When, back in 2012, the Information Commissioner’s Office (ICO) reprimanded NHS Bournemouth and Poole for passing on the data of 3,700 patients to the Enhanced Care Service without first consulting the individuals concerned, it sparked a major rethink in the way security operated across the NHS in neighbouring Hampshire.
Serving a population of 1.3 million, Southern Health NHS Foundation Trust is responsible, wholly or in part, for 14 community hospitals across Hampshire. Earlier this month, as part of a complete overhaul of its existing IT security strategy, Southern went live with security information and event management (SIEM) and content security technology from Trustwave.
Anthony Guethert, head of IT architecture and design at Southern takes up the story: “We went through Trustwave for most of the software choices we made.
The vertical stack integrates nicely – we found it’s best in breed – and it offers very good support and competitive pricing, so that combination was excellent for us.”
Guethert added that Trustwave “knew what they were talking about”, and offered “excellent service and support, and the range of the products vertically integrated nicely”.
Specifically, Southern Health has deployed Trustwave’s Webmarshal and Mailmarshal products, which filter bandwidth and manage traffic levels through web and email servers, and Trustwave SIEM to collect, analyse and assess security events proactively for rapid identification, prioritisation and response.
The Trust has also implemented McAfee Safeboot, while Good Technology takes care of mobile device management and SecurEnvoy provides two-factor authentication.
As well as a desire to keep in the ICO’s good books, a big driver behind the security overhaul was to make it simpler for staff to communicate with colleagues in a safe way.
“The key was security, and having the staff use equipment in the past that was not encrypted or had a very difficult way of connecting back to the corporate resources was at the forefront of our minds,” said Guethert.
“The more difficult it was for people to use the technology, the less security we had and the more risk we had,” he added.
“So once we’d got encrypted laptops out there, with a nice secure connection back in, we wanted to make sure that the technology was accessible and easy to use, and that users were following corporate policies when out in the field. That’s all managed and monitored now.”
The Good Practice Guide 13 from cyber security consultancy CYSEC forms the basis of the Trust’s security policies. “GBG13 guidelines were important for us to meet,” said Guethert. “When building the infrastructure we had the opportunity to do it properly, and we wanted the security model to reflect best practice in the process of doing that.
“So one of the key things was to understand the marketplace, understand the requirements, and understand the level the Trust needed to reach and maintain, and implement and achieve those levels with minimal total cost of ownership. We didn’t want to put systems in that increased the cost or burden over time.”
As well as hugely increased security, Guethert is enthusiastic about the Trust’s new ability “to share data for the first time, and share a global address list. None of that was possible before – all the suppliers had separate systems, separate data, and email systems. So no stuff could work across them.”
Guethert blames historical NHS IT systems that were “a very complex environment that grew organically [over years]” for creating a system that led to so many security gaffs.
“The CEO and board [of Southern] were fantastic, because they realised strategically that this was crippling the business and there was a real need to bring it together into a single organisation.”