NHS spends as little as £238 per trust on cyber security and training despite WannaCry attack which cost the health service £92million and cancelled 20,000 appointments

  • NHS cyber security is ‘patchy at best’ said experts investigating its systems  
  • IT security spending by NHS trusts varied from £0 to £78,000 last year
  • The damning revelation comes after the Government said security must improve
The NHS’s lack of cyber security is ‘alarming’, experts have warned after they discovered huge gaps in spending and training across the health service.

Too few experts could put the NHS at risk of another cyber attack like last year’s £92million WannaCry disaster in which 20,000 hospital appointments were cancelled.

Spending on cyber security varies wildly between hospital trusts around the country, with some spending as little as £238 and others £78,000.

On average the health service employs just one qualified cyber security expert for every 2,582 employees, and a quarter of trusts don’t have any at all.

The WannaCry cyber attack crippled computers at 81 hospital trusts and hundreds of GP surgeries in May last year, demanding £230 from every employee who was locked out of their computer with this warning screen

The damning figures have been revealed in a Freedom of Information investigation by cyber security firm Redscan.

The company ran a three-month campaign requesting information from 150 NHS trusts across the UK and was alarmed by the failings it found.

‘These findings shine a light on the cyber security failings of the NHS,’ said Redscan director of cyber security, Mark Nicholls.

He said the health service is struggling to set up a successful internet security network under ‘difficult circumstances’.

Hospital trusts have spent an average of £5,356 on data security in the past 12 months, with the amount spent ranging from £0 to £78,000.

The figures are damning because they concern the year following the devastating WannaCry hack in May 2017.

WannaCry caused 20,000 hospital appointments to be cancelled and, it was revealed in October, cost the NHS £92million in lost productivity and IT support.

The hack, believed to have been done by North Korean cyber criminals, locked NHS staff out of their computers and demanded payment in Bitcoin to let them back in.

After a review, the Government said all NHS trusts must upgrade their IT systems in a move which could cost up to £1billion.

Redscan’s data revealed some hospitals provided training in-house and didn’t need to spend extra money, while others only used free training tools.

But the data reveals there is no standard across the NHS, with some parts of the organisation investing significantly more than others in cyber security.

Of 62 trusts which spent extra money on cyber security and revealed how much, 28 of them spent between £1,000 and £5,000.

One spent £78,000 on security improvements, seven others spent between £20,000 and £50,000, and 20 spent between £5,000 and £20,000.

Six of those in the Freedom of Information data spent less than £1,000.

Mr Nicholls added: ‘Individual trusts lack in-house cyber security talent and many are falling short of training targets, while investment in security and data protection training is patchy at best.

‘The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others.

‘It’s incredibly hard for organisations across all sectors to find enough people with the right knowledge and experience.

‘It’s even tougher for the NHS, which must compete with the private sector’s bumper wages.’

More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May.

Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.

NHS officials said 47 trusts had been affected – but the National Audit Office (NAO) found that the impact was far greater, and in fact 81 were hit by the attack.

When the attack came on May 12 it ripped through the out-of-date defences used by the NHS.

The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account.

Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. Doctors and nurses were locked out, meaning they had to rely on pen and paper, and crucial equipment such as MRI machines were also disabled by the attack.

The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals had to divert ambulances away at the peak of the crisis.

Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 – that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.

The NAO said the cyber-attack could easily have been prevented. Officials were warned repeatedly about the WannaCry virus before the attack, with ‘critical alerts’ sent out in March and April.

Foreign Office minister Lord Ahmad confirmed the attack was carried out by the notorious North Korean cyber espionage group Lazarus.

Computer systems in 150 countries were caught up in the attack, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid.

The Department of Health said that from next January hospitals will be subject to unannounced inspections of IT security.