NHS trusts reporting fewer breaches, employing more security pros

Redscan, the award-winning provider of managed security services, specialising in Managed Detection and Response, Penetration Testing and Red Teaming, today published an analysis of Freedom of Information (FOI) requests made to NHS trusts in 2020.* Following a previous investigation made by Redscan in 2018, the latest findings provide insight into NHS trusts’ preparedness to tackle the latest cyber security threats.

Key findings include:

  • On average, NHS trusts reported two breaches to the Information Commissioner’s Office (ICO) in 2020, down from 2.5 in 2019
  • On average, trusts now have 47% more employees with professional IT security qualifications than in 2018 (2.8 per trust in 2020, compared to 1.9 in 2018)
  • One in four trusts had no qualified IT security professionals in 2018 (23%), a figure which has now fallen to one in seven (15%)
  • A majority (83%) of NHS trusts commissioned at least one penetration test from an external third party in 2020

On average, NHS trusts reported fewer data breaches in 2020 (2) than they did in 2019 (2.5). While this looks like a positive trend, the average masks wide variation between trusts: more than two-thirds of trusts reported the same number of breaches or more in 2020 than in 2019, and just over 30% reported fewer.

A shortage of skilled cyber security professionals is a problem for organisations across all sectors, including healthcare, but the NHS appears to have narrowed the skills gap in recent years. In 2018, Redscan found that, on average, trusts had just one member of staff with professional security credentials per 2,750 employees. In 2020, this ratio improved significantly to one qualified security professional per 1,996 employees. Over the same period, the proportion of trusts with no qualified security personnel fell from 23% to 15%.

As was the case in 2018, there remains little consistency in the money spent on IT security training across NHS trusts. For example, while one trust spent £78k on security training in 2020, more than half of respondents (58%) spent nothing, and only required employees to complete the mandatory annual NHS Digital information governance training.

Mark Nicholls, CTO of Redscan, commented: “In 2018, our FOI revealed a large disparity in cyber security skills and training spend across the NHS. Fast-forward two years, and our latest report provides a valuable snapshot of how the situation has changed. It suggests that while disparities in training spend and penetration testing still exist, trusts are more likely to have qualified security professionals on staff and are also reporting fewer breaches compared to 2019.”

“With more and more healthcare organisations being targeted by attackers, every NHS trust needs to ensure it is prepared for the challenges ahead. To deliver an effective service, organisations must continuously improve their defences to protect the patient data and infrastructure they rely on to save lives.”
