Sophos (LSE:SOPH) recently released the results of its survey assessing IT security levels within NHS organizations. The study, which included 250 NHS-employed CIOs, CTOs and IT Managers, revealed a gap between perceived beliefs of IT security levels and the actual IT security structures that are currently in place, with 76% of respondents believing that the NHS is well-protected against cyber-crime. Despite this, as little as 10% felt that encryption was well-established within the NHS.
Steve Durbin, Managing Director of Information Security Forum Limited, told InfoSecurity:
“The percentage [76%] refers to cybercrime, something that we all know and recognise as being a growing concern for all organizations, irrespective of size, particularly those that create, store and share valuable information – such as personally identifiable information – on mobile devices or the cloud; so, for me this 76% figure is somewhat at odds with the other findings in the survey that encryption is not a well-established practice for email, file sharing or cloud data storage.”
Steve added:
“Encryption, whilst not being a total solution, is certainly one of the basic steps I think we would all expect to be implemented around ensuring the security of sensitive data.”
As an organization of unprecedented size, the NHS handles exceptionally high levels of sensitive, personal information. According to the Information Commissioners Office, it was the UK’s main victim of data breaches in 2015, with data leakage and loss of hardware two of the most prevalent factors in these breaches.
Like many organizations across the UK, the NHS is going through a transitional period of balancing numerous budget cuts with a willingness to provide the highest standard of care possible to its patients. In response to this, the NHS aims to implement major operational changes that will see mobile devices used in the community. Whilst this would certainly help to provide a quicker, more streamlined level of care; for example, a community midwife could record patient data on a tablet, removing the need to carry around multiple patient files, it also carries its own risks in terms of cybersecurity.
Steve added:
“With the move to adopt changes to working practices, including the increase of mobile devices and mobile working, there also comes a need to ensure that not only are sound processes and policies in place around the security of the information being stored on such devices, but that the people who are using these devices are also sufficiently aware of their responsibilities and handle the information in an appropriate manner.”