NHS majorly lacking in cybersecurity knowledge

null

The NHS has put itself at risk of suffering more major cyberattacks due to a lack of proper skills and training.

An FOI request has uncovered large disparities among NHS trusts across the country when it comes to cybersecurity protection in the health service, which could leave the service open to attacks.

The request, submitted by security firm Redscan, found that on average, NHS trusts employ only one qualified security professional per 2,582 employees, with nearly a quarter (24 out of 108 trusts) having no employees with security qualifications despite some employing as many as 16,000 full and part-time personnel.

This was in spite of trusts spending an average of £5,356 on data security training, although this did not include free in-house NHS Digital tools. Despite NHS Digital demanding that 95 percent of all staff must pass free Information Governance training every 12 months, currently only 12 percent of trusts had met this.

NHS cybersecurity

The NHS' lack of cybersecurity protection was highlighted last year after the WannaCry attack cost the service an estimated £92m. 

This led the Government to increase cybersecurity funding by £150m and also introduce a number of new security policies, however without the skills needed to utilise these properly, this may be only papering over the cracks.

“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” explained Redscan director of cybersecurity, Mark Nicholls. 

“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”