The clinic's employee workstations are equipped with 160 thin clients, 165 desktop computers, and 75 laptops. There are also 250 printers. Seventy-six medical devices, such as MRI scanners, ultrasound machines, and X-ray equipment, are networked, and this number is expected to increase. Surveillance cameras and card readers are also part of the infrastructure. Traditional computer networks integrating endpoints like MRI systems are being transformed into medical networks. This means that a risk assessment based on the DIN 80001-1 standard must be carried out for every device, no matter how small (e.g., a camera or a laptop). Effective monitoring and security of these hybrid networks are essential; an outage could have life-threatening consequences for patients if, for example, the ventilators in the intensive care unit are affected.
For critical infrastructure such as a hospital, macmon NAC gave Haßberg-Kliniken invaluable help with network security.
Challenge
In practice, clinics use macmon NAC to block unknown MAC addresses as soon as they connect to the network, for example when an employee plugs a new device into a data port. In the same way, an unknown device belonging to an attacker cannot access the company network and therefore cannot cause any harm, a significant advantage given the growing number of security issues hospital IT departments have to handle. Because the clinic is spread across two sites, the IT department lacked immediate visibility into network changes before macmon NAC was implemented, according to systems administrator Jan Schmitt. The center's maintenance team would reconfigure PCs or thin clients, or service engineers would make changes to critical terminals such as MRI machines, without consulting the IT department.
Network changes are now immediately visible to the IT department, and devices are managed accordingly. macmon can move untrusted devices into the guest (visitor) zone or quarantine them on the WLAN as soon as they appear on the network. macmon NAC also shows when a device was last active on the network. According to Schmitt, this means that "dead entries on the network can be identified." Devices that have been absent from the network for a long time, or that are classified as unsafe after a "compliance check", can be held in a protected network segment (quarantine) until their status is clarified.
In general, Haßberg-Kliniken operates three security zones: macmon NAC detects and blocks unauthorized devices on the LAN and WLAN; devices identified by a known MAC address can access specific parts of the network; and devices with a recognized computer identity, for example laptops and PCs, can operate in a third zone.
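As an added illustration, not code from macmon or Haßberg-Kliniken: a small policy engine in Python that models the three zones and the last-active check described above. The zone names, the 90-day inactivity limit, the `Device`/`NacPolicy` names and the sample inventory are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Zone(Enum):
    BLOCKED = "blocked"        # unknown MAC: no network access at all
    RESTRICTED = "restricted"  # known MAC only: limited network segments
    TRUSTED = "trusted"        # verified computer identity: full access
    QUARANTINE = "quarantine"  # known, but non-compliant or long inactive

@dataclass
class Device:
    mac: str
    last_seen: datetime           # last time the device was active on the network
    identity_verified: bool = False
    compliant: bool = True        # result of the compliance check

class NacPolicy:
    """Assumed policy: zone assignment from MAC allowlist, identity and compliance."""
    def __init__(self, known_macs, inactivity_limit=timedelta(days=90)):
        self.known = {m.lower() for m in known_macs}
        self.limit = inactivity_limit

    def zone_for(self, dev, now):
        if dev.mac.lower() not in self.known:
            return Zone.BLOCKED                     # unknown device: block at the port
        if not dev.compliant or now - dev.last_seen > self.limit:
            return Zone.QUARANTINE                  # hold until status is clarified
        if dev.identity_verified:
            return Zone.TRUSTED                     # e.g. domain-joined laptop or PC
        return Zone.RESTRICTED                      # MAC-only device such as an MRI console

    def dead_entries(self, devices, now):
        """MACs that have not been seen for longer than the inactivity limit."""
        return [d.mac for d in devices if now - d.last_seen > self.limit]

# Constructed sample inventory (not real data from the clinic).
NOW = datetime(2024, 6, 1)
KNOWN = ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"]
SAMPLE = [
    Device("00:11:22:33:44:55", NOW - timedelta(hours=1), identity_verified=True),  # staff laptop
    Device("aa:bb:cc:dd:ee:01", NOW - timedelta(days=2)),                           # MRI console
    Device("aa:bb:cc:dd:ee:02", NOW - timedelta(days=200)),                         # dead entry
    Device("de:ad:be:ef:00:01", NOW),                                               # unknown device
]

def classify(devices=SAMPLE, known=KNOWN, now=NOW):
    """Map each device MAC to the zone name the policy assigns it."""
    policy = NacPolicy(known)
    return {d.mac: policy.zone_for(d, now).value for d in devices}
```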
“The objective of our IT security concept is to protect against internal and external attacks, ensure the functionality of all systems and, of course, guarantee data security, as this involves highly sensitive patient data.
The security of particularly critical areas, such as operating rooms or recovery rooms, the laboratory, and the intensive care unit, is also part of our security concept. Systems requiring special protection include the hospital information system (HIS), the laboratory information system (LIS), the radiology information system (RIS), and various diagnostic systems,” says Jan Schmitt, systems administrator at Haßberg-Kliniken.
Figure 2: Medical staff will always need access to confidential data. macmon NAC, however, prevents unauthorized third parties from accessing this data.
“A penetration test revealed significant shortcomings in network transparency. On the recommendation of a security consultant, we opted for macmon NAC. With macmon Network Access Control, we know at all times which devices are on the network and can automatically grant or deny them access using specific switch port rules. The security vulnerability has been eliminated, and network security has been significantly improved.” – Jan Schmitt
Discovery: A Safe and Sustainable Investment in Critical Infrastructure Security
Besides its high level of security, macmon NAC is easy to manage and operate and can interact with other leading security products. Together with other IT security solutions, macmon NAC can, for example, automatically quarantine a non-compliant device and notify the network administrator of an attack before it has a devastating impact on the hospital. macmon provides interfaces to the most popular antivirus, endpoint security, IT incident management, intrusion detection/prevention (IDS/IPS), asset management, inventory, and security information and event management (SIEM) solutions. macmon NAC also integrates seamlessly with other security products through its compliance, infrastructure, asset management, and identity store connections. Users can leverage the full potential of their existing solutions alongside macmon NAC, and thanks to its scalability the software can be adapted step by step to growing needs.
Solution
- Comprehensive network protection for hospitals
- Integration of all medical technology without compromising the existing network or medical devices
- Enabling physicians to have flexible access to patient data in terms of time and location, while protecting against unauthorized access
- Providing dedicated, time-limited internet access for guests and patients without data loss
- Ensuring network integrity by granting network access only to selected (internal and approved) devices
- Monitoring and control of all network devices (real-time inventory management) and documentation of all access to the hospital network
- Support for ISO 27001 compliance certification, implementation of BSI standards for information security management, IT security catalogs, and hospital certification procedures (e.g., KTQ or DIN EN 80001 certification)
Results
Jan Schmitt states, “macmon NAC runs reliably in the background. I only need to access the web interface to activate MAC addresses or remove a device from the network. Implementation was quick and easy. The OVA template was used and integrated into the virtual environment, IP addresses were assigned, and switches were added. After a two-week testing phase, we assigned MAC addresses to individual groups and were able to go live. Updates are easily downloaded from the macmon services portal.” In summary, Schmitt concludes, “macmon works exactly as we expected.”
"macmon reliably supports the work of the IT department. Now, users and service engineers inform us of changes well in advance; otherwise, they can't continue working." - Jan Schmitt
About Belden:
Belden Inc. provides the infrastructure that makes the digital journey simpler, smarter, and more secure. We go beyond connectivity: from what we manufacture to what we enable through a performance-driven product portfolio, a future-oriented experience, and purpose-built solutions. With a legacy of quality and reliability spanning more than 120 years, we have a strong foundation to continue building the future. We are headquartered in St. Louis and have manufacturing facilities in North America, Europe, Asia, and Africa.