Quarter of NHS Trusts Have No Security Pros

Quarter of NHS Trusts Have No Security Pros

New research has revealed a dearth of qualified cybersecurity staff in the NHS and low levels of spending on in-house training for employees.

RedScan received Freedom of Information (FOI) responses from 159 trusts between August and November.

It found that nearly a quarter of trusts have no qualified security professionals working in-house despite some of them employing as many as 16,000 staff.

Although some of this security work is outsourced by the health service, RedScan director of cybersecurity, Mark Nicholls, claimed that security specialists should still number more than the average of one per 2628 employees revealed by the research.

“There’s no magic number. Every organization has a responsibility to assess its cybersecurity risk and make a judgement call about the number of trained professionals it needs. Factors to consider include the size of the network, number of employees, systems in use, plus the type and quantity of data stored,” he told Infosecurity.

“When you consider how big a target the NHS is, how diverse and interconnected its networks are and how many people rely on healthcare services day-to-day, it’s pretty clear that trusts lack the specialist skills required. The fact that several trusts with more than 10,000 employees had no security professionals whatsoever is a great concern.”        

What’s more, trusts spent an average of only £5356 on data security training over the past 12 months, with GDPR understandably the most common course type undertaken. However, this average figure hides a wide disparity in spending, with some trusts forking out just £238 and some as much as £78,000.

Trusts are also failing to meet minimum standards on information governance (IG) training, with NHS Digital requiring 95% of all staff to pass such training every 12 months, according to RedScan. Unfortunately, just 12% of trusts that sent back FOI answers had met this target, with the majority having trained 80-95% of staff.

However, a quarter had trained less than 80%, with some claiming less than half had been sent on IG courses.

The healthcare sector accounted for 43% of all data breach incidents reported to the ICO between January 2014 and December 2016, although this figure may be relatively high because of mandatory reporting requirements in the sector.

It added another 619 incidents in Q2 2018/19 alone, including 420 labelled as “disclosure of data” and 190 security-related.

Source: Information Security Magazine