Homerton University Hospital NHS Foundation Trust

Increasing network visibility to more effectively control cyber risk

Overview

Cyber risk management is increasingly challenging; exploits are becoming ever more variable and difficult to defend against whilst management are asking for more analysis and reporting – seeking assurances that its cyber security measures are working. Homerton University Hospital NHS Foundation Trust knew that a solid cyber risk management program requires reliable inventory and discovery at its foundation. How could the Trust hope to fully combat cyber risks without comprehensive visibility of what needs to be protected and where it is potentially weakest?

Homerton University Hospital NHS Foundation Trust provides general and specialist health services with 4,000 staff working out of 75 different sites across the City and the London borough of Hackney. Its primary site, Homerton Hospital, has almost 500 beds spread across 11 wards, a 9-bed intensive care unit and maternity, paediatric and neonatal wards. The Trust is recognised as an innovator in embracing methods and systems that promise better and safer patient care.

Challenge

As is the case for many NHS IT teams, Homerton University Hospital NHS Foundation Trust (HUHFT) was finding it challenging to keep track of all its IT assets. The Trust was relying on several disparate products just to report on endpoints and their status. It knew that manually aggregating data to get a picture of its network was not only time-consuming, it was also leaving opportunity for error and so could not be trusted. To effectively manage cyber risk and pinpoint vulnerabilities and compliance issues, the Trust needed to have greater visibility of its network – to access a single, reliable source of information.

“We were looking for an asset inventory and discovery solution to provide visibility into devices on our LAN and identify those that may be absent from our existing configuration and compliance solutions”, said Sean Devine, Infrastructure Manager, Homerton University Hospital NHS Foundation Trust.

Solution

ITHealth proposed an Assurance Dashboard Solution to HUHFT which has been tailor-made for NHS organisations. It’s a fully managed solution that enables NHS IT teams to have full visibility of its entire networked estate and to view it in a dynamic risk-based context – all within an intuitive dashboard interface. HUHFT immediately saw the value in the solution and ITHealth soon began implementation.

“The data presented within the Dashboard is based on a live scan of the network, so we can get an accurate picture of the state of our systems and how they’re actually configured”, said Sean. “The solution helps us with SCCM, patch management, anti-virus, vulnerability scanning and ATP on boarding. It’s a solution that allows us to effectively aggregate a number of asset management and security dashboards into one central resource.”

A key feature that particularly benefits HUHFT is the automation of CareCERTs and the ability to track the Trust’s posture against NHSD CareCERT notifications. The CareCERT trending report provides an affected device count for both initial finding and currently outstanding devices; this allows the Trust to easily track its progress and identify those CareCERTs which are not being remediated as quickly as expected.

Being a managed solution, ITHealth also provide monthly assurance reports that detail the Trust’s cyber security status quo. “We value the monthly assurance reports that come with the Dashboard solution. They’re easily digestible and professionally produced. We distribute them to senior management as they provide key indicators on the important aspects of our IT estate”, concluded Sean.

Results

Instead of a top-down approach to managing cyber risk and basing decisions on data from segregated sources, HUHFT now embrace a bottom-up strategy; the Trust relies on a single, truthful, unified view of its IT estate – available at any time in real-time.

Other benefits for the Trust include:

  • Enhanced security through increased network visibility – vulnerability and compliance issues are more easily pinpointed, prioritised and addressed.
  • Simplified compliance to NHSD CareCERTs – the automated CareCERT reports monitor ongoing progress against CareCERT notifications and associated infrastructure risk levels.
  • Streamlined workflows – the Dashboard negates the management of disparate systems and manual collation of information, but allows dynamic, exportable worklists to assist workflows and remediation.
  • Access to knowledgeable experts – ITHealth’s purely NHS focussed technicians have a genuine understanding of NHS infrastructures and challenges.

In addition, the Dashboard helps the Trust with its DSP toolkit submissions as the solution directly meets or supports 79% of the DSP toolkit’s cyber-related mandatory requirements.

HUHFT are now in discussions with ITHealth about additional vulnerability scanning, as well as consolidation of web security.