NHS informatics service ditches aging IPS for network access control

Sussex Health Informatics Service monitoring 40,000 devices

The NHS's Sussex Health Informatics Service (HIS) has completed a major migration project that saw it move from an Intrusion Prevention System to a new security design based around ForeScout's CounterACT network access control.

The giant IT service said it had taken the decision last year after dissatisfaction with the number of false positives generated by the aging IPS, which was proving too "reactive."

Although such a system would have been due for replacement in time, the decision also marks a change in security architecture, from a perimeter model to one based on real-time device control according to policy.

The problem for such a huge organisation is the vastness and diversity of the devices that access its network, covering 11 NHS Trusts, GP surgeries and other organisations on 500 sites. That involves protecting and monitoring 40,000 devices accessed by 36,000 users.

"In a healthcare environment, everything from sterile washers, MRI scanners, medical kiosks, patient monitoring systems through to the chief executive's iPad, all need to be classified correctly and monitored," said HIS senior client devices engineer Peter Ward.

"If the organisation inadvertently identifies a patient monitoring system incorrectly as a rogue device, and subsequently blocks it, that is potentially life threatening."

CounterACT would allow the organisation to see which devices were connecting to the network while maintaining endpoint compliance without causing service disruption, he said.

All devices would be assessed for security-worthiness by policy when they connected to the network from a central location.

As well as eliminating IPS false positives, HIS believed that using a network access control design would also save money in terms of admin time.

"Some NAC suppliers never made it past this first stage, as they didn't grasp the technical and cost implications of these two basic requirements," said Ward.

Other requirements included that the NAC must work in an agentless fashion (i.e. without each device requiring software) and must be able to integrate with the organisation's VPN, asset management and patching system.

Other NAC systems looked at included Cisco, Juniper, Bradford Networks, Symantec, Novell, McAfee and Sophos.

The deployment began last July and was up and running within two weeks, the organisation said.
