NHS trusts are struggling to meet minimum security awareness training levels for staff (Pic: Sturti/GettyImages)
Nearly a quarter of NHS trusts in England and Wales have no employees with security qualifications, according to an FOI request covering 108 trusts.
And on average, trusts employ one cyber-security professional for every 2,582 employees.
Despite employing as many as 16,000 full and part-time staff and being heavily reliant on networked information systems, the trusts in question devoted very little resource to cyber-security, according to the results of the research published by Redscan.
However, some of the trusts were in the process of training existing staff in cyber-security, which Redscan said might indicate the difficulty they were having in hiring trained professionals.
The amount of money spent on security training by trusts varied widely from £238 to £78,000, but there was very little correlation between the size of the trust and the amount spent. Average spending was £5,356 but many opted for free in-house training using materials from NHS Digital.
The most common training topic was GDPR followed by the Practitioner Certificate in Data Protection from the British Computer Society, Senior Information Risk Owner and ISO 27001 Practitioner.
There is also a significant backlog in training staff on information governance. NHS Digital mandates that 95 percent of staff must pass information governance training every 12 months, but Redscan found that only 12 percent of trusts had achieved that. However, three-quarters of the respondents had achieved 80 percent or better. Some trusts are struggling to get half of their staff trained.
"These findings shine a light on the cyber-security failings of the NHS which is struggling to implement a cohesive security strategy under difficult circumstances," said Mark Nicholls, director of cyber-security at Redscan.
"Individual trusts lack in-house cyber-security talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others," he said.
He noted that hiring cyber-security professionals in the current environment is difficult for most organisations, but said: "It's even tougher for the NHS, which must compete with the private sector's bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose."
NHS trusts across the country are still counting the costs of the WannaCry attack in 2017. According to the most recent estimate from the Department of Health and Social Care, the attack cost £92 million in lost services and remediation costs. The government estimates that trusts spent up to £72 million of that just to secure systems and recover lost data in the two months immediately after the attack.
David Emm, principal security researcher at Kaspersky Lab, said that health data is very attractive to cyber-criminals. "It is absolutely vital for the NHS that money is being invested into robust cyber-security solutions. Healthcare providers must also work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data."
Meanwhile, the NHS suffers from creaking technology. The health secretary Matt Hancock has banned the NHS from buying any more fax machines after it was revealed that trusts were using more than 8,000 of the ancient machines.
Despite banning them, he gave trusts until April 2020 to stop using existing devices because despite his much publicised ‘tech vision’, some trusts lack the technology to securely transmit sensitive documents such as patient records.