The NHS's Sussex Health Informatics Service (HIS) has completed a major migration project that saw it move from an Intrusion Prevention System to a new security design based around ForeScout's CounterACT network access control.
The giant IT service said it had taken the decision last year after dissatisfaction with the number of false positives generated by the aging IPS system that was proving too "reactive."
Although such a system would have been due for replacement in time, the decision also marks a change in security architecture from a perimeter model to one based on realtime device control according to policy.
The problem for such a huge organisation is the vastness and diversity of the devices that access its network, covering 11 NHS Trusts, GP surgeries and other organisations on 500 sites. That involves protecting and monitoring 40,000 devices accessed by 36,000 users.
"In a healthcare environment, everything from sterile washers, MRI scanners, medical kiosks, patient monitoring systems through to the chief executive's iPad, all need to be classified correctly and monitored," said HIS senior client devices engineer Peter Ward.
"If the organisation inadvertently identifies a patient monitoring system incorrectly as a rogue device, and subsequently blocks it, that is potentially life threatening."
CounterACT would allow the organisation to see which devices were connecting to the network while maintaining endpoint compliance without causing service disruption, he said.
All devices would be assessed for security-worthiness by policy when they connected to the network form a central location.
As well as eliminating IPS false positives the HIS believed using network access control design would also save money in terms of admin time.
"Some NAC suppliers never made it past this first stage, as they didn't grasp the technical and cost implications of these two basic requirements," said Ward.
Other requirements included that the NAC must work in an agentless fashion (i.e. without each device requiring software), and the ability to integrate with the organisation's VPN, asset management and patching system.
Other NAC systems equipment looked included Cisco, Juniper, Bradford Networks, Symantec, Novell, McAfee and Sophos.
The deployment began last July and was up and running within two weeks, the organisation said.