Case Study - The Medical Specialist Group

Background

The Medical Specialist Group (“MSG”) has been operating for over 30 years, providing important secondary healthcare for the Bailiwick of Guernsey. They have a staff of 180, consisting of approximately 55 specialist consultants, a team of nurses and support staff.

In December 2021, the MSG was subject to a cyber incident, which soon became publicly known. Whilst the incident was contained through assistance of various external parties, it highlighted some matters that the MSG needed to consider.

We reached out to the MSG to offer to help them evaluate their cyber risk exposure, on the understanding that gaps in the effectiveness of their cyber risk governance were to be expected.

We were engaged by the MSG because we are an independent company that understands risk and could approach the engagement from a highly objective, non-technical perspective. We subsequently began working with the MSG’s senior management, IT team and external vendors to undertake a detailed cyber risk assessment.

The physical

The assessment was conducted over a period of 10 working days against:

The analysis work included:

  • interviews with staff and vendors;

  • review of policies and procedures adopted by the MSG; and

  • review of other documents to support the assessment.

All information and evidence gathered was recorded into our specialist assessment tool to make the assessment process as straightforward as possible.

The diagnosis

The output of the assessment was detailed in a report which we presented to the MSG. The report highlighted where gaps existed against the NIST CSF framework and the CIS best practice, gave a clear analysis of the areas that needed attention with a risk-based prioritisation, and noted that once these were actioned, the majority of the gaps we identified would be closed.

The report noted the MSG would benefit from:

  • reducing levels of residual risk;

  • strategic investment, both financial and organisational, in appropriate services and technology to underpin its business operations; and

  • enhancing governance to enable management to oversee cyber risk effectively as part of its over-arching risk management program.

The operation

The report detailed risk reduction actions to address the risk-based areas which had the highest potential impact upon the MSG.

By addressing the matters highlighted in the report, the MSG would:

  • have an enhanced cyber risk governance demonstrating a structured approach to cyber risk management in the business;

  • be operating an IT function under best practice; and

  • be in a good position to meet its business objectives, which include the ongoing protection of client data.

We managed an intensive four-month project of remediation works to transform their cyber risk position and embed effective cyber risk management and governance within the business. The project covered the following workstreams:

  • Resourcing

    • Managed IT vendor selection process to identify an appropriate vendor to deliver the MSG requirements.

  • Governance

    • Developed a cyber risk management framework, undertook a refresh of IT and cyber security policies, defined and guided the implementation of a clear vendor management process and ensured the documentation of controls and procedures.

  • Cyber monitoring

    • Defined the MSG requirements to ensure management teams would have the appropriate management information to manage cyber risk effectively.

  • Cyber security training and awareness

    • Ensured an appropriate ongoing training solution was selected and embedded within the business.

  • Cyber incident preparation

    • Developed a clear plan for all stakeholders to consider, resolve and recover from a cyber incident, including roles and responsibilities and draft communications for PR purposes.

Our work on the vendor selection to find a suitable technology partner was extensive, including the elicitation and documentation of the MSG requirements, identifying suitable potential vendors across the Channel Islands and the UK, and managing the whole tendering process, including all tender documents, tender responses and evaluation. We were also the MSG’s main point of contact with all the vendors, enabling MSG staff to maintain BAU activities. We prepared the cost-benefit analysis and ensured the senior management team was presented with a clear review of all the work undertaken and our recommendations.

Jon Buckland, Chief Executive of the MSG, said:

“The CentricalCyber Team offers a personalised service and very quickly established a close working relationship with the MSG team. We had regular weekly progress meetings which meant that we were able to adopt a collaborative approach and deliver at pace.”

Post-op

At CentricalCyber, we’re currently exploring how we can further work alongside other non-regulated organisations who, like the MSG, take their data protection, cyber risk and reputation seriously.

Project Duration:

Gap analysis: 10 working days

Remediations: 4 months
