Strengthening IT Security in Non-Profit Healthcare: KARE’s Cyber Security Journey

Background

KARE is a registered charity in Ireland that provides support to individuals with intellectual disabilities. With over 680 staff members, KARE operates across multiple locations, relying heavily on IT infrastructure to support its mission. Recognising the increasing risks of cyber threats in the healthcare and non-profit sectors, KARE took proactive steps to assess and enhance its cyber security posture.

The Growing Cyber Threats to Healthcare and Non-Profits

Healthcare and non-profit organisations are prime targets for cybercriminals due to their reliance on sensitive personal data, legacy IT systems, and often limited security resources. According to a 2023 report by IBM, the healthcare sector experienced the highest average cost of a data breach at $10.93 million per incident—a 53% increase since 2020 (IBM, 2023 Cost of a Data Breach Report). Similarly, non-profit organisations face growing threats, with 44% of charities reporting cyberattacks in 2022, mainly through phishing and ransomware (UK Charity Commission, 2022).

The Challenge: Securing a Vulnerable Sector

In early 2021, KARE engaged CommSec to conduct a cyber security assessment, identifying key vulnerabilities and necessary improvements. During this period, the devastating HSE Conti ransomware attack in May 2021 underscored the sector’s vulnerability. The attack disrupted Ireland’s Health Service Executive (HSE) systems, causing months-long service delays and highlighting the urgent need for robust cyber defences.

Denis Clancy, IT Manager at KARE, recalls:
“Upon completion of the security assessment, CommSec provided us with clear recommendations to improve our IT security and align with the Cyber Essentials framework.”

The Solution: A Proactive Security Approach

The HSE cyberattack was a wake-up call for many organisations, pushing IT security to the top of executive agendas. With the support of the KARE Board, the organisation prioritised implementing CommSec’s recommendations.

KARE deployed CommSec Business Secure and Sophos Managed EDR (Endpoint Detection & Response), providing a layered security approach that included:

  • IT Asset Inventory – Visibility into all hardware and software across the organisation.
  • Threat Detection & Response – Continuous monitoring to identify and mitigate threats.
  • Anti-Ransomware & Anti-Virus Protection – Defence against emerging malware threats.
  • Patch Management – Automatic updates to prevent vulnerabilities from being exploited.
  • Access to Cyber Security Experts – 24/7 support for rapid incident response.

Denis explains the impact:
“The solution gave us a comfort blanket of sorts. We know our endpoints and devices are being monitored for any suspicious activity, and we now have visibility on software versions and security patches across our estate. It also provides access to security subject matter experts when something goes wrong.”

Tangible Benefits: Enhancing Security and Efficiency

One of the major security gaps in many organisations is delayed patch management, which leaves systems exposed to cyber threats. A 2023 report by Ponemon Institute found that 57% of breaches could have been prevented with timely patching (Ponemon Institute, 2023).

With CommSec’s Business Secure solution, security updates are now automatically pushed to endpoints and servers, ensuring that vulnerabilities are swiftly addressed without manual intervention. Denis highlights:
“Now that the controls are in place, we can easily identify and take care of any device that needs to be updated.”

Additionally, KARE benefits from monthly cyber security reports, reducing the IT team’s workload and providing management with clear insights into risk trends, remediation efforts, and security improvements.

Looking Ahead: Towards Cyber Essentials and ISO 27001 Certification

As KARE continues to enhance its cyber security framework, the organisation is considering formal certification to Cyber Essentials—a recognised standard for improving security controls in organisations handling sensitive data.

Denis outlines the next steps:
“With the help of CommSec, aligning with the Cyber Essentials framework is attainable for any organisation. We are now considering taking it a step further by formally certifying and improving our security controls as a stepping stone to ISO 27001 accreditation.”

Conclusion

KARE’s cyber security journey reflects the growing need for non-profit and healthcare organisations to proactively defend against cyber threats. By investing in continuous monitoring, automated patching, and expert support, KARE has strengthened its security posture, ensuring the protection of sensitive data and critical services.
