A leading provider of private healthcare in the UK, with 38 hospitals and over 3,700 consultants, Spire Healthcare needed to enhance application security as more of its services moved online. Spire, which holds highly sensitive patient data and works with partners including the National Health Service (NHS) and major insurers, also had to demonstrate to stakeholders that its security was best-in-breed and could be trusted. In 2016, it turned to F5 and Silverline (F5’s cloud-based, managed application services platform).
As Spire developed more customer-facing digital services, such as its MySpire portal for booking appointments, viewing personal information and making payments, it was also putting more sensitive patient data online.
With the risk profile increasing, the technical team found itself lacking critical information about user behavior. The existing system could not show which devices customers were using to connect to Spire’s services, or when they were connecting in an insecure way. This lack of visibility held back important security upgrades.
“For example, we couldn’t make a decision to restrict access over SSLv3, because we didn’t know if there were users connecting on devices that wouldn’t support TLSv1.0,” Rob Sissons, Technical Operations Manager, recalled.
As well as lacking the information to make crucial technical changes, the IT team often found itself unable to respond to queries from within the business about data security. It also had to prepare for the audits that major insurers and the NHS, both of which routinely refer patients to Spire, conduct to satisfy themselves that their data is being stored securely.
Seeking to improve the security of its digital services without inhibiting customers’ ability to access them, Spire decided to seek out a managed service provider for application security.
To meet its evolving security needs, Spire opted to implement F5® Silverline® Web Application Firewall (WAF) and F5® Silverline® DDoS Protection as managed services, with round-the-clock support from the Security Operations Center (SOC), F5’s hub of customer-facing security specialists.
“The SOC is what really pays dividends for us,” Sissons commented. “It gives us the confidence that, when we implement a change, we have a knowledgeable second pair of eyes scrutinizing it. Quite often, we then get recommendations back from the team about how to optimize what we are trying to do.”
The SOC team has become an integral part of how Spire develops and implements new applications, including those from third-party developers. Spire builds WAF policies by starting from a blank template and then allowlisting only the legitimate traffic that repeated testing flags as false positives.
“When we request something to be opened up, the SOC will double-check what we’re proposing,” Sissons explained. “Niche clinical applications aren’t always as secure as they should be. On a few occasions, F5’s input has led to us going back to third-party software developers to point out issues with their applications.”
In the time Spire has been working with F5, its application ecosystem has continued to diversify and become more complex. This includes incorporating APIs that allow insurers to refer patients and transfer their details more easily. Silverline provides the security that allows Spire to continuously develop and enhance the digital services it offers for its customers, consultants, and key partners.
With the support of the SOC, Silverline services have also helped Spire to implement a level of application security in keeping with the sensitive data it stores, and to respond rapidly to occasional major incidents.
Furthermore, Silverline supports the evolution of Spire’s overall security policies by providing visibility and data on user behaviour that the IT team uses to refine them. It also gives a detailed picture, which previously did not exist, of how customers access Spire’s services.
“As an example, for TLS hardening, the Information Security team has relied heavily on the data Silverline provides about the connections that are coming through, and where insecure connections are coming from,” Sissons said.
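The decision described above (can we turn off SSLv3, or raise the floor further, without locking out real users?) comes down to tallying negotiated protocol versions and identifying which clients sit below the proposed minimum. The following is an added example written for this page, not Spire’s or F5’s code, and the comma-separated connection records it parses are a constructed format, not Silverline’s export. It generalises the SSLv3/TLSv1.0 question to any minimum version, and it reports unrecognised version strings separately rather than silently treating them as safe.

```python
"""Summarise negotiated TLS versions from connection records and estimate
which clients a minimum-version policy would lock out.

Added example: the record format below is constructed for illustration and
is not Silverline's log or export format.
"""
from collections import Counter, defaultdict

# Rank of each protocol version; anything ranked below the chosen floor is rejected.
VERSION_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed sample data, one connection per line:
# timestamp,client_ip,negotiated_version,cipher,user_agent
SAMPLE_LOG = """\
2016-06-01T08:00:01Z,203.0.113.10,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,Mozilla/5.0 (Windows NT 10.0)
2016-06-01T08:00:05Z,203.0.113.11,TLSv1.0,AES256-SHA,Mozilla/5.0 (Windows NT 5.1)
2016-06-01T08:00:09Z,198.51.100.7,SSLv3,RC4-SHA,Java/1.6.0_45
2016-06-01T08:00:12Z,203.0.113.10,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,Mozilla/5.0 (Windows NT 10.0)
2016-06-01T08:00:20Z,198.51.100.7,SSLv3,RC4-SHA,Java/1.6.0_45
2016-06-01T08:00:31Z,192.0.2.44,TLSv1.1,ECDHE-RSA-AES128-SHA,Mozilla/5.0 (iPhone; CPU iPhone OS 7_1)
2016-06-01T08:00:40Z,192.0.2.45,TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,Mozilla/5.0 (Macintosh)
2016-06-01T08:00:44Z,203.0.113.12,garbled,,curl/7.19
"""


def parse_connection_log(text):
    """Parse the constructed CSV-style lines into dicts, skipping blank or
    malformed lines. The user agent is the last field, so splitting at most
    four times keeps any commas it may contain intact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", 4)
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the whole report
        ts, ip, version, cipher, agent = parts
        records.append({"ts": ts, "ip": ip, "version": version,
                        "cipher": cipher, "agent": agent})
    return records


def count_by_version(records):
    """Number of connections that negotiated each protocol version."""
    return Counter(r["version"] for r in records)


def impact_of_minimum(records, minimum="TLSv1.2"):
    """Clients (ip, user_agent) that would be refused if the server accepted
    only `minimum` or newer, with the number of their affected connections.
    Unknown version strings are reported under 'unknown' so they are never
    counted as safe by accident."""
    floor = VERSION_RANK[minimum]
    locked_out = defaultdict(int)
    unknown = defaultdict(int)
    for r in records:
        key = (r["ip"], r["agent"])
        rank = VERSION_RANK.get(r["version"])
        if rank is None:
            unknown[key] += 1
        elif rank < floor:
            locked_out[key] += 1
    return {"locked_out": dict(locked_out), "unknown": dict(unknown)}


def share_below(records, minimum="TLSv1.2"):
    """Fraction of connections with a recognised version that fall below the
    proposed floor; 0.0 when there are no recognised versions at all."""
    known = [r for r in records if r["version"] in VERSION_RANK]
    if not known:
        return 0.0
    below = sum(1 for r in known if VERSION_RANK[r["version"]] < VERSION_RANK[minimum])
    return below / len(known)


if __name__ == "__main__":
    recs = parse_connection_log(SAMPLE_LOG)
    print(count_by_version(recs))
    for floor in ("TLSv1.0", "TLSv1.2"):
        report = impact_of_minimum(recs, floor)
        print(f"minimum {floor}: {share_below(recs, floor):.1%} of connections rejected")
        for (ip, agent), n in report["locked_out"].items():
            print(f"  would lock out {ip} ({agent}): {n} connection(s)")
        for (ip, agent), n in report["unknown"].items():
            print(f"  unrecognised version from {ip} ({agent}): {n} connection(s)")
```

Run over the constructed sample, a floor of TLSv1.0 (that is, dropping SSLv3 only) affects a single client, the Java 1.6 integration, while a floor of TLSv1.2 also catches the Windows XP-era browser and the old iOS device; that per-client view is what turns "some connections are insecure" into a concrete list of who to contact before the change.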
Another significant Silverline benefit is the ability to deal with active threats to Spire’s network. During a recent and significant DDoS attack, the SOC actively participated in the response, providing information on the source of the attack, and participating in discussions with Spire’s Internet Service Provider. “With a large-scale attack like that, it’s fast-moving and you are investigating as it happens,” Sissons recalled. “We had an open channel of communication with the SOC throughout, they were with us on calls, and provided invaluable support.”
On an everyday basis, Spire remains confident that expert members of the SOC are always available. “At very short notice we can get really skilled people on the line as part of the managed service,” Sissons added. “There’s nothing we’ve ever requested that the SOC hasn’t been able to do.”
Silverline is also having a positive impact on Spire’s wider ecosystem. Patient referrals from third parties are an important part of its business model, and the presence of F5 as a managed service provider has helped to reassure these partners that data security policies and protections can meet exacting standards. Silverline has even been part of the response to audits by insurance partners, as well as the security toolkit that is a precondition of joining the NHS’s Health and Social Care Network (HSCN). “It’s good for us to be able to say in an external audit that we have a specialist security team protecting these services,” Sissons added.