Nearly 25 per cent of NHS trusts across England and Wales have failed to recruit specialist cyber security professionals or give existing staff sufficient cyber security training since the WannaCry ransomware attack, a report from cyber security firm Redscan has found.
The WannaCry cyberattack, which affected up to 70,000 NHS devices over four days in May 2017, was attributed by the UK and other governments to North Korean hackers. The ransomware exploited a vulnerability in older, unpatched versions of Windows, encrypting data as it demanded to be paid in the cryptocurrency Bitcoin for its release. Approximately 20,000 patient appointments and operations had to be cancelled, and the Department of Health and Social Care has estimated that the attack cost the NHS around £100m.
The Redscan report found that, on average, NHS trusts have just one member of staff with a recognised cyber security qualification per 2,582 employees. Almost a quarter of trusts (24 out of 108 surveyed) have no recognised cyber security specialist at all.
The report was based on Freedom of Information requests relating to NHS personnel between August 2017 and August 2018. Redscan’s director, Mark Nicholls, argues that it shows that “trusts are lacking in-house cyber security talent”.
However, Dan Taylor, associate director at the Data Security Centre at NHS Digital, said the figures are misleading as they “don’t take into account that most staff training is completed across the entire financial year”. He added: “All NHS organisations have until 31 March 2019 to meet the deadline of training 95 per cent of their staff by the end of the financial year. We expect all NHS organisations to meet this target. Trusts are responsible for their own cyber security and as individual organisations make their own choices about budget spend. NHS Digital is here to provide support, advice and expertise about cyber security to access as needed.”
The Redscan report shows that NHS trusts spent an average of £5,356 on cyber security training in the period covered. Nicholls described the lowest amount spent by a trust – £238 – as “alarming”, although other trusts had spent up to £78,000 on cyber security training.
Nicholls suggested that the NHS might be priced out of hiring accomplished cyber security professionals by having to compete with the private sector on salaries. “The cyber security skills gap continues to grow,” he explained, observing that it was “even tougher for the NHS, which must compete with the private sector’s bumper wages.”
In April, the Department of Health and Social Care announced £150m in cyber security spending to implement recommendations made after the WannaCry attack, but experts expressed concern that there was little support for cyber security training in the health service.