The NHS is continuing to strengthen its cybersecurity posture, as organisations across the health system respond to an increasingly complex and persistent threat landscape.
“Cyber is often seen as part of an IT budget, but it’s really a people, process, and technology challenge,” Rosie Underwood, HealthCare Client Group Director at Daintta, told Building Better Healthcare.
“We need to treat it as its own discipline.”
Daintta is a cybersecurity consultancy that partners with NHS organisations nationally and regionally to strengthen their data and cyber capabilities and close compliance gaps.
It’s been nearly a decade since the 2017 WannaCry cyberattack, the most significant cyber incident to impact the NHS.
The WannaCry cyberattack was a global ransomware attack that severely disrupted the NHS by locking staff out of systems, forcing a return to paper processes, cancelling appointments, and impacting services such as ambulance handovers, diagnostics, and patient records access.
Sector leaders say progress has been substantial since 2017, but challenges remain, particularly around funding, legacy infrastructure, and clearly demonstrating how cyber risks translate into impacts on patient care.
What did WannaCry set in motion?
The 2017 WannaCry ransomware attack marked a turning point for healthcare cybersecurity.
While not targeted specifically at the NHS, it caused widespread disruption across services, with some organisations forced to shut down systems entirely.
The incident exposed vulnerabilities across digital infrastructure and accelerated investment in cyber capabilities across the NHS.
“Cybersecurity just wasn’t as well known or funded before that point,” said Underwood.
“Following WannaCry, there was a clear increase in both funding and resources.”
Since then, NHS organisations have significantly improved their operational capabilities, including better system visibility and coordinated national responses to incidents.
“We still work in a lot of legacy systems. So there is still the challenge around not being able to update systems because they’re running clinical programmes that haven’t been updated, and they rely on that,” said Underwood.
National frameworks that underpin NHS cybersecurity
Cyber resilience across the NHS is underpinned by national frameworks and strategies, including the government’s Health and Care Cyber Security Strategy, which sets out a roadmap to 2030.
All NHS organisations are required to complete the Data Security and Protection Toolkit (DSPT) annually, aligned with the National Cyber Security Centre’s Cyber Assessment Framework.
These national frameworks and the toolkit ensure a consistent baseline for cyber maturity across the system.
At the same time, responsibility for implementation sits at multiple levels.
The NHS is not a single entity but a network of more than 200 organisations, each with its own systems, risks, and operational complexity.
“There are national, regional, and local approaches,” Underwood explained. “Understanding risk and maturity across that landscape is key to improving resilience.”
Ensuring consistency across this fragmented structure remains a challenge, with each organisation operating at different levels of cyber maturity, resource availability, and infrastructure complexity.
A shift beyond IT
One of the most significant shifts in recent years has been the move to position cybersecurity as more than just an IT issue.
This includes investment not only in infrastructure and threat detection tools, but also in governance frameworks, incident response planning, and workforce training, particularly around risks such as phishing.
Underwood said efforts are also underway to embed cybersecurity awareness across all levels of NHS organisations, from boardrooms to frontline staff.
Linking cyber risk to patient outcomes
Despite progress, a key challenge remains: articulating cyber risk in terms of patient impact.
“It’s difficult to translate a technical cyber issue into a clinical risk,” Underwood noted.
“But that’s where the real understanding comes: if people see how a cyber attack affects patient care, it becomes much more tangible.”
During WannaCry, for example, system outages disrupted clinical services, and in some cases even affected physical infrastructure such as automated access systems for emergency vehicles.
Strengthening this connection between cyber resilience and patient safety is seen as critical to securing long-term investment and engagement.
Preparing for inevitable attacks
Sector experts emphasise that cyber incidents are no longer a question of “if” but “when”.
As a result, NHS organisations are increasingly focused on preparedness and response.
This includes regular simulation exercises, incident management planning, and business continuity strategies to minimise disruption.
The National Cyber Security Centre’s “Exercise in a Box” programme is one such initiative, enabling organisations to test their response to simulated cyber incidents.
“The most important thing is planning and training,” said Underwood. “When an attack happens, people need to know exactly what to do.”
Balancing pressures in a constrained system
Financial and operational pressures continue to shape decision-making around cybersecurity.
With limited budgets and increasing demand for clinical services, NHS leaders often face difficult trade-offs between investing in medical equipment and cybersecurity measures.
Legacy systems also present ongoing challenges, particularly where critical clinical technologies cannot be easily updated or replaced.
“The NHS is in a very challenging position,” Underwood said. “You’re balancing immediate patient needs with long-term resilience.”
The cybersecurity tools of the future
As digital transformation accelerates, new technologies such as AI are expected to introduce both opportunities and risks.
Cybersecurity providers are increasingly investing in research and “horizon scanning”: identifying and analysing emerging trends, risks, and opportunities to inform future decision-making.
This systematic approach will help anticipate future threats and support healthcare organisations in adapting to them.
While the NHS has made significant strides since 2017, the evolving threat landscape means cybersecurity will remain a central concern for the health sector in the years ahead.
“The landscape is constantly changing,” Underwood added. “Staying ahead means continually adapting: across people, processes, and technology.”