Robust multi-level user and data protection of Military Hospital Olomouc

We implemented a comprehensive solution for the protection of military hospital, which led to a leap increase in the level of security against advanced cyber threats.

Realization 2021

aricoma avatar

Customer profile

Olomouc Military Hospital was founded in 1748 and is the oldest military hospital in the former Czechoslovak Republic.  It is a contributory organization of the Ministry of Defense of the Czech Republic with supra-regional competence, but it provides its services to patients under all health insurance companies regardless of the connection to the Army of the Czech Republic. To provide its services, it has appropriate medical technology and a working force of 500 highly knowledgeable medical personnel.  Apart from the ENT, surgery, and ICU departments, the hospital is located in the buildings of Klášterní Hradisko.

...In cooperation with a company AUTOCONT, we have begun to pay more attention to cyber security in our IT infrastructure. Thanks to the modern and comprehensive Fortinet Security Fabric solution, we now have high-quality integrated protection and minimized downtime in our infrastructure.

Zdeněk Letocha

HEAD OF INFORMATION TECHNOLOGY GROUP

Initial situation and objectives of the project

Before the implementation of this project, the IT infrastructure was built with regards to the required functionality of IT systems, but it did not consider sufficient attention in the field of cybersecurity.

Applications from the outside network were directly exposed to the Internet, lacking two-factor authentication of login accounts. In the IT environment, there were systems for which manufacturers no longer provided basic security updates. Antispam technologies were operated as an external service, and the absence of redundant firewall configuration potentially compromised key external services such as the e-prescription system. Each of the operated technologies stored operational and security logs in different ways and lacked a unified view of the current security situation. 

The original solution was insufficiently secure in view of the ever-evolving cyber threats. The customer perceived the increasing risk very intensely. The aim of the project was to build a modern, comprehensive solution where individual elements of protection automatically communicate with each other, cooperate and increase the effectiveness of security and the speed of response to detected threats.

Benefits

  • Increasing security of the internal network
  • Unified management of all security technologies
  • Common comprehensive view of the overall security situation
  • Single place with logos of all essential technologies
  • Applications accessible from the Internet are checked by security proxies.
  • Two-factor authentication of all user accounts accessing from an external network.published applications.

Solution Description

It was necessary to provide comprehensive and interconnected technology for higher security of the customer's IT systems. This was achieved through the implementation of Fortinet Security Fabric, thereby building integrated protection of IT systems when communicating from the outside environment. In addition, a pair of firewalls in a redundant configuration was implemented to prevent downtime in the event of a failure of one of them.

Nowadays, email is a necessary and usual key tool for everyday communication and productivity in companies.  Unfortunately, it is also a popular attack vector that seeks to steal credentials, obtain sensitive data, or access operating systems.  As attackers increasingly use sophisticated multi-vector campaigns against their targets, email security solutions must provide multi-layered protection. For this reason, the firewalls are linked to the protection of email services, which are implemented through a virtual server and include antivirus and antispam services.   System FortiMail has supplemented the rented services of external entities and reduced the number of spam messages in users' mailboxes.

The project also replaced an outdated service for controlling web traffic between end stations and servers on the Internet, including the implementation of antivirus control for secure communication.
The check is performed by the FortiProxy solution.

Another part of the project was the replacement of antivirus protection of end stations using FortiClient technology. This exchange was carried out regarding the connection with the firewall's security policy, unified management, and the ability to send antivirus logs to one central location with other technologies.  
The most challenging part of this project was deploying the protection of applications and services that are accessible through an external network and that users can log in to from the Internet. Here, cooperation with suppliers of individual applications played a key role, thanks to which a robust solution was eventually built.   Every user who tries to access the application first uses FortiWEB, which is used for authentication through a username, password, and a second factor in cooperation with FortiAUTH, even if the application itself does not allow the use of the other factor. All data that flows between the user on the Internet and applications are controlled using FortiWEB technology.

The whole system is covered by a central repository and log analyzer – FortiAnalyzer. Here, the logs from all security technologies are collected, and in addition to passive storage, "Indicators of Compromise" are searched above the stored logs – characteristic situations that arise when an attacker enters.  FortiAnalyzer thus contributes to active security and can actively alert IT staff to the potential entry of an attacker.

Used technologies

  • Firewall - 2x FG-200 5Yr
  • Forti MAIL (VM)
  • Forti WEB (VM)
  • Forti PROXY (VM)
  • Forti EMS + Forti CLIENT ZTNA EPP/APT
  • Forti Authenticator + Forti TOKEN (SW)
  • Forti ANALYZER (VM)
Share

DO NOT HESITATE TO
CONTACT US

Are you interested in more information or an offer for your specific situation?

By submitting the registration form, I declare that I have familiarized myself with the information on the processing of personal data in ARICOMA.