June 30, 2023

Centro Hospitalar builds up resistance to threats, analyzes 48 million logs a day with Microsoft Security solutions

When Centro Hospitalar de Trás-os-Montes e Alto Douro needed a way to protect sensitive, highly confidential patient data and applications in its hybrid environment, it chose Microsoft Security solutions. The hospital system’s future-forward strategy calls for a dynamic, cloud-based security approach that will stay on top of threats and position the organization for cloud migration. It now has a centralized view of security events with Microsoft Sentinel, increasing frontline defense with Azure Automation and Microsoft Defender for Cloud. With Azure Arc to extend Centro Hospitalar’s Azure platform protections to its on-premises assets, the hospital system considers its IT security vaccinations up to date.

Central Hospital

Caring for everyone in northeastern Portugal


Portugal evokes thoughts of beaches, football (soccer), scrumptious pastries and other culinary treasures, and port wine. In fact, its 2000-year-old Alto Douro wine region is a UNESCO World Heritage site and the oldest protected wine-growing region in the world.

The country might be less well known for its excellence in healthcare: the World Health Organization ranks the Portuguese healthcare system twelfth in the world as of 2022. Among the 200 hospitals responsible for that excellence is the progressive hospital network of Centro Hospitalar de Trás-os-Montes e Alto Douro (Hospital Center of Trás-os-Montes and Alto Douro, or simply CHTMAD). Trás-os-Montes is Portuguese for “beyond the mountains,” and Trás-os-Montes e Alto Douro is a province in the northeastern corner of Portugal—a place of rich history and challenging geography. 


CHTMAD’s three-hospital system (including a critical care unit) serves about 400,000 people in 34 municipalities, making it one of Portugal’s largest healthcare networks in terms of geographic area. The health system envisions the best possible care through simplified healthcare delivery. Its path to that vision includes better digital services, holistic health education, prevention, and convenient care. Adopting a value-optimized digital health model to coordinate providers and healthcare data and to strengthen patient advocacy is key to that approach. 
 

That ambitious plan calls for seamless connection to a vast array of devices that must access hospital IT systems. The hospital is known for its advanced adult and neonatal intensive care units, and its 3,800 employees are far outnumbered by Internet of Things (IoT) and other medical devices. CHTMAD IT leadership knew that the proliferation of those devices and the hospital’s hybrid environment would require special treatment to create a security posture that could keep pace with rapid developments in technology, healthcare, and of course, cyberthreats. It turned to Microsoft Security solutions for the security information and event management (SIEM) and extended detection and response (XDR) capabilities it needs, unifying its hybrid environment with Azure Arc.

Creating a treatment plan for IT security 


Over time, CHTMAD had built up a complex hybrid environment. Between its cloud platform on Azure and its on-premises environment, it had to contend with 48 aging applications. The challenge of securing that diverse landscape without expanding its small IT team increased with its expanding device inventory and growing security events. 


Those events originated from thousands of devices at CHTMAD, including 11,400 IoT devices and 500 critical medical devices. One hospital alone connects 53,000 medical, IoT, and building control devices to its IT systems. “Managing and gaining centralized visibility over all of our devices and systems was our greatest challenge,” says Victor Costa, Director of Information Management Services at Centro Hospitalar de Trás-os-Montes e Alto Douro and a leading member of HL7 Portugal and e-mais, the Portuguese Association of Health Information Systems. “We have critical infrastructure that must be resilient and operational, yet we have many old systems, vendors, and datacenters in need of modernization. Quickly remedying all of these was a huge challenge.” That disparity not only complicated security, but combining data from so many unconnected systems also complicated essential functions like billing. Victor Costa and his team took on that challenge, addressing one area at a time. 
 

Unifying a varied landscape with Microsoft Security solutions


Leadership didn’t need to be convinced of the need to upgrade the hospital’s security posture with a more agile cloud-based infrastructure. “We emphasized the dynamic nature of the cloud,” explains Victor Costa. “Agility calls for greater security. We wanted both, and we knew it was possible.” The CHTMAD IT team also pointed to the rapid increase in access to patient data through mobile devices, leading to more APIs. “APIs add a new, vibrant aspect to our healthcare systems, but they also increase the need for greater visibility and security,” adds Victor Costa. Staying ahead of an evolving threat landscape called for hastening its security deployment. 
 

Victor Costa’s team began by implementing Microsoft Defender for Cloud as its XDR, applying its Defender for Servers capabilities to its on-premises servers. The team connected its on-premises and cloud resources to Azure Arc, consolidating its diverse landscapes under a single management platform. “Because we have so many devices connected to our on-premises datacenter and growing cloud landscape, it was critical that we had a single place to manage everything. Azure Arc provides that for us,” says Victor Costa. 
 

CHTMAD needed to continue using specialized network perimeter security and antivirus solutions, Check Point and Mediagate respectively, for specialized functionality. The hospital system found that its Microsoft Security solutions communicate seamlessly with its Check Point firewall to protect its virtual network resources. The hospital system uses that connection to create a unified security event log and deploy automated responses to threats with Azure Automation runbooks. “We didn’t have to change everything at once because we can manage our local hardware and diverse security solutions with Defender for Cloud,” Victor Costa explains. With 48 million logs to ingest every day—more than 3.2 billion events in the first quarter of 2023—CHTMAD needed an AI-driven SIEM capable of ingesting and correlating data from multiple Microsoft and non-Microsoft systems. It deployed Microsoft Sentinel. “Unifying visibility over millions of security events sent from a diverse landscape was one of our greatest challenges,” says Victor Costa. “We used the automation, rules, and playbook capabilities in Microsoft Sentinel to do that extremely well.”
 

The hospital’s IT team created rules in Microsoft Sentinel that help detect command-and-control (C2) servers, a hallmark of nation-state attacks and ransomware attacks that often target healthcare facilities. “One advantage of consolidating event data in Microsoft Sentinel is our ability to create disputed IP block rules that prevent access by high-risk IP addresses,” continues Victor Costa. “I’m very pleased with the effectiveness we’ve gained by using Microsoft Sentinel as our sole SIEM. The high quality of data we get from it vastly reduces false positives and alert fatigue.” 
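The two detections mentioned above, a match against a list of high-risk IP addresses and the spotting of command-and-control traffic, are the kind of logic a Sentinel analytics rule expresses in KQL over the firewall's CommonSecurityLog records. The Python below is an added illustration of that logic, not CHTMAD's own rules or any Microsoft code: it parses constructed Check Point-style CEF lines (hypothetical hosts, addresses from the IETF documentation ranges), flags destinations found on a hypothetical indicator list, and then scores each source-to-destination pair for beaconing, the regular low-jitter call-back pattern that C2 implants commonly show. The indicator list, the CEF samples, and the thresholds `min_hits` and `max_cv` are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev


# Constructed Check Point-style CEF events (hypothetical hosts, documentation-range IPs).
# Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# rt= is the CEF receipt time in epoch milliseconds.
def _cef(ts_ms, src, dst, dpt, act="Accept"):
    return (f"CEF:0|Check Point|VPN-1 & FireWall-1|R81|Log|{act}|3|"
            f"rt={ts_ms} act={act} src={src} dst={dst} dpt={dpt} proto=TCP")


BASE = 1_685_613_600_000  # 2023-06-01T10:00:00Z, an arbitrary start time
SAMPLE_LOGS = (
    # host A: six connections to one external host every 300 s (beacon-like)
    [_cef(BASE + i * 300_000, "10.20.30.40", "198.51.100.7", 443) for i in range(6)]
    # host B: a single connection to an address on the indicator list
    + [_cef(BASE + 42_000, "10.20.30.41", "203.0.113.45", 8443)]
    # host C: five connections with irregular gaps (ordinary browsing)
    + [_cef(BASE + off, "10.20.30.42", "192.0.2.10", 443)
       for off in (5_000, 61_000, 300_000, 310_000, 900_000)]
)

# Hypothetical indicators, standing in for Sentinel's ThreatIntelligenceIndicator table.
HIGH_RISK_IPS = {
    "203.0.113.45": "hypothetical C2 indicator",
    "203.0.113.99": "hypothetical scanner",
}

_KV_RE = re.compile(r"(\w+)=(\S+)")  # extension values here contain no spaces


def parse_cef(line):
    """Split a CEF line into its seven header fields plus the key=value extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    ext = dict(_KV_RE.findall(parts[7]))
    return {
        "vendor": parts[1], "product": parts[2], "name": parts[5], "severity": parts[6],
        "time": datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc),
        "src": ext["src"], "dst": ext["dst"], "dpt": int(ext.get("dpt", 0)),
        "action": ext.get("act", ""),
    }


def match_threat_intel(events, indicators):
    """Flag every connection whose destination is on the high-risk list (the block-rule case)."""
    return [
        {"rule": "high-risk-destination", "src": e["src"], "dst": e["dst"],
         "reason": indicators[e["dst"]], "time": e["time"]}
        for e in events if e["dst"] in indicators
    ]


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Flag src->dst pairs whose inter-connection gaps are almost constant.

    The coefficient of variation (stdev / mean) of the gaps is the regularity
    measure: near 0 means a fixed-interval call-back, typical of C2 beaconing.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["time"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            alerts.append({"rule": "periodic-beacon", "src": src, "dst": dst,
                           "hits": len(times), "interval_s": round(avg), "cv": round(cv, 3)})
    return alerts


def run(lines, indicators):
    """Parse the log lines and apply both detections; returns the combined alert list."""
    events = [parse_cef(line) for line in lines]
    return match_threat_intel(events, indicators) + find_beacons(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS, HIGH_RISK_IPS):
        print(alert)
```

On the sample data this yields exactly two alerts: the single hit on 203.0.113.45 and the 300-second beacon from 10.20.30.40, while the irregular browsing from 10.20.30.42 stays below the beaconing threshold. In production the indicator match is the cheap, high-precision rule; the beaconing score needs tuning of `max_cv` against legitimate periodic traffic (NTP, update checks, monitoring agents), which is where the alert-fatigue problem the text mentions tends to come from.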
 

Flexing for the future 


CHTMAD overcomes the perennial healthcare challenges of budgetary limitations through innovation. Funds are prioritized for patient care, and the subsequent reduced spend on software resulted in outdated but still required applications that couldn’t run on the latest operating systems. Victor Costa felt that virtualization was the solution. His team envisions an Azure Virtual Desktop rollout as an alternative to upgrading desktop and laptop devices, combining the technology with the Citrix App Delivery and Security service to automate app delivery. “We’re approaching the issue of outdated but necessary software by using Azure Virtual Desktop to solve support and performance issues,” says Victor Costa. “That reduces our dependency on software updates related to hardware and operating systems and makes it easier for us to keep our staff productive and resilient.” 
 

The team found consolidating non-Microsoft solutions with its Microsoft Security solutions easier with Configuration Manager in Microsoft Intune, an endpoint management system. And Configuration Manager simplifies deploying Azure Arc agents to CHTMAD servers and configuring domain policies. 
 

Victor Costa considers how far the organization has come—and the challenges ahead. “Continuity of business is absolutely critical for any healthcare system,” he concludes. “Microsoft solutions lend themselves to the layered approach we needed to improve security and performance in an incredibly diverse environment with no interruption to the vital work we do.”
 

