Background & Overview
In 1988, Cygnet Health Care provided specialist mental health treatment, rehabilitation and support services for over 30 years. It works closely with the NHS to ensure the highest quality of care is offered to all patients.
With a dedicated care team of more than 8,800 employees, working across 150 sites nationally, Cygnet Health Care continually strives to make a positive difference to the lives of more than 3,000 individuals, through a wide range of specialist services for individuals with mental health needs and learning disabilities within the UK.
Project Requirements
As a large and diverse organisation spread across 150 UK locations, Cygnet Health Care’s IT footprint is both large and complex. It is supported by a dedicated in-house IT team, which allows Cygnet to manage its network efficiently.
Working in healthcare, Cygnet has always understood the importance of prioritising the security of patient data amongst other sensitive data. In 2018, Cygnet wanted to engage with a specialist cyber security provider to assess and review its cyber security controls and current security posture.
Specifically, Cygnet was looking to stay ahead of the security battle by conducting a comprehensive assessment of its security to understand what was needed to remain secure, given the increased complexity of threats and the size of its estate, which has grown by acquisition.
The Solution
The first phase was to baseline Cygnet’s current security posture, to review and understand existing security processes, technologies & controls.
To do this, CyberOne conducted various security assessments and consultancy projects to provide a holistic and objective grading of Cygnet’s current security controls. Additional penetration tests and vulnerability scans were performed to uncover any critical security exposures in Cygnet’s network.
From this baseline, CyberOne was able to provide a graded programme of improvement, which broadly fell into three core activities:
- Programme of identified improvements across Cygnet’s people, processes and technologies, prioritised by risk based on CyberOne's review & identified recommendations.
- Ongoing penetration testing/vulnerability scans validate improvements, identify new vulnerabilities, and drive a continual programme of testing, improvement, and review to ensure the highest levels of security governance are maintained.
- Elevate Cyber Essentials certification to Cyber Essentials PLUS. While Cyber Essentials certification provides a good baseline, Cyber Essentials PLUS provides a higher security bar. It will become a requirement for NHS suppliers to achieve the highest level of accreditation.
The identified programme of improvements and ongoing security assessments would ensure Cygnet was employing best-practice security processes and conducting ongoing assessments to identify and address any new cyber security risks.
Benefits & Big Wins
- Understanding current security posture: CyberOne helped Cygnet realise its security status and addressed any vulnerabilities it discovered to protect it from potential risks.
- Level of risk defined: Cygnet gained an objective understanding of the risks faced, specific to their business, and their security priorities.
- Ongoing security programme: An improvement programme and ongoing security assessments have provided Cygnet with a comprehensive security toolset and a robust programme to assess and improve security regularly.