NHS Trusts have on average one member of staff with professional security credentials per 2,628 employees, according to a series of Freedom of Information requests submitted by managed security services provider Redscan.
The requests showed that some large Trusts, with up to 16,000 employees, have no formally qualified security professionals, and expenditure on cybersecurity training over the last 12 months ranged from less than £250 to nearly £80,000 per trust, with no apparent link between the size of the Trust and money spent.
Mark Nicholls, Redscan director of cybersecurity, said: “These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances. Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.
“WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92m. The Government has subsequently increased funding for cybersecurity in the NHS by £150m, while introducing a number of new security policies. There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure, is struggling to recruit the skills it needs and must continue to refine its cybersecurity strategy across the UK.”
Some key findings were:
- On average, NHS trusts employ one qualified security professional per 2,582 employees. Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel. Several NHS organisations that employ no qualified cybersecurity professionals reported having staff members in the process of obtaining relevant security qualifications.
- Trusts spent an average of £5,356 on data security training, although it’s worth noting that a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools. GDPR-related training was the most common course type procured for staff. Other training programmes cited included: BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner. Spending on training varied significantly between trusts, from £238 to £78,000, while the size of the trust was not always a determining factor.
- NHS Digital’s mandatory information governance training requirements state that 95% of all staff must pass IG training every 12 months. The FOI responses revealed that, currently, only 12% of trusts had met the >95% training target and the majority of trusts had trained between 80% and 95% of their staff. A quarter of trusts had trained less than 80% of their staff (some reporting that less than 50% had been trained). NHS Digital also revealed that 139 Trusts had now undertaken a Data Security Onsite Assessment, compared to 60 in July 2018.