
NHS regional health board adopts proactive approach to data security

The NHS Dumfries and Galloway health board has adopted a proactive way to protect patient data through continual vulnerability assessment

The NHS Dumfries and Galloway health board has adopted a proactive approach to protecting patient data through continual vulnerability assessment.

As electronically stored data has increased, data security has become essential to mitigate the risk of breaches and comply with national and industry regulations.

The challenge is also growing with the addition of IT systems for social care services and with the introduction of an ever-increasing array of computing devices.

Digital data offers many advantages, such as the fast and cost-effective transfer of information between health institutions, but it also increases the risk of data breaches.

The health board’s IT department, which is responsible for managing IT systems for all medical facilities in south-west Scotland, recognised that vulnerability management was key.

In meeting the challenge of keeping patient data safe while ensuring that IT systems have 100% availability, a high priority is keeping systems up to date.

To check how well the systems were performing, the IT department used a free version of a vulnerability management tool from Qualys.

The results provided the business case for investing in the full version of the tool and IBM Endpoint Manager, formerly known as BigFix.

The board’s IT department had previously relied on open-source vulnerability scanning and network mapping tools such as Nessus and Nmap.


But these and other tools did not support the central reporting across all systems that was essential to improving efficiency and effectiveness in data protection.

These tools could only generate reports for individual machines, rather than providing an overview of the whole IT environment managed by the board’s IT department.

After evaluating several tools on the market, the IT department found the best fit was Qualys' vulnerability management product.

“We found that it offered the functionality we wanted and delivered its findings in a helpful, user-friendly manner,” said Andrew Turner, head of information assurance and security at NHS Dumfries and Galloway.

“It is a tool we can use across all our systems and it enables us to conduct our own external penetration testing and bring all the data back to a single dashboard and generate a report from there.”

Turner’s first goal was to demonstrate just how poorly systems and software across the region were being kept up to date with security patches.

“Poor patching is one of the top five threats to information security and I knew it was important for us to measure and manage our performance,” he said.

Turner used the free version of the Qualys tool to establish the business case for investing in the full Qualys Cloud Platform and its integrated suite of security and compliance solutions for future monitoring.

The fact that the vulnerability services are cloud-based was never a security issue because none of the data going to the cloud is patient data.


The results of the Qualys scans also helped make the business case for investing in IBM’s Endpoint Manager to ensure all systems and software are kept up to date through automated patch management.

“I realised that automation was essential to look after our 300 servers after it took me four days to manually patch just three test servers,” said Turner.

“Using the IBM patch automation tool, I was able to patch 10 test servers in just 15 minutes.”

Qualys was then useful in measuring the effectiveness of the IBM system once it had been implemented, in providing ongoing assurance that it is working as required, and in identifying anything it has missed.

The Qualys tool also provides assurance that third-party outsourcers responsible for supporting GP systems are meeting their obligations to keep patching up to date.

Turner said the IBM tool takes care of about 60% of the vulnerabilities flagged up by the Qualys system, which is vital for identifying the remaining 40% that need to be tackled in other ways.

Within the Qualys Cloud Platform, Vulnerability Management continuously monitors the organisation’s entire IT environment to pinpoint potential weaknesses, scanning about 3,500 endpoints, including servers, PCs, medical devices, telephony systems, shared terminals and mobile devices.

“One of the most useful features of Qualys Vulnerability Management is its ability to integrate with a huge range of systems,” said Turner. “It provides much more comprehensive coverage than many other solutions.

“This enables us to rely on a very small number of tools to monitor vulnerabilities across our huge and diverse environment, reducing complexity and unlocking efficiencies.”

The initial discovery scan highlighted 33,500 previously undetected vulnerabilities, and the IT department can now generate reports to keep managers informed of progress in eliminating those and any newly discovered vulnerabilities.


With automated weekly and monthly scans, the IT department can now identify and address new threats as they emerge. Asset scans enable IT staff to detect any new devices on the network and assess their vulnerability.

The Qualys Cloud Platform also informs IT staff of weak passwords and instances of guest and administrator accounts left logged into machines, enabling them to take corrective action promptly.

As far as passwords are concerned, the health board is rolling out single sign-on using Imprivata, which is supported by proximity cards to provide two-factor authentication.

The Imprivata system manages the passwords on all the application servers and is used to enforce strong password policies.

Good password practices are also covered by mandatory information governance and security training, which every employee has to complete every two years.

“We now have extremely robust security monitoring capabilities in-house, reducing our dependence on external consultants,” said Turner.

“For example, last year we paid a third party to conduct penetration testing on our internet-facing landscape. Now we can do this with the Qualys system. Not only do we save money, we are also more likely to perform these tests more often because it is much easier.”

Turner found that when he used the Qualys tool to probe the health board’s external gateway, many of the results were identical to what had been in the pen tester’s report.

“It made more sense to get the capability in-house and be able to run the pen tests whenever required without having to pay an external pen tester,” he said.


The value of the vulnerability management system was demonstrated when the threat from the Heartbleed and Shellshock vulnerabilities emerged in 2014.

“When Heartbleed broke, I ran the vulnerability report and within minutes was able to show exactly which of our systems were potentially at risk,” said Turner.

It is also easy to identify when digital certificates for web services are out of date and which servers are vulnerable to Poodle attacks, he added.
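The two workflows described above, splitting scan findings into those the patch automation tool can close and the remainder that need other remediation, and answering "which of our systems are exposed?" on the day a flaw such as Heartbleed is announced, together with the certificate-expiry and SSLv3 (Poodle) checks, can be illustrated with a small triage script over a scan export. The code below is an added example; it is not from the article and not code from NHS Dumfries and Galloway, Qualys or IBM. It assumes a hypothetical CSV export layout with the columns `host`, `finding`, `severity`, `vendor_patch_available`, `cert_expiry` and `ssl3_enabled`; real scanner exports use their own column names, and the sample rows are constructed.

```python
"""Triage of a vulnerability-scan export (added example, constructed data).

Not code from the article, NHS Dumfries and Galloway, Qualys or IBM. The CSV
layout below is hypothetical; adapt the column names to the real export.
"""
import csv
import io
from datetime import date

# Constructed sample export: hosts, findings and dates are made up.
SAMPLE_EXPORT = """\
host,finding,severity,vendor_patch_available,cert_expiry,ssl3_enabled
srv-01,OpenSSL Heartbleed,5,yes,,no
srv-02,Bash Shellshock,5,yes,,no
web-01,TLS certificate expiry,3,no,2014-09-30,no
web-02,SSLv3 enabled (POODLE),3,no,2016-06-30,yes
pc-117,Guest account left logged in,4,no,,no
srv-06,OpenSSL Heartbleed,5,yes,2016-01-01,yes
"""


def load_findings(text=SAMPLE_EXPORT):
    """Parse the CSV export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_affected_by(findings, name):
    """Hosts with a finding whose name mentions `name` (e.g. "Heartbleed").

    This is the "which systems are potentially at risk?" report built from
    the most recent scan when a new flaw is announced.
    """
    name = name.lower()
    return sorted({f["host"] for f in findings if name in f["finding"].lower()})


def split_by_patch_coverage(findings):
    """Separate findings an automated patch tool can close (a vendor patch
    exists) from those needing other remediation: configuration changes,
    certificate renewal, account clean-up or compensating controls."""
    auto = [f for f in findings if f["vendor_patch_available"] == "yes"]
    other = [f for f in findings if f["vendor_patch_available"] != "yes"]
    return auto, other


def patch_tool_coverage(findings):
    """Fraction of findings that automated patching alone would address."""
    auto, _ = split_by_patch_coverage(findings)
    return len(auto) / len(findings) if findings else 0.0


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as "2015-01-01"."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def expired_certificates(findings, today):
    """Hosts whose recorded certificate expiry date is on or before `today`."""
    today = _as_date(today)
    return sorted(
        f["host"] for f in findings
        if f["cert_expiry"] and date.fromisoformat(f["cert_expiry"]) <= today
    )


def sslv3_hosts(findings):
    """Hosts still offering SSLv3, the precondition for a POODLE downgrade."""
    return sorted({f["host"] for f in findings if f["ssl3_enabled"] == "yes"})


def triage_report(findings, today):
    """Management summary suitable for the weekly progress report."""
    auto, other = split_by_patch_coverage(findings)
    return {
        "total": len(findings),
        "patch_tool": len(auto),
        "other_remediation": len(other),
        "patch_tool_fraction": patch_tool_coverage(findings),
        "expired_certificates": expired_certificates(findings, today),
        "sslv3": sslv3_hosts(findings),
    }


if __name__ == "__main__":
    findings = load_findings()
    print("Heartbleed:", hosts_affected_by(findings, "Heartbleed"))
    print(triage_report(findings, "2015-01-01"))
```

The split on `vendor_patch_available` is what produces the kind of 60/40 figure quoted earlier: the first group goes to the patch tool, the second becomes the work list for the IT team. Running the report against the previous scan's export, rather than launching a new scan, is what makes the "within minutes" answer possible on the day a flaw is announced; the trade-off is that the answer is only as current as the last scan.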

As NHS Dumfries and Galloway proactively seeks out new threats and addresses them before they can have disastrous consequences, the organisation can prove to patients that it is adopting technologies and processes to protect their data.

At the same time, Turner said automating report generation lightens the burden on the IT team, reducing the need to hire additional staff even as the IT environment and organisational remit grow in size and complexity.

“This benefit, combined with the savings from reduced dependence on external consultants, will help to keep costs down, which is a huge advantage for publicly funded organisations such as NHS Dumfries and Galloway,” said Turner.

“As the threats we face increase in frequency and sophistication, we are confident that we will be able to overcome any new challenges that the future brings, quickly and effectively.”

The NHS Dumfries and Galloway health board is currently working towards achieving ISO27001 certification and plans to use the Qualys tools to help identify security project priorities.
