An open and collaborative risk-based approach, coupled with broad technical experience, helped Digital Health & Care Wales validate their cyber security best practice.
The Background.
Digital Health and Care Wales (formerly known as NWIS) are a relatively new Special Health Authority, tasked with driving the digital transformation needed for better health and care in Wales. Following recent digital investment, the authority plays a leading role in delivering a range of national programmes needed for modern technology-enabled healthcare.
Key responsibilities include:
– Mobilising digital transformation and ensuring high quality care
– Expanding access to the Digital Health and Care Record
– Delivering high-quality digital services
– Enabling big data analysis for better outcomes
Digital Health and Care Wales came to us because they wanted an in-depth and independent review of four technology areas – Security Monitoring, Vulnerability Management, Secure File Share and Security Software Development. Our task was to review the technology areas against appropriate cyber security methodologies, perform a gap analysis and provide a roadmap of recommended improvements.
The Challenge.
The situation was that Digital Health and Care Wales had a good understanding of what the cyber security challenges were, they just needed some independent validation and assistance in how to approach them pragmatically.
We also noted that there were several broader business drivers related to compliance requirements which needed to be satisfied (ISO 27001, NISD), so the recommendations needed to clearly align with these additional factors.
The Solution.
We started the engagement with a discovery process and began by reviewing all of technical, process and procedural documentation that was provided for each of the technology areas. This enabled us to understand the technology as described in the context of the IT estate and to choose appropriate cyber security frameworks to measure against.
The documentation was used to prepare sets of structured questions that were used to guide a series of workshops and interviews. Armed with all of this information, our consultants began analysing the data and identifying any areas of risk and opportunity. There was regular collaborative contact during the process to ensure that the work was in line with expectations.
The next step was to structure the findings in a consistent, readily digestible manner. During this process, some common elements and themes became apparent, so the scope was increased to demonstrate how each area of technology addressed higher level business requirements.
For each technology area, the final report provided:
an overview of associated methodology
a prioritised risk-based gap analysis
road-mapped recommendations for potential reconfigurations, scope increase, or alternative solutions needed to cover the gaps.
Additionally, an overarching alignment to the risks being addressed by each area was provided to help align the technology initiatives with business and compliance drivers.
The Value.
Digital Health and Care Wales really liked our approach and ways of working. In many cases the processes and initiatives were already in place but needed some validation and pragmatic initial direction from an expert third party to endorse that thinking and confirm that they were on the right lines.
Knowing the organisation’s broader compliance requirements, we made sure to cross reference and align any findings, accordingly, even identifying specific compliance clauses for each technology initiative.
As a value-add, we took the overarching risk identification themes and presented them visually to provide a high-level mapping of the business drivers, security initiatives and specific technologies. The mapping made it much easier for Digital Health Wales to understand which strategic requirements were being addressed, and to demonstrate the progress being made to senior stakeholders.
During this engagement, we were able to add real value through a combination of utilising our risk-based approach, our broad technical experience and our open and collaborative contact with the organisation’s staff to really identify the key themes that would help them move forward.
Our technical knowledge, coupled with a solid understanding of what the customer was trying to achieve, meant that we could swiftly work though their requirements, concerns and validation of existing plans and practices. We were able to conclude this piece of work by providing a tailored and well-informed report and plan of attack moving forward.
“Net Consulting were under a very tight deadline, given the fact we needed to complete this piece of work within the financial year. They performed at a significant pace, were very reactive and agile, and never once let their high level of standards slip.“
Jamie Graham
Head of Cyber Security