Support 100 years of independent journalism.

  1. Spotlight
12 December 2018

Some NHS trusts are spending as little as £238 on cyber security training

A report has noted an “alarming” contrast between the budgets of different organisations. 

By Rohan Banerjee

Nearly 25 per cent of NHS trusts across England and Wales have failed to recruit specialist cyber security professionals or give existing staff sufficient cyber security training since the WannaCry ransomware attack, a report from cyber security firm Redscan has found.

The WannaCry cyberattack, which affected up to 70,000 NHS devices over four days in May 2017, was attributed by the UK and other governments to North Korean hackers. The ransomware exploited a vulnerability in older, unpatched versions of Windows, encrypting data as it demanded to be paid in the cryptocurrency Bitcoin for its release. Approximately 20,000 patient appointments and operations had to be cancelled, and the Department of Health and Social Care has estimated that the attack cost the NHS around £100m.

The Redscan report found that, on average, NHS trusts have just one member of staff with a recognised cyber security qualification per 2,582 employees. Almost a quarter of trusts (24 out of 108 surveyed) have no recognised cyber security specialist at all.

The report was based on Freedom of Information requests relating to NHS personnel between August 2017 and August 2018. Redscan’s director, Mark Nicholls, argues that it shows that “trusts are lacking in-house cyber security talent”.

However, Dan Taylor, associate director at the Data Security Centre at NHS Digital, said the figures are misleading as they “don’t take into account that most staff training is completed across the entire financial year”. He added: “All NHS organisations have until 31 March 2019 to meet the deadline of training 95 per cent of their staff by the end of the financial year. We expect all NHS organisations to meet this target. Trusts are responsible for their own cyber security and as individual organisations make their own choices about budget spend. NHS Digital is here to provide support, advise and expertise about cyber security to access as needed.”

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

The Redscan report shows that NHS trusts spent an average of £5,356 on cyber security training in the period covered. Nicholls described the lowest amount spent by a trust – £238 – as “alarming”, although other trusts had spent up to £78,000 on cyber security training.

Nicholls suggested that the NHS might be priced out of hiring accomplished cyber security professionals by having to compete with the private sector on salaries. “The cyber security skills gap continues to grow,” he explained, observing that it was “even tougher for the NHS, which must compete with the private sector’s bumper wages.”

 In April, the Department for Health and Social Care announced £150m in cyber security spending spending to implement recommendations made after the WannaCry attack, but experts expressed concern that there was little support for cyber security training in the health service.

Topics in this article: