1 in 4 NHS trusts spent nothing on specialist cyber security training in past year

A concerning chunk of National Health Service trusts in England and Wales lack sufficient in-house cyber security expertise, new research has revealed.

According to a survey of 226 NHS trusts, 43 confirmed they had not allocated any funding for cyber security between August 2017 and August 2018.

Three respondents spent more than £40,000 on cyber defences, while one trust paid £78,000 for additional security. A significant portion of the picture is missing, though, with 67 trusts failing to respond to the survey’s Freedom of Information request.

Rather than invest in cyber security training, trusts have instead relied on free training given by NHS Digital, which runs IT for Britain’s health service.

On average, NHS trusts employ just one qualified security professional per 2,582 employees. Nearly a quarter of trusts have no employees with security qualifications, despite some employing as many as 16,000 full- and part-time personnel.

A spokesperson from Redscan - the London-based managed cyber security services provider that carried out the research - said the findings highlight how the NHS is struggling to implement a cohesive security strategy under difficult circumstances. 

“Individual trusts lack in-house cyber security talent and many are falling short of training targets, while investment in security and data protection training is patchy at best,” they said.

“The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.”