NHS Dumfries and Galloway spotted its vulnerability to last year's shock Heartbleed SSL flaw in the early days of using Qualys's Cloud cloud-based vulnerability management system, the organisation has said.
The organisation signed up to the service as part of a plan to move to continuous software vulnerability detection and management for its diverse network of 3,500 computing and medical devices.
The first network scan uncovered 10,500 of the most urgent ‘level 5’ vulnerabilities and 23,000 critical ‘Level 4’ vulnerabilities the authority had not been aware of which its IT team was now working to eliminate. The cloud-based nature of the service allowed managers to keep up with the progress of this patching as well as find detect the Shellshock flaw later in the year.
Qualys was chosen after an assessment involving a number of unnamed rivals and is now being used to carry out weekly and monthly scans able to detect vulnerabilities. The plan is to add remediation in the near future using an automated patching system.
In addition to PCs and servers, Dumfries and Galloway manages a range of medical devices, telephony systems, terminals, and a growing number of mobile devices.
The IT must support a population of 1,000 GPs with an additional 4,500 other medical staff in various locations.
“In recent years, we have seen a technology revolution in healthcare, with the number of electronic devices used by medical staff skyrocketing. Storing information digitally offers many advantages such as fast, cost-effective transfer of information between institutions involved in treating a patient, but it also increases our exposure to the risk of data breaches,” said NHS Dumfries and Galloway head of security, Andrew Turner.
“With the number of devices continuing to grow and our remit soon expanding to include IT systems for social care services, we wanted to find a way to safeguard patient data more effectively and efficiently.
“Our aim was to switch from a reactive to a proactive approach to protecting patient information,” he said.
The Qualys system also gave insight into the use of weak passwords and noticed risky guest admin or guest accounts where these were still logged into servers.
A major benefit is that the Council not longer has to use expensive external consultants, something the Council had relied on until last year.
“Not only do we save money, we are also more likely to perform these tests more often because doing so is much easier,” said Turner.
The next stage will be to develop its own custom vulnerability ratings system to better prioritise the flaws that needed fixing most urgently.