Now the users and the service engineers keep us informed of changes well in advance, otherwise they cannot continue working."
Haßberg-Kliniken operate three security zones. Zone 1 holds devices with a recognized computer identity, such as laptops or PCs. Zone 2 holds devices that identify themselves only by a known MAC address; these are permitted to access specific parts of the network. Zone 3 is for unauthorized devices in the LAN and WLAN, which macmon NAC detects and blocks. A practitioner's caveat: a MAC address can be cloned by an attacker, so admission by MAC address alone is weaker than admission by a verified identity, which is one reason to keep the access granted to MAC-only devices narrow.
Jan Schmitt, System administrator, Haßberg-Kliniken
“A penetration test showed that there were significant deficits in network transparency. Based on a recommendation from a security advisor, we opted for macmon NAC. With macmon Network Access Control we know at all times which devices are on the network and can automatically grant or deny access to them using switch port-specific rules. The security vulnerability has been eliminated and the network security has been significantly improved."
Zone 1: Authorized devices in the LAN/WLAN with computer identity
Zone 2: Authorized devices in the LAN/WLAN with MAC address
Zone 3: Unauthorized devices in the LAN/WLAN
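To make the three-zone model and the "dead entry" check described above concrete, here is a small policy engine written as an added example for this page; it is not macmon's code and not taken from the Haßberg-Kliniken deployment. It normalizes MAC addresses as switches report them, maps each live endpoint to a zone (verified identity wins over a known MAC, unknown MACs go to quarantine), produces per-port VLAN assignments, flags allow-listed MACs that have not been seen for a long time, and, as the caveat above suggests, flags a MAC that is active on two ports at once. The VLAN IDs, time windows, switch names and locally administered MAC addresses are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# VLAN IDs, the activity window and the staleness window are assumptions
# for this example, not values from the Haßberg-Kliniken deployment.
VLAN_IDENTITY = 10      # Zone 1: verified computer identity
VLAN_MAC_ONLY = 20      # Zone 2: admitted on a known MAC address only
VLAN_QUARANTINE = 999   # Zone 3: unknown device, held until IT clarifies
ACTIVE_WITHIN = timedelta(minutes=15)
STALE_AFTER = timedelta(days=90)


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..' to lower-case colon form."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Endpoint:
    mac: str
    switch: str
    port: str
    identity_verified: bool   # e.g. an 802.1X or agent-based identity check succeeded
    last_seen: datetime


@dataclass(frozen=True)
class Decision:
    zone: int
    vlan: int
    reason: str


def decide(ep: Endpoint, allowed_macs: Dict[str, str]) -> Decision:
    """Map one endpoint to a zone; identity beats MAC, unknown MACs are quarantined.
    Allow-list keys are expected in canonical lower-case colon form."""
    mac = normalize_mac(ep.mac)
    if ep.identity_verified:
        return Decision(1, VLAN_IDENTITY, "verified computer identity")
    group = allowed_macs.get(mac)
    if group is not None:
        return Decision(2, VLAN_MAC_ONLY, f"known MAC address, group '{group}'")
    return Decision(3, VLAN_QUARANTINE, "unknown MAC address")


def port_rules(inventory: List[Endpoint], allowed_macs: Dict[str, str]) -> Dict[str, int]:
    """Switch-port-specific VLAN assignment for every port with a device on it."""
    return {f"{ep.switch}/{ep.port}": decide(ep, allowed_macs).vlan for ep in inventory}


def duplicate_macs(inventory: List[Endpoint], now: datetime) -> Dict[str, List[str]]:
    """A MAC address active on two ports at the same time is a sign of a cloned address."""
    ports: Dict[str, Set[str]] = {}
    for ep in inventory:
        if now - ep.last_seen <= ACTIVE_WITHIN:
            ports.setdefault(normalize_mac(ep.mac), set()).add(f"{ep.switch}/{ep.port}")
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def stale_entries(allowed_macs: Dict[str, str], inventory: List[Endpoint],
                  now: datetime) -> List[str]:
    """Allow-listed MACs not seen for STALE_AFTER (or never seen): 'dead entries' to review."""
    last_seen: Dict[str, datetime] = {}
    for ep in inventory:
        mac = normalize_mac(ep.mac)
        last_seen[mac] = max(last_seen.get(mac, ep.last_seen), ep.last_seen)
    return sorted(m for m in allowed_macs
                  if m not in last_seen or now - last_seen[m] > STALE_AFTER)


# Constructed sample data: locally administered MAC addresses, invented switch names.
NOW = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)
ALLOWED_MACS = {
    "02:00:5e:00:00:01": "mri",
    "02:00:5e:00:00:02": "printer",
    "02:00:5e:00:00:03": "printer",      # never seen on the network: a dead entry
}
INVENTORY = [
    Endpoint("02-00-5E-00-00-01", "sw-haf-01", "Gi1/0/12", False, NOW - timedelta(minutes=5)),
    Endpoint("02:00:5e:00:00:02", "sw-ebe-02", "Gi1/0/3", False, NOW - timedelta(minutes=2)),
    Endpoint("0200.5e00.0002", "sw-haf-03", "Gi1/0/7", False, NOW - timedelta(minutes=1)),  # same MAC, second port
    Endpoint("02:00:5e:00:00:10", "sw-haf-01", "Gi1/0/20", True, NOW),   # laptop with verified identity
    Endpoint("02:00:5e:00:00:99", "sw-ebe-02", "Gi1/0/9", False, NOW),   # unknown device
]

if __name__ == "__main__":
    for ep in INVENTORY:
        d = decide(ep, ALLOWED_MACS)
        print(f"{ep.switch}/{ep.port}: zone {d.zone}, VLAN {d.vlan} ({d.reason})")
    print("duplicate MACs:", duplicate_macs(INVENTORY, NOW))
    print("stale allow-list entries:", stale_entries(ALLOWED_MACS, INVENTORY, NOW))
```

Run as a script, the example places the MRI and the printer in VLAN 20, the identity-bearing laptop in VLAN 10 and the unknown device in the quarantine VLAN, reports the printer MAC as active on two ports, and lists the never-seen allow-list entry as stale. The duplicate-MAC check only considers entries seen within the activity window, so a device that legitimately moved between sites hours ago is not flagged.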
Christian Bücker, CEO, macmon secure
“Cyber criminals are increasingly targeting critical infrastructures. In response to a request from a parliamentary group, the government advised that the number of hacker attacks in the health sector, and in hospitals in particular, had increased from eleven in 2018 to sixteen in 2019 and to forty-three in 2020. The example of Haßberg-Kliniken shows how network security can be improved with minimal effort. Thanks to our solution, which has already been thoroughly tested in a number of hospitals including Frankfurt University Hospital—where there are 500,000 network events every day—networks with diverse endpoints can be securely protected against unauthorized access by criminals."
Besides the security gain, macmon NAC is straightforward to handle and operate and can be interfaced with other leading security products. Combined with such solutions, macmon NAC can, for example, automatically quarantine a non-compliant device and inform the network administrator of an attack before it has a devastating impact on the hospital. macmon provides interfaces to popular antivirus and endpoint security products, IT incident management, intrusion detection and prevention systems (IDS/IPS), asset management and inventory tools, security information and event management (SIEM) solutions, compliance and infrastructure connections, and identity stores.
Users can thus exploit the full potential of their existing solutions alongside macmon NAC, and the software's scalability allows it to be adapted gradually to growing requirements.
Summary by Jan Schmitt:
"macmon NAC runs reliably in the background. I only need to access the web interface to activate MAC addresses or to remove a device from the network. The implementation was smooth and quick. The OVA template was used and integrated into the virtual environment, the IP address was assigned and the switches were added. After a two-week test phase, we assigned the MAC addresses to the individual groups and were able to start live operation. Updates are easy to download from the macmon service portal." In summary, concludes Schmitt: "macmon functions exactly as we had hoped."