A woeful lack of in-house cyber security specialists coupled with the huge cost of hiring experienced professionals is severely impacting the ability of NHS trusts across the UK to respond effectively to emerging cyber threats.
Responses to a series of Freedom of Information requests made by security firm Redscan has revealed the impact of limited budgets and the lack of trained cyber security professionals on the cyber-resilience of NHS trusts across the UK, with a large number of them unable to invest in cyber security training for employees or in hiring experienced professionals.
1 in every 4 NHS trusts lacking cyber security specialists
The lack of trained cyber security professionals at the NHS is so acute that, based on responses from 159 NHS trusts, there is only one such specialist per 2,628 employees and nearly one in four such trusts do not have any cyber security specialists at all.
"The cybersecurity skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose from," said Mark Nicholls, director of cyber security at Redscan.
"It’s true that NHS trusts outsource key security functions to NHS Digital and other third-party specialists, but I would still expect to see more security professionals employed in-house. No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security.
"Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others," he added.
Freedom of Information requested filed by Redscan also revealed that NHS trusts spent an average of £5,356 on data security training, but individually, they spent between £238 to £78,000 with mid-sized trusts spending between £500 and £33,000 o employee training.
NHS trusts also provided free-of-cost in-house training to their employees by using free NHS Digital tools and also provided training on mandated courses such as BCS Practitioner Certificate in Data Protection, Senior Information Risk Owner and ISO27001 Practitioner.
"Some trusts are outspending others by a factor of twenty. I worry that this clear divide will have a significant bearing on which trusts are better prepared to prevent, detect and respond to cybersecurity incidents. In any case, the NHS must make efforts to redress this severe imbalance," Nicholls warned.
'NHS stuck between a rock and a hard place'
According to Christopher Littlejohns, EMEA manager at Synopsys, the NHS’s top priority is, or should be, spending money on treating patients. Allocating money to cybersecurity is always going to be a challenge for politicians and senior NHS executives, hence the amount allocated is trivially small, even at £150M, for such a huge organisation with so much private data and health critical systems.
"Another aspect is the constrained grading and salary bands within such an organisation. This inevitably means that they cannot offer particularly attractive salaries for people with the right experience, hence they reassign people from within the organisation; but this is challenging due to the paucity of skills.
"Talking to an NHS IT person a few months ago, I was made aware of a security related position being discussed. The nominal salary being considered was about one half to one third that could be commanded in the private sector. The typical way that a government organisation will deal with this is to engage with external consultancies, but the budgets are so small they would not be able to achieve meaningful results. The NHS is stuck between a rock and a hard place; not enough internal security related skills, and not enough budget to fix the problem," he added.