Checking the NHS’s Security Pulse

Security managers in all sectors probably lose a bit of sleep from time to time over the fear of a breach. In healthcare, the idea of being hit results in whole nights lost rather than the odd hour or so. The theft of healthcare records simply does not bear thinking about.

The Pressures of Provision in Healthcare

The UK health sector is under unprecedented pressure to manage increasing workloads with diminishing budgets. Doing more with less is a way of life. In security, this means protecting better against bigger threats with fewer resources. Despite the South-East’s relative prosperity, in August 2015 a parliamentary and health service ombudsman singled out the region for its poor record on health service failures: the South-East accounts for 14% of complaints to NHS England and UK government departments.

This is where Sussex Health Informatics Service (HIS), now part of the NHS South-East Commissioning Support Unit (CSU), operates, supporting 40,000 users spread across 11 NHS member organizations. The organization provides a full suite of IT services as well as governance, project management, training, change management and strategy for all NHS trusts in Sussex. Protecting the integrity of the data and its patients is paramount.

Setting out a New Security Infrastructure

Sussex HIS found that it needed a proactive, network-based approach for access and endpoint compliance. Initially, however, it had to cope with an ageing intrusion prevention system (IPS) that only provided reactive security and whose alerts were at least a day old and clouded by false alarms. A real-time network security solution was needed to deliver complete visibility and policy-based control of all devices connecting to the Sussex Community of Interest Network (COIN).

A secure network, with no disruption to users or service, was deemed essential due to the time-critical nature of healthcare. In addition, the solution had to support a variety of IT staff, device types and network member sites with different operating environments. Key factors were ease of deployment, flexible administration and low total cost of ownership.

The IT services team determined that network access control (NAC) would address its security challenges. To fund the NAC project, Sussex HIS replaced its ageing IPS. The project success criteria focused on deployment ease, management flexibility and low TCO. In selecting an appropriate NAC product, the Sussex HIS team weighed each supplier against two initial requirements: the solution had to be agentless, to support more rapid deployment and reduce overhead, and it had to be capable of supporting multiple sites with varying operating infrastructure.

“Some NAC suppliers never made it past this first stage, as they didn’t grasp the technical and cost implications of these two basic requirements,” recalls Peter Ward, senior security engineer, NHS South-East CSU.

Next, the team created a requirements matrix incorporating more stringent test criteria that included: agentless capability; integration with existing systems; ability to identify and manage unknown devices and users; multiple operating system support for Windows, Linux and Mac; support for machine compliance checks, e.g. AV, encryption, domain membership; and more.

Once each NAC appliance was tested against the core criteria, Ward wanted to ensure the final selection could be customized, run custom scripts and create custom actions. Additionally, he was looking for an enhanced level of data regarding endpoints and users.

Looking forward

Due to the scale of Sussex COIN, Sussex HIS could not monitor what devices were connecting in real-time, let alone classify, segment and assess endpoints appropriately. CounterACT enabled this, and allowed for the automatic assessment of all devices and users previously and currently on the network, checking their compliance and remediating any problems without disruption.

Accurate device classification was essential, Ward stresses: “In healthcare, everything from sterile washers, MRI scanners, medical kiosks, patient monitoring systems through to the chief executive’s iPad all need to be classified correctly and monitored. If the organization incorrectly identifies an A&E patient monitoring system as a rogue device and subsequently blocks it, that is potentially life threatening.”

By replacing the ageing IPS, Sussex HIS made significant cost savings by removing the high management overhead. The new network security platform provides a better use of funds and adds value across the IT organizations. In today’s NHS, this combination of peace of mind and cost savings is quite the tonic.

Working Smarter and More Profitably

After assessing each NAC product in a test environment and considering performance in context with cost, Sussex HIS selected ForeScout CounterACT.

Ward explains: “CounterACT was agentless and flexible enough to meet the needs of our diverse healthcare infrastructure and customers. The management console allows us to provide our healthcare members with tremendous visibility and more automated control.”

The first appliance was deployed in July 2012. The NAC platform roll-out did not require agents and the platform could be set to monitor-only mode, which made deployment quick and avoided user disruption. The ability to centrally manage the system and enforce policy across multiple NAC appliances, regardless of network infrastructure diversity, further reduces typical NAC implementation challenges. Within two weeks, the network teams had installed all appliances and they were up and working.


Sussex HIS found that CounterACT removed the need to place appliances in the data path, reducing implementation costs, making routing reconfiguration unnecessary, and not generating additional points of failure. As such, Sussex HIS could deploy and centrally manage seven physical appliances located at five strategic nodes around the COIN network, covering all NHS member organizations and third-party IT suppliers operating on the COIN.

“We run an extensive network where support of our healthcare provider’s ability to deliver efficient and effective patient care is a top priority. Within any healthcare environment, there is an incredibly diverse range of hardware and users that change daily,” Ward observes.

CounterACT provided NHS South East CSU with visibility of devices connecting to the internal network in real-time. The resulting information was used to make informed access and endpoint configuration and security management decisions in order to more rapidly address, mediate or block any IP device or person highlighted as a risk to NHS data, infrastructure and hardware.
