NHS spends as little as £238 per trust on cyber security and training despite WannaCry attack which cost the health service £92million and cancelled 20,000 appointments
- NHS cyber security is ‘patchy at best’ said experts investigating its systems
- IT security spending by NHS trusts varied from £0 to £78,000 last year
- The damning revelation comes after the Government said security must improve
The NHS’s lack of cyber security is ‘alarming’, experts have warned after they discovered huge gaps in spending and training across the health service.
Too few experts could put the NHS at risk of another cyber attack like last year’s £92million WannaCry disaster in which 20,000 hospital appointments were cancelled.
Spending on cyber security varies wildly between hospital trusts around the country, with some spending as little as £238 and others £78,000.
On average the health service employs just one qualified cyber security expert for every 2,582 employees, and a quarter of trusts don’t have any at all.
The WannaCry cyber attack crippled computers at 81 hospital trusts and hundreds of GP surgeries in May last year, demanding £230 from every employee who was locked out of their computer
The damning figures have been revealed in a Freedom of Information investigation by cyber security experts, Redscan.
The company ran a three-month campaign requesting information from 150 NHS trusts across the UK and were alarmed by the failings they found.
‘These findings shine a light on the cyber security failings of the NHS,’ said Redscan director of cyber security, Mark Nicholls.
He said the health service is struggling to set up a successful internet security network under ‘difficult circumstances’.
Hospital trusts have spent an average of £5,356 on data security in the past 12 months, with the amount spent ranging from £0 to £78,000.
The figures are damning because they concern the year following the devastating WannaCry hack in May 2017.
WannaCry caused 20,000 hospital appointments to be cancelled and, it was revealed in October, cost the NHS £92million in lost productivity and IT support.
The hack, believed to have been carried out by North Korean cyber criminals, locked NHS staff out of their computers and demanded payment in Bitcoin to let them back in.
After a review, the Government said all NHS trusts must upgrade their IT systems in a move which could cost up to £1billion.
Redscan’s data revealed some hospitals provided training in-house and didn’t need to spend extra money, while others only used free training tools.
But the data reveals there is no standard across the NHS, with some parts of the organisation investing significantly more than others in cyber security.
Of 62 trusts which spent extra money on cyber security and revealed how much, 28 of them spent between £1,000 and £5,000.
One spent £78,000 on security improvements, seven others spent between £20,000 and £50,000, and 20 spent between £5,000 and £20,000.
Six of those in the Freedom of Information data spent less than £1,000.
Mr Nicholls added: ‘Individual trusts lack in-house cyber security talent and many are falling short of training targets; while investment in security and data protection training is patchy at best.
‘The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.
‘It’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience.
‘It’s even tougher for the NHS, which must compete with the private sector’s bumper wages.’