Study reveals gaps in NHS IT security

A significant gap exists between the perceived and actual strength of IT security measures built into NHS networks, according to a new survey.

In the study of 250 NHS-employed CIOs, CTOs and IT managers, carried out by Vanson Bourne for Sophos, three quarters – 76 per cent – believe that they have suitable protection against cybercrime and data loss, and 72 per cent claim data loss is their biggest concern in terms of IT security.

Worryingly, however, while 84 per cent of respondents state that encryption is becoming a necessity, the study reveals that encryption levels are still low across the NHS. Findings from the survey suggest that:

  • Only 49 per cent have file share encryption
  • Only 59 per cent have email encryption
  • Only 34 per cent have encryption of data stored in the cloud


Number one victim

These figures are all the more concerning given that the Information Commissioner's Office (ICO) has stated that the NHS was the UK’s number one victim of data breaches last year, led by data leakage and loss of hardware, such as USB keys.

The report comes at a time when further security issues are likely to come to the fore with the adoption of mobile healthcare. Many NHS organisations are embracing mobile healthcare and 42 per cent of respondents cited greater use of mobile devices in the community as one of the initiatives driving changes in IT security. Sophos says this could include a community midwife using a tablet to record patient data instead of needing to carry around multiple patient files.


Consolidation for improved protection

The survey also highlighted how NHS decision makers are cottoning on to the importance of consolidation for improved protection. A total of 42 per cent stated that they are considering consolidating their IT security providers, with over half citing cost savings as the main motivation.

“This study highlights that NHS organisations still face significant IT security issues and that IT decision makers have work to do to address gaps in their security,” said Jonathan Lee, UK healthcare sector manager, Sophos UK and Ireland. “Failure to take the necessary precautions to keep cyber criminals out, to safeguard data and ultimately to protect patients and staff will continue to cause significant problems for NHS organisations.”
