The Cwm Taf Morgannwg (CTM) University Health Board is the local health board of the National Health Service (NHS) of South Wales. It serves about a half million people in southern Wales with three main hospitals, providing a variety of healthcare services. Thomas Evans, head of cybersecurity operations, oversees a team of six full-time staff. The hospital’s environment includes conventional IT assets such as computers, laptops, mobile devices, switches, access points, and firewalls, as well as medical devices, cameras, IoT assets, and a few vehicles, including a van that performs endoscopy scanning.
The Challenge
The biggest challenge Evans faced in securing and protecting the environment was a lack of visibility into traffic flows and assets on the network. In particular, he was concerned about legacy medical devices and IoT assets that could have unidentified vulnerabilities. “You can’t start fixing stuff or prioritizing what to remediate until you know what you’ve got,” Evans pointed out.
Some of the organization’s medical devices that are critical to hospital operations and delivery of medical care run on legacy operating systems that cannot be updated at the moment. Evans needed a way to get visibility into these EOL and EOS assets in order to get a handle on potential vulnerabilities and make decisions about whether these assets need to be remediated with patching or updates. Having visibility to understand what these assets are doing on the network and being able to segment them is important to securing the environment and ensuring continuity of care.
Continue reading to learn how Armis helped identify 65,000 to 70,000 IP-connected assets, enabled segmentation and supported compliance and audit reporting for key directives like NIS2 and GDPR.
Challenges
- Lack of visibility into traffic flows in the environment
- Securing and segmenting mission-critical legacy medical devices
- Identifying, prioritizing, and remediating a backlog of vulnerabilities in the environment, particularly IoT assets
- Complying with UK government security standards, including NIS2 Directive and GDPR
Results
- Provided visibility into how traffic and data flow across the environment
- Enabled segmentation of departments and legacy servers
- Deployed a third-party patching solution based on data from Armis
- Established a plan to remediate vulnerabilities in the endpoint estate
- Set up passive monitoring of the environment to comply with regulations
- Supported compliance and audit reporting for key directives like NIS2 and GDPR