In 2019, based on information obtained via a series of Freedom of Information requests sent to 159 NHS trusts, security firm Redscan found that the NHS was grappling with an alarming rise in the exodus of IT leaders and chief information officers at a time when it needed a lot of resources, tools, manpower, and funds to respond effectively to emerging cyber threats and to prevent breaches of patient data.
Information obtained by Redscan revealed that the lack of trained cyber security professionals at the NHS was so acute that, based on responses from 159 NHS trusts, there was only one such specialist per 2,628 employees and nearly one in four such trusts did not have any cyber security specialists at all.
“The cybersecurity skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages. Not to mention the fact that trusts outside of traditional tech hubs like London and Cambridge have a smaller talent pool from which to choose from,” said Mark Nicholls, director of cyber security at Redscan.
“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others,” he added.
While the situation did not look great for NHS at the time, the healthcare body had already set up NHSX, a working group that would oversee the use and storage of data by NHS organisations and create policies and best practices for NHS technology, digital and data.
NHS trusts hiring more security professionals and testing their networks than ever before
Two years down the line, the efforts seem to have borne fruit. A recent study conducted by Redscan, using the same Freedom of Information route, found that the NHS trusts are now much better off when it comes to having qualified IT security professionals in their ranks and conducting penetration tests to test the security of their IT systems.
Data obtained by Redscan reveals that NHS trusts now have nearly twice as many employees (47%) with professional IT security qualifications compared to 2018, even though the current figure stands at 2.8%. The percentage of NHS trusts with no qualified IT security professionals in their ranks has also come down from 23% in 2018 to 15%, reflecting the seriousness with which NHS trusts have strived to onboard qualified security professionals in the past 24 months.
“In 2018, our FOI revealed a large disparity in cyber security skills and training spend across the NHS. Fast-forward two years, and our latest report provides a valuable snapshot of how the situation has changed. It suggests that while disparities in training spend and penetration testing still exist, trusts are more likely to have qualified security professionals on staff and are also reporting fewer breaches compared to 2019,” says Nicholls, now CTO of Redscan.
“With more and more healthcare organisations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead. To deliver an effective service, organisations must continuously improve their defences to protect the patient data and infrastructure they rely on to save lives.”
The aggressive hiring of qualified IT security professionals has also delivered immediate results. According to Redscan, the number of breaches reported by NHS trusts to the ICO on average went down from 2.5 in 2019 to two in 2020, and 83% of NHS trusts also commissioned at least one penetration test from an external third party in 2020. It goes without saying that pen-testing goes a long way in identifying security holes in an organisations’s IT network, something that may not be noticed otherwise.
Even though the latest figures signify impressive progress on part of NHS trusts, the fact that only 64 out of 215 NHS trusts responded to FOI requests, possibly due to the pressures of COVID-19, gives us a reason to believe that a larger sample size would have delivered more accurate results.
Healthcare organisations must do more to control access to sensitive data
Even though NHS trusts have demonstrated visible improvement in hiring IT security professionals in their ranks and carrying out regular penetration tests, all is not well with the healthcare industry. According to Varonis’ ‘2021 Data Risk Report: healthcare, Pharma & Biotech’ report, healthcare organisations in the US, UK, France and Germany need to do more to regulate wholesale access to patient data and prevent the loss of sensitive data to hackers or malicious insiders.
The report revealed that the average healthcare worker has access to 31,000 sensitive files on their first day of work, that 20% of all files are open for any employee to access, and that 77% of healthcare organisations in these countries have 500 or more accounts whose passwords are never renewed.
“Healthcare organisations must manage vast quantities of information but often struggle with issues around open access—information left open to far too many people. When attackers strike, they can move through an IT network just like an authorised employee unless measures have been taken in advance to restrict access,” Matt Lock, technical director at Varonis, told Healthcare IT News.
“With ransomware, organisations typically have a tiny window to spot and stop an attack from laying waste to invaluable patient data. Attackers will follow the money, and unfortunately, healthcare has a target on its back. Overexposure will impact the security landscape for many years to come and the healthcare industry has the most to lose.”