Like other organisations that process large amounts of sensitive data, VLK recognises that a cyber incident carries the risk not only of operational disruption or data loss but also of reputational damage. After all, this institution is trusted not only by other public and private sector organisations, but also by the citizens of Lithuania.
“We realised that basic security measures such as firewalls and antivirus software were no longer sufficient. To strengthen our cyber resilience, we decided that the most reliable solution would be to supplement our security technologies with proactive network monitoring to identify vulnerabilities, anomalies and other early phases of attacks. As it is extremely difficult to build and maintain cybersecurity competence in-house, particularly for a public sector institution, we began looking for an external provider. We wanted a reliable organisation with experience in network monitoring and an existing circle of trusted customers. The information security certifications held by its specialists were also important, and price was likewise a key criterion. NRD Cyber Security met all our expectations,” says Eimantas Minkevičius, Head of the VLK Information Systems Maintenance Department.
Augustinas Daukšas, a cybersecurity consultant at NRD Cyber Security, agrees that experience and an established customer base are common decision factors for this type of service:
“How many clients we have, the experience we have accumulated, and the size of our analyst team are very frequent questions. We are also asked whether we provide cyber threat intelligence, penetration testing or incident investigation services in addition to analytics. Occasionally we hear the opinion that such proactive network monitoring is only relevant to certain sectors or types of organisations. However, cyberattacks are a concern for large organisations as well as small and medium-sized ones. Our external SOC service, CyberSOC, is provided to organisations of different sizes and sectors – banks, manufacturing and retail companies, telecommunications providers, international organisations and public institutions. We are pleased that VLK is one of the public sector organisations paying particular attention to strengthening cyber resilience.”
A. Daukšas points out that, due to the vast quantity of data processed, it is essential for VLK not only to monitor in detail but also to correlate data:
“A range of SIEM-type technologies, such as IBM QRadar, are commonly used for monitoring. NRD Cyber Security uses various technologies and has also developed its own log and traffic monitoring technology, Natrix, which performs detailed traffic analysis and correlates different cybersecurity events. The main aim is to identify an attack as early as possible and minimise its potential consequences. Naturally, alongside threat monitoring, vulnerability scanning must also be carried out periodically to eliminate or reduce weaknesses that could be exploited by malicious actors. Our Natrix sensor technology is used not only in Lithuania, but also abroad – for example, to protect central, national and private banks in Egypt, critical information infrastructure in Bangladesh, and also in EU member states. We use this technology for VLK as well. It is important to note that when providing the CyberSOC service, we connect to the customer’s Natrix sensor within their network – all data is processed locally, and we do not store it ourselves.”
As cyberattacks become more sophisticated, expectations placed on monitoring technologies continue to rise. These technologies are advancing rapidly and can already do far more than detect malicious code – they can also identify various anomalies. However, they are not yet capable of fully replacing human expertise. Strengthening cybersecurity requires not only technology, but also a strong team of competent specialists with the required experience and skills, supported by the processes and procedures guiding their work.
According to Minkevičius, the advantages of choosing an external cybersecurity service provider include not only access to a team of experienced specialists, but also the removal of burdens related to internal resources:
“In recent years, security expertise has become very costly and difficult to attract and retain, even for private sector organisations. For the public sector, the challenge is even greater – it is not only difficult to attract these employees, but also to retain them under competitive conditions.”
He also notes that as ongoing cybersecurity services are delivered externally, confidence grows that support can also be sought for other cybersecurity issues:
“It is beneficial when an external provider specialises specifically in cybersecurity and its specialists have broad and deep expertise. We can contact them with various questions and expect support. For example, following the Log4j incident, the NRD Cyber Security analyst team conducted scans and recommended steps to check systems. We also receive notifications and guidance on newly discovered IT vulnerabilities – for example, we received instructions on the PwnKit vulnerability identified in Linux distributions in January. We also receive rapid response and assistance with hardware issues – when one of the deployed components failed, NRD Cyber Security specialists came outside working hours to inspect and replace it with a fully functional component.”