NHS trusts aren't spending enough on cyber-security, putting patients at risk. That was the conclusion of a Sky News investigation which claimed that seven NHS trusts in England and Wales spent nothing on cyber-security in 2015.
Earlier this month, the Northern Lincolnshire and Goole NHS Foundation Trust was forced to cancel operations at three hospitals for several days following a massive malware infection.
Sky News sent freedom of information requests to NHS trusts in England and Wales and received 97 replies.
The FOI research found that the average spend on cyber-security was £23,040, with six trusts spending as much as £100,000. Nearly half of those that replied – 45 trusts – weren't able to identify how much they spent on cyber-security.
Meanwhile, the number of breaches is on the rise, from 3,133 in 2014 to 4,177 last year, and cyber-incidents are rising even faster, from eight in 2014 to 60 last year.
A survey carried out by Vanson Bourne for Sophos earlier this year found a gap in encryption practices within the NHS. Out of 250 CIOs, CTOs and IT managers questioned, 84 percent said that encryption was a necessity but it was well-established within just 10 percent of organisations.
Jonathan Lee, UK healthcare sector manager at Sophos, said: “The Sky News findings are shocking, but not entirely surprising. NHS organisations face significant IT security issues and IT decision makers still have big challenges to address gaps in their security…. Budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”
Jeannie Warner, security manager at WhiteHat Security, commented: “Digital health records offer potentially rich pickings for cyber-criminals. They're a primary source for harvesting a wealth of information like medical history, birth dates, address information or insurance records.”
She added: “In some respects, the stark contrast in security standards comes down to the fact that cyber-security is not at the top of the list of many NHS Trusts' agendas. If regulators could force all entities that transfer, process and store personal information to have minimum security requirements, such as having a secure connection, everyone would be better off.”
The NHS established its own Computer Emergency Readiness Team, CareCERT, in October 2015. In September 2016, it launched three new services: CareCERT Assure, CareCERT React and CareCERT Knowledge.