Case Study

The Royal Orthopaedic Hospital

Cyber Threats are More Than Potential Loss of Data. They Also Can Be Matters of Life and Death

Since 1877, The Royal Orthopaedic Hospital in Birmingham, England has been at the forefront of orthopedic care, pioneering new surgical techniques and advancing treatment for people with bone and joint disorders. It is now one of the largest specialist orthopedic centers in Europe and serves patients from the U.K., Europe and around the world.

In a hospital environment the stakes are high and there is no margin for error. Ray Mian, IT Security Manager, and Ajmal Khan, IT Security Officer, are responsible for managing cybersecurity within the Hospital’s IT department, ensuring that they have the right tools, controls, and processes to protect critical networks that operate around the clock, seven days a week.

The Challenge

“We’re a stand-alone, orthopedic hospital with a 20-person IT Department,” Mian says. “Our mission is to protect patient and healthcare records and the IT infrastructure and stop the organization from being attacked by ransomware. In our environment, there are some systems which cannot go down. If there is any kind of threat in the environment, we need to know; if we don’t know, the result can be drastic.”

A big challenge for Khan and Mian was lack of visibility in the environment. “We weren’t able to identify our assets,” Mian says. “We didn’t have the tools to give us the visibility, discovery and analysis we needed to assess our security posture within the organization. That was the key weakness.”

The Solution

Khan is a security veteran with more than 20 years of experience with various solutions, including SIEM, so he knew what was needed for the hospital’s security. One critical factor was real-time visibility into their environment. “We needed to scan everything in our environment to see what we had,” Khan says. “Often, what we expected to have and what we actually had when we scanned were two different things.” Khan’s focus also extended to tools that could help them investigate and automate their remediation processes.

Royal Orthopaedic Hospital implemented Rapid7 InsightVM, InsightIDR and InsightConnect solutions. “Rapid7 stuck out to us because it was easy to deploy, which is key since we’re a small security team. The products are deployed in the cloud and have all the elements that we were looking for in terms of automation, ease of deployment and capabilities,” explains Mian. “We have managed to evolve with the products in the last few months to where we are. So, they do fit nicely with our operations.”

The hospital is located on a single campus with two on-site data centers and 250 virtual servers. Royal Orthopaedic Hospital is deploying Rapid7 Insight Agents on all end user devices. “If a device goes anywhere out of our environment, we still retain the visibility of what is happening on any particular machine,” states Khan.

Richer, More Meaningful Insights

“With InsightVM we can scan all the subnets in our infrastructure and have the ability to prioritize what’s most important in terms of patching and remediation,” explains Khan. “InsightVM provides richer information with regard to the risk and prioritization of patching or remediation of vulnerabilities. So, we have more confidence that we are putting our efforts in the right place to reduce our threat landscape.”

“InsightVM helps us contain vulnerabilities in our environment with dynamic and up-to-date reporting. It helps us meet various kinds of compliance and regulatory requirements, such as the UK’s DSPT, Cyber Essentials PLUS, and GDPR.”

Khan points to another InsightVM benefit that has made his job easier. “The thing that I like about Rapid7, in particular, is that we can define goals & SLAs and create a realistic timeframe to address and track the progress. I don’t think a lot of solutions provide this kind of flexibility.”

Visibility Across the Environment

Khan and Mian have InsightIDR integrated with about 10 systems as event sources, including web application and firewalls, DNS, LDAP, DHCP, Active Directory, Cisco Identity Services Engine for profiling, DMZ assets, and end-user devices. “We look to InsightIDR to give us visibility across our environment,” explains Khan. “It provides the log aggregation and user behavior analysis, we can see various kinds of new assets that are discovered, and any new user that has logged onto the environment.”

“InsightIDR provides threat intelligence. We also get the feeds regarding any system that is inactive in our environment, look at the ingress and egress traffic patterns to find any abnormalities. Rapid7 honeypots also help identify if someone is probing the network which adds another layer of security.”

Realistic Alerts

“InsightIDR gives us real-time alerts about whatever is happening in the environment, which is really useful in detecting suspicious user or device behavior. Visibility is the key in any modern IT environment. Rapid7 provided us the much-needed visibility of our environment.”

Equally important to Khan is the knowledge that they are getting true alerts and not the false positives. “I can happily say that the alerts that come from Rapid7 are quite realistic. I’m not bombarded with the false positives so I can focus on what’s important to the Trust’s security.”

Scaling Operations with Automation

Mian and Khan are also working on automating their incident response using InsightConnect, Rapid7’s Security Orchestration Automation and Response (SOAR). They are looking to the InsightConnect Extension Library, which offers hundreds of plug-ins and pre-built workflows that they can customize to streamline the process of security automation.

Meeting the Critical Security Requirements of Healthcare Providers

Khan and Mian both agree that Rapid7 has helped them achieve their major security goals. “We needed that real-time view of our environment, what is happening, in order to stay ahead of the curve, in order to be proactive, because if we’re not, it can actually cause loss of human life, because it’s a hospital environment. Rapid7 helped us achieve our goals of visibility, staying on top of the threat landscape and meeting operational security objectives.”

“Rapid7 has a brilliant set of products, to be honest, and they are especially well suited for the healthcare sector,” concludes Khan.