FOI reveals NHS Trusts spend as little as £250 on cyber security

The NHS is struggling to retain critical cyber security expertise and expenditure is being allocated erratically, with some Trusts spending as little as 250 in the last year, it has emerged.

Despite the Department for Health and Social Care (DHSC) having committed an additional 150 million on NHS cyber security a year after the WannaCry attack, research by Redscan has exposed a prominent gap in both funding and staffing.

The average spend on data security training across 159 Trusts surveyed was 5,356 in the last 12 months, but this ranged widely from between 238 and 78,000 with no correlation to the size of Trust, or its location.

For a mid-sized Trust of between 3,000 and 4,000 employees, for example, training spend ranged from 500 to 33,000. But the research also notes a significant amount of training was conducted in-house using NHS Digital resources.

GDPR training was the most common programme taken up, with other prominent courses including BCS Practioner Certificate in Data Protection, and Senior Information Risk Owner.

However, it was found that NHS Trusts have only employed an average of one qualified security professional per 2,582 staff.

Alarmingly, almost a quarter of Trusts, 24 out of 108, retain no staff with security qualifications despite some employing around 16,000 full-time and part-time workers. A handful of Trusts also reported having employees in the process of obtaining security qualifications.

"These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances," said Redscan's director of cyber security Mark Nicholls.

"Individual trusts lack in-house cybersecurity talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others."

The findings, released following a Freedom of Information (FOI) campaign which saw responses from 159 NHS Trusts, have been released a year-and-a-half after the devastating WannaCry attack that DHSC estimated to cost 92 million.

Several parliamentary reports have since savaged the NHS' record on cyber security resilience, with among the latest in April showing zero Trusts passed the government's cyber security assessments.

A separate FOI request Redscan sent to NHS Digital revealed signs of improvement, as 139 Trusts had now undertaken a Data Security Onsite Assessment, compared to just 60 Trusts last year.

Beyond announcing an additional 150 million over the next three years, the DHSC also committed to upgrading all Windows XP devices to Windows 10 by 2020 in a deal struck with Microsoft earlier this year.

"Cyber security is a priority for this government and funding is provided to NHS Trusts based on their specific needs and capabilities," a DHSC spokesperson told IT Pro.

"Over 60m was invested last year for critical infrastructure, and there will be a further 150m over the next three to improve resilience across the health and care system.

"Where Trusts do not take sufficient action to secure their networks and systems, we will use strong enforcement powers to ensure they improve."

Redscan's Nicholls added that as the skills gap continues to grow, it'll become harder for organisations across all sectors to find the people with the right knowledge and expertise.

"It's even tougher for the NHS, which must compete with the private sector's bumper wages," he continued, "not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose from."

Kaspersky's principal security researcher David Emm told IT Pro that given how very attractive health data is to criminals, it is vital the NHS invests money in robust protections.

"Healthcare providers must also work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data," he said.

"Not just for the sake of tick-box' compliance, or to avoid hefty fines and embarrassing, often irreparable reputational damage, but to enable them and their patients to reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure."

IT Pro also approached NHS Digital, NHS England and NHS Improvement for comment.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.