A report from Redscan has found the NHS desperately needs more in-house cybersecurity expertise to protect against increasing attacks.
Potential ways to compromise the NHS systems are increasing as systems become connected for things such as remote health monitoring, accessing records, and even surgery.
The vulnerability of the NHS was highlighted last year when a ransomware spread to critical systems and held them hostage. At least 6,900 NHS appointments were cancelled as a result of the attack.
On average, Redscan found NHS trusts employ just one qualified security professional per 2,582 employees. Even more concerning, nearly a quarter of trusts reported having no employees with cybersecurity training.
Mark Nicholls, Redscan Director of Cyber Security, said:
“These findings shine a light on the cybersecurity failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances.
Individual trusts lack in-house cybersecurity talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded, and trained than others.”
Perhaps a result of the WannaCry attack, several trusts without qualified cybersecurity personnel report now being in the process of training some.
The decision to provide training for existing staff rather than hire professionals indicates the global shortage of cybersecurity talent.
“The cybersecurity skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience,” comments Nicholls. “It’s even tougher for the NHS, which must compete with the private sector’s bumper wages.”
In a report from the Joint Committee on National Security Strategy, Rob Crook, Managing Director of Cyber and Intelligence at Raytheon UK, reported the vacancy rate in the firm’s cybersecurity unit is 20–30 percent. This, he noted, is more than double that of the engineering side of the company’s business.
Steve Unger, Chief Technology Officer at Ofcom, was of the view “there are not enough people in the UK to do what is required for the country as a whole”.
NHS trusts are falling short of their own training targets for protecting data. NHS Digital requires 95 percent of all staff to pass information governance (IG) training every 12 months.
Redscan found only 12 percent of trusts had met the >95 percent target while a quarter had trained less than 80 percent of their staff. Most concerningly, some reported that fewer than 50 percent had been trained.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam to learn more.