The WannaCry ransomware attack back in May last year was a global event and one that affected many organisations. However, in the UK, one organisation that was badly hit was the NHS - with the health service having to declare a major incident and implement its emergency arrangements to maintain health and patient care.
Since then, unsurprisingly, the spotlight has been thrown on the NHS’s investment in cyber security and data protection. For example, a recent National Audit Office report pointed to a shocking lack of insight and control from the Department of Health, as well as an unwillingness or inability from NHS Trusts to respond to central guidance and support.
This week, to further the debate, new data has been revealed which highlights the disparity to which NHS Trusts across the UK are putting money into their cyber security and data protection skills.
Redscan, a specialist in penetration testing, threat detection and incident response, has helpfully submitted a number of freedom of information (FOI) requests to NHS Trusts in the UK to provide some greater clarity on the level of investment. The responses are from 159 trusts and were received between 20th August 2019 and 27th November 2018. The results provide for interesting reading and can be broken down into the three following areas.
Cyber security qualifications
One of the questions put forward to the Trusts in the FOIs was, how many members of staff held professional data security and/or cyber security qualifications?
Redscan found that on average, NHS Trusts employe just one security professional per 2,582 employees, whilst nearly a quarter of trusts have no employees with security qualifications at all (24 out of 108 trusts). This is despite some trusts employing as many as 16,000 full and part-time personnel.
It’s worth noting, however, that several NHS organisations that employ no qualified cyber security professionals reported having staff members in the process of obtaining relevant security qualifications - perhaps an indication of the challenges public sector organisations face in hiring trained professionals that demand a high salary.
Trusts were also asked how much money they had spent on data security during the last 12 months, including any GDPR-related training. The EU General Data Protection (GDPR) legislation came into force on 25th May this year, with the aim of giving individuals more control over how organisations use and process their data. Public and private sector organisations have been investing significant sums in order to become GDPR-compliant.
The FOIs revealed that trusts spent an average of £5,356 on data security training over the last 12 months. However, it’s also worth noting that a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools.
GDPR-related training was the most common course type procured for staff. Other training programmes cited included: BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner.
What’s most interesting, however, is that the spend on training varied significantly between trusts, with sums ranging from £238 to £78,000. Even more noteworthy is that the size of each trust was not always a determining factor for how much was spent. For example, of mid-sized trusts with 3,000 - 4,000 employees, training expenditure ranged from £5,000 to £33,000.
NHS Digital training targets
NHS Digital is body responsible for technology planning across the NHS. The organisation’s mandatory information governance training requirements state that 95% of all staff must pass information governance (IG) training every 12 months.
The FOIs put to trusts asked to provide data on the total number of full-time and part-time employees to have completed security training over the past 12 months. They revealed that, currently, only 12% of them had met the 95% target, with the majority of trusts having trained between 80% and 95% of their staff.
A quarter of trusts had trained less than 80% of their staff, with some reporting that less than 50% had been trained.
Redscan sent a separate FOI to NHS Digital, which declined to provide data on how many trusts had met its IG targets, or how many IT staff and board members had completed dedicated training. However, it did reveal that 139 trusts had now undertaken a Data Security Onsite Assessment.
Commenting on the findings, Redscan director of cybersecurity, Mark Nicholls said:
“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances.
“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”