Challenge
The NHS Midlands and Lancashire Commissioning Support Unit (MLCSU) provides wide-ranging IT support services to Integrated Care System (ICS) groups across the Midlands, Lancashire and North-West England. Unlike Acute Trusts, which typically focus on a few large sites (usually hospitals), primary care is much more diverse. There are around 8,000 GP practices in the UK, many operating across multiple sites. This fragmentation leads to a wide range of technology, sites spread over a wide area, and surgeries with small teams that have little or no IT skills. MLCSU provides a broad range of services to approximately 200 organisations; its services range from desktop deployment and clinical systems to cyber security.
A fundamental requirement for cyber security in the NHS is the Data Security and Protection (DSP) standards set by NHS Digital. MLCSU helps its clients conform and show conformity with DSP. A vital element of the service is using ITHealth’s Assurance Dashboard, which provides a comprehensive inventory of an NHS organisation’s IT estate, revealing the security state of IT systems, software and user accounts, and highlighting potential vulnerabilities.
DSP places specific requirements on healthcare organisations around the management of user and administrator accounts. Administrator accounts are particularly sensitive because of the elevated privileges they hold on IT systems. These accounts can be used to exfiltrate sensitive patient data, interrupt services, or make it easy for ransomware attacks to strike (the NHS was one of the earliest high-profile ransomware victims when WannaCry struck in 2017). A significant part of the DSP requirements involves monitoring and managing how user accounts are created, maintained, and removed when no longer needed, especially those with elevated privileges.
When a new team member joins a practice team, the traditional process is to send a request to an IT Service Desk to provision the user’s accounts, which may be in 4 or 5 systems, including Active Directory (AD), Office365, EMIS, and/or clinical systems. This places significant demand on the Service Desk and may introduce a delay before that new team member can start work.
When someone leaves, the reverse must happen: all those accounts must be removed quickly, which is not always possible because of spikes in service demand.
In some situations, when a user needs an elevated account, a manual process is used to create a temporary login and then remove the account when it is no longer needed. Across the integrated care system group, such account management tasks happen every day. They are often urgent demands on the IT Service Desk, which impacts productivity at the GP practice and opens up potential security risks.