Fresh evidence has emerged of under-investment in cybersecurity staff training and of the serious problems hospitals face in their ongoing struggle to defend themselves against increasingly sophisticated attacks.
The findings of a survey from Redscan, a provider of managed security services, show that many U.K. hospitals lack sufficient in-house cybersecurity expertise, there is a wide imbalance in employee cybersecurity training and spending, and many facilities seem to be failing to meet training targets on information governance.
The report is based upon the findings of a three-month Freedom of Information (FOI) campaign, which surveyed 159 National Health Service (NHS) trusts, or hospital groups, between 20 August 2018 and 27 November 2018. Its publication follows a U.K. government pledge, made in the wake of the WannaCry ransomware attack that hit the NHS in May 2017, to spend an additional 150 million pounds (166 million euros) on cybersecurity over the next three years.
The following are the key findings of the investigation:
- NHS hospitals employ an average of one qualified security professional per 2,582 employees. Nearly a quarter of them have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full- and part-time staff. Several hospitals said staff members are in the process of obtaining relevant security qualifications, however.
- Security and data protection training is patchy at best. NHS trusts spent an average of 5,356 pounds (5,930 euros) on data security training, although a significant proportion conducted such training in-house at no cost or only used free NHS Digital training tools. Training on the General Data Protection Regulation 2016/679 was the most common course offered.
- Spending on training varied significantly between trusts, from 238 pounds to 78,000 pounds, and the size of each trust was not always a determining factor. For example, of midsized trusts with 3,000 to 4,000 employees, training expenditure ranged from 500 pounds to 33,000 pounds.
Trusts are falling short of training targets, according to the report authors. NHS Digital's mandatory information governance training requirements state that 95% of all staff must pass this training every 12 months. FOI responses revealed that only 12% of trusts had reached the 95% target. A quarter of trusts had trained less than 80% of their staff, and some reported that less than 50% had been trained.
"These findings shine a light on the cybersecurity failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances," noted Mark Nicholls, Redscan's director of cybersecurity. "The extent of discrepancies is alarming, as some NHS organizations are far better resourced, funded, and trained than others."
The cybersecurity skills gap continues to grow, he added: organizations across all sectors find it incredibly hard to recruit enough people with the right knowledge and experience, and the task is even tougher for the NHS, which must compete with private-sector wages.
Working on a tight budget
Good cybersecurity can be achieved on a tight budget by focusing on foundational controls, including patching and password policies, rather than expensive tools, pointed out Gavin Millard, vice president of intelligence at cybersecurity firm Tenable, in a statement responding to the report.
"As demonstrated by the WannaCry outbreak last year, NHS frontline services can be significantly impacted by cybersecurity issues," he said. "It's unlikely the NHS will ever have the same level of investment into security as other verticals, but basic cyberhygiene practices still need to be followed to ensure patient records remain private and services continue to be available."
To understand this issue, it is essential to understand the context, and the NHS' top priority is, or should be, spending money on treating patients, according to Christopher Littlejohns, manager for Europe, the Middle East, and Africa at technology firm Synopsys.
"Allocating money to cybersecurity is always going to be a challenge for politicians and senior NHS executives, hence the amount allocated is trivially small, even at 150 million pounds, for such a huge organization with so much private data and health critical systems," he wrote in a statement.
Another aspect is the constrained grading and salary bands, Littlejohns noted. Because of them, hospitals cannot offer attractive salaries to people with the right experience, so they reassign staff from within the organization, which is itself challenging given the paucity of skills. In one case, the salary offered for a security-related position was about one-half to one-third of what the same role could command in the private sector.
"The typical way that a government organization will deal with this is to engage with external consultancies, but the budgets are so small they would not be able to achieve meaningful results," he explained. "The NHS is stuck between a rock and a hard place; not enough internal security related skills, and not enough budget to fix the problem."