Healthcare Case Study
About
Quirónsalud is the leading hospital group in Europe and largest in Spain, where it operates more than 150 world-renowned centers that provide comprehensive patient care backed by innovative technology, advanced research, and decades of experience in all medical specialties. The group’s deep commitment to patient satisfaction is a testament to its prestigious team of nearly 50,000 professionals — including Pau Giménez, Chief Biomedical Officer, and Javier Zapata, Chief Information Security Officer.
Mr. Giménez joined Quirónsalud in 2013 and is responsible for ensuring the thousands of medical devices that underpin care-delivery operations are available, well-maintained, efficiently utilized, and safe. Having long been concerned about the cyber risks facing these devices, he was pleased when Mr. Zapata joined in 2019 to lead a comprehensive cybersecurity plan to empower all Quirónsalud centers to continue providing quality care despite escalating risks.
This case study examines how Mr. Giménez, Mr. Zapata, and their respective biomedical and cybersecurity teams are working together with Claroty to drive unprecedented resilience and efficiency while safeguarding care-delivery operations globally at Quirónsalud.
Like many healthcare organizations, Quirónsalud embraces internet of medical things (IoMT) and other connected care devices due to their undeniable benefits — from boosting productivity and innovation to improving patient outcomes. At the same time, Mr. Giménez and Mr. Zapata recognized that this type of connectivity can also increase the attack surface and, therefore, the risk of cyberattacks.
Both decision-makers were deeply determined to enable Quirónsalud, its providers, and its patients to continue reaping the benefits of connected care without added exposure to risk — so they aligned and committed their respective teams to this shared goal.
Beyond the standard difficulties inherent to managing the risks of connected care, Mr. Giménez and Mr. Zapata noted various persistent barriers that had limited Quirónsalud’s biomedical and cybersecurity teams from achieving their objectives:
Fragmented visibility: Quirónsalud had long lacked a central, comprehensive inventory of all devices connected to each of its hospitals’ networks. Since this type of visibility is foundational to all subsequent cybersecurity controls, the hospital group had struggled to implement effective segmentation, threat detection, and other core capabilities.
Complex infrastructure due to M&A activity: Quirónsalud has been involved in a series of mergers and acquisitions in recent years, resulting in a broad and inconsistent range of network architectures, device types, security controls, and governance models across its dozens of care centers globally. These conditions complicated nearly every aspect of the hospital group’s cybersecurity journey at the technical and process levels.
Zero tolerance for care disruption: Quirónsalud has long been recognized as the trusted, go-to private healthcare provider for tens of thousands of patients due to its high standards of care delivery and zero tolerance for disruption or other negative impacts on the patient experience. Recognizing that the complexities of healthcare environments and medical devices make them uniquely prone to disruption from traditional technologies and approaches, Mr. Zapata and Mr. Giménez knew that any new solutions would need to be thoroughly vetted and proven safe and viable beforehand — potentially delaying progress toward their teams’ common goal.
Considering the scope of the above limitations, Mr. Zapata and Mr. Giménez knew achieving their objectives would require specialized technology designed to protect and manage medical devices without interrupting care delivery. Both decision-makers and their teams set out in search of a trusted solution provider — and, following ample market research, business and technical evaluations, and multiple proofs-of-concept — Quirónsalud chose Claroty.
“Our selection criteria and evaluation process were extensive. Having a robust presence in the European market, strong recommendations from industry analysts and associations, and — of course — scalable technology that supported our current and future objectives at the global and local levels while also being compatible with the complexities of our critical networks were all must-haves. [Claroty] was the only vendor to check all of our boxes and then some.”
