







Why cybersecurity must become everyone’s responsibility in a digitised NHS


Cybersecurity is rightly claiming a place on board agendas across the country as NHS organisations look to safeguard patient care. As we increasingly rely on digital systems and technology to deliver services to patients, organisations are being faced with more complex risks from sophisticated hacking and cyberwarfare.

Any breach of security has the potential to impact how we care for patients by disrupting access to vital information. That information might be practical, operational information such as theatre booking software, right through to clinical systems that tell us which treatments are safe for our patients. When IT infrastructure is compromised, patient care is disrupted