Cybersecurity in healthcare: strengthening resilience across the NHS and beyond

Article | 26.11.2025 | 8 mins read

Key takeaways

Cyber threats pose direct risks to patient safety

Recent ransomware attacks highlight severe operational and clinical impacts.

New Bill and NHS charter drive compliance

Mandatory security standards and best-practice principles reshape obligations.

Proactive measures essential for resilience

Multi-factor authentication, monitoring, and robust backups are critical.

With the recent introduction of the Cyber Security and Resilience Bill in Parliament, now is a particularly crucial time to reflect on escalating cybersecurity risks and bolster the NHS’ resilience to such attacks.

As healthcare systems become increasingly digitised, the importance of robust cybersecurity measures has never been more critical. A series of statutory, regulatory and operational initiatives are being introduced to bolster the sector’s cyber resilience, and healthcare providers must take proactive steps to stay informed and implement such ongoing changes.

Compliance with the recently introduced Cyber Security and Resilience Bill and NHS England and the Department of Health and Social Care’s charter of best practice are set to become integral requirements for healthcare providers to adhere to.

Escalating threats and high-profile incidents

The healthcare sector has long been a target for cyberattacks due to the volume and sensitivity of the data it holds. A notable example is the global WannaCry ransomware attack in 2017: whilst this attack was not specifically targeted at the NHS, it nonetheless affected 81 NHS Trusts in England and is estimated to have cost the NHS around £92 million through services lost and IT costs.

The June 2024 ransomware attack on Synnovis, a pathology services provider for London hospitals, led to the cancellation of over 10,000 outpatient appointments and 1,710 elective procedures. As part of the attack, data such as patient names and NHS numbers was published, and it took 16 weeks for services to return to near-normal levels. The consequences of the attack have now been confirmed to include the death of a patient, with delays in blood test results being a contributing factor to their death. This marks one of the first confirmed cases in the UK where a cyberattack has directly impacted patient safety to such a devastating extent.

In a recent update, Synnovis confirmed it was now in the process of notifying those affected. The delay in completing the investigation was attributed to the ‘exceptional scale and complexity’ of the attack.

Following Synnovis, as recently as November and December of 2024 it was confirmed that four hospitals in Merseyside were also targeted by cyberattacks.

Strengthening NHS systems

The Information Commissioner’s Office (ICO) has taken a firm stance, initially issuing a provisional £6.09 million fine against Advanced Computer Software Group Ltd following a 2022 ransomware attack that exposed sensitive data of nearly 900 service users. The breach was linked to the absence of two-factor authentication on a user account, highlighting the consequences of inadequate cyber hygiene.

NHS England and the Department of Health and Social Care issued an open letter to supplier CEOs on 15 May 2025 asking them to sign their charter of cyber security best practice, emphasising the changing landscape of cybersecurity and outlining eight principles aimed at fortifying NHS supply chains. These include the implementation of multi-factor authentication, 24/7 cyber monitoring, and strong backup systems to ensure service continuity. Looking forward, the charter is intended to be an integral part of the process of strengthening NHS systems.

The letter can be found at: Cyber security charter - letter to supplier CEOs - NHS England Digital

While not mandatory, adherence to these standards is likely to become a benchmark for best practice, exceeding existing statutory and contractual obligations, such as the Data Security and Protection Toolkit, which remains a cornerstone of cyber governance.

The Data Security and Protection Toolkit is designed to ensure compliance with data security and information governance requirements mandated by the Department of Health and Social Care and is an example of an Information Standard, published under section 250 of the Health and Social Care Act 2012 (as amended by the Health and Care Act 2022 and the Data (Use and Access) Act 2025). Information Standards apply whenever public and private providers use, process or share health and adult social care information, in order to increase efficiency of data sharing between health and social care providers.

By way of monitoring compliance, NHS bodies are required to comply with an Information Standard Notice (which sets out the legal basis for an Information Standard) as a condition of the provider licence. Failure to evidence compliance with mandatory Information Standards within the timeframe specified in a Notice may result in enforcement action for private providers.

Complementing these initiatives is a dedicated threat operations team which proactively detects cyber security threats to safeguard UK health and social care systems, employing a ‘threat hunting function’ to identify malicious activity that may evade traditional detection methods.

Moving forward, NHS England have recently announced plans to procure a cyber operations external attack surface management system, intended to protect IT systems that are internet-facing against cyber threats and to reduce cyber security risks facing the NHS. The system is intended for use by NHS organisations nationally and will be designed to address vulnerabilities and security weaknesses in the sector. Whilst the timescales for rollout of the system have not yet been confirmed, such changes demonstrate an increasing focus on strengthening systems against cyber security risks.

Regulatory reform

The UK Government is taking further legislative steps to strengthen resistance to potential cyber attacks. The Cyber Security and Resilience Bill, introduced in Parliament this month, intends to strengthen UK cyber security across a variety of sectors, with a specific focus on the NHS. Those subject to the terms of the Bill will be required to meet robust security requirements, including improving staff awareness of such threats and reporting any significant incidents to the National Cyber Security Centre within 24 hours.

A link to the Bill and our Article on the Bill can be found below:

Tough new laws to strengthen the UK’s defences against cyber attacks on NHS, transport and energy - GOV.UK

Introducing the Cyber Security and Resilience Bill | Hill Dickinson

Looking ahead

Cybersecurity in healthcare is no longer merely a technical issue; it is an essential part of maintaining patient safety and security. Whilst the NHS and its partners navigate an increasingly complex landscape of potential threats, a combination of regulatory reform, supplier engagement and internal capability-building evidences the sector’s growing resistance against such attacks, the full impact of which is yet to be seen.

This article was co-authored by Brooke Foster.
