Second report puts NHS IT security in the spotlight

Sophos study reveals gap between the perceived strength of IT security measures in the NHS and the actual level of protection

A second report in just one week has revealed a gap between the perceived strength of IT security measures in the NHS and the actual level of protection built into healthcare networks.

Last week, BBH revealed the findings of Arxan Technologies’ 5th Annual State of Application Security Report.

The study was based on the analysis of popular mobile health apps from the US, UK, Germany, and Japan, as well as a study examining security perspectives of consumers and app security professionals.

This study highlights that NHS organisations still face significant IT security issues and that IT decision makers have work to do to address gaps in their security

And the results revealed a wide disparity between consumer confidence in the level of security incorporated into mobile health apps and the degree to which organisations address known application vulnerabilities.

While the majority of app users and app executives believe their apps to be secure, nearly all the apps Arxan assessed, including popular banking and payment apps and regulatory body-approved health apps, proved to be vulnerable to at least two of the top 10 serious security risks.

Now, a second report by Sophos reveals a similar gap between perception and reality across NHS systems.

Carried out by Vanson Bourne, the study quizzed 250 NHS-employed chief information officers, chief technology officers, and IT managers. Three quarters - 76% - believe they have suitable protection against cybercrime and data loss, and 72% claim data loss is their biggest concern in terms of IT security.

However, while 84% of respondents state that encryption is becoming a necessity, the Sophos study reveals that encryption levels are worryingly low across the NHS:

  • Only 10% state that encryption is well established within their organisation
  • Only 59% have email encryption
  • Only 49% have file share encryption
  • Only 34% have encryption of data stored in the cloud

According to the Information Commissioners Office (ICO), the NHS was the UK’s number one victim of data breaches last year. Data leakage and loss of hardware, such as USB keys, were two of the most-prevalent factors in these breaches.

Failure to take the necessary precautions to keep cyber criminals out, to safeguard data, and ultimately to protect patients and staff, will continue to cause significant problems for NHS organisations

“This study highlights that NHS organisations still face significant IT security issues and that IT decision makers have work to do to address gaps in their security,” said Jonathan Lee, UK healthcare sector manager for Sophos UK and Ireland.

“Failure to take the necessary precautions to keep cyber criminals out, to safeguard data, and ultimately to protect patients and staff, will continue to cause significant problems for NHS organisations.

However, budget cuts and changes to working practices, such as the increase in mobile working, all present significant challenges within the sector.”

Commenting on specific findings, Lee added: “It’s no surprise that only 10% of NHS organisations stated that encryption was well established within their organisation. Most have encrypted laptops and USB sticks because they have been mandated to do so, but, currently, that is often where it stops.”

The findings come at a times when the NHS is undergoing a period of significant change - balancing budget cuts while innovating to drive improvements to patient care. As a result, many NHS organisations are driving major operational change, including embracing mobile healthcare.

In the Sophos survey, 42% of respondents cite greater use of mobile devices in the community as one of the initiatives driving changes in IT security. This might be, for example, a community midwife using a tablet to record patient data instead of needing to carry around multiple patient files.

Most NHS organisations have encrypted laptops and USB sticks because they have been mandated to do so, but, currently, that is often where it stops

Health workers are increasingly on the move and using mobile working practices to stay connected. The impact of the widespread use of mobile devices out in the community on the security of an entire NHS organisation’s network should not be underestimated. With this step change in working practices comes new requirements and IT managers need to ensure their organisation’s IT security is joined up to adequately protect users, devices and data at all points.

The survey also showed that decisionmakers in the NHS are beginning to understand the importance of consolidation for improved protection. 42% state that they are considering consolidating their IT security providers, with over half (55%) stating the main motivation for this as cost savings. This is no surprise, considering 96% of organisations say they have experienced operational changes in the past year, with the most-common change being budget cuts (60%). Survey respondents expect the average cut to IT budgets to be 6%, so budget will remain core to any investment decisions being made.

Organisations need a comprehensive security system that encrypts sensitive data, protects all classes of endpoints and communicates with network security systems

Of those not considering consolidating their suppliers, 54% said they have many different requirements and their belief is that a sole provider cannot deliver on all requirements. Many in the industry would argue that this is an outdated perception that can lead to gaps within network security.

Lee commented: “There is an important shift taking place in IT security. Organisations need a comprehensive security system that encrypts sensitive data, protects all classes of endpoints and communicates with network security systems.”

Companies