It takes a lot of courage to yank out most of your existing security products and replace them in one fell swoop, but that is just what has taken place at Basildon and Thurrock University Hospitals NHS Foundation Trust.
Out has gone Symantec Corp.'s antivirus and management software, along with email and Web filtering from SurfControl (now a company of Websense Inc.), and in has come a complete range of defences from security vendor Sophos Plc, located near Oxford.
The man in charge of the project is pretty pleased with the result, which rolled out in August. Antony Barke, a senior technical engineer with the trust, says that since the introduction of the new systems, he not only has better security but greater control over network usage and the software that users install.
But why take such a drastic step in the first place? He says the move was triggered earlier this year, when they were contemplating an upgrade from version 10 of Symantec Anti-virus to version 11. Barke did a trial upgrade among the IT department and found that it took around 20 minutes per machine to complete, putting the client device out of action during the process. With 2,500 users to upgrade, he felt the impact would be unacceptable.
But with government demanding greater security across the public sector, especially in health, he felt his whole security estate needed upgrading. "The old systems were not fully manageable," he says. "Email filtering was okay, but rules could disappear for no apparent reason, and likewise for the Web filtering. You'd block a particular site, and then it would be magically unblocked again, usually by some sort of auto-update."
Basildon and Thurrock is one of the UK's first NHS Foundation Trusts, and is an associate teaching hospital providing acute medical services across its three sites in South West Essex. Its main site at Basildon is also home to the Essex Cardiothoracic Centre.
The whole organisation relies heavily on technology to work efficiently. The IT infrastructure has recently undergone radical re-organisation with the introduction of VMware, which allowed the trust to reduce its estate of physical servers from 130 to 95. VMware allowed the readjustment of its whole storage infrastructure, while reducing power consumption and heat output at the same time.
But efficiency had to be matched by security and Barke needed to be confident that he was protecting data and systems against all types of threats, both internal and external. "We are subject to strict government policies, especially in the bulk transfer of data. A lot of material goes outside the trust for reporting or to an outsourced function," he says. "In emails, we had to make sure there was no personal identifiable information (PII) going out, for example."
Having decided against products from his existing providers, Symantec and Websense, Barke eventually chose to implement Sophos Endpoint Security and Control, which he says "won hands down when it comes to endpoint protection. We had to cover every eventuality or possibility for data leakage, and Sophos was the only product that ticked all the boxes."
He says the AV implementation went without a hitch, allowing easy importing of all computer accounts. Deploying the Sophos AV client, and removing the Symantec software, took less than five minutes per client. "It seemed to do it in CPU idle time as far as I could tell. So there was no impact on the users, 99% of whom didn't even notice. In fact," Barke says, "one engineer told me he thought he still had Symantec on his PC because he hadn't noticed anything going on. It was only when I pointed out the blue shield [the Sophos symbol] on the screen that he realised [the change]."
The email and Web filtering appliances also proved no problem, and were ready to be tested just 20 minutes after being taken out of the box. "We did some testing within IT for a few weeks and then pushed it out to the trust with no problem at all," he says. The content-filtering features, Barke says, have proved effective in ensuring no PII goes out in emails, by accident or design.
One unexpected benefit was the ability to control the applications that users run on their PCs. For instance, the trust has standardised on Internet Explorer 6, but many users had installed their own browsers, notably Firefox. "We could not detect [browser use] using SMS [Symantec's Sygate Management Server] because hash values changed with each new version of the software. So it made it hard for us to block the use of browsers we didn't like."
Barke says the Sophos system allows him to block anything, including peer-to-peer applications, which has the added benefit of reducing bandwidth usage.
One area that has caused embarrassment in some parts of the NHS is the careless use of USB drives to carry off personal data. Barke uses software from Safeboot (now part of McAfee Inc.) to restrict the use of non-approved USB pen drives. Users can read from them, but writing is blocked.
Where USB sticks are a requirement, Barke is using the Sandisk Corp.'s Cruzer Enterprise, which is a password-protected USB drive with built-in encryption.
With plans underway for a trust-wide wireless network, Barke knows that new security challenges will arise, but for the moment, he is confident he has all potential vulnerabilities covered. "With all the data leakages in the public sector, there is a realisation that we are under scrutiny, and we are going to be monitored. So we have to be on top of our game," he says.