NHS Cyber Security ‘Far Weaker Than Thought’


Remote and mobile working practices putting the NHS at great risk, Sophos survey finds

A new study has discovered that the NHS is lacking thorough security protection against a growing number of online threats.

An investigation by Sophos found that there is a significant gap between the perceived strength of IT security measures in NHS networks and the actual level of security in place.

This discrepancy is particularly worrying as the NHS was named as the UK’s number one victim of data breaches last year by the Information Commissioner’s Office (ICO), with data leakage and the loss of hardware, such as USB keys, putting the organisation at risk of attack.


Overall, only 76 percent of the 250 senior NHS-employed CIOs, CTOs and IT managers surveyed in the study believed that there was suitable protection against cybercrime and data loss in place at their organisation.

72 percent named data loss as their biggest concern in terms of IT security, with the need for encryption growing as more and more devices are connected to networks and more data is generated.

And although 84 percent of respondents said that encryption is becoming a necessity, only 10 percent said that encryption is well established within their organisation.

Fifty-nine percent said their organisation had email encryption in place, 49 percent had file share encryption operational, and only 34 percent had encryption of data stored in the cloud.

This is despite mobile devices becoming increasingly common for many NHS professionals, raising the number of possible entry points for criminals looking to breach data protection protocols. 42 percent of the survey respondents named the ubiquity of mobile devices in the community as one of the factors driving changes in their IT security planning.

Significant issues

“This study highlights that NHS organisations still face significant IT security issues and that IT decision makers have work to do to address gaps in their security,” said Jonathan Lee, UK healthcare sector manager, Sophos UK and Ireland.

“Failure to take the necessary precautions to keep cyber criminals out, to safeguard data and ultimately to protect patients and staff will continue to cause significant problems for NHS organisations. However, budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”

The study is the latest news to cast doubt over cybersecurity practices within the NHS. Last month, a Freedom of Information (FoI) request suggested staff at NHS Trusts across the country were severely lacking in their security training despite the increasing use of mobile devices in the workplace.

The FoI request, submitted by Accellion, found that 71 percent of NHS Trusts acknowledge the use of smartphones or tablets in the workplace, but that a similar proportion had either a limited or no training programme in place for how to safeguard organisational information when using these devices, despite many breaches stemming from this area.

In November the NHS said it intends to create a new role of chief information and technology officer (CITO) to lead the development of new projects, following major criticism of past programmes, including the infamous £12.7 billion NHS National Programme for IT (NPfIT).