Javier Zapata, Chief Information Security Officer
More specifically, Quirónsalud selected the Claroty Platform and chose to deploy the following modules in accordance with the hospital group’s objectives:
Visibility & Insights to discover, locate, profile, and map the communications and connectivity paths of every medical and non-medical device, as well as to ensure this information is always up-to-date and can be centrally managed from a global viewpoint
Anomaly & Threat Detection to continuously monitor for risky device activity, unencrypted PHI or credentials, and other indicators of threats to care delivery
Clinical Vulnerability & Risk Management to gain a clearer picture of — and ultimately reduce — the attack surface by revealing all vulnerable and/or unmanaged devices, contextualizing risks, and driving prioritization and remediation actions
Network Security Management to implement and optimize network segmentation by first defining granular, device-specific security policies and then seamlessly enforcing them via Quirónsalud’s existing network access control (NAC) and firewall solutions
Clinical Device Efficiency to streamline device maintenance and lifecycle management, inform procurement decisions, and boost operational efficiency
Quirónsalud’s journey with Claroty began with executing a plan to deploy, integrate, and harness the value of the Claroty Platform across dozens of Quirónsalud’s sites in order of priority. The following Q&A shares Mr. Giménez’s & Mr. Zapata’s perspectives on this journey:
Claroty was deployed across more than 30 of Quirónsalud’s care centers in less than six months. What was that experience like?
Mr. Zapata: The deployment was very fast, which far exceeded my expectations. Admittedly, my expectations at that time were quite low because my team and I had just come from a network access control project that we’d started the year before and still isn’t finished! And because that ongoing NAC project is in the same hospitals, I was expecting the [Claroty] deployment to be similarly complex and lengthy. Thankfully, I was wrong!
Did you learn anything new about your networks after completing the device inventory phase of your deployment?
Mr. Zapata: We knew there were complexities in our environment, but we were still surprised to uncover many end-of-life devices and core switches that needed to be replaced. I was particularly surprised to see we also had overlapping IP addresses across different sites. This initially made it tough for us to differentiate network traffic between hospitals, but [Claroty] solved the issue by providing native visibility support for each site from a global viewpoint.
Once we gained this visibility, we were also able to better understand many of the issues we’d been having with the NAC project.
Mr. Giménez: This was the first time we’d ever had holistic, global visibility into all of our medical devices at each of our hospitals — so simply being able to see all of that in one place was eye-opening. As Javier noted, we did identify more devices approaching end-of-life than expected, but we were then able to use that information to ensure those devices were replaced before any disruption — or worse, harm — occurred.
Had any of those previously unknown complexities with your network played a role in the challenges you’d been facing with the NAC project?
Mr. Zapata: Yes, those surprises definitely explained some of our issues. Especially with NAC and segmentation in healthcare, success requires the right information and infrastructure. [Claroty] helped us realize we hadn’t previously had those things — but finally, now, we do.
How has your NAC project progressed since the Claroty deployment?
Mr. Zapata: The visibility and policy recommendations from [Claroty] have helped it progress considerably. [Claroty] gives us a view not only of our devices but also the different VLANs (virtual local area networks). We’re using this information to improve segmentation at each hospital by first allocating the right devices to the right VLANs, then ensuring each VLAN has the correct communication policies, and finally enforcing those policies with our NAC solution.
The global and site views from [Claroty] make it easy to track and communicate progress with our hospitals, each of which has its own networking team on the ground supporting this project. [Claroty] enables us to show them, for example, “okay, these are your different VLANs, and these are the policies we’ve written for each. You have to have the lab devices on the lab VLAN, the radiology equipment on the radiology VLAN, and all users on a separate VLAN.”
The current phase of this project is all about homogenization, which is nearly finished. The next phase will focus on using our NACs and firewalls — as well as custom ACLs (access control lists) from [Claroty] — to enforce more-granular controls on each VLAN for stronger protection.
Quirónsalud also leverages Claroty's monitoring capabilities to support biomedical and cybersecurity objectives. What are each team’s top use cases and benefits?
Mr. Zapata: [Claroty] provides many different categories of alerts relevant to different teams. On the cybersecurity side, our global security operations center (SOC) has [Claroty] integrated with our SIEM for two alerting categories: 1) infected devices, and 2) malicious communications. Whenever the SOC receives one of these alerts, they manage it from the SIEM. Whenever additional context is needed, they can easily reference it directly in the [Claroty] platform.
