NHS informatics service ditches aging IPS for network access control

Sussex Health Informatics Service monitoring 40,000 devices

The NHS's Sussex Health Informatics Service (HIS) has completed a major migration project that saw it move from an Intrusion Prevention System to a new security design based around ForeScout's CounterACT network access control.

The giant IT service said it had taken the decision last year after dissatisfaction with the number of false positives generated by the aging IPS, which was proving too "reactive."

Although such a system would have been due for replacement in time, the decision also marks a change in security architecture from a perimeter model to one based on real-time device control according to policy.

The problem for such a huge organisation is the vastness and diversity of the devices that access its network, covering 11 NHS Trusts, GP surgeries and other organisations on 500 sites. That involves protecting and monitoring 40,000 devices accessed by 36,000 users.

"In a healthcare environment, everything from sterile washers, MRI scanners, medical kiosks, patient monitoring systems through to the chief executive's iPad, all need to be classified correctly and monitored," said HIS senior client devices engineer Peter Ward.

"If the organisation inadvertently identifies a patient monitoring system incorrectly as a rogue device, and subsequently blocks it, that is potentially life threatening."

CounterACT would allow the organisation to see which devices were connecting to the network while maintaining endpoint compliance without causing service disruption, he said.

All devices would be assessed for security-worthiness by policy when they connected to the network from a central location.

As well as eliminating IPS false positives, the HIS believed using a network access control design would also save money in terms of admin time.

"Some NAC suppliers never made it past this first stage, as they didn't grasp the technical and cost implications of these two basic requirements," said Ward.

Other requirements were that the NAC must work in an agentless fashion (i.e. without each device requiring software) and be able to integrate with the organisation's VPN, asset management and patching system.

Other NAC suppliers whose equipment was looked at included Cisco, Juniper, Bradford Networks, Symantec, Novell, McAfee and Sophos.

The deployment began last July and was up and running within two weeks, the organisation said.

