NHS IT managers think security better than it is, survey finds

NHS IT managers think security measures in the NHS are stronger than they actually are, according to a study

A survey by IT security supplier Sophos has found that the majority of NHS organisations think they are protected against cyber crime, even though very few have encryption embedded across their organisation.

The study, which surveyed 250 NHS CIOs and IT managers, found the perceived strength of security measures in the NHS fell short of the actual level of security.

75% of NHS organisations believe they are “protected against cyber-crime”, and 84% said encryption is becoming a necessity. However, just 10% said that “encryption is well established within their organisation”.

The NHS was the UK’s biggest victim of data breaches last year, mainly due to data leakage and hardware loss, according to the Information Commissioner’s Office (ICO).

With an increase in mobile and remote working, the way that NHS staff access data is changing, and security needs and requirements are evolving accordingly.

“Most have encrypted laptops and USB sticks because they have been mandated, but, currently, that is often where it stops,” said Jonathan Lee, Sophos’ healthcare sector manager.

More than half of those surveyed said they had email encryption, but only 34% had encryption on data stored in the cloud; 54% said there is “increased awareness of data security thanks to high-profile breaches”.

The survey also found that 42% are considering a consolidation of IT security providers, in the context of an average 6% cut in IT budgets across the NHS.

Last year, the Health and Social Care Information Centre launched a cyber security service for health and social care, called CareCERT.

The service provides incident response expertise as well as cyber security best practice and guidance to organisations.

Enforcing compliance

Last year, the ICO gained the right to force audits on NHS authorities to ensure compliance with the Data Protection Act.

The ICO can serve notice on public authorities – including NHS organisations – under section 41A of the Data Protection Act 1998.
