Research suggests cyber security improvements in the NHS despite the pressures of the COVID-19 pandemic.
London, 31st March 2021
Redscan, the award-winning provider of managed security services, specialising in Managed Detection and Response, Penetration Testing and Red Teaming, today published an analysis of Freedom of Information (FOI) requests made to NHS trusts in 2020.* Following a previous investigation made by Redscan in 2018, the latest findings provide insight into NHS trusts’ preparedness to tackle the latest cyber security threats.
Key findings include:
- On average, NHS trusts reported two breaches to the Information Commissioner’s Office (ICO) in 2020, down from 2.5 in 2019
- On average, trusts now have nearly twice as many employees (47%) with professional IT security qualifications (2.8 per trust in 2020, compared to 1.9 in 2018)
- One in four trusts had no qualified IT security professionals in 2018 (23%), a figure which has now fallen to one in seven (15%)
- A majority (83%) of NHS trusts commissioned at least one penetration test from an external third party in 2020
On average, NHS trusts reported fewer data breaches in 2020 (2) than they did in 2019 (2.5). While this appears to be a positive trend, more than two-thirds of trusts reported the same number or even more breaches in 2020 than in 2019. Just over 30% of trusts reported fewer breaches.
A shortage of skilled cyber security professionals is a problem for organisations across all sectors, including healthcare, but the NHS appears to have closed the skills gap in recent years. In 2018, Redscan found that, on average, trusts had just one member of staff with professional security credentials per 2,750 employees. In 2020, this ratio improved significantly with an increase to one qualified security professional per 1,996 employees. Over the same period, the number of trusts with no qualified security personnel decreased from 23% to 15%.
As was the case in 2018, there remains little consistency in terms of money spent on IT security training across NHS trusts. For example, while one trust spent £78k on security training in 2020, more than half of respondents (58%) spent nothing, and only required employees to complete mandatory annual NHS digital information governance training.
Mark Nicholls, CTO of Redscan, commented: “In 2018, our FOI revealed a large disparity in cyber security skills and training spend across the NHS. Fast-forward two years, and our latest report provides a valuable snapshot of how the situation has changed. It suggests that while disparities in training spend and penetration testing still exist, trusts are more likely to have qualified security professionals on staff and are also reporting fewer breaches compared to 2019.
“With more and more healthcare organisations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead. To deliver an effective service, organisations must continuously improve their defences to protect the patient data and infrastructure they rely on to save lives.”
*Notes for editors
Responses from 64/225 NHS trusts were received between 8 October 2020 and 4 February 2021. Redscan opted to submit its FOI requests on 5 October 2020 when COVID-19 cases were far lower than current levels, requesting data from the last 12 months in relation to security spending, penetration testing, plus employee training and qualifications. The number of data breaches reported to the ICO is data that covers only part of last calendar year (January 2020-October 2020), and is compared to the same period in 2019. Due to the pressures of COVID-19, many trusts were slower to respond to the FOI or unable to do so. As such, this release is intended to offer an update and point of comparison to results gathered in 2018.
Kroll is the world’s premier provider of services and digital products related to governance, risk and transparency. We work with clients across diverse sectors in the areas of valuation, expert services, investigations, cyber security, corporate finance, restructuring, legal and business solutions, data analytics and regulatory compliance. Our firm has nearly 5,000 professionals in 30 countries and territories around the world. For more information, visit www.kroll.com.