Cyber
Case Study


Brest University Hospital is the leading healthcare operator in Western Brittany, with more than 8,000 professionals working to improve the health of the population. Its activities are carried out on nine sites, with more than 130,000 people hospitalised each year, covering the full range of healthcare services.

It is therefore a critical healthcare activity at the western tip of Brittany, where information systems play a major role in the delivery of care.

How does HarfangLab protect the information system at Brest University Hospital? Jean-Sylvain Chavanne, CISO, explains.

Context

The need for a new managed detection tool

Until 2022, the University Hospital had an anti-virus system to protect its digital systems, but due to a lack of internal resources, it operated automatically, with little human supervision.

The hospital therefore needed to call on a managed cybersecurity service, while strengthening its threat detection capability with next-generation tools such as EDR.

“We wanted to invest in new cyber security equipment and have a service that would monitor our digital equipment 24/7, provide reporting in the event of an alert and advise us in the event of a security event. No-one in-house had mastered EDR technology, so we needed to rely on external teams who knew the technology well, and who were able to advise us on the best tool to protect our information system.”
Jean-Sylvain Chavanne, CISO

Specific needs of the hospital sector

The hospital needed an EDR that met the specific needs of the hospital sector.

For example, the hospital operates highly critical servers that provide the interface between applications (EAI, Enterprise Application Integration, and EDI, Electronic Data Interchange) and that have limited resources (such as RAM). For these servers, it was therefore essential that the EDR consumed few resources so as not to affect their operation.

In addition, the EDR had to adapt to the existing architecture of the hospital. The workstations and servers are equipped with heterogeneous operating systems, some of which are old and yet critical.

Lastly, the EDR had to guarantee the smooth operation of critical business applications whatever the circumstances, such as biomedical equipment managing medical imaging or medical biology. Indeed, if these systems are blocked, this can have a major impact on patient care.

Why HarfangLab?

As well as meeting the technical prerequisites, the CISO wanted a European technology, in particular to guarantee control over his data. In making his choice, he relied on the expertise and advice of MSSP Advens, which operates in the healthcare sector and is therefore familiar with its constraints and challenges. The HarfangLab solution had also been recommended to him by other CISOs in the healthcare sector.

Deployment

Gradual deployment

The EDR was deployed gradually, in particular to validate that it would work properly with critical medical devices, which also helped to reassure the IT Department. The CISO began by deploying EDR on 5% of the Windows servers, 5% of the Linux servers, and 5% of the workstations, and so on until he had almost 100% of the installed base. But not everything went according to plan.

A cyber-attack that accelerated deployment

Just as the deployment was underway, the hospital suffered a computer intrusion, which drastically accelerated the deployment to all equipment.

“Once the EDR had been deployed across the whole computer park, it gave us a view of the entire IT system, enabling us to see if the attacker had left a backdoor, and to monitor any new cyberattack. Knowing that the EDR was deployed on all workstations and servers gave me peace of mind during this difficult period.”
Jean-Sylvain Chavanne, CISO

During the cyber-attack, the CISO appreciated the collective effort made by the Advens MSSP teams and incident response provider Lexfo, as well as the support of the HarfangLab CTI teams, who helped him to identify the attackers.

Support

Brest University Hospital is relying fully on its MSSP Advens, which manages the HarfangLab EDR.

“The Advens teams now have real expertise in the healthcare sector. In fact, like other healthcare CISOs, I’m asked to take part in a continuous improvement process every quarter. They are also very responsive: when I have a problem or a question about the solution, my request is dealt with within half a day. And finally, they are real partners: they listen to me and take into consideration our requests or suggestions for improvement.”
Jean-Sylvain Chavanne, CISO

Results

Granularity of detection and a clear interface

“We like the fact that we can play around with the detection and blocking modes for the different detection engines. We can customise blocking modes and manage whitelists down to the last rule: so when a YARA (signature) or Sigma (behavioural) rule sounds, we know that there is a 90% chance that it is a real positive. The interface is also very clear. When a security event is flagged up by the console, it’s easy to launch investigations straight away, and to provide the first elements of analysis if an incident is suspected.”
Jean-Sylvain Chavanne, CISO

The role of EDR in information system visibility

According to the CISO, in addition to its use for incident detection, EDR is also the only tool that provides overall visibility of the information system, for example to identify the number of applications deployed on the computer park, or to respond to compliance issues.

“Following the cyber-attack, the IT Department needed to know how many computers were equipped with an older version of Microsoft Office in order to migrate them. Thanks to a simple search with the EDR, we were able to tell the IT department exactly how many workstations were affected, and therefore how long it would take to carry out the migration. The EDR also gives me the visibility I need to carry out compliance checks on my machines, particularly those that are not identified in the Active Directory.”
Jean-Sylvain Chavanne, CISO

A tool that adapts to the existing architecture

As the HarfangLab EDR consumes very little RAM (~130 MB), the entire hospital IT infrastructure could be protected without the need to replace hardware or invest in more powerful servers. Only a few servers equipped with fairly old operating systems were not covered. The need to be covered accelerated server migrations by the IT Department.

Easier collaboration between users

One feature of the EDR is greatly appreciated by the CISO: the ability to leave comments about each machine. This enables the CISO to communicate effectively with the MSSP Advens.

“The EDR offers a number of features that facilitate collaborative working between analysts, but also with our MSSP. For example, I can easily indicate whether any of the equipment in our fleet is critical, so that Advens can pay particular attention to it before potentially blocking a process in the event of an alert. It’s an option that may seem basic but has a lot of value in the hospital sector.”
Jean-Sylvain Chavanne, CISO