Redscan has announced the results of a series of Freedom of Information (FoI) requests submitted to NHS Trusts across the UK. The penetration testing, threat detection and incident response specialist has found that, on average, NHS Trusts have just one member of staff on the payroll with professional security credentials per 2,628 employees. Some large NHS Trusts (with up to 16,000 employees) employ no formally qualified security professionals whatsoever.
Expenditure on cyber security training over the last 12 months ranged from less than £250 to nearly £80,000 per NHS Trust, with no apparent link between the size of the Trust and the money spent. A significant proportion of Trusts have spent nothing on specialist cyber security or General Data Protection Regulation (GDPR) training for staff, requiring only that all employees complete free information governance training provided by NHS Digital.
“These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances,” explained Redscan’s director of cyber security Mark Nicholls. “Individual Trusts are lacking in-house cyber security talent and many are falling short of training targets. Meanwhile, investment in security and data protection training is patchy at best. The extent of the discrepancies is alarming, as some NHS set-ups are far better resourced, funded and trained than others.”
Nicholls added: “WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92 million. The Government has subsequently increased funding for cyber security in the NHS by £150 million, while also introducing a number of new security policies. There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure and struggling to recruit the skills needed. The NHS must continue to refine its cyber security strategy across the UK.”
Breakdown of the key findings
Cyber security qualifications
Trusts were asked how many members of staff held professional data security and/or cyber security qualifications. On average, NHS Trusts employ one qualified security professional per 2,582 employees. Nearly a quarter of Trusts have no employees with security qualifications (24 out of 108 Trusts), despite some employing as many as 16,000 full and part-time personnel.
Several NHS organisations that employ no qualified cyber security professionals reported having staff members in the process of obtaining relevant security qualifications. This is perhaps an indication of the difficulties currently found in hiring trained professionals.
Nicholls explained: “The cyber security skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wage packets. Not to mention the fact that NHS Trusts outside of traditional ‘tech hubs’ like London and Cambridge have a smaller talent pool from which to choose.”
In addition, Nicholls observed: “It’s true that NHS Trusts outsource key security functions to NHS Digital and other third party specialists, but I would still expect to see more security professionals employed in-house. No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security.”
Money being spent
NHS Trusts were asked how much money they had spent on data security training during the last 12 months, including any GDPR-related training. Trusts spent an average of £5,356 on data security training, although it’s worth noting that a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools.
GDPR-related training was the most common course type procured for staff. Other training programmes cited included the BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO 27001 Practitioner instruction.
Spending on training varied significantly between Trusts, ranging from £238 to £78,000. However, the size of each Trust wasn’t always a determining factor. For example, of those mid-sized NHS Trusts with 3,000-4,000 employees, training expenditure ranged from £500 to £33,000.
On this matter, Mark Nicholls said: “The figures suggest that some Trusts may be lacking the budget required to adequately train their staff on cyber security and data protection. While this will not surprise anyone, the extent of the disparity between Trusts might. Some Trusts are outspending others by a factor of 20. I worry that this clear divide will have a significant bearing on which Trusts are better prepared to prevent, detect and respond to cyber security incidents. In any case, the NHS must make determined efforts to redress this severe imbalance.”
NHS Digital training targets
Trusts were asked to provide data on the total number of full-time and part-time employees to have completed security training over the last 12 months. NHS Digital’s mandatory information governance training requirements state that 95% of all staff must pass information governance training every 12 months.
The FoI responses revealed that, currently, only 12% of Trusts had met the >95% training target and the majority of Trusts had trained between 80% and 95% of their staff. A quarter of Trusts had trained less than 80% of their staff (with some reporting that less than 50% had been trained).
A separate FoI request was also sent to NHS Digital, which declined to provide data on how many Trusts had met the information governance targets, or how many IT staff and Board members had completed dedicated training. NHS Digital did, however, reveal that 139 Trusts had now undertaken a Data Security On-Site Assessment. This is a marked improvement on the figure released in July 2018 (60), showing that NHS Trusts are taking these assessments more seriously and that measures are being implemented at Trust level.
“These numbers are definitely more promising, and I’m sure there has been a marked improvement in security training over the last five years, and especially so since WannaCry,” outlined Nicholls. “However, it’s important to note that gaps still exist. People remain the weakest link in the cyber security chain. Despite information governance training raising awareness of security risks and common pitfalls, you can never fully mitigate the risks of employees making mistakes or falling for social engineering scams.”
In conclusion, Nicholls told Risk Xtra: “In order to effectively identify and respond to the latest threats, organisations need to develop a better understanding of hackers’ tactics, techniques and procedures. Only dedicated professionals who closely assess and monitor the threat landscape day-to-day and properly understand how an organisation’s infrastructure is architected can begin to work out how to mitigate evolving risks.”
Reaction from the industry
Commenting on the hacking fears, Dr Guy Bunker (senior vice-president of products at Clearswift) told Risk Xtra: “This isn’t a surprise. There is a general lack of skilled people for cyber security. Cyber security has now become a very large topic. Understanding what sort of person is required is a challenge. There’s potentially the need for multiple personnel. For example, there’s a need for employee education, awareness and training and the skills required for this are very different from those needed to run security solutions, which are very different again from those needed to analyse security events.”
Bunker continued: “Understanding the needs of the organisation has to happen in order to best understand where the investment must be made. It might be that an external training company can be used for employee education and awareness, while consultants could be used to understand where there are security weaknesses and how best to mitigate them. This will then leave a core team responsible for the management of security solutions.”
In conclusion, Bunker explained: “While it’s not a ‘quick fix’, organisations need to talk about their existing shortage of skilled personnel and encourage people into the industry. This can also be done by sponsoring individuals through their degrees and/or further education. For organisations like the NHS, this will be less of an issue as they already have an infrastructure in place to deal with interns and placement students, the difference being that this needs to be focused on cyber-security rather than the more traditional ‘health’-related jobs.”
Background to the study
Responses from 159 NHS Trusts were received between 20 August and 27 November this year. While the majority provided responses to all questions posed, some Trusts stated that they did not hold some or all of the information requested by Redscan, could not retrieve it in a reasonable timeframe (under FoI guidelines) or were simply unable to release the data due to data privacy concerns. For example, only 108 NHS Trusts disclosed the number of qualified security professionals they employed.
NHS Digital’s Information Governance Toolkit guidelines state that: ‘At least 95% of all staff, including new starters, locums, temporary employees, students and staff contracted to work in the organisation have completed their annual information governance training.’
In relation to the FoI data, it’s important to note that employees are trained at different intervals throughout the year, and Trusts do not have to maintain their 95% target for the full year. However, it may still be cause for concern that Trusts are falling so far short of training targets at certain points in the year.
In its efforts to clarify this data, Redscan also sent a FoI request to NHS Digital, which responded by saying: ‘We cannot provide the information listed as it is explicitly instructed to not release any details of the DSP Toolkit in its Direction (legal basis) for collecting the information.’