NHS Dumfries and Galloway Adopts a Proactive Approach to Safeguarding Patient Data

Guarding against security threats with a state-of-the-art vulnerability management solution

In the UK, state-funded medical care is provided by the National Health Service (NHS). NHS Dumfries and Galloway is the regional health board responsible for providing medical care to more than 148,000 people living in a geographical area spanning 2,400 square miles in the South West of Scotland.

The IT department of NHS Dumfries and Galloway is tasked with managing IT systems for all medical facilities in the region – including around 1,000 general practitioners plus 4,500 staff working in fields such as hospital care, nursing and psychiatry. The systems in question include: servers and network devices in data centres, servers and desktops in hospitals and clinics, and fixed and mobile devices used by medical staff on hospital wards and in doctors’ surgeries.

People fall ill at all times of day and night, so medical institutions must ensure that the IT systems supporting care are available around-the-clock. For critical systems, downtime is simply not an option.

Equally, as more data is stored electronically, rather than in physical files, having proper data security practices becomes essential to mitigating the risk of breaches. Health boards such as NHS Dumfries and Galloway must also ensure that their operations comply with regulations established and enforced by national and industry bodies.

Andrew Turner, Head of Information Assurance and Security at NHS Dumfries and Galloway, explains: “In recent years, we have seen a technology revolution in healthcare, with the number of fixed and mobile electronic devices used by medical staff skyrocketing. Storing information digitally offers many advantages such as fast, cost-effective transfer of information between institutions involved in treating a patient, but it also increases our exposure to the risk of data breaches.”

He adds, “With the number of devices continuing to grow and our remit soon expanding to include IT systems for social care services, we wanted to find a way to safeguard patient data more effectively and efficiently. Our aim was to switch from a reactive to a proactive approach to protecting patient information.”

Sophisticated Security Solution

NHS Dumfries and Galloway evaluated a range of solutions available on the market, and decided to invest in the Qualys Cloud Platform and its integrated suite of security and compliance solutions.

“We found that many vulnerability management tools could only generate reports regarding each individual machine – rather than giving us a clear overview of our entire environment,” recalls Andrew Turner. “When we tested the Qualys Vulnerability Management (VM) solution, we found that it offered the functionality we wanted and delivered its findings in a helpful, user-friendly manner. The Qualys team provided excellent support, helping us to implement the solution quickly and smoothly.”

Within Qualys Cloud Platform, Vulnerability Management continuously monitors essential parts of the organization’s IT environment to pinpoint potential weaknesses, scanning around 1,000 end-points including servers, PCs, medical devices, telephony systems, shared terminals and mobile devices.

“One of the most useful features of Qualys Vulnerability Management is its ability to integrate with a huge range of systems – it provides much more comprehensive coverage than many other solutions,” comments Andrew Turner. “This enables us to rely on a very small number of tools to monitor vulnerabilities across our huge and diverse environment, reducing complexity and unlocking efficiencies.

The initial discovery scan highlighted an uncomfortably high number of previously undetected vulnerabilities, which the IT team is now working to eliminate. Managers receive high-level reports to keep them informed of progress.

With automated weekly and monthly scans, the organization can now identify and address new threats as they emerge. Asset scans enable IT staff to detect any new devices on the network and assess their vulnerability.

The Qualys solution also informs IT staff of instances of guest and administrator accounts left on machines, enabling them to take corrective action promptly.

“We now have extremely robust security monitoring capabilities in-house, reducing our dependence on external consultants,” adds Andrew Turner. “For example, last year we paid a third-party to conduct penetration testing on our internet-facing landscape – now we can do this with the Qualys solution. Not only do we save money, we are also more likely to perform these tests more often because doing so is much easier.”

To reduce its susceptibility to security threats, NHS Dumfries and Galloway plans to select and deploy an automated patch management solution. The organization will use the Qualys solution to investigate the effectiveness of this patching software and address any remaining weak points.

As the health board expands its use of Qualys Vulnerability Management, it will build golden images for servers, test them for compliance and vulnerabilities, then use them as the basis for its environment, unlocking further efficiency gains while heightening security levels.

Identifying and Eliminating Vulnerabilities

The value of having a comprehensive security solution in place was demonstrated when the HeartBleed and Shellshock bugs struck.

Andrew Turner explains: “When HeartBleed broke, I ran the vulnerability report and was able to show my manager exactly which of our systems were potentially at risk. Our enhanced ability to cope with incidents like this proves the value of Qualys Vulnerability Management.”

In the future, NHS Dumfries and Galloway is planning to overlay its own severity ratings on new vulnerabilities it detects so that it can determine which to tackle first.

Adopting a Proactive Approach to Protecting Patient Data

As NHS Dumfries and Galloway proactively seeks out new threats and addresses them before they wreak disastrous consequences, the organization can prove to patients that it is adopting technologies and processes to protect their data.

At the same time, automating report generation lightens the burden on the IT team – reducing the need to hire additional staff even as the IT environment and organizational remit grow in size and complexity. This benefit combined with the savings from reduced dependence on external consultants will help to keep costs down – a huge advantage for publicly-funded organizations such as NHS Dumfries and Galloway.

Andrew Turner concludes: “As the threats we face increase in frequency and sophistication, Qualys gives us confidence that we will be able to overcome any new challenges that the future brings quickly and effectively.”