The NHS is making progress in closing its security skills gap. The average trust now employs noticeably more in-house security practitioners, defined in this instance as staff holding a professional IT security qualification, than it did two years ago: 2.8 in 2020 compared with 1.9 in 2018, an increase of just under 50%. The number of trusts with no qualified security professionals at all has fallen to one in four.
That is according to new analysis of a series of Freedom of Information (FoI) requests submitted to NHS trusts last year by threat detection and response and red teaming specialist Redscan. The analysis also found that over 80% of NHS trusts had conducted at least one external penetration test in 2020, and that the average trust reported two incidents to the Information Commissioner's Office in 2020, down from 2.5 in 2019.
However, there remained little consistency in how much NHS trusts were spending on IT security training. At the high end, one trust spent £78,000 in 2020, but more than half spent nothing at all, requiring employees only to complete the NHS Digital information governance training, a mandatory annual task.
“In 2018, our FoI revealed a large disparity in cyber security skills and training spend across the NHS,” said Redscan CTO Mark Nicholls. “Fast-forward two years, and our latest report provides a valuable snapshot of how the situation has changed. It suggests that while disparities in training spend and penetration testing still exist, trusts are more likely to have qualified security professionals on staff and are also reporting fewer breaches compared to 2019.
“With more and more healthcare organisations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead. To deliver an effective service, organisations must continuously improve their defences to protect the patient data and infrastructure they rely on to save lives.”
The data in Redscan's report is drawn from 64 responses received from the 225 NHS trusts approached between October 2020 and February 2021, so it cannot be read as a complete picture of the health service's security posture, not least because many trusts were unable to respond due to pressure from their work on Covid-19.
Redscan said its previous series of FoI requests had revealed a huge disparity in skills and training across the NHS, but its latest snapshot painted an altogether brighter picture – even though the disparities still exist to some extent.
The firm added that, with healthcare organisations being attacked more frequently by organised, targeted cyber criminal gangs, which are generally more likely to breach their victims' defences than attackers who strike indiscriminately, the NHS still needed to do more to ensure it is adequately prepared, in particular by adopting policies of continuous improvement to protect patient data and critical infrastructure.