Case Study

Caring for cybersecurity at one of Belgium’s leading hospitals

RESULTS

  • 50% reduction in alerts using Cortex XDR automation
  • 3,000+ medical and IoT devices connected and protected by CDSS
  • 50+ VLANs created to partition hospital services, servers, and medical devices based on sensitivity

In brief

  • Customer: AZ Vesalius
  • Services: Emergency, inpatient and outpatient care
  • Country: Tongeren, Belgium
  • Industry: Healthcare
  • Organisation Size: 326 beds, 800 staff

Challenges

Complex, outmoded security infrastructure put the hospital at risk from ransomware, business email compromise, and inadvertent disclosure-related attacks.

Requirements

  • Support innovative medical technology and optimise patient care.
  • Provide complete visibility across multiple integrated enforcement points.
  • Reduce attack surface with segmentation.
  • Prevent known and new, unknown attacks.
  • Contain security costs.

Solution

Palo Alto Networks ML-Powered Next-Generation Firewalls, Cloud-Delivered Security Services (IoT Security, Threat Prevention, WildFire, DNS Security, URL Filtering), Cortex XDR, Cortex XSOAR

Introduction

Vesalius’ medical applications and patient data are in safe hands with Palo Alto Networks. A connected network and endpoint security portfolio enables this leading Belgian hospital to manage risk across a diverse healthcare threat landscape, focus on delivering better patient outcomes, and transform security productivity.

Hospital cybersecurity required critical care

Security officer Wendy Roodhooft reads cybersecurity books while eating her breakfast cereal. Her level of commitment is just one of the reasons the AZ Vesalius board and ICT Director Peter Laenen chose her to lead the team, and bring to life their vision for cybersecurity at the hospital.

The timing was right because network and endpoint security at this leading Belgian hospital needed critical care. Overlapping siloed security platforms absorbed resources and obscured security visibility. Thousands of Internet of Medical Things (IoMT) devices were either unprotected or undiscovered. This, in turn, made it harder to safeguard patient data that resided on these critical medical devices, prevent cyberattacks, and drive a modern, efficient security strategy.

CHALLENGES

Preventing cyberattacks and protecting patient data

AZ Vesalius hospital is named after the 16th-century anatomist Andreas Vesalius, who is commonly considered the founder of modern human anatomy. His legacy lives on in this state-of-the-art, multidisciplinary Belgian hospital, which has 326 beds, 900 staff, and a catchment population of 100,000 people.

Patient care and everyday administrative services are underpinned by 250 servers, more than 1,000 endpoints, and several thousand IoMT and Internet of Things (IoT) devices. Staff, contractors, and other third-party healthcare providers regularly connect remotely to the network.

“Before Palo Alto Networks, we struggled with cybersecurity,” Wendy explains. “Our old Stormshield firewalls, for example, were not application-aware and lacked VLAN capability. One person spent three hours a day manually examining logs. And there was always the risk that a threat may be missed.”

Wendy outlines another challenge they faced – the sheer volume of security solutions. “We balanced multiple point security products. It’s very hard to manage disparate platforms effectively, any one of which could present a different attack path.”

Up to 3,000 IoMT and IoT devices were also at risk. MRI scanners, bedside monitors, echo devices, X-ray machines, security door devices, and more were often unprotected or undiscovered.

"IoMT devices have a low barrier to entry to the hospital network, making it easier for attackers to exploit vulnerabilities for ransomware and other malicious activity. Although the devices were ostensibly protected by network access control, the endpoint security for IoMT devices remained a weak link."

– Wendy Roodhooft

Security Officer, AZ Vesalius

REQUIREMENTS

Supporting innovative medicine and optimising patient care

Wendy worked with the talented AZ Vesalius teams to reimagine cybersecurity with the support of ICT Director Peter Laenen and the board. “I wanted to change everything, replacing fragmentation with a single, best-of-breed platform. Unification would eliminate complexity, strengthen our cybersecurity, and streamline security management,” she says.

The platform would be required to:

  • Support innovative medical technology and optimise patient care.
  • Provide complete visibility across integrated enforcement points.
  • Reduce attack surface by segmenting resources.
  • Prevent known and new, unknown attacks.
  • Contain security infrastructure costs.

SOLUTION

Eliminating security sprawl

It didn’t take long for AZ Vesalius to identify the right security partner. “We trusted Palo Alto Networks from the start. Almost every authoritative review positions their portfolio as best-in-class; everything connects in a single security ecosystem; and the technologies – especially IoMT – are proven in healthcare,” says Wendy.

Network security

A pair of high-availability, ML-Powered Next-Generation Firewalls (NGFWs) in each data centre provides complete visibility and control over the medical network. More than 50 VLANs have also been created to partition hospital services, servers, and medical devices based on the sensitivity of the data and the risk if that data is exposed.

“If someone using a laboratory workstation inserts a USB stick, we know immediately,” says Wendy. “With different areas of the hospital segmented, security can be applied easily without relaxing policies universally or implementing costly temporary measures.”

Cloud-Delivered Security Services (CDSS)

A connected suite of CDSS is natively integrated with the NGFWs to add a further layer of security to medical devices, users, applications, and data. This includes Threat Prevention, WildFire, URL Filtering, GlobalProtect, and DNS Security.

It also includes an IoT Security service which delivered huge value immediately, says Wendy: “Within 24 hours of switching the service on, we could see all 3,000 medical and IoT devices connected to the network. We identified vulnerable MRI scanners, cameras, and other equipment that used standard passwords. We also discovered an old camera on the roof, used for birdwatching, that we didn’t even know existed!”

Endpoint security

Cortex XDR provides unified detection, investigation, automation, and response. It eliminates blind spots by integrating Vesalius’ 1,000+ managed endpoints and network data with logs and alerts to detect attacks and simplify investigations. It also profiles hospital user and endpoint behaviour with machine learning to find anomalies that could lead to attacks.

“People jokingly call me ‘Big Sister’ now as we’re monitoring data from so many sources,” says Wendy. “We are tracking threats across any hospital source or location, automating containment, and closing gaps for future prevention.”

AZ Vesalius hospital is now testing the Cortex XSOAR security orchestration, automation, and response platform to integrate case management, collaboration, and threat intelligence management across the incident lifecycle. “The playbooks are invaluable, automating the response and improving investigation quality. In time, we may deploy Cortex XSOAR in a managed SOC,” Wendy says.

BENEFITS

Improving patient safety

AZ Vesalius’ connected security portfolio ensures the best possible patient care, protecting patient safety and privacy. Resilient network and endpoint security prevent patient data compromise, improve uptime, and reduce security threats.

Wendy explains: “The hospital is aiming for NIST framework compliance. By providing full visibility into traffic and preventing cyberattacks, Palo Alto Networks moves us a step closer to NIST compliance and ISO 27001 compliance.”

Supporting the adoption of modern medical technologies

The hospital can connect next-generation scanners, monitors, and other medical intervention technologies to the network, confident they will operate securely and reliably. As noted earlier, IoT Security identified and resolved vulnerable, guessable passwords previously used on devices, optimising their uptime.

“IoMT devices commonly run on legacy operating systems, are difficult to patch, or lack encryption,” says Wendy. “Palo Alto Networks gives us full control and visibility, protecting every medical device on our network.”

Increasing operational efficiency

Wendy and her team now work faster and smarter. For example, Cortex XDR automation has reduced the number of security alerts by 50%, leaving the person who previously spent three hours per day monitoring logs free to focus on more strategic tasks.

She concludes, “We have moved from a suite of unreliable, siloed platforms to a single, modern platform. It’s like switching from a beaten-up old car to a new sports car.”
