Every time a patient interacts with a clinician, the NHS gathers information about them. Trusts should be able to use this patient data to gain valuable insights into diagnostics, treatments and service planning. And yet the biggest obstacle to the successful execution of a hospital’s customer-centric strategy is data and privacy.
NHS legacy IT systems are particularly vulnerable to attacks and loss of data. A white paper by researchers from Imperial College London's Institute of Global Health Innovation concluded that the NHS is vulnerable to hackers due to a combination of:
- outdated computer systems;
- lack of investment;
- a deficit of skills and awareness in cyber security.
The NHS is under attack
One of the most high-profile NHS breaches was the ‘WannaCry’ ransomware attack in 2017, which affected around 70,000 devices and cost nearly £100m. And yet despite pledging to implement the lessons learned from the incident, a report published by Computer Weekly shows that over two-thirds (67%) of UK healthcare organisations experienced some kind of cyber security incident in 2019. And the most recent figures published by the Information Commissioner’s Office (ICO) show that in Q1 2020-21, the healthcare sector suffered 214 reported data incidents - more than any other sector.
Quite understandably, the public has lost faith in the ability of the NHS to keep their personal, sensitive and confidential data safe - 71% of patients doubt the NHS can guarantee the security of their electronic health record.
Robust cyber security is essential to any data-centric organisation. But the problem is that the threat isn't always outside the perimeter.
Of the breaches reported to the ICO in Q1 2020-21, only 14% were due to cyber security incidents - like brute force attacks, malware, phishing and ransomware - the rest were due to human error. Overall, the 3 most common breaches in healthcare are due to:
- data posted or faxed to incorrect recipients;
- loss / theft of paperwork;
- data sent by email to incorrect recipients.
Given the reality of cyber skills in healthcare, it would seem the NHS is fighting a losing battle.
The harsh reality about cyber skills in the NHS
Research obtained through freedom of information requests shows that since WannaCry, nearly a quarter (24%) of NHS trusts across England and Wales have no recognised cyber security specialist at all. And on average, trusts spend just £5,356 on cyber security training - ranging from £238 to £78k.
Compare this to the private sector where 84% have their own head of cyber security and/or a dedicated team, with an average spend of £1.06m.
Just imagine if trusts were given access to this level of resource...
Research from the Aberdeen Group shows that security-related risks are reduced by 70% when organisations invest in cybersecurity training and awareness. That's the case that needs to be presented to the board.
How to build a case based on risk
To secure the funding for training in digital skills, there are three key components you need to consider:
You need to shift the mindset of your leadership team so that training is seen as essential to reducing risk and increasing patient safety. To do this, work through a range of different scenarios - including best- and worst-case scenarios - to highlight the consequences of investing/not investing in developing internal talent. When the outcomes are very tangible, like having to cancel 20,000 patient appointments and operations (as with WannaCry), it’s hard to argue that the current average investment of £5,356 is sufficient.
Many organisations are guilty of failing to create a digital strategy that links to the corporate strategy. The harsh reality is that most people don’t care about technology, only what it can do. Therefore, you need to show how digital is the enabler for the overarching strategy because it delivers a connected service across the health and care system with the right technology, skills and information. When you can show people how an investment in digital skills helps them achieve their objectives, you secure key stakeholder buy-in that will help you to make your case.
As with every investment, you need to prove a return on that investment. With something like training, it’s not as clear cut as perhaps investing in a new treatment, where you can cite the number of patients treated, or success rates. One of the best ways to demonstrate the return on training is through professional standards, like the Federation of Informatics Professionals Practitioner (FEDIP). It is the highest standard that informatics professionals can attain, therefore demonstrating they understand and work to the highest ethical and technical standards.
How BCS can help
At BCS, we are developing new pathways and opportunities for healthcare IT professionals. As a member, we provide you with access to a global community of informatics professionals who are leading the way in future healthcare. In addition, you also gain free access to the College of Healthcare Information Management Executives (CHIME) and all of its learning materials.
Besides networking opportunities and knowledge sharing, we also provide training and certifications within the skills and capability framework SFIAplus. It’s through this framework that we enable healthcare IT professionals to rise through the ranks to CHCIO, or beyond to FEDIP Leading Practitioner. Unlike a normal qualification where the relationship ends at the point of achievement, when training with BCS, your professional registration only marks the starting point.
To find out more about all the benefits BCS membership provides, please visit bcs.org/health
Future skills in healthcare
When developing digital skills, risk is just one of four key considerations. To discover how to overcome the challenges of leadership, culture and funding, download our latest report.