The NHS’s IT governing body is refusing to invest in cybersecurity protection as it does not represent value for money. According to the Health Service Journal, NHS Digital is set to ignore the recommendations laid out in a government-sanctioned report authored by its own CIO due to the costs being too high.
Commenting on the news are the following security professionals:
Javvad Malik, Security Advocate at AlienVault:
"It would be wrong to say that the NHS has outright refused to implement the suggestions of the ICO in terms of improving security. Rather, that to implement each control as specified would be cost-prohibitive, and that the NHS will implement security controls in a manner that is in line with its budget and priorities.
It is also worthwhile bearing in mind that organisations that invest more in security don't necessarily achieve better outcomes, as presented in the recent AT&T Business Cybersecurity Insight report vol. 8."
Sam Curry, Chief Security Officer at Cybereason:
"Second, it's possible that they have made the right call, accepting some measures and rejecting others.
Finally, they may have the wrong incentives. Put plainly, they may not care enough. That's not an indictment; it may just be a fact. Are they incented to really care about pursuing privacy and security beyond a binary yes/no answer? How much do they care? Is it a first principle? The solution emerges then: make a formal, reasoned statement about the degree of care and the importance of privacy and security. If nothing else, GDPR paints a clear set of signposts, at least until Brexit. Then convene an internal panel of players on IT risk and an external advisory group of cyber experts to guide next steps and make this an ongoing process of risk and value trade-offs."