The NHS is doing great work closing its security skills gap, with the average trust now employing twice as many in-house security practitioners – defined in this instance as someone with a professional IT security qualification – as it did two years ago: 2.8 in 2020 compared with 1.9 in 2018. The number of trusts with no qualified security professionals has fallen to just one in four.
That is according to a new analysis of a series of Freedom of Information (FoI) requests submitted to the NHS last year by threat detection and response and red teaming specialist Redscan, which also found that over 80% of NHS trusts had conducted at least one external penetration test in 2020. The average trust reported just two incidents to the Information Commissioner’s Office in 2020, down from 2.5 in 2019.
However, there remained little consistency in how much NHS trusts were spending on IT security training. While at the high end one trust spent £78,000 in 2020, more than half spent nothing and only required employees to complete the NHS digital information governance training, a mandatory annual task.
“In 2018, our FoI revealed a large disparity in cyber security skills and training spend across the NHS,” said Redscan CTO Mark Nicholls. “Fast-forward two years, and our latest report provides a valuable snapshot of how the situation has changed. It suggests that while disparities in training spend and penetration testing still exist, trusts are more likely to have qualified security professionals on staff and report fewer breaches than in 2019.
“With more and more healthcare organizations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead. To deliver an effective service, organizations must continuously improve their defenses to protect the patient data and infrastructure they rely on to save lives.”
The data in Redscan’s report is drawn from 64 responses to FoI requests sent to 225 NHS trusts between October 2020 and February 2021, and so cannot be read as a complete picture of the health service’s security posture – not least because many trusts were unable to respond due to pressure from their work on Covid-19.
Redscan said its previous series of FoI requests had revealed a vast disparity in skills and training across the NHS. However, its latest snapshot painted an altogether brighter picture – even though the differences still exist to some extent.
The firm added that with healthcare organizations being attacked more frequently by organized, targeted cybercriminal gangs – which are generally more likely to succeed in breaching their victims’ defenses than those that attack indiscriminately – the NHS still needed to do more to ensure it is adequately prepared, in particular adopting policies of continuous improvement to protect patient data and critical infrastructure.