Salford Royal NHS Foundation Trust

Improving digital compliance efficiency and staying confidently assured through a unified network view

Overview

Following the cyber attacks in 2017, it was clear many NHS IT infrastructures were vulnerable to future attacks for various reasons: lack of compliance, end-of-life equipment, unsupported maintenance, governance, and the list goes on. The drive for cyber and compliance assurance became key for many NHS organisations. Salford Royal NHS Foundation Trust knew that to be fully assured it required a truthful view of its network, with greater visibility of compliance and assurance issues so that it could address them proactively.

Salford Royal NHS Foundation Trust (SRFT) is an integrated provider of hospital, community, social care and primary care services and is a University Teaching Trust. Salford Royal is part of the Northern Care Alliance NHS Group with Pennine Acute NHS Hospitals Trust. The Group is one of the largest healthcare providers in the country, serving a population of over one million people across its local communities. Salford Royal’s team of 7,000 staff members provide local services to the City of Salford and specialist services to Greater Manchester and beyond. The Trust is an ‘Outstanding’ organisation, as rated by the Care Quality Commission. Outstanding is the highest rating given by the CQC and in 2015 Salford Royal was the first Trust in the North of England to achieve this rating. The organisation retained this rating following its 2018 inspection.

Challenge

Like most NHS organisations, SRFT found increasing demands were being placed upon it to demonstrate compliance, both locally and at a national NHS Digital level. Executive and external reporting was proving complicated and time-consuming, often making it necessary to delve into multiple security systems and piece information together, an approach that naturally leaves opportunity for error. The Trust wanted to be confident that what it was reporting was a true and accurate reflection of the state of the network.

“We were lacking a clear and concise view of our infrastructure”, said Richard Wakefield, Chief Technical Officer, Northern Care Alliance NHS Group. “We knew that to be assured of our defences and compliance we needed to have access to a picture of our network that we could trust.”

Solution

SRFT had been working with ITHealth for many years, benefitting from their flagship Secure-IT remote access solution, Sophos anti-virus and Sophos email security gateway protection. Trusting ITHealth’s NHS cyber security specialism and proven experience, the Trust explained its challenges. ITHealth quickly responded with its Assurance Dashboard Solution, which has been developed in collaboration with other NHS Trusts experiencing similar issues.

Fully managed by ITHealth, the Assurance Dashboard Solution pulls in-depth detail on all IP addressable assets linked to the SRFT network into a user-friendly dashboard interface. Intelligent reports present the findings in a meaningful and actionable way; NHS IT teams can quickly identify software and hardware vulnerabilities and any issues compromising security and compliance.

“CareCERT compliance in particular is made easier as the Dashboard automates much of the process”, said Janet Eivers, Digital Compliance Manager, SRFT. As CareCERT alerts are released, ITHealth inputs the threat detail into the Dashboard which then rapidly assesses associated vulnerabilities within the Trust’s network. The Dashboard highlights potentially affected assets, so the Trust knows exactly where to focus remediation efforts to ensure it remains protected. As much of the Dashboard detail is exportable, actionable worklists can also be pulled to assist with user workflows. “The CareCERT reports save us huge amounts of time and allow us to see at a glance and prioritise vulnerabilities”, continued Janet.

As this is a managed solution, ITHealth provides monthly summary reports of the Dashboard detail to SRFT so the Trust can monitor changes in the network over time and disseminate key information to the board and external parties.

Results

The Assurance Dashboard Solution has streamlined many routine security and compliance processes for SRFT, including but not limited to:

  • Hardware and software identification and management
  • Patch management visibility across the hardware and software estate
  • User identification and user trends for capacity management
  • CareCERT compliance monitoring
  • Management reporting

SRFT benefit from the solution in the following ways:

  • Being confidently assured at all times – the Trust can always access a truthful, reliable and real-time picture of its network.
  • Enhanced security through increased network visibility – vulnerability and compliance issues can be more easily pinpointed, prioritised and addressed.
  • Swifter remediation – the Dashboard flags priority areas and allows dynamic, exportable work lists to assist user workflows.
  • Huge reduction in time spent on routine tasks – the IT team can focus their efforts on more beneficial projects.

“What I like best is that this system takes away any guesswork and opportunity for error in reporting; it presents a picture of the network and systems as they really are – making it easier to visualise risks and present accurate solutions”, concludes Janet Eivers, Digital Compliance Manager.