In terms of benefits, these capabilities address key blindspots we’d had previously. Prior to [Claroty], our SOC’s coverage was limited to the IT devices where we have an EDR (endpoint detection and response) agent installed. We had no visibility into what was happening with our medical devices — as well as other types of devices, like our OT (operational technology) equipment — because those devices cannot tolerate agents. As a result, not only were our non-IT devices largely invisible — they were unmanaged and unprotected.
From a monitoring standpoint, those conditions also meant we would, at times, overlook important events until the incident had worsened. For example, an infected device might not have been apparent until the traffic hit our internet-facing firewalls. By that point, the infection had usually spread, making it tougher to remediate. Now with [Claroty], while we still deal with infected devices, we’re able to identify and contain the damage almost immediately. The details in these alerts make it easy for the SOC to respond quickly without guesswork.
Mr. Giménez: Our biomedical technicians rely on [Claroty] to alert them to functionality recalls, exploitable vulnerabilities, and other issues affecting our medical devices. The context [Claroty] offers enables technicians to turn these alerts into action — whether that’s upgrading firmware, installing a patch, quarantining a device, or escalating the issue to the OEM (original equipment manufacturer) or technical service provider when further support or updates are required.
Before we deployed [Claroty], our biomedical teams had no option but to support these types of use cases manually — and by that I mean frequently checking online for advisories relevant to the devices in their purview. This process was inefficient, tedious, and — because it was manual — relatively error-prone. The technicians had to spend much more of their time achieving far less than they do today with [Claroty].
How is the Claroty platform’s Clinical Device Efficiency (CDE) module helping Quirónsalud save time and money?
Mr. Giménez: With CDE, we’re able to understand the specific level and type of utilization of our medical devices. We use this information to not only optimize our daily biomedical work and ensure each hospital has the optimal allocation of devices based on patient and provider needs, but also to negotiate device maintenance prices with suppliers.
Since we are charged a fixed price for each device, we have to pay the same amount no matter how efficiently (or inefficiently) it’s utilized — whether that device is supporting, for example, 5,000 patients per year or just a few. But having the utilization data gives us considerable leverage to negotiate these fixed prices with the device suppliers.
We’d actually been trying to obtain this sort of utilization information for this purpose for years prior — but it wasn’t until we started working with [Claroty] that we were able to get it. And now that we have it, I can say with certainty that it’s enabled us to save quite a bit of money. The ROI has been significant.
“I’ve had many nice surprises since we began working with [Claroty] — but two stick out the most. First, the platform is very easy to use. Not only are we able to leverage in-depth visibility information like we’ve never had before, but we’re also able to take action on it without any friction. Second, the cost savings have been substantial. We’ve been using [Claroty's] device utilization data to negotiate lower maintenance fees with device vendors. I never expected us to be able to do that.”
Pau Giménez, Chief Biomedical Officer
Quirónsalud started working with Claroty in January 2022 — and by November of that same year, the global hospital group had achieved the following across dozens of its care centers:
Device visibility: Gaining a centralized, real-time, comprehensive inventory of all medical devices at each of Quirónsalud’s dozens of care centers globally
Vulnerability management: Implementing highly scalable controls to enable the identification, prioritization, and remediation of vulnerabilities affecting those devices
Device management: Empowering biomedical technicians to more easily and efficiently track, service, and manage the hospital group’s medical devices
Network segmentation: Further hardening of Quirónsalud’s care-delivery operations against cyber threats by optimizing and accelerating an existing — and lengthy — network segmentation project
Threat detection: Enabling Quirónsalud’s global SOC to expand their monitoring and response coverage to medical devices and any related threats that could impact care delivery or compromise electronic health record (EHR) systems, personal health information (PHI), or other critical assets at each care center
Cost reduction: Harnessing device utilization data to negotiate lower maintenance fees with device vendors — and, ultimately, prove a clear ROI of the Claroty platform