According to a Freedom of Information Request submitted by Redscan – a penetration testing firm, approximately 25% (24 out of 108) of NHS trusts who responded to the request have zero qualified security personnel.
However, some trusts have stated that they are in the process of training security staff. According to Redscan, trusts have spent an average of £5,356 on security training in the past 12 months, while a large number of trusts have spent nothing.
It is understood that NHS trusts operate on a limited budget; however, NHS Digital provides free tools, as well as information governance training, which 95% of employees are advised to complete. While training is not mandatory, 25% of trusts said that less than 80% of their staff had completed the training recommended by NHS Digital.
It should also be noted that the lack of security professionals could be part of a broader issue. As you may already know, there is a serious shortage of cyber-security professionals – an issue that spans all industry verticals.
Regardless of the reasons, I think we can all agree that the above statistics are a bad omen, especially having seen how much disruption a cyber-attack can bring to the NHS. Let us not forget that less than two years ago the NHS was hit by the WannaCry ransomware attack, which affected dozens of hospitals across the country – costing an estimated £73m. And it is likely that we will see more of the same, if not more sophisticated attack vectors, on the horizon.
According to new figures released by the ICO, there was a 20% increase in data breaches in the third quarter of 2017, which were mainly caused by either data being sent to the wrong recipients, or the loss or theft of paperwork. If it’s any consolation, the NHS has decided to ban fax machines from 2020.
What Can NHS Trusts Do About the Shortage of Security Professionals?
The answer to this question lies in automation. Of course, technology alone is not enough to mitigate data breaches; however, adopting the right tools can free up resources, making it easier for trusts to keep their data secure with the fewest trained staff.
It’s likely that all NHS trusts use some form of automated security tools, whether they be anti-virus tools, firewalls, or Intrusion Detection and Prevention Systems (IDPS). However, there are a number of additional security solutions which can streamline the process of protecting sensitive patient data. For example, there are tools that can automatically discover, classify and encrypt Protected Health Information (PHI).
There are solutions which can detect and manage duplicate sets of data, and there are Data Loss Prevention (DLP) solutions which can automatically prevent unencrypted PHI from leaving the network. Given that employees are the weakest link when it comes to cyber-security, trusts will need to implement some form of user and entity behavior analytics solution which can automatically detect and respond to suspicious user behavior.
These solutions can monitor changes made to privileged accounts and PHI, detect and manage inactive user accounts, and automatically respond to events that match a pre-defined threshold condition. This can be particularly useful for preventing the spread of ransomware or responding to anomalous login failures. Data-Centric Audit and Protection (DCAP) solutions can also automate the process of reminding users to reset their passwords. Ultimately, educating employees about security best practices is the most crucial step, but failing that, automation can step in to play a key role.
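To make the "pre-defined threshold condition" idea concrete, here is an added example (not code from the article, Redscan or NHS Digital) of the two detections described above: a sliding-window threshold over login failures and file modifications per account, and a check for accounts that have not logged in for a set number of days. The log format, the rule limits and the account names are hypothetical, and the log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any real trust): a burst of
# failed logins on one account, a ransomware-like burst of file writes from another,
# and one account that last logged in months ago.
SAMPLE_LOG = """\
2019-03-01T09:00:00 login_fail user=alice
2019-03-01T09:00:05 login_fail user=alice
2019-03-01T09:00:09 login_fail user=alice
2019-03-01T09:00:14 login_fail user=alice
2019-03-01T09:02:01 file_modify user=bob path=/share/records/001.doc
2019-03-01T09:02:02 file_modify user=bob path=/share/records/002.doc
2019-03-01T09:02:02 file_modify user=bob path=/share/records/003.doc
2019-03-01T09:30:00 login_ok user=carol
2018-11-15T08:00:00 login_ok user=dave
"""

# Hypothetical threshold rules: event kind -> (events that trigger an alert, window in seconds).
RULES = {"login_fail": (4, 60), "file_modify": (3, 10)}

def parse_events(text):
    """Parse 'timestamp kind key=value ...' lines into (timestamp, kind, user) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kind, attrs["user"]))
    return sorted(events)

def threshold_alerts(events, rules=RULES):
    """Return the (kind, user) pairs whose event count inside the sliding window reached the limit."""
    windows = defaultdict(deque)   # (kind, user) -> timestamps still inside the window
    alerts = set()
    for ts, kind, user in events:
        if kind in rules:
            limit, secs = rules[kind]
            q = windows[(kind, user)]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=secs):   # evict events older than the window
                q.popleft()
            if len(q) >= limit:
                alerts.add((kind, user))
    return alerts

def inactive_accounts(events, now_iso, max_idle_days=90):
    """Accounts seen logging in whose last successful login is older than max_idle_days."""
    now, last_ok = datetime.fromisoformat(now_iso), {}
    for ts, kind, user in events:
        if kind == "login_ok":
            last_ok[user] = max(ts, last_ok.get(user, ts))
    return {u for u, ts in last_ok.items() if now - ts > timedelta(days=max_idle_days)}
```

In a real deployment the alert set would feed an automated response (locking the account or isolating the host) rather than just being returned, and the inactive check would also cover accounts that have never logged in.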