NHS informatics service ditches aging IPS for network access control

Sussex Health Informatics Service monitoring 40,000 devices
John E Dunn (Computerworld UK), 03 May, 2013 16:13

The NHS's Sussex Health Informatics Service (HIS) has completed a major migration project that saw it move from an Intrusion Prevention System to a new security design based around ForeScout's CounterACT network access control.

The giant IT service said it had taken the decision last year after growing dissatisfied with the number of false positives generated by the aging IPS, which was proving too "reactive."

Although such a system would have been due for replacement in time, the decision also marks a change in security architecture, from a perimeter model to one based on real-time device control according to policy.

The problem for such a huge organisation is the vastness and diversity of the devices that access its network, covering 11 NHS Trusts, GP surgeries and other organisations on 500 sites. That involves protecting and monitoring 40,000 devices accessed by 36,000 users.

"In a healthcare environment, everything from sterile washers, MRI scanners, medical kiosks, patient monitoring systems through to the chief executive's iPad, all need to be classified correctly and monitored," said HIS senior client devices engineer Peter Ward.

"If the organisation inadvertently identifies a patient monitoring system incorrectly as a rogue device, and subsequently blocks it, that is potentially life threatening."

CounterACT would allow the organisation to see which devices were connecting to the network while maintaining endpoint compliance without causing service disruption, he said.

All devices would be assessed for security-worthiness by policy, from a central location, when they connected to the network.

As well as eliminating IPS false positives, the HIS believed that using a network access control design would also save money in terms of admin time.

"Some NAC suppliers never made it past this first stage, as they didn't grasp the technical and cost implications of these two basic requirements," said Ward.

Other requirements included that the NAC work in an agentless fashion (i.e. without each device requiring software) and be able to integrate with the organisation's VPN, asset management and patching system.

Other NAC systems looked at included those from Cisco, Juniper, Bradford Networks, Symantec, Novell, McAfee and Sophos.

The deployment began last July and was up and running within two weeks, the organisation said.

Tags: NHS, security, public sector
