Lack of cyber security expertise within the NHS

A new survey of NHS trusts has revealed a large disparity in cyber security skills and spending across the NHS, with most trusts lacking sufficient in-house cyber security expertise.

The three-month Freedom of Information campaign, undertaken by Redscan, surveyed more than 150 NHS trusts in the UK and revealed a wide imbalance in employee cyber security training and spending between trusts, with a worrying number of NHS trusts likely to be failing to meet training targets on information governance.

The investigation shows that NHS trusts employ just one qualified security professional on average per 2,582 employees, although 24 out of 108 responding trusts have no employees with security qualifications.

With NHS trusts spending an average of £5,356 on data security training, the findings also reveal a significant proportion of NHS organisations conducted such training in-house at no cost or only used free NHS Digital training tools. The variation in spend, which ranged from £238 to £78,000, was also exemplified by the fact that only 12 per cent of trusts had met the NHS Digital mandatory information governance (IG) training requirements that 95 per cent of all staff must pass IG training every 12 months. A quarter of trusts had trained less than 80 per cent of their staff.

Mark Nicholls, Redscan director of Cyber Security, said: “These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances. Individual trusts lack in-house cyber security talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.

“The cyber security skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose.”
