FOI reveals NHS Trusts spend as little as £250 on cyber security

'Alarming' spend and expertise discrepancies exposed as DHSC threatens enforcement action

The NHS is struggling to retain critical cyber security expertise and expenditure is being allocated erratically, with some Trusts spending as little as £250 in the last year, it has emerged.

Despite the Department for Health and Social Care (DHSC) having committed an additional £150 million on NHS cyber security a year after the WannaCry attack, research by Redscan has exposed a prominent gap in both funding and staffing.


The average spend on data security training across the 159 Trusts surveyed was £5,356 in the last 12 months, but this ranged widely from £238 to £78,000, with no correlation to the size of the Trust or its location.

For a mid-sized Trust of between 3,000 and 4,000 employees, for example, training spend ranged from £500 to £33,000. But the research also notes that a significant amount of training was conducted in-house using NHS Digital resources.

GDPR training was the most common programme taken up, with other prominent courses including the BCS Practitioner Certificate in Data Protection and Senior Information Risk Owner training.

However, it was found that NHS Trusts employ an average of only one qualified security professional per 2,582 staff.

Alarmingly, almost a quarter of Trusts, 24 out of 108, retain no staff with security qualifications despite some employing around 16,000 full-time and part-time workers. A handful of Trusts also reported having employees in the process of obtaining security qualifications.


"These findings shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances," said Redscan's director of cyber security Mark Nicholls.

"Individual trusts lack in-house cybersecurity talent and many are falling short of training targets; while investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others."

The findings, released following a Freedom of Information (FOI) campaign which saw responses from 159 NHS Trusts, come a year-and-a-half after the devastating WannaCry attack, which DHSC estimated to have cost £92 million.

Several parliamentary reports have since savaged the NHS' record on cyber security resilience, with one of the latest, in April, showing that zero Trusts passed the government's cyber security assessments.

A separate FOI request Redscan sent to NHS Digital revealed signs of improvement, as 139 Trusts had now undertaken a Data Security Onsite Assessment, compared to just 60 Trusts last year.


Beyond announcing an additional £150 million over the next three years, the DHSC also committed to upgrading all Windows XP devices to Windows 10 by 2020 in a deal struck with Microsoft earlier this year.

"Cyber security is a priority for this government and funding is provided to NHS Trusts based on their specific needs and capabilities," a DHSC spokesperson told IT Pro.

"Over £60m was invested last year for critical infrastructure, and there will be a further £150m over the next three to improve resilience across the health and care system.

"Where Trusts do not take sufficient action to secure their networks and systems, we will use strong enforcement powers to ensure they improve."

Redscan's Nicholls added that as the skills gap continues to grow, it'll become harder for organisations across all sectors to find the people with the right knowledge and expertise.

"It's even tougher for the NHS, which must compete with the private sector's bumper wages," he continued, "not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose."


Kaspersky's principal security researcher David Emm told IT Pro that given how very attractive health data is to criminals, it is vital the NHS invests money in robust protections.

"Healthcare providers must also work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data," he said.

"Not just for the sake of 'tick-box' compliance, or to avoid hefty fines and embarrassing, often irreparable reputational damage, but to enable them and their patients to reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure."

IT Pro also approached NHS Digital, NHS England and NHS Improvement for comment.
