Isle of Wight NHS Trust

Increasing cyber resilience with a 360-degree view of managed and unmanaged assets from ITHealth and Cynerio

Project Overview

The Trust lacked endpoint and server compliance and had very limited visibility and reporting of devices. It then discovered a striking gap between managed and unmanaged assets – ‘a black hole’ representing almost a third of the physical hosts on the Trust’s network.

The ITHealth Dashboard proves itself ‘an essential tool for compliance reporting, hardware and software inventory and DSPT’. Cynerio efficiently delivers a complete, accurate inventory of all medical devices and IoT and helps effectively address associated vulnerabilities.

Isle of Wight NHS Trust is somewhat unique in that it is the only integrated acute, community, mental health and ambulance health care provider in England, serving an isolated offshore population of 140,000. Established in April 2012, the Trust employs some 4,400 staff and operates around 3,850 endpoints, with just over 300 servers.

The Situation

In September 2019, the Trust found itself in quite an exposed position due to a historical lack of IT investment and a mutually agreed resignation scheme (MARs) which had led to the loss of key technical posts. With some 2,700 endpoints, the Trust was halfway through an unfunded Windows 10 deployment project; only 50% of endpoints had been upgraded to Win10 and less than 5% of servers were registered in Microsoft Defender for Endpoint (MDE). In addition, 140 Windows 2008 servers and some 1400 Windows 7 endpoints were approaching end-of-life in January 2020. There was no funding or plan in place and it was left only to the best efforts of already-stretched BAU teams to manage the upgrade programme.

Jake Gully, Digital Operations Manager at Isle of Wight NHS Trust had been appointed at this time and explained that the immediate priority for the Trust was to address server and endpoint compliance and onboarding all devices into MDE. It was quickly apparent that the Trust had very limited visibility and reporting on its devices. With an old and broken SCCM 2007 installation and a poorly maintained and unreliable ITSM for asset management, the Trust knew that it needed greater asset visibility to achieve compliance and efficiently manage its upgrade programme.

“One of the major issues that hit us straight out of the blocks was that we had very limited reporting and visibility of our devices.”

Jake Gully

Digital Operations Manager
Isle of Wight NHS Trust

The Solution

To fill the visibility gap, the Trust purchased an initial year of the ITHealth Dashboard in February 2020; it gave the Trust the visibility it needed to better manage endpoint and server compliance, and provided reliable information so it could plan its upgrade and rolling replacement programs. “The ITHealth Dashboard quickly proved itself an essential tool for reporting of overall compliance, hardware and software inventory and DSPT. It was also useful to the Service Desk for minor software patches, deployment and registry files”, said Gully. Another major advantage of the ITHealth Dashboard to the Trust was that it greatly assisted with the migration from Sophos Enterprise on-premise to Sophos Central Intercept-X. The Trust was so impressed that it upgraded its initial one-year subscription to three years come March 2021.

The ITHealth Dashboard assisted the Trust to complete its Windows 10 migration programme, including the replacement of almost all its legacy server estate.

“We liked it [the ITHealth Dashboard] so much that we renewed and upgraded our initial one-year subscription to three years in March 2021.”

Jake Gully

Digital Operations Manager
Isle of Wight NHS Trust

The Gap

An early finding from the ITHealth Dashboard’s reporting was the striking gap between managed devices, for which IT were responsible – some 6,500 hosts – and unmanaged devices (IoT/IoMT), of which there were 2,000. “There was very little information or reporting on these unmanaged devices”, said Gully. “A black hole representing almost a third of the physical hosts on our network”. This presented a significant unmanaged attack surface for the Trust, affecting some of its most critical medical, infrastructure and security equipment.

The Trust quickly embarked on a review of the market to identify an IoT/IoMT security provider. Four leading vendors were identified, including Cynerio – all of which were invited to conduct demonstrations and a mini tender. Although the process was IT-led, demonstrations and scoring were handled jointly by colleagues from IT, Medical Electronics, Radiology, Pathology, Pharmacy and Estates teams. “Tendering was competitive, but Cynerio were chosen as they demonstrated real commitment to developing the product at pace for the UK NHS market”, said Gully.

With Cynerio, the Trust now has complete IoMT/IoT visibility and reporting to address device hardening and north-south segmentation; it can also prioritise risk by criticality and automate mitigation at scale.

Some Cynerio favourites of the Isle of Wight NHS Trust include:

  • Asset risk prioritised based on impact (Patient Safety, Patient Confidentiality, and Service Disruption)
  • Classification of assets by device type and risk exposure per group
  • Actionable DSPT and Cyber Alert Dashboards for IoMT/IoT

“The decision to purchase Cynerio was made prior to any links between ITHealth and Cynerio were announced – the integration between the two was extremely welcome news!”

Jake Gully

Digital Operations Manager
Isle of Wight NHS Trust

Results and Next Steps

With ITHealth and Cynerio, the Trust now benefits from granular, 360-degree security visibility of all assets – both managed and unmanaged. Jointly, ITHealth and Cynerio is a key thread to helping the Trust improve cyber resilience, reduce risk and respond to evolving cyber threat – greatly assisting the Trust’s journey to achieve compliance with:

  • NHS Digital’s Data Security and Protection Toolkit (DSPT)
  • The National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF)
    – particularly to objectives A1-A3 (Managing Security Risk: Governance, Risk Management and Asset Management), B1 (Defending against cyber-attack: Service protection policies and processes) and C1 (Detecting cyber security events: Security monitoring)
  • National Institute of Standards and Technology (NIST) Cyber Security Framework– substantially to ‘identify’, ‘protect’ and ‘detect’

The Trust is currently in beta phase of a new release of the ITHealth Dashboard which is aimed to simplify reporting even further for NHS Trusts and make unmanaged asset insight from Cynerio viewable with managed asset data from ITHealth all from a single pane of glass. Gully’s response so far: “The new ITHealth Dashboard is very responsive and highly configurable; we can see already how it will be of  greater benefit to helping us achieve compliance and cyber resilience.”

“The engagement from Cynerio was excellent with fast delivery of the collectors, onboarding and training of staff in IT, Medical Electronics, Estates, Pathology, Radiology and Pharmacy. We ordered October 2022 – by the end of November, it was delivered, set-up and we were all trained!”

Jake Gully

Digital Operations Manager
Isle of Wight NHS Trust

You may also be interested in…

View all case studies

Take the next step

We’re here to help. Get in touch to discuss your cyber security challenges.

Prefer to talk? Just call us on 0115 987 6339.