Poole Hospital NHS Foundation Trust and The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Mitigating cyber risk through a ‘single pane of glass’ network view and near real-time risk reporting

Overview

NHS IT teams typically employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, ‘moment-in-time’ reports are pulled from disparate systems that require data to be cobbled together to understand the organisation’s overall security posture. It’s an approach which is reactive, labour-intensive and leaves the organisation open to risk. The IT team at Poole Hospital NHS Foundation (PHFT) and The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust (RBCH) wanted to reduce its reliance on such an approach and find a more proactive way to manage its cyber security.

Poole Hospital NHS Foundation Trust (PHFT) is an acute general hospital with a 24-hour major accident and emergency department. It is the designated trauma unit for east Dorset, and provides specialist services such as cancer treatment for the whole of Dorset. The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust (RBCH) runs Christchurch Hospital and the Royal Bournemouth Hospital and provides health care for the residents of Bournemouth, Christchurch, East Dorset and part of the New Forest with a total population of around 550,000.

Challenge

PHFT and RBCH, although two separate trusts, share a single IT function. As with many other NHS organisations, the complexity of their joint IT infrastructures and heterogeneity of installed security tools made keeping track of all assets a challenge. To get an overall view of network assets required reports being pulled from disparate systems, often exported to excel, and then manually aggregating the data into some sort of uniformed format. It was a time-consuming approach reliant on ‘moment-in-time’ snapshots running the risk of devices with issues or vulnerabilities appearing on the network after the exports had been run.

Ensuring timely responses to NHS Digital’s CareCERT threat bulletins was also a challenge. Although processes were in place to interrogate the network for associated risks and remediate accordingly, the processes were labour-intensive and again reliant on snapshot reports, which meant there was no assurance for ongoing compliance.

The Trusts’ IT team was also using a mixture of in-house developed databases, excel spreadsheets, and SharePoint sites to manage and track hardware inventory – it was a convoluted process which they knew could be better managed.

Solution

ITHealth had been working with the Trusts’ IT team for many years, previously with secure remote access and end-user protection, and so introduced its Assurance Dashboard Solution – a solution which is helping other NHS Trusts better manage their infrastructures through dynamic, consolidated visibility of their IT assets and security controls. The Trust immediately saw the Dashboard’s potential and so agreed to undertake a trial.

The Dashboard shows us live reports for a large variety of security and compliance issues”, said Martin Davis, IT Security Manager at PHFT and RBCH. “The ‘single pane view’ of infrastructure data is a huge time-saver and we no longer need to access several systems to get the same information.”

As well as benefiting from near real-time security auditing, the Trusts’ IT team was also impressed with how the Dashboard simplifies NHS Digital CareCERT compliance. “As CareCERTs are released, we go straight to the Dashboard which tells us which of our assets are affected so we know exactly where to focus remediation”, added Martin. Since the Dashboard continuously scans the network, the team can now monitor CareCERT compliance ongoing.

Since implementation, the IT team have also replaced previous hardware/software monitoring tools with the Assurance Dashboard and are now uniquely working on using the Dashboard to complement their hardware procurement process so it will become their singular source for IT hardware inventory. For example, the Dashboard allows the IT team to scan barcodes to track the stock of IT assets before they even connect to the network and ensure devices received into the organisation are recorded with an audit trail of who received the device, who took it out of stock, who built it and deployed it, etc. It will assist the Trusts with future audits and enable them to replace many legacy data sources, in house developed databases, and excel spreadsheets with a single source for all IT asset hardware tracking and information.

Results

The Assurance Dashboard Solution is currently benefiting PHFT and RBCH in the following ways:

  • One common and trusted network view – provides consistency for all users
    A single, dynamic view of network assets is now accessible by the whole of the IT team; various IT departments go to the same place to monitor, manage and control the parts of the network for which they are responsible and can see the effects of remediation as it is being administered throughout the organisation. “The Dashboard is being used by multiple teams on a daily basis for reporting and information gathering”, Martin Davis, IT Security Manager, PHFT and RBCH.
  • Near real-time network visibility and reporting mitigates cyber risk
    Continuous near real-time insight into the network is proving crucial for the Trusts’ IT teams to prevent and mitigate risk as it happens allowing a far more proactive security approach and more thorough remediation.
  • Streamlined and automated security and compliance reporting
    No longer does the IT team spend hours collating data from multiple exports into a unified report – instead security and compliance information is readily available from a single source meaning valuable resource time is now spent on more strategic security initiatives.
  • A complete asset management tool – eradicating the use of spreadsheets
    The Dashboard has improved transparency and accountability for the Trusts by eradicating all manual hardware inventorying and acting as a central database for the recording of detailed information relating to all IT assets from acquisition (before devices are even connected to the network) through to asset disposal. Barcode detail is captured as well as an audit trail of who received the device, who took it out of stock, who built it and when, install date, location, etc.