A Redscan investigation has revealed the extent of the problems facing organisations in the healthcare industry as they struggle to defend against increasingly sophisticated cyber threats.
With attacks that target critical national infrastructure continuing to escalate, Redscan’s survey of NHS trusts reveals that:
• NHS trusts lack sufficient in-house cyber security expertise
• There is a wide imbalance in employee cyber security training and spending between trusts
• Many trusts are likely to be failing to meet training targets on information governance
Redscan’s report is based upon the findings of a three-month Freedom of Information (FOI) campaign, which surveyed more than 150 NHS trusts in the UK. Its publication follows a government pledge, made in the wake of the 2017 WannaCry outbreak, to spend an additional £150 million on cybersecurity over the next three years.
Key findings of Redscan NHS investigation
‘Trusts lack in-house cybersecurity talent’
On average, NHS trusts employ just one qualified security professional per 2,582 employees. Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel.
Several NHS organisations that employ no qualified cybersecurity professionals reported having staff members in the process of obtaining relevant security qualifications – perhaps an indication of the difficulties of hiring trained professionals.
‘Security and data protection training is patchy at best’
NHS trusts spent an average of £5,356 on data security training, although a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools. GDPR-related training was the most common course type procured for staff. Other training programmes cited included BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner.
Spending on training varied significantly between trusts, from £238 to £78,000. However, the size of each trust was not always a determining factor. For example, among mid-sized trusts with 3,000-4,000 employees, training expenditure ranged from £500 to £33,000.
Trusts ‘falling short of training targets’
NHS Digital’s mandatory information governance (IG) training requirements state that 95% of all staff must pass IG training every 12 months. FOI responses revealed that, currently, only 12% of trusts had met the >95% training target. A quarter of trusts had trained less than 80% of their staff (some reporting that less than 50% had been trained).
“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” explained Redscan Director of Cyber Security, Mark Nicholls.
“Individual trusts lack in-house cybersecurity talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”
“The cybersecurity skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose.”
Responses from 159 trusts were received between 20th August 2018 and 27th November 2018.
While the majority provided responses to all questions posed, some trusts stated that they did not hold some or all of the information requested, could not retrieve it in a reasonable timeframe (under FOI guidelines), or were unable to release data due to data privacy concerns.
NHS Digital’s Information Governance Toolkit guidelines state that at least 95% of all staff, including new starters, locums, temporary staff, students and staff contracted to work in the organisation, must complete annual IG training.
In relation to the FOI data, it is important to note that employees are trained at different intervals throughout the year, and trusts do not have to maintain their 95% target for the full year. However, it may still be cause for concern that trusts are falling so far short of training targets at certain points in the year.