The NHS is in crisis — no news in that statement. But a crisis in cybersecurity at the NHS, while probably not surprising, is news.
According to a series of freedom of information (FOI) requests by cybersecurity outfit Redscan, that most venerable of organisations, the NHS, employs an average of just one member of staff with professional security credentials per 2,628 employees, as it still struggles with the after-effects of the WannaCry attack.
But the requests also revealed a stark contrast between trusts. While some large trusts (with up to 16,000 employees) have no formally qualified security professionals whatsoever and have spent just £250 on cybersecurity training in the last 12 months, others have ploughed in £80,000. “A significant proportion of trusts have spent nothing on specialist cybersecurity or GDPR training for staff, requiring only that all their employees complete free Information Governance training provided by NHS Digital,” says Redscan.
Redscan also notes that “WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92 million.”
It is not all bad. Redscan says that, post-WannaCry, the government has increased funding for cybersecurity in the NHS by £150 million, while introducing a number of new security policies.
It said “There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure, is struggling to recruit the skills it needs and must continue to refine its cybersecurity strategy across the UK.”
Redscan, which specialises in penetration testing, threat detection and incident response, received responses from 159 trusts between 20th August 2018 and 22nd November 2018.
Its director of cybersecurity, Mark Nicholls, said: “These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances.
“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”
He added: “Some trusts are outspending others by a factor of twenty. I worry that this clear divide will have a significant bearing on which trusts are better prepared to prevent, detect and respond to cybersecurity incidents. In any case, the NHS must make efforts to redress this severe imbalance.”
Redscan report in more detail
The requests also found:
- Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel. Several NHS organisations that employ no qualified cybersecurity professionals reported having staff members in the process of obtaining relevant security qualifications – perhaps an indication of the difficulties hiring trained professionals.
- Trusts spent an average of £5,356 on data security training, although it’s worth noting that a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools. GDPR-related training was the most common course type procured for staff. Other training programmes cited included: BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner.
- Spending on training varied significantly between trusts, from £238 to £78,000. However, the size of each trust was not always a determining factor. For example, of mid-sized trusts with 3,000-4,000 employees, training expenditure ranged from £500 to £33,000.
- Despite NHS Digital’s mandatory information governance training requirements stating that 95% of all staff must pass IG training every 12 months, the responses revealed that, currently, only 12% of trusts had met the 95% training target and the majority of trusts had trained between 80% and 95% of their staff. A quarter of trusts had trained less than 80% of their staff (some reporting that less than 50% had been trained).
- A separate FOI request was also sent to NHS Digital, which declined to provide data on how many trusts had met its Information Governance targets, or how many IT staff and board members had completed dedicated training. NHS Digital did however reveal that 139 Trusts had now undertaken a Data Security Onsite Assessment (3). This is a marked improvement on the figure released in July 2018 (60), showing that NHS trusts are taking these assessments more seriously and that measures are being implemented at trust level.
On the other hand, the rise in the number of trusts that have undertaken a Data Security Onsite Assessment (from 60 in July 2018 to 139) is a sign that trusts are taking these assessments more seriously and that measures are being implemented at trust level.
Nicholls added: “The cybersecurity skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose.
“The figures suggest that some trusts may be lacking the budget required to adequately train their staff on cybersecurity and data protection. While this will not surprise anyone, the extent of the disparity between trusts might.”
Send it by fax
Recently, it was announced that fax machines are to be banned across the NHS.
According to Tony Pepper, CEO of Egress Software, this is another example of the poor level of cybersecurity at the NHS.
He explained: “Fax machines provide a large surface area for human error and consequently data breaches when used to transfer sensitive data, as they can’t offer assurance over how the data is picked up and used at the receiving end, or a safety net to allow for user error when dialling. When used to transfer confidential information, there is a significant risk of a data breach.”