New research from Digital Health Intelligence has revealed that only 55 percent of NHS Acute Trusts and 47 percent of mental health trusts have plans in place to comply with the upcoming General Data Protection Regulation (GDPR), meaning that around half of such institutions are yet to create implementation plans for GDPR.
Information obtained by Digital Health Intelligence via a Freedom of Information request has revealed that 46 NHS Trusts have so far spent a combined £1,076,549 in order to implement GDPR, with the Luton and Dunstable Hospital Foundation Trust and the Lincolnshire Partnership NHS Foundation Trust spending in excess of £100,000 each.
Other NHS Trusts that also set aside significant sums for GDPR implementation included South Central Ambulance Service NHS Trust, St George’s University Hospitals NHS Foundation Trust, Sheffield Teaching Hospitals NHS Foundation Trust, and the Dorset HealthCare University. Most of their investments were geared towards training staff to effectively manage and secure sharing of confidential patient records and data.
Such NHS Trusts have also spent a lot of money in the recent past on information security management systems, data flow mapping licences, software training, and configuration consultancy. However, there are also some NHS hospitals, such as Royal Derby Hospital, Goodmayes Hospital, and Alder Hey Children's NHS Foundation Trust, that spent as little as £500 each on securing email systems or staff training.
Impending financial crisis
Digital Health Intelligence added that even though the NHS has received generous funding over the years, with its expenses rising from £78.8 billion in 2006/07 to £120.51 billion in 2016/17 and £126.26 billion in 2018/19, it is still facing a financial crisis.
"Years of mismanagement, bloated administration and rising costs for social care, mean resources are at breaking point. It is against this backdrop that the NHS faces a new challenge which threatens to add further strain to its resources; the General Data Protection Regulation (GDPR).
"In addition, the complexities and legal landmines facing NHS chiefs as they implement changes to adhere to this regulation are immense," the firm added.
It recommended that in order to avert a crisis in the near future, the NHS needs to establish a national programme for managing and funding the GDPR and should ask for additional funds from the Treasury to strengthen its cyber security. At the same time, the government should provide dedicated legal advice to enable all trusts to gain free consultancy on implementation.
"GDPR aside, the NHS will remain a high-value target for attackers due to the highly sensitive nature and the number of the patient healthcare records it holds. It must quickly get its house in order – not only to meet the GDPR but also to guard against the next ransomware attack. The WannaCry ransomware attack hit the NHS less than one year ago and its effects were devastating," says Matt Lock, Director of Sales Engineers at Varonis.
"The challenges are real. Like many large healthcare systems, the NHS must deal with legacy infrastructure that was not designed to handle the volume of data and operating systems in use today. They’ve got to address and replace outdated and unsupported systems as a first step, and this costs money.
"Spending £1m seems like a large investment, but after this funding is distributed across hundreds of facilities throughout the UK, the amount is likely to be far from adequate given the challenges facing the NHS. Organisations must stand accountable, address these issues and move forward quickly, perhaps faster than they may be accustomed to. Today’s technology and threats demand nothing less," he adds.