The UK’s NHS health system is desperately short of information security professionals, research from infosec consultancy Redscan shows.
The firm found that NHS trusts typically have just one member of staff with cybersecurity credentials per 2,628 employees. A quarter of all trusts surveyed – including some of the largest, employing as many as 16,000 people – had no infosec professionals on their payroll whatsoever.
The firm also compared trusts' spending on cybersecurity training over the preceding twelve months, and found that it varied wildly, from as little as £238 to as much as £78,000.
In several cases, Redscan found examples of trusts that spent nothing on specialist infosec or GDPR training.
Redscan obtained the data by sending Freedom of Information (FOI) requests to the UK's 159 NHS trusts. Responses were received between August 20 and November 27, 2018.
The findings aren't surprising. The NHS is grappling with a budget crisis brought on by almost nine years of austerity, as well as a rapidly ageing population. It makes sense that front-line medical priorities would take precedence over technology.
But as we've seen in recent years, security incidents can have a disastrous impact on the healthcare sector. The most notable example is WannaCry, a self-propagating ransomware worm that spread in May 2017 by exploiting a vulnerability in Windows' SMBv1 file-sharing service – one Microsoft had patched two months earlier in security bulletin MS17-010, so the machines it compromised were those that had not been patched or were running versions of Windows no longer supported. Attributed by the US and UK governments to North Korea, WannaCry affected some 200,000 computers across 150 countries.
The NHS was the most prominent victim. WannaCry hit office computers and networked medical devices – such as MRI scanners – and radically disrupted hospital operations, with procedures and appointments cancelled.
Given the impact of WannaCry, it's concerning that the NHS isn't investing more in infosec. That said, given the UK-wide shortage of cybersecurity professionals, coupled with the NHS's budget shortfall, it's certainly understandable.