NHS trusts lack sufficient in-house cyber security expertise and there is a wide imbalance in employee cyber security training and spending between trusts, freedom of information (FoI) requests have revealed.
Many trusts are also likely to fail to meet training targets on information governance, according to the findings of a three-month FoI campaign by security firm Redscan that surveyed more than 150 NHS trusts.
The findings come after the government pledged to spend an additional £150m on cyber security in the wake of the WannaCry attack in 2017, and after a review of lessons learned from WannaCry, published in February 2018, called for both local NHS organisations and national bodies to improve their cyber security skills and resilience.
The FoI request revealed that NHS trusts lack in-house security talent, with an average of just one member of staff with professional security credentials per 2,628 employees.
Some large trusts (with up to 16,000 employees) have no formally qualified security professionals at all, the data shows.
Several NHS organisations that employ no qualified cyber security professionals reported having staff members in the process of obtaining relevant security qualifications, which is perhaps an indication of the difficulties of hiring trained professionals.
The data shows that cyber security and data protection training is patchy, with expenditure on cyber security training over the past 12 months ranging from less than £250 to nearly £80,000 per trust, with no apparent link between the size of trust and money spent.
On average, NHS trusts spent £5,356 on data security training, although a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools.
A significant proportion of trusts have spent nothing on specialist cyber security or GDPR (General Data Protection Regulation) training for staff, requiring only that all their employees complete free information governance (IG) training provided by NHS Digital.
However, GDPR-related training was the most common course type procured for staff. Other training programmes cited included BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner.
Overall, the data shows that trusts are falling short of training targets. NHS Digital’s mandatory IG training requirements state that 95% of all staff must pass IG training every 12 months, but currently, only 12% of trusts have met that target. A quarter of trusts have trained less than 80% of their staff, while some reported that less than half had been trained.
“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” said Mark Nicholls, director of cyber security at Redscan.
“Individual trusts are lacking in-house cyber security talent and many are falling short of training targets. Meanwhile, investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”
Nicholls noted that WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92m.
“The government has subsequently increased funding for cyber security in the NHS by £150m, while introducing a number of new security policies,” he said. “There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure, is struggling to recruit the skills it needs and must continue to refine its cyber security strategy across the UK.”
Commenting on the lack of in-house cyber security skills, Nicholls said the skills gap continues to grow. “It is incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience,” he said. “It is even tougher for the NHS, which must compete with the private sector’s bumper wages – not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose.
“It is true that NHS trusts outsource key security functions to NHS Digital and other third-party specialists, but I would still expect to see more security professionals employed in-house. No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security.”
A separate FoI request was sent to NHS Digital, which declined to provide data on how many trusts had met its IG targets, or how many IT staff and board members had completed dedicated training.
However, NHS Digital did reveal that 139 trusts had now undertaken a Data Security Onsite Assessment, up from just 60 in July 2018, showing that NHS trusts are taking these assessments more seriously and that measures are being implemented at trust level.
“These numbers are definitely more promising, and I’m sure there has been a marked improvement in security training over the last five years, especially since WannaCry,” said Nicholls.
“However, it is important to note that gaps still exist. People remain the weakest link in the cyber security chain. Despite IG training raising awareness of security risks and common pitfalls, you can never fully mitigate the risks of employees making mistakes or falling for social engineering scams.
“In order to effectively identify and respond to the latest threats, organisations need to develop a better understanding of hackers’ tactics, techniques and procedures. Only dedicated professionals that closely assess and monitor the threat landscape day to day and properly understand how an organisation’s infrastructure is architected can begin to work out how to mitigate evolving risks.”