Challenge
Traditional architecture based on VPN and firewalls couldn’t keep pace with operations at a modern healthcare organization
Results
Displaces legacy perimeter security architecture with a unified, comprehensive zero trust platform
Ensures seamless, reliable, secure connectivity for approximately 4,000 users in a hybrid work environment
Eliminates VPN appliances to shrink the attack surface and better protect private and patient data from critical VPN vulnerabilities
About Pennine Care NHS Foundation Trust
Provides mental health and learning disability services across Greater Manchester
Industry:
Federal and Government
Headquarters:
Manchester, UK
Size:
88 patient care locations
Case study details
Shifting the old security paradigm with a zero trust model
Providing outstanding—and safer—care for a population of more than 1 million residents requires a more innovative approach to cybersecurity. With an outdated perimeter security architecture creating barriers to efficient care and greater risk to patient data, Pennine Care NHS Foundation Trust chose to displace legacy hardware and appliances with the cloud native, multitenant Zscaler Zero Trust Exchange™.
"We realized that we had an old-school security mentality," said Mike Culshaw, CTO at Pennine Care NHS Foundation Trust. "Embracing zero trust helped us shift that paradigm. Zscaler has empowered true, transformational change for us."
Zscaler breathes new life into a tired security architecture
According to Culshaw, a tired network infrastructure built around legacy security appliances was simply not compatible with the way a modern healthcare organization needs to operate. “Our entire infrastructure was nearing end-of-life, so this presented an opportunity for us to radically modernize,” Culshaw elaborated.
Pennine Care collaborated with Virgin Media Business (VMB) to manage its cloud-first transformation. VMB, a valued member of the Zscaler partner ecosystem, recommended that Pennine Care adopt the Zscaler platform as the foundation for its zero trust security architecture.
Deep integrations with Microsoft presented another compelling reason to choose Zscaler, since Pennine Care is—as Culshaw describes it—a "Microsoft house." Zscaler delivers zero trust security and provides seamless integration with Microsoft 365, including one-click setup, traffic visibility for bandwidth prioritization, and an improved user experience. For securing and managing corporate and BYOD mobile endpoints, Zscaler integrates with Microsoft Entra ID and Microsoft Intune to provide endpoint posture control enforcement. And integration with Microsoft Defender for Endpoint helps protect against ransomware and other sophisticated cyberthreats.
“We wanted a cloud native, comprehensive zero trust security platform that could reduce our technology estate, improve user experience, increase operational efficiency, and bolster our security posture,” recalled Culshaw. “The Zero Trust Exchange helped us achieve our goals. It’s also been the easiest platform I’ve ever deployed and managed, including the automated integrations with our Microsoft solutions.”
Protecting a hybrid workforce with zero trust security
Approximately 4,500 staff provide care services from locations across Greater Manchester. These care providers need the flexibility to work from anywhere, and a legacy Cisco network stacked with traditional firewalls and proxy solutions wasn’t making remote work particularly efficient.
Zscaler Internet Access™ (ZIA™) enables secure connections to the internet and SaaS applications across Pennine Care facilities, as well as remotely. The Zero Trust Exchange displaces legacy point products as a better way to broker outbound connections.
Users enjoy direct-to-internet access while the comprehensive Zscaler platform includes functionality for cloud firewall protection, URL filtering, TLS/SSL inspection, and advanced threat protection. Zscaler delivers zero trust connectivity as a service from the edge via more than 150 data centers strategically located around the world. This eliminates the need for organizations to backhaul all of their traffic to a central data center and maximizes user experiences. The Zscaler platform gives Culshaw greater confidence that Pennine Care is providing a safer and more productive hybrid environment.
That confidence has even led Pennine Care to recruit outside Greater Manchester, since many roles can be accomplished remotely. “With Zscaler, I know we can provide safe and reliable internet connections anywhere in the UK,” said Culshaw. “Because remote users are protected by the same zero trust security measures in place at our facilities, we can cast a wider net when recruiting for the best care providers.”
Securing patient data with the Zero Trust Exchange
Remotely accessing electronic patient records (EPRs) had become a significant challenge for Pennine Care providers working across community locations. Using a VPN solution to access EPRs across data centers was unreliable and risky because traditional VPN appliances inherently create a wider attack surface.
“Care providers struggled to reliably access EPRs in the field,” said Culshaw. “Sometimes, they would print and carry records they’d need for patient visits. We wanted a better way to safeguard patient data while also providing efficient care from remote locations.”
Zscaler Private Access™ (ZPA™) provides zero trust protection for Pennine Care private applications, as well as essential EPRs. Private applications—hosted across Microsoft Azure, a supplier’s private cloud, and on premises—are all hidden behind the Zero Trust Exchange and never exposed to the internet, minimizing the attack surface. Connecting users directly to the resources they need, rather than to the network as a whole, prevents lateral threat movement. User identity and device posture verification, along with inline traffic inspection, also help stop compromise before an inbound connection is made.
