According to Alex Teh, Vigil's commercial director, the current structure of the NHS, which consists of health trusts and similar bodies, means that IT security management is centralised, with each trust managing the IT needs of NHS staff in an area that often serves as many as a million people.
Under the planned reorganisation of the NHS, he says, each GP practice will operate its own IT systems, so an area previously covered by a single trust might contain more than 100 GP practices, each of which operates and maintains its own IT systems.
"We've been working closely with a number of trusts and their main concern is that, when the management of the IT systems is devolved down to the GP practices, each practice will be responsible for its own IT security", he told Infosecurity.
"Most GP practices have little or no expertise in this area. It's really the equivalent situation that many small companies face, but since the GPs are handling patient data, it becomes a potentially serious problem", he explained.
In theory, says Teh, each GP practice could receive advice on security matters from its computer reseller or systems integrator, but this arrangement is fraught with potential dangers, since such advice and support may not be as unbiased as that of the current trust IT departments.
The solution to this issue, he adds, is to have local acute (or similar) major hospitals becoming centres of excellence for IT security and governance issues, and for these hospitals to service the needs of local GP practices.
This, he went on to say, is the only logical approach if a serious IT governance problem is to be avoided when management is devolved away from the trusts and down to the individual GP practices.
"You are talking here about the devolution of security skills and education", he said, adding that the problem with each GP practice being responsible for its own IT systems is that security skills are then spread far too thinly, where they exist at all.
The problem facing the NHS on the security front, however, is that the planned devolution involves far more than governance and security alone, so there is a danger that the security of patient data may not be high on the NHS priority list.