NHS Trusts still not ready for WannaCry-like cyber-attacks
In 2019, based on information obtained via a series of
Freedom of Information requests sent to 159 NHS trusts, security firm Redscan
found that the NHS was grappling with an alarming rise in the exodus of IT
leaders and chief information officers at a time when it needed a lot of
resources, tools, manpower, and funds to respond effectively to emerging cyber
threats and to prevent breaches of patient data.
Information obtained by Redscan revealed that the lack of
trained cyber security professionals at the NHS was so acute that, based on
responses from 159 NHS trusts, there was only one such specialist per 2,628
employees and nearly one in four such trusts did not have any cyber security
specialists at all.
“The cybersecurity skills gap continues to grow and
it’s incredibly hard for organisations across all sectors to find enough people
with the right knowledge and experience. It’s even tougher for the NHS, which
must compete with the private sector’s bumper wages. Not to mention the fact
that trusts outside of traditional tech hubs like London and Cambridge have a
smaller talent pool from which to choose from,” said Mark Nicholls,
director of cyber security at Redscan.
“Individual trusts are lacking in-house cybersecurity
talent and many are falling short of training targets; meanwhile investment in
security and data protection training is patchy at best. The extent of
discrepancies is alarming, as some NHS organisations are far better resourced,
funded and trained than others,” he added.
While the situation did not look great for NHS at the time,
the healthcare body had already set up NHSX, a working group that would oversee
the use and storage of data by NHS organisations and create policies and best
practices for NHS technology, digital and data.
NHS trusts hiring more security professionals and testing
their networks than ever before
Two years down the line, the efforts seem to have borne
fruit. A recent study conducted by Redscan, using the same Freedom of
Information route, found that the NHS trusts are now much better off when it
comes to having qualified IT security professionals in their ranks and
conducting penetration tests to test the security of their IT systems.
Data obtained by Redscan reveals that NHS trusts now have
nearly twice as many employees (47%) with professional IT security
qualifications compared to 2018, even though the current figure stands at 2.8%.
The percentage of NHS trusts with no qualified IT security professionals in
their ranks has also come down from 23% in 2018 to 15%, reflecting the
seriousness with which NHS trusts have strived to onboard qualified security
professionals in the past 24 months.
“In 2018, our FOI revealed a large disparity in cyber
security skills and training spend across the NHS. Fast-forward two years, and
our latest report provides a valuable snapshot of how the situation has
changed. It suggests that while disparities in training spend and penetration
testing still exist, trusts are more likely to have qualified security
professionals on staff and are also reporting fewer breaches compared to 2019,”
says Nicholls, now CTO of Redscan.
“With more and more healthcare organisations being targeted
by attackers, every NHS trust needs to ensure it is prepared for the challenges
ahead. To deliver an effective service, organisations must continuously improve
their defences to protect the patient data and infrastructure they rely on to
save lives.”
The aggressive hiring of qualified IT security professionals
has also delivered immediate results. According to Redscan, the number of
breaches reported by NHS trusts to the ICO on average went down from 2.5 in
2019 to two in 2020, and 83% of NHS trusts also commissioned at least one
penetration test from an external third party in 2020. It goes without saying
that pen-testing goes a long way in identifying security holes in an
organisations’s IT network, something that may not be noticed otherwise.
Even though the latest figures signify impressive progress
on part of NHS trusts, the fact that only 64 out of 215 NHS trusts responded to
FOI requests, possibly due to the pressures of COVID-19, gives us a reason to
believe that a larger sample size would have delivered more accurate results.
Healthcare organisations must do more to control access to
sensitive data
Even though NHS trusts have demonstrated visible improvement
in hiring IT security professionals in their ranks and carrying out regular
penetration tests, all is not well with the healthcare industry.
According to
Varonis’ ‘2021 Data Risk Report: healthcare, Pharma & Biotech’ report,
healthcare organisations in the US, UK, France and Germany need to do more to
regulate wholesale access to patient data and prevent the loss of sensitive data
to hackers or malicious insiders.
The report revealed that the average healthcare worker has
access to 31,000 sensitive files on their first day of work, that 20% of all
files are open for any employee to access, and that 77% of healthcare
organisations in these countries have 500 or more accounts whose passwords are
never renewed.
“Healthcare organisations must manage vast quantities of
information but often struggle with issues around open access—information left
open to far too many people. When attackers strike, they can move through an IT
network just like an authorised employee unless measures have been taken in
advance to restrict access,” Matt Lock, technical director at Varonis, told
Healthcare IT News.
“With ransomware, organisations typically have a tiny window
to spot and stop an attack from laying waste to invaluable patient data.
Attackers will follow the money, and unfortunately, healthcare has a target on
its back. Overexposure will impact the security landscape for many years to
come and the healthcare industry has the most to lose.”
Keeping you secure no matter the circumstances – P2
From our close relationship with a variety of vendors/applications, you can be confident that we have the contacts and expertise to support you and achieve the best performance and results possible. We specialise in professional service sectors – so our experience in understanding clients better, and our ability to deliver technology that achieves the best results, is top quality. Contact us now to find out what we can do for you.
News Source: https://www.teiss.co.uk
