About Birmingham Community Healthcare NHS Foundation Trust
Birmingham Community Healthcare NHS Foundation Trust (BCHC) is a typical NHS Trust, with thousands of employees working in over one hundred sites across a large city – in this case Birmingham.
BCHC provide high quality community and specialist services within Birmingham and the West Midlands. Delivering over 100 clinical services, in patient homes and across 200 hospitals, health centres and clinics. They provide services for adults, children, people with learning disabilities, those with rehabilitation needs and dental services.
The disparate nature of the workforce and the IT landscape made it extremely difficult for BCHC’s IT team to implement an effective cyber security strategy, this was compounded by a lack of internal knowledge or training in cyber security.
Furthermore, the Trust’s IT team had an unwavering precedence to deliver IT services that enables its clinicians to provide patient care, meaning cyber security was not the Trust’s highest priority.
This sizeable challenge was in the shadow of the infamous WannaCry ransomware attack that bought other NHS Trusts across the UK to a standstill in 2017. It resulted in the cancellation of thousands of appointments and operations, and the frantic scramble to continue NHS services with pens, paper and employees’ own mobiles and laptops. Ever since, there’s been widespread acknowledgement that the NHS was suffering from a cyber security crisis. With responsibility for tackling cyber security down to each Trust, BCHC needed to devise its own cyber defence, and continue to support imperative front line IT services.
BCHC’s Head of IT, Gerard Kilgallon, said “Ever since WannaCry in 2017, the Trust’s Board of Directors and I recognised we needed to up our game in regard to cyber security and give it the resource it demands”.
To kick off the project for BCHC, following a period of fact-finding, assessment, audit and solution design, a ‘proof of concept’ was ran for a number of weeks. Allowing the Trust to see and test the proposed CyberGuard solution.
Simultaneously, a Critical Incident Response Service was set up for the Trust. Enabling our Security Operations Centre (SOC) to investigate, react and remediate any threats at source; starting the pro-active protection of the Trust’s systems and data.
The proof of concept irrefutably demonstrated that the CyberGuard solution could be integrated with the NHS’s complex infrastructure to ensure visibility, and therefore detection, of threats against their infrastructure from both an internal and external point of view.
Soon after, we expanded the scope of the SIEM solution (Security Information & Event Management). This provided us with a clear picture of any threats to the Trust, along with possible attack vectors, so that a response can happen accordingly on their behalf. CyberGuard performed a CREST-approved internal and external penetration test on both the standard internet line and on the Trust’s Health and Social Care Network (HSCN) connectivity, identifying specific flaws and weaknesses needing a solution.
Gerard said: “The proof of concept went as well as it possibly could have, the process of integrating new systems and protocols was managed seamlessly”.
Over a year on from the beginning of the partnership, our responsibility for BCHC’s cyber security has developed to include a suite of security services and TTPs (tactics, techniques and procedures).
The benefits to BCHC are:
Usability- With all cyber-security needs being taken care of with CyberGuard, BCHC no longer need to worry about any future cyber-attack.
Reliability- Our SOC allows for constant threat detection, meaning a solution for any future cyberattacks can be implemented as soon as it happens, protecting all of BCHC’s data.
Futureproof- With technology designed to be used now and, in the future, BCHC can be confident in their solution.
“Previously, when completing the Trust’s Data Security Protection Toolkit (DSPT) submission, it was a challenge to tick all of the boxes regarding cyber security,” reflected Gerard. “Now, the department works well within the spirit of the DSPT and I can confidently assert we’re meeting the criteria thanks to our CyberGuard solution.