A new study has discovered that the NHS is lacking thorough security protection against a growing number of online threats.
An investigation by Sophos found that there is a significant gap between the perceived strength of IT security measures in NHS networks and the actual level of security in place.
This discrepancy is particularly worrying as the NHS was named as the UK’s number one victim of data breaches last year by the Information Commissioner’s Office (ICO), as data leakage and loss of hardware, such as USB keys, put the organisation at risk of attack.
72 percent named data loss as their biggest concern in terms of IT security, with the need for encryption growing as more and more devices are connected to networks and more data is generated.
And although 84 percent of respondents said that encryption is becoming a necessity, only 10 percent said that encryption is well established within their organisation.
Just over half (59 percent) said their organisation had email encryption in place, 49 percent had file share encryption operational, and only 34 percent had encryption of data stored in the cloud.
This is despite mobile devices becoming increasingly common for many NHS professionals, raising the number of possible entry points for criminals looking to breach data protection protocols. 42 percent of the survey respondents named the ubiquity of mobile devices in the community as one of the initiatives driving changes in their IT security planning.
“Failure to take the necessary precautions to keep cyber criminals out, to safeguard data and ultimately to protect patients and staff will continue to cause significant problems for NHS organisations. However, budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”
The study is the latest news to cast doubt over cybersecurity practices within the NHS. Last month, a Freedom of Information (FoI) request suggested staff at NHS Trusts across the country were severely lacking in their security training despite the increasing use of mobile devices in the workplace.
The FoI request, submitted by Accellion, found that 71 percent of NHS Trusts admit to the use of smartphones or tablets in the workplace, but that a similar proportion had either a limited or no training programme in place for how to safeguard organisational information when using these devices, despite many breaches stemming from this area.
In November the NHS said it intends to create a new role of chief information and technology officer (CITO) to lead the development of new projects, following major criticism of past programmes, including the infamous £12.7 billion NHS Programme for IT (NPfIT).
View Comments
It’s not all about encryption: to adapt to the digitisation of healthcare data, security must become “software-defined” and decoupled from the infrastructure, a practice that can be put in place by viewing security as an independent entity from the network infrastructure.
With such critical patient data at stake, the NHS must follow a ‘No Trust’ security model, assuming that all networks are essentially untrusted and that no user, device or application can ever be fully trusted, meaning that consistent access policies can be created across users regardless of which network or device is being used. By adding crypto-segmentation to build secure walls between the identified groups of users and the applications they access, healthcare organisations can ensure that any breach is limited in scope.
There are no excuses for leaving gaps in the security architecture. With so many devices being used and so much data to protect, it’s time for a change to be made.
Paul German, VP EMEA, Certes Networks