West Suffolk NHS Foundation Trust (WSFT)

Significantly improving IT performance reporting and ongoing NHSD CareCERT compliance

Overview

Being a Global Digital Exemplar means the ‘bar’ for West Suffolk NHS Foundation Trust (WSFT) is raised in terms of expectation. To meet this expectation (as well as its own working practices) the Trust’s IT department has worked tirelessly in achieving and maintaining external standards including ISO9001, 27001 and Cyber Essentials PLUS. Here we find out how WSFT works with ITHealth to maintain such standards by continually monitoring its cyber hygiene and IT performance, as well as proactively addressing compliance issues.

West Suffolk Hospital sign

West Suffolk NHS Foundation Trust provides hospital and community health care services to the population of West Suffolk and is an associate teaching hospital of the University of Cambridge. It serves a population of around 280,000 and employs just over 3,000 staff. At its main site, the 430-bed West Suffolk Hospital, there is a purpose-built Macmillan Unit for the care of people with cancer, a dedicated eye treatment centre and a day surgery unit where children and adults are treated.

Challenge

Whilst the WannaCry attack of May 2017 didn’t affect WSFT directly, its detrimental impact on other Trusts across England was a wake-up call for every NHS organisation. The cyber security of critical health services suddenly rose to the top of board agendas and Executives wanted to know about it. Leaving nothing to chance, WSFT’s CIO responded with an increased frequency in IT performance reporting.

Yet, reporting for WSFT wasn’t as straight-forward as it could be. Whilst the Trust utilises many standard and fit for purpose tools such as Microsoft SCCM for patch management, PRTG for network monitoring, and another for software assets, they are all disparate systems and so ‘reporting was a chore that took at least a day to put together’.

Another demanding, yet necessary, task was ensuring appropriate and timely responses to NHS Digital’s CareCERT bulletins; interrogation of the network to assess associated risk levels took time and relied on having the correct skill sets available to perform the job. As such, WSFT identified this as another area for improvement.

Solution

WSFT has been working with ITHealth for many years, most recently on a ‘tap-and-go’ solution which leverages the NHS smartcard for swift and easy workstation switching with session persistence. On discussing the Trust’s challenges, ITHealth proposed its Assurance Dashboard Solution; a solution which has been designed to provide a consolidated view of all critical security and compliance information pertinent to NHS IT estates.

“The ITHealth solution integrates with many of our systems collating the information in a customisable dashboard giving us an at-a-glance view of the status of our environment”, said Robert Howorth, IT Infrastructure Manager at WSFT.

As soon as the Trust’s IT team saw a demonstration of the solution, they knew that it would provide a visibility of their IT estate that they had been lacking.

As well as key features including patching and AV status, comprehensive asset and user information, direct computer management, customisable reporting and more, the Dashboard also automates much of the NHS Digital CareCERT process. With the need to keep systems up to date and compliant, this proved a key selling point for WSFT.

“The Dashboard’s CareCERT reports are a real time-saver; they allow us to quickly understand our exposure to risk, prioritise vulnerabilities and watch closely how these are remediated over time”, said Robert. “Being able to easily demonstrate CareCERT status is an integral part of our IT performance. It’s something that vendors don’t typically cater for.”

Results

The Assurance Dashboard Solution benefits WSFT in the following ways:

  • Vital time returned to the IT team through streamlined, comprehensive reporting
    The IT team now only go to one place to report on the network. Not only can almost any of the Dashboard’s data be easily exported to excel, but ITHealth also provides comprehensive monthly assurance reports which highlight key stats, figures, trends and more. The Trust’s IT team feed this detailed information up to the Executive Board.
  • Much simpler ongoing compliance through CareCERT automation
    Upon receipt of CareCERT threat alerts, the Trust no longer manually interrogates the network every time to understand exposure to risk. Instead the Dashboard quickly highlights affected assets for nearly all CareCERTs and monitors compliance ongoing.
  • Always confidently cyber assured
    The Trust can access a truthful, reliable picture of its network – at-a-glance, at any time – in near real-time. It can easily pinpoint vulnerabilities and compliance issues and pro-actively address them.
  • A wealth of network insight at their fingertips
    The Dashboard is proving ‘so easy to use’ that it has become ‘an invaluable, everyday tool’ for the Trust’s 2nd and 3rd line teams. Given the depth of information it provides, if the IT team are now curious about anything on the network they simply go to the Dashboard and most usually they get the answer.