Poor Cyber Security Training At NHS Places Data At Risk


Freedom of information requests reveals shocking state of cyber security awareness within the NHS


A Freedom of Information (FoI) request has suggested staff at NHS Trusts across the country have had a significant lack of training to safeguard against cyber-attacks, and has indicated some very worrying business practices within the NHS concerning customer data.

The FoI request, submitted by Accelion, found that 71 percent of NHS Trusts admit the use of smartphones or tablets in the workplace. Indeed, it also found that 80 percent of NHS Trusts supply their staff with a smartphone or tablet in some capacity.

Training Problems

Yet 71 percent of these NHS Trusts confessed to having a limited or no training programme in place for how to safeguard organisational information when using these devices. This is despite the fact that many breaches are associated with these types of devices.

NHS - Shutterstock: © RTimagesAnd in a shocking development, it seems that staff at almost two thirds of NHS Trusts regularly access organisational information, including patient records, from their own personal smartphone or tablet.

There also seems to be a chronic lack of awareness about appropriate policies, as nearly half (41 percent) of NHS Trusts said they rely on the security of their server, encryption, or the goodwill of staff to adhere to an Information Security Policy to ensure patient data is kept secure.

And matters only look to get worse, as 92 percent of NHS Trusts questioned plan to incorporate smartphones, tablets or the use of applications to allow employees to access shared content by 2018, as part of the NHS’ paperless initiative.

“With a reported 93 percent of data breaches caused by human error, the integration of smartphones into the UK health service must be properly managed,” said Yorgen Edholm, CEO & President at Accellion. “Data breaches are continuing at an alarming rate, yet a cybersecurity mindset is still not ingrained at every level of the NHS Trusts.”

Edholm warned that the problem will only get worse as the wear your own device (WYOD) gains traction.

“With the emergence of WYOD it will become increasingly challenging for NHS Trusts to protect patient information,” said Edholm. “With the increasing use of wearable devices, employees are going to be the weakest link in the security ecosystem.”

Depressingly, it seems that only 53 percent of NHS Trusts provide a secure, enterprise-grade application for the sharing of patient data.

Poor Record

But this is hardly surprising, given that the NHS has a poor reputation when it comes to working with technology.

In September for example, a study published in journal BMC Medicine found that a number of mobile device-based health apps don’t properly secure customer data and have poor privacy standards. That was despite many of these apps being certified as clinically safe and trustworthy by the UK NHS Health Apps Library.

But perhaps the most famous example was the costly £12.7 billion NHS Programme for IT (NpfIT). The idea behind NPfIT was to move the NHS in England towards a single, centrally-mandated electronic care record for patients. It also planned to connect 30,000 general practitioners (GPs) to 300 hospitals. But by 2011, the then Coalition government had enough of the spiralling IT costs inherited from the previous Labour government and pulled the plug on the NpfIT project.

In November the NHS said it intends to create a new role of chief information and technology officer (CITO) to lead the development of new projects.

Do you know all about public sector IT? Take our quiz!