NHS Cyber Security ‘Far Weaker Than Thought’

A new study has discovered that the NHS is lacking thorough security protection against a growing number of online threats.

An investigation by Sophos found that there is a significant gap between the perceived strength of IT security measures in NHS networks and the actual level of security in place.

This discrepancy is particularly worrying as the NHS was named as the UK’s number one victim of data breaches last year by the Information Commissioners Office (ICO), as data leakage and loss of hardware, such as USB keys, put the organisation at risk of attack.

Secured

Overall, only 76 percent of 250 senior NHS-employed CIOs, CTOs and IT Managers surveyed in the study believed that there was suitable protection against cybercrime and data loss in place at their organisation.

72 percent named data loss as their biggest concern in terms of IT security, with the need for encryption growing as more and more devices are connected to networks and more data is generated.

And although 84 percent of respondents said that encryption is becoming a necessity, only 10 percent said that encryption is well established within their organisation.

Just over half (59 percent) said their organisation had email encryption in place, 49 percent had file share encryption operational, and only 34 percent had encryption of data stored in the cloud.

This is despite mobile devices becoming increasingly common for many NHS professionals, raising the number of possible entry point for criminals looking to breach data protection protocols. 42 percent of the survey respondents said that the ubiquity of mobile devices in the community as one of the initiatives driving changes in their IT security planning.

Significant issues

“This study highlights that NHS organisations still face significant IT security issues and that IT decision makers have work to do to address gaps in their security,” said Jonathan Lee, UK healthcare sector manager, Sophos UK and Ireland.

“Failure to take the necessary precautions to keep cyber criminals out, to safeguard data and ultimately to protect patients and staff will continue to cause significant problems for NHS organisations. However, budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”

The study is the latest news to cast doubt over cybersecurity practices within the NHS. Last month, a Freedom of Information (FoI) request suggested staff at NHS Trusts across the country were severely lacking in their security training despite the increasing use of mobile devices in the workplace.

The FoI request, submitted by Accelion, found that 71 percent of NHS Trusts admit the use of smartphones or tablets in the workplace, but that a similar proportion had either a limited or no training programme in place for how to safeguard organisational information when using these devices, despite many breaches stemming from this area.

In November the NHS said it intends to create a new role of chief information and technology officer (CITO) to lead the development of new projects, following major criticism of past programs, including the infamous £12.7 billion NHS Programme for IT (NpfIT).

Do you know all about public sector IT? Take our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

View Comments

  • It’s not all about encryption: to adapt to the digitisation of healthcare data, security must become “software-defined” and decoupled from the infrastructure, a practice that can be put in place by viewing security as an independent entity from the network infrastructure.

    With such critical patient data at stake, the NHS must follow a ‘No Trust’ security model, assuming that all networks are essentially untrusted and that no user, device or application can ever be fully trusted, meaning that consistent access policies can be created across users regardless of which network or device is being used. By adding crypto-segmentation to build secure walls between the identified groups of users and the applications they access, healthcare organisations can ensure that any breach is limited in scope.

    There are no excuses for leaving gaps in the security architecture. With so many devices being used and so much data to protect, it’s time for a change to be made.

    Paul German, VP EMEA, Certes Networks

Recent Posts

Canadian Crypto Expert Denies He Is Satoshi Nakamoto

After HBO documentary names Canadian crypto expert Peter Todd as Bitcoin inventor – but he…

11 mins ago

Google Confronts Break-Up Threat From US DoJ

US Department of Justice mulls asking judge to force Google to sell parts of its…

5 hours ago

US Supreme Court Rejects X’s Trump Appeal

US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…

1 day ago

US Judge Orders Google To Allow Android App Store Competition

US federal judge orders Google to undertake wide range of measures allowing third-party app stores…

1 day ago

Ukraine Hackers Disrupt Russian Broadcaster On Putin’s Birthday

Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…

1 day ago