NHS Lanarkshire is the third-largest NHS authority in Scotland and cares for over 655,000 people. With three main acute care sites, 15 community hospitals, over 90 GP surgeries, and more than 14,500 staff, the trust’s IT department is responsible for a complex and disparate IT estate. With over 14,000 Windows endpoints, 900+ servers, over 200 admin accounts, and more than 300 service accounts across their systems, it was impossible to safely manage all accounts and devices manually.
Following the WannaCry attack of 2017, the Scottish Government published its Public Sector Action Plan for Cyber Security that included a range of new standards which all critical infrastructure providers were required to meet, including Cyber Essentials accreditation, and NCSC baseline standards. NHS Lanarkshire were nominated as a “Cyber Catalyst” for the NHS in Scotland to pioneer the new requirements.
A key area for improvement was privileged access, for both internal staff and the many third-party suppliers that have access to internal systems. Lack of visibility and control over supplier access through these powerful accounts was identified as a significant risk.