Protecting NHS mobile devices from cyber attacks

Find out how Trustmarque secured a network of clinical mobile devices, to deter cyber criminals and protect the NHS.

Background

This client is a large acute NHS Trust with over 10,000 staff providing compassionate care for over one million patients a year.

With recent cyber attackers targetting the NHS, now more than ever it is vital that tighter cyber security measures and training are in place to allow the continued delivery of this vital patient care.

Recent attacks on the healthcare sector have shown that cybercriminals can wreak havoc if precautions are not taken. As Mike Fell, NHS Digital’s Executive Director of National Cyber Security Operations, explained in October 2022 in an NHS statement:

“Here in the NHS, getting cyber security wrong has the potential to cause significant impacts across the health and care system.

“If a GP can’t access their system, they may not be able to share life-saving prescriptions with pharmacies or critical information with hospitals. Similarly, cyber-attacks can cause cancelled appointments and surgeries, possibly resulting in care diversion to other hospitals.

“Cyber security is as important as health and safety, and in just the same way it’s the responsibility of every person in the NHS to understand security risks and what they can do to reduce them.”

Challenge

We know that more than 90% of cyber-attacks start with email, so how can the NHS ensure their emails on mobile devices are protected?

In 2019 NHS Digital launched strict guidance that emails sent to and from health and social care organisations must meet the secure email standard (DCB1596).

The common purpose of this activity is to ensure that those dealing with sensitive and confidential information can uphold security. To attain this necessary accreditation from NHS Digital, the client enlisted Trustmarque to run an endpoint management discovery workshop, resulting in a point of contact to manage and secure the NHS data. Trustmarque then performed an independent security assessment of their networked mobile devices.

With unrestricted access to patient and hospital data sources, it was paramount the Trust was able to assess the vulnerabilities of the devices associated with their network.

Solution

Working in partnership with the client, Trustmarque helped develop the Trust’s IT strategy and device security knowledge. We facilitated the implementation of Microsoft security and modern management platforms, to which the Trust was entitled under the Microsoft N365 agreement.

Following this, Trustmarque reviewed the standards and guidance from NHS Digital and fine-tuned the Trust’s current email and mobile device configuration.

A set of actionable recommendations were then shared with the Trust regarding their cyber security posture, as well as defining a road map for improvements. Once this activity had been completed, the client was then subjected to a penetration testing exercise whereby a critical health check of the set up was performed in an artificial environment.

Outcome

The client has now successfully gained the necessary DCB accreditation, and boasts a modern endpoint management solution. Endpoint security secures you end-user devices – desktops, laptops, and mobile devices. Endpoints by use and design are access points your network. However, they also entry points that can be exploited. Through encryption and application control, endpoint security software controls and secures devices accessing your network and monitors and blocks unsafe activities.

Although the wider rollout of modern device management across personally owned devices is still yet to be signed off, the Trust has made significant headway in enrolling corporate devices in some use cases:

• Android Zebra handheld devices – 270
• ipad – system for electronic notes documentation tablets – 230
• Corporate iPhones – 60

The team plan to enroll new iPhone devices on Intune but have yet to start the migration from Airwatch or MobileIron.

Looking back on the project, the client added:

“There’s no room for hesitation or slack when it comes to cyber security and the NHS. That’s why we knew we were in safe hands with Trustmarque throughout this project and we now hold the required secure email standard (DCB1596) as a result of these swift actions.”

Why Trustmarque for your cyber security

As with any other cyber security solution, getting the right fit for you can be difficult. At Trustmarque we work with many different providers and can help you to choose which services and solutions will meet your requirements and compliance needs.

Whatever security you have in place right now we can help you prevent, protect, and recover from ransomware. To get started talk to us and arrange a call for a ransomware workshop with a Trustmarque cyber security expert.