A Lincoln medical practice with four GP partners and a team of 22 staff asked IT Support Lincoln to review their cyber security posture following a letter from their primary care network flagging concerns about shared password use and unmanaged personal devices.
The Challenge
The practice had no formal IT policy and no dedicated IT support contract. Historical decisions had been made in an ad hoc fashion: some workstations were managed by the NHS login infrastructure while others were personal machines brought in by members of staff. Password policies were inconsistent, and there was no visibility over which devices were accessing the clinical system.
The primary care network had flagged that an audit had identified the practice as having elevated risk, and the partners wanted to address this before any formal review took place. There were also practical concerns: the practice manager spent time each month dealing with account lockouts and password resets that could have been handled automatically.
Data protection obligations under both the DSPT (Data Security and Protection Toolkit) and UK GDPR made this a compliance matter as well as a technical one.
The Solution
IT Support Lincoln began with a full device and account audit, cataloguing every machine that had accessed the clinical network in the previous 90 days. Personal devices being used for work were identified and flagged; partners were given clear options for either enrolling them under a mobile device management policy or replacing them with practice-owned hardware.
Password management was addressed through Microsoft Entra ID, with multi-factor authentication enforced for all accounts accessing clinical data. Single sign-on was implemented for compatible applications to reduce password fatigue without weakening security.
A written IT and data security policy was drafted in plain language, reviewed by the practice manager, and issued to all staff with a sign-off process. IT Support Lincoln also ran two 30-minute staff briefings covering phishing awareness and how to report suspicious activity.
Automated monitoring was set up through Microsoft Defender, with alerts configured to notify IT Support Lincoln directly so the practice team did not need to interpret security dashboards themselves.
The Results
The device audit identified six unmanaged personal devices accessing the clinical network. Four were enrolled under MDM; two were replaced with practice hardware. All staff accounts were brought under MFA within two weeks.
The practice completed its DSPT submission the following month with no outstanding high-risk items for the first time in three years. The practice manager estimated that account management tasks had been reduced by around three hours per month.
- Six unmanaged devices identified and resolved within the first two weeks
- MFA enforced across all 26 user accounts within 14 days
- DSPT completed with no high-risk items outstanding
What the Client Said
"The team understood the NHS context straight away and did not try to over-complicate things. They gave us a clear picture of our risks and a realistic plan to deal with them."
Want Similar Results?
We work with healthcare and professional services organisations across Lincolnshire where data protection and regulatory compliance sit alongside day-to-day IT support. Get in touch with IT Support Lincoln to discuss how we can help your practice.