Skip to main content

NHS could face major cybersecurity threats due to lack of investment

(Image credit: Image Credit: Maksim Kabakou / Shutterstock)

Redscan has asked NHS trusts about the cybersecurity readiness of its employees and the results show lack of trained staff, lack of investment and a potential problem in hiring trained professionals.

According to a number of Freedom of Information (FoI) requests that Redscan submitted to the NHS trusts, it was found that these employ one cybersecurity professionals on more than 2,500 employees. Almost a quarter of trusts (24 out of 108) have no cybersecurity qualifications, whatsoever.

However, some have staff in the process of obtaining relevant security qualifications. Redscan believes this could be an indicator of difficulties finding and hiring trained professionals.

The FoI request also tackles investment. In the last 12 months trusts have spent, on cybersecurity and GDPR-related training, an average of £5,356. Some spent £250, others nearly £80,000. There seems to be no link between the trust’s size and its expenditure on cybersecurity training.

Many trusts spent nothing, using only NHS Digital’s Information Governance (IG) training, which is free of charge. Speaking of training, just 12 per cent of trusts have met their target of having more than 95 per cent of their staff passing IG every 12 months.

The majority of trusts trained between 80 and 95 per cent of their staff.

“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” explained Redscan director of cybersecurity, Mark Nicholls.

“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”

WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92m. The Government has subsequently increased funding for cybersecurity in the NHS by £150m, while introducing a number of new security policies. There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure, is struggling to recruit the skills it needs and must continue to refine its cybersecurity strategy across the UK.”

Image Credit: Maksim Kabakou / Shutterstock