FOI finds 1 in 4 NHS trusts have no staff with cyber qualifications

  • 19 December 2018
FOI finds 1 in 4 NHS trusts have no staff with cyber qualifications

Nearly a quarter of NHS trusts that responded to an FOI request have no employees with data security qualifications, with trusts employing just one qualified security professional per 2,582 employees on average.

NHS organisations were approached by cyber security firm Redscan with a Freedom of Information (FOI) request which quizzed them on their cyber security training and expenditure.

Trusts were asked how many members of staff held professional data security or cyber security qualifications, as well as the number of employees to had completed security training over the last 12 months.

Twenty-four of the 108 trusts that responded reported they had no employees with security qualifications, despite some employing as many as 16,000 full and part-time personnel.

It also found that only 12% of trusts had met the NHS Digital’s mandatory information governance (IG) training requirements, which state that 95% of all staff must pass IG training every 12 months.

A quarter had trained less than 80% of their staff, while some trusts reported that less than 50% of employees had been trained.

Redscan pointed out that NHS employees tend to be trained at different intervals throughout the year, and trusts do not have to maintain their 95% target for the full year. However, it added that the fact trusts were falling short of training targets at certain points in the year could still be “cause for concern”.

Mark Nicholls, Redscan director of cyber security, said the findings “shine a light on the cyber security failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances.”

“Individual trusts are lacking in-house cyber security talent and many are falling short of training targets,” Nicholls added.

“The cyber security skills gap continues to grow and it’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience. It’s even tougher for the NHS, which must compete with the private sector’s bumper wages.”

Redscan’s FOI also asked trusts how much money they had spent on data security training during the last 12 months, including any GDPR-related training.

Trusts spent an average of £5,356 on data security training, although Redscan pointed out that a “significant proportion” of organisations provided in-house training at no cost, or only used free NHS Digital training tools.

Spending on training varied significantly between trusts – ranging from £238 to £78,000 – with the size of each trust not always proving a determining factor. For example, of mid-sized trusts with 3000-4000 employees, training expenditure ranged from £500 to £33,000.

Nicholls said: “Investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”

“WannaCry severely disrupted critical healthcare services across the country in 2017, costing the NHS an estimated £92m. The Government has subsequently increased funding for cyber security in the NHS by £150m, while introducing a number of new security policies.

“There are certainly green shoots of progress, but this doesn’t mask the fact that the NHS is under tremendous financial pressure, is struggling to recruit the skills it needs and must continue to refine its cyber security strategy across the UK.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Patient groups oppose NHSE plans for unified clinical registry platform

Patient groups oppose NHSE plans for unified clinical registry platform

Patient groups for people with blood disorders have raised concerns about NHS England plans to combine clinical registries in a single platform.
Harnessing AI and cybersecurity to transform healthcare in the UK

Harnessing AI and cybersecurity to transform healthcare in the UK

The UK healthcare sector is in a transformative era, driven by advancements in artificial intelligence (AI). AI has the potential to revolutionise healthcare by improving…
Junior doctors break strike to assist at sites hit by cyber attack

Junior doctors break strike to assist at sites hit by cyber attack

Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts continue to experience major disruption following the cyber attack on Synnovis.