How The Healthcare Industry Could Combat Cyber Risks


The healthcare sector continues to be a prime target for cyber attacks, and it’s easy to see why.

The fundamental issue is that healthcare is hugely data-intensive, which results in an ‘attack surface’ that is both vast and constantly growing as medical monitoring expands.

Additionally, existing vulnerabilities such as outdated equipment and a lack of experienced cyber security staff exacerbate risks.

With patient demand consistently high and systems under pressure, any disruption can have serious consequences. For ransomware groups, that makes healthcare a high-leverage target. In the worst-case scenario, a network outage could put lives at risk. This is a pressure point that attackers believe increases the chances of a quick payout, before backups can be restored.

The targeting of healthcare has a long history. In October 2016, Northern Lincolnshire and Goole NHS Foundation Trust was hit by ransomware – an early NHS case – forcing the cancellation of 2,800 appointments.


The Scale of Cyber Attacks

The scale of cyber attacks on the NHS has continued to intensify.

One of the most well-known attacks is the WannaCry ransomware attack in 2017, which caused major disruption to hospitals around the world. While not aimed specifically at healthcare, WannaCry showed that large-scale, damaging attacks were possible.

The Synnovis ransomware attack in June 2024 led to the postponement of over 10,000 outpatient appointments and more than 1,700 elective procedures at London hospitals and resulted in at least two cases of long-term or permanent patient harm.

Other cyber attacks have followed, including an incident in May 2025 when cyber criminals targeted University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust. The attack exploited a software vulnerability and led to the theft of NHS data, raising concerns about potential unauthorised access to sensitive patient records.

With ransomware in particular a persistent threat to the NHS, senior cyber security leaders from the UK government and NHS have urged technology suppliers’ chief executives to publicly commit to strong security practices by signing a new cyber security charter – a key step in improving security for the healthcare industry.


Cyber Criminals Targeting Healthcare

The WannaCry attack in particular arrived at a time when the sector was already struggling to control widespread data breaches involving large volumes of Personal Health Information (PHI). This type of data remains attractive to cyber criminals for several reasons:

  • Medical identities and records are the most financially valuable type of personally identifiable information (PII), selling for high prices on dark web markets where they are used to launch sophisticated identity theft.
  • An especially high value is attached to the PHI of celebrities and politicians.
  • The threat to release data stolen during a ransomware attack is now routinely used to drive up the price of extortion ransoms.

The extensive data generated by healthcare continues to expand the ‘attack surface,’ making it a persistent target. According to the UK government’s Cyber Security Breaches Survey 2025, over 40% of health and care organisations reported experiencing a cyber security breach or attack in the past year, with larger organisations facing even higher rates. PHI files can be exposed by human error, equipment misconfiguration, a software vulnerability in medical equipment and IT systems, or theft by insiders.

Healthcare organisations also make extensive use of third party and agency workers, which makes oversight harder and increases the chances of credential sharing and errors. Then there are established weaknesses such as migrating from insecure legacy equipment, a lack of experienced cyber security staff, under-investment in security, and dependence on equipment that has not been thoroughly tested for security issues.

In 2024 and 2025, NHS Digital issued regular cyber alerts on new vulnerabilities affecting NHS systems – including critical updates for widely used software and medical devices – to help trusts and suppliers respond to the evolving threat landscape.

The UK government is also responding with the planned Cyber Security and Resilience Bill, expected to be introduced to Parliament in 2025.

The Bill is intended to raise baseline cyber resilience across critical services, including health. It is expected to strengthen and expand the UK’s NIS framework, introduce clearer and more consistent incident‑reporting duties, and give regulators sharper enforcement powers and penalties.

For the NHS and its suppliers, expect NCSC CAF‑aligned minimum standards, tougher supplier assurance, and stricter logging, MFA, vulnerability management, and patching – protecting patient data and continuity of care.

Some NHS suppliers are required to demonstrate Cyber Essentials Plus compliance.


New Medical Devices and Cyber Security

Healthcare is experiencing a major expansion in medical data collection as a bewildering array of new types of monitoring devices – such as wearable heart rate monitors, glucose sensors, or smart inhalers – are handed out to patients. Many of these first-generation devices have proven immature in security terms, often in ways that take specialised testing to uncover.

Everyone agrees that these sorts of checks should be carried out during development and that patients and healthcare providers should not become unwitting beta testers. The influence of such medical devices will undoubtedly spur a demand by patients to access their own electronic health records (EHRs), something many healthcare providers are not yet able to offer in a secure way.

The increasing use of digital health records in the NHS has expanded the attack surface, with legacy technology and isolated data systems cited by 64% of NHS staff as a barrier to safe, efficient care.


Resilience Against Cyber Crime

In theory, access control offers a solution, particularly as part of a broader Information Security Management System (ISMS). While that is true, healthcare organisations should first analyse their current weaknesses.

The Health-ISAC 2025 Health Sector Cyber Threat Landscape report warns that compromised credentials – often the result of phishing or poor account hygiene – remain a leading cause of healthcare breaches, allowing attackers to bypass access controls and move laterally within networks.


Getting the Basics Right

It’s often the simple things that get lost. For example:

  • Mandating email security standards such as Domain-based Message Authentication, Reporting and Conformance (DMARC) makes it much harder for attackers to spoof email addresses and impersonate genuine contacts.
  • Email accounts should be protected not only with rigorous password policies but also by using multi-factor authentication by default for all accounts.
  • Access control on data needs to consider the possibility of internal misuse – another blind spot many healthcare organisations assume is a secondary concern.
  • Third-party agencies must be included in any overhaul of data governance with assurance to ensure standards are being met.
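Publishing a DMARC record is only half the job: a record with `p=none` merely reports spoofing, it does not stop it. The following Python script is an added example (not code from the page or from British Assessment Bureau) that parses a DMARC TXT record and rates how much protection it actually gives. The domain names and records are constructed for illustration, and the "missing / invalid / monitor-only / partial / enforcing" rating scheme is this example's own, not a standard.

```python
# Added example: classifies DMARC policy records by the protection they give.
# The sample records below are constructed for illustration, not real domains.

# Constructed DMARC TXT records, as they would be published at _dmarc.<domain>
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strong.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    "missing.example": "",
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs.

    Returns a dict keyed by lower-cased tag name, or None when the text is not
    a DMARC record (it must carry v=DMARC1).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # empty trailing segment or malformed tag: ignore it
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Rate a DMARC record and list the weaknesses found.

    Returns (rating, findings) where rating is one of
    "missing", "invalid", "monitor-only", "partial" or "enforcing".
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no DMARC record (v=DMARC1) published"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or not none/quarantine/reject"]

    findings = []

    # pct defaults to 100; anything less leaves part of the failing mail unhandled
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number; treating it as 0")
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp (subdomain policy) defaults to p; unprotected subdomains are easy to spoof
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy} is weaker than reject")

    # relaxed alignment (the default) accepts any subdomain of the From: domain
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed; consider {tag}=s")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    if policy == "reject" and pct == 100:
        rating = "enforcing"
    elif policy in ("quarantine", "reject"):
        rating = "partial"
    else:
        rating = "monitor-only"
    return rating, findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rating, findings = assess_dmarc(record)
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice you would feed `assess_dmarc` the TXT record fetched from `_dmarc.<your-domain>` for every domain and subdomain your organisation sends mail from; anything rated below "enforcing" is a domain an attacker can still impersonate in phishing mail to staff, patients or suppliers.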


A Comprehensive Approach

Even with these basics in place, organisations only get so far. A comprehensive approach to cyber security in the healthcare industry must also take account of human behaviour, using technical controls as a baseline backed by a long-term commitment to user training to resist common attacks.

Many breaches start with relatively simple social engineering and phishing attacks that often go undetected until it is too late. Defending against such attacks requires more than user training and awareness, but without that as a starting point, it is unlikely to succeed.


Clear Roles and Processes

Large-scale cyber security reforms are often slow to happen because they represent a change in culture, which humans resist. Designing a new culture is never straightforward.

Organisational complexity doesn’t help – sometimes even knowing whose job it is to implement certain policies, let alone checking that they have been implemented correctly, can turn into a barrier.

As healthcare regulation and governance standards evolve, the sector has begun to recognise the scale of the institutional challenge.

Healthcare was built to support patients with physical health needs. Today, that responsibility extends to protecting the confidentiality of their digital information and defending against the growing threat of cyber crime.


Help Protect Your Organisation From Cyber Crime

British Assessment Bureau offers a variety of services to help organisations prepare for and protect themselves from the consequences of cyber crime.

These range from training staff on how to spot and avoid cyber security risks to formal cyber security certification, such as Cyber Essentials, Cyber Essentials Plus and ISO 27001.

Contact our expert team today to find out more, or get a quote for your business.

British Assessment Bureau provides Cyber Essentials and Cyber Essentials Plus services via our sister company, Ascentor, part of the Amtivo group.
