One-quarter of NHS trusts have no qualified IT security pros

IT security remains an afterthought within the NHS despite the WannaCry outbreak in 2017

One quarter of NHS trusts have no qualified IT security professionals on their payroll, with almost nine out of ten failing to reach NHS Digital's supposedly mandatory targets for information governance training.

These are the findings from a series of Freedom of Information requests filed by security company Redscan, which indicate continued under-investment in IT security across the health service.

"On average, NHS trusts employ just one qualified security professional per 2,582 employees. Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel," claimed the report.

The research also found that expenditure on cybersecurity training during 2017 ranged from less than £250 to nearly £80,000 per trust, with no apparent link between the size of trust and money spent.

A number of mid-sized trusts - ranging from 3,000 to 4,000 employees - spent anywhere between £500 and £33,000 in the 12-month period.


What's more, a "significant proportion" of trusts spent nothing on specialist cybersecurity or GDPR training for staff, requiring only that all their employees complete free Information Governance (IG) training provided by NHS Digital.

The data comes just 18 months after the WannaCry ransomware outbreak, which affected around one-quarter of all NHS trusts in England and Wales.

The figures indicate that almost nine out of ten trusts haven't yet met their target of having 95 per cent of staff trained by NHS Digital in cybersecurity by the end of March next year.

Some trusts that were quizzed claimed they had staff members in the process of obtaining relevant security qualifications, which Redscan suggested is probably an indication of the difficulties of hiring trained IT security professionals in the current climate.

"These findings shine a light on the cybersecurity failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances," said Redscan director of cybersecurity, Mark Nicholls.

"Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile, investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others."