NHS Digital admits to having just 18 tech security experts

NHS Digital has only 18 to 20 “deeply technically skilled people” in the area of cyber security, it has admitted.

The IT arm of Britain’s national health service made the admission that it has no more than a score of elite IT security techies to MPs, who were probing its “alarming” response to 2017’s WannaCry attack.

In particular, despite 22 recommendations in February 2018 to boost NHS IT security, implementation plans remain unagreed, and each of the 22 has no costing or rollout date.

A further challenge faced by the NHS – “maintaining cyber security…[by] having a sufficiently skilled workforce,” is made harder due to both economics and supply and demand.

“There is a national shortage of this type of expertise,” MPs on the Public Accounts Committee (PAC) said, referring to Cyber Security.

“And they [NHS Digital] are competing in a market where there are three jobs for every expert, and private sector organisations can pay more for cyber security experts.”

Ross Rustici, a director at Cybereason said: “The failures of the NHS to implement the cybersecurity recommendations are not a new struggle nor are they limited to the NHS.

“Government entities at the national and local level have a complex set of challenges often under conditions of shrinking budgets.”

However, he pointed out that it is “far easier and cheaper to keep a network healthy, than it is to recover and strengthen a network after it has been severely compromised.”

Seeming to realise this, but still lacking the resources, NHS Digital says it wants to find “trusted” suppliers from outside the NHS who can support its trusts during a cyber attack.

With WannaCry, which caused the cancellation of 20,000 hospital appointments and operations, vendor patches, firewall management and network segmentation could have headed it off, or reduced its impact.

But recommendations in the PAC’s report also extend to external suppliers too; who must in future all be accredited and contractually bound to maintain and protect NHS systems and devices.

“Some major IT suppliers cannot just patch one system in isolation, but need to patch across their entire estate, which can take time,” the MPs wrote.

“The NHS needs to be proactive in ensuring its suppliers are patching, or at least understand where it might be vulnerable and take action accordingly.”

Meg Hillier MP, the PAC’s chair said it was “alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

She added: “I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.

“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”

A spokesman for NHS Digital said: "[We] currently [have] around 18-20 permanent staff in our cyber security team. This function is supported by supplier contracts and services to provide additional expertise and specialist services. During periods of high demand, we are able to supplement the team with contracted specialists."