Contact the following healthcare facilities directly:
MS Center Melsbroek
AZ Turnhout
Sint-Trudo Sint-Truiden
AZ Glorieux Ronse
AZ Jan Portaels Vilvoorde
Rehabilitation Hospital Inkendaal
Beware of phishing. There are phishing emails circulating that appear to be from nexuzhealth. Click here for more information and tips to protect yourself.
door nexuzhealth op 2.12.2024
Of course, there are certain minimum legal requirements, but nexuzhealth advances its product development and related services regarding security and privacy even further. “First, we are applying the Centre for Cybersecurity Belgium’s CyberFundamentals fundamental guidelines framework, or CyFun for short,” clarifies Mark Vanautgaerden. “With the risk assessment and self-assessment included, we determine the key priorities to become NIS2-compliant (Network and Information Security Directive 2). By complying with the cybersecurity law and achieving at least the basic level of security, you can therefore prevent over 80% of today’s cyberattacks.
Naturally, we strive to achieve the highest level of security by continually tightening security measures incrementally afterwards. As nexuzhealth is largely a product development company, we extend this to include the OWASP (Open Worldwide Application Security Project) Software Assurance Maturity Model, SAMM for short.
This gives us additional direction in structuring and improving the security processes for our software development in five areas specifically focused on governance, design, implementation, verification, and operations. This leads to appropriating an application security culture, or AppSec for short, which ensures that we introduce all the necessary tasks and processes to our product engineering teams to achieve a secure Software Development Life Cycle (SSDLC).”
“The CyFun and SAMM priorities are implemented into nexuzhealth in several steps. The management team determines the high-level goals first,” says Mark. “Next, the security experts on the security team translate these into practical goals and prepare the actual implementation. Developers will include those recommendations in the roadmap and then fully implement them. Afterwards, tests are carried out to see whether the risk has been remedied or at least reduced, and an evaluation follows. And then this whole process is restarted to eliminate more and more risks.”
Mark Vanautgaerden, Chief Information Security Officer
The first step to building the most secure application possible is the ‘secure by design’ principle. This is what nexuzhealth applies via Threat Modelling. With Threat Modelling, you always start by properly mapping out the architecture of what you are going to create. From there on, you then determine what can go wrong and then how high those risks are and how you deal with them. So you start actively looking for flaws as early as the design phase. This results in early prevention of problems that would otherwise be more difficult to solve later or would incur heavy costs.
In addition, we perform Threat Modelling on a case-by-case basis, even when working with third parties, before putting anything into production. To identify the security risks in such an architecture, we always apply the STRIDE model. With this model, we search for potential vulnerabilities that could allow the following risks:
identity forgery
manipulation of data
denial of having done anything
information leaks
service interruptions
higher access rights
“Following that we also identify and test the security risks that can specifically occur with mobile usage,” Mark continues. “We rely on the MAS VS model and the MASTG model from OWASP for this.” “And last but not least, we also perform privacy threat modelling for which we use the LINDDUN framework from DistriNet, a research group at KU Leuven,” Valerie adds.
Nexuzhealth then categorises and prioritises all risks found via DREAD:
“A risk score is assigned to each threat, making it immediately clear whether the risk level is low, medium, high, or critical. Critical and high security risks are reduced to low or medium risks as quickly and minimally as possible. Once the application is developed, we perform ongoing automatic scans that monitor our external attack surface, Software Bill of Materials, correct use of Transport Layer Security (TLS), and newly discovered vulnerabilities in our supply chain. We use DefectDoJo to keep track of all these risks, their priorities, and the planning of countermeasures to be taken.”
Once everything is up and running, security operations comes into play. “To detect malicious usage or even misconfigurations, we at nexuzhealth are exploring the use of Google SecOps and Security Command Center,” explains Mark Vanautgaerden. “Is someone doing something that isn’t allowed? Updating the software at that point takes too long. Through SOAR (Security Orchestration, Automation, and Response), you can react much faster and close certain paths for hackers automatically. Experience shows that attacks often occur outside office hours. Hackers prefer to go to work at night or on a holiday, just when you’re sitting down at the table with family.”
Lastly, nexuzhealth also engages ethical hackers to address any vulnerabilities. “This can be done, for example, through ‘pentesting’ (also called penetration testing or intrusion testing). An independent third party can then try to penetrate a system with prior authorisation and within a certain framework, for example systemically or through social engineering techniques,” Valerie clarifies. “Also, nexuzhealth has a reward programme (bug bounty) running through the Intigriti platform.”
MS Center Melsbroek
AZ Turnhout
Sint-Trudo Sint-Truiden
AZ Glorieux Ronse
AZ Jan Portaels Vilvoorde
Rehabilitation Hospital Inkendaal