The Moscow Scientific and Practical Center for Laboratory Research has completed a comprehensive penetration analysis of its internal and external systems
Customer: Moscow Scientific and Practical Center for Laboratory Research of the Moscow Department of Health (MNPCLI DZM), Moscow; Pharmaceuticals, Medicine, Healthcare. Contractor: ITProtect. Product: IT and Security External Audit Projects (PCI DSS and ISMS). Project date: 2024/06 - 2024/11
2024: Complete Integrated Penetration Analysis of Internal and External Systems
GBUZ "Moscow Scientific and Practical Center for Laboratory Research of the Moscow Department of Health" (MNPCLI DZM) has completed a comprehensive penetration test (pentest) of its internal and external systems, together with an audit of its critical information infrastructure (CII) facilities and of its personal data (PD) processing and protection processes, assessing their resistance to current threats and their compliance with the latest requirements of cyber security legislation. The results of the audit, carried out by the team of the information security integrator iTPROTECT, allowed the scientific and practical center to update its protection strategy, drawing on the expertise and experience of independent specialized experts. This was announced on November 6, 2024 by representatives of iTPROTECT.
As reported, the Center performs a wide range of diagnostic studies and processes more than one hundred thousand patient biomaterial samples every day. This work involves processing and storing large volumes of personal data, and a successful cyber attack could put patients' lives and health at risk. The Center therefore carefully checks its systems, procedures and documents to ensure the most effective protection and full compliance with the legislation of the Russian Federation. As a CII subject, the Center pays special attention to the protection of its CII facilities, as well as to the protection of PD. To confirm the reliability of its systems and their full compliance with regulatory requirements, the Moscow Scientific and Practical Center for Laboratory Research engaged iTPROTECT as an independent expert.
The information security integrator's specialists carried out the project in several stages. First, they assessed the security of the internal network and analyzed vulnerabilities in communication channels, web services and the website. The team then assessed whether the documentation and information processing procedures complied with the legislation of the Russian Federation, in particular 187-FZ and 152-FZ, and updated the documentation required to meet these requirements.
"The scientific and practical center is a medical institution, so it is especially important for us that our systems and patients' personal data are reliably protected, and that all processes for working with information, and the CII facilities themselves, comply with all the norms of the legislation of the Russian Federation. With the help of iTPROTECT specialists, we were able to solve these tasks in a short time and without downtime," commented Kirill Suchkov, Deputy Director for IT, GBUZ MNPCLI DZM.
During the internal pentest, the iTPROTECT team checked the center's internal networks; during the external one, its web services and Wi-Fi networks, as well as the website. The experts identified no critical vulnerabilities, and for every non-critical finding they issued remediation recommendations, which became part of the strategy for developing the center's protection system.
In total, the information security integrator's team examined 5 sites of the institution and 7 web applications, studied 6 personal data information systems (ISDS) in use and 91 documents on CII and PD processing and protection, and then helped the client bring all related processes into line with the requirements of No. 187-FZ and No. 152-FZ. Two CII facilities were identified, for which threat models and categorization acts were prepared, along with a set of organizational and administrative documentation and the documents to be submitted to the FSTEC of Russia, including an incident response plan. Altogether, the company's specialists developed 39 documents: 15 on CII and 24 on PD.
"Such comprehensive consulting projects, when it is necessary to simultaneously take into account all the requirements of regulators that are mandatory for such organizations, and at the same time ensure the protection of systems and data, are not uncommon in our practice. However, projects in the field of medicine, where the lives and health of citizens depend on the security of CII facilities, require special attention. Therefore, having processes and systems audited by an independent market player is definitely the right step," comments Roman Pisarev, Head of Audit and Consulting at iTPROTECT.