“We used to connect users to the open network with limited control around private resource access,” shared Culshaw. “Now, we securely connect users directly to applications. With Zscaler, we’ve achieved greater control over private resource access, greater visibility into those access attempts, and a better security posture.”
Zscaler technology removes barriers to better patient care
Providing a seamless and positive user experience for staff is a top priority at Pennine Care. “If our care providers are struggling with connectivity issues, they can’t give patients their full attention and energy,” explained Culshaw. “I want to identify and address user issues before they become a barrier to patient care.”
Zscaler Digital Experience™ (ZDX™) enables Culshaw and his IT team to monitor and optimize the user experience across all Pennine Care physical and remote locations. Zscaler provides end-to-end visibility from user to application, meaning Culshaw has a comprehensive view across devices, networks, and applications.
Zscaler simplifies administration and enables faster issue identification and resolution—often before an issue noticeably impacts staff workflow. “Help desk support requests have dropped by 30% since deploying ZDX as part of the Zero Trust Exchange,” Culshaw shared.
Further evidence that user satisfaction is on the rise comes from the latest national NHS staff survey: Pennine Care was ranked as the best place to work out of all the mental health and learning disability trusts in North West England.
Making better decisions for today and tomorrow with Zscaler
Built-in dashboards on the Zero Trust Exchange give Culshaw greater visibility into user behavior. “We had very limited visibility and next to zero reporting capabilities before Zscaler,” explained Culshaw.
Leveraging the visibility and insights gained through the Zscaler platform helps Culshaw better advise Pennine Care leadership about operational issues, including equipment procurement. For example, Zscaler-driven intel helped Culshaw identify an obscure issue with older docking stations causing frequently dropped connections. Culshaw made the case for replacing them with new, more energy-efficient screens featuring built-in docking—both resolving the original problem and supporting sustainability efforts.
Culshaw recently deployed Zscaler Risk360 for even greater risk awareness. This comprehensive quantification and visualization framework provides a holistic, data-driven assessment of the top risk drivers at Pennine Care, allowing Culshaw’s team to prioritize remediation efforts more strategically. A diverse range of automated reporting capabilities also helps them communicate more effectively about cyber risk with Board of Directors members and other stakeholders, without adding to their administrative overhead.
“Through the Zscaler platform, I have a better understanding of our security posture today,” said Culshaw. “I also have richer insights about issues I need to have on my radar tomorrow.”
Less complexity and a stronger security posture with Zscaler
The multitenant Zero Trust Exchange is purpose-built for easy management, enabling Pennine Care to achieve a more robust security edge with less administrative overhead, a lighter tech stack, and at a lower cost.
In a single three-month period, Zscaler processed more than 884 million transactions and nearly 52 TB of traffic for Pennine Care, preventing 20 million policy violations and blocking more than 24,000 security threats. Zscaler assists in stopping around 6,000 cyberattacks monthly. Because Zscaler automates these mitigations, human intervention isn’t required—meaning staff time can be directed toward other mission priorities.
As an example, mitigating phishing attacks related to Black Friday deals and sales has traditionally been a heavy lift for the IT team each autumn. Culshaw estimates that during the most recent Black Friday time frame, the Zscaler platform saved about 2,400 hours of staff time.
Pennine Care is also saving money, in addition to time. Displacing legacy point solutions with the comprehensive Zscaler platform saves more than £300,000 annually on licensing fees that are no longer needed. Removing 100% of the VPN infrastructure also eliminated around £70,000 in hardware costs.
From ‘cyber naughty list’ to top honors on the Zero Trust Exchange
In partnership with Zscaler, Pennine Care has completely transformed its security infrastructure in a matter of months, and that transformation is garnering national attention. The organization just took home top honors for the Innovation in Cyber category at the NHS England Cyber Associates Network (CAN) Awards—winning for its deployment of the Zero Trust Exchange.
“A year and a half ago, Pennine Care was on the cyber naughty list with NHS England because we were dangerously close to not being compliant with the NHS Data Security and Protection Toolkit regulations,” Culshaw recalled. “Now, we’re recognized as a top cyber innovator in England for our zero trust approach. We could not have achieved this without Zscaler.”
Looking forward, Culshaw will continue to enhance zero trust architecture at Pennine Care with additional Zscaler solutions. He’s currently working to deploy Zscaler Data Protection to expand data loss prevention efforts.
“An outdated security architecture was preventing our organization from doing its best work,” concluded Culshaw. “Zscaler helped us shed the burden of legacy appliances, simplify our security architecture, and achieve a stronger security posture. Zscaler continues to be a true partner on our zero trust journey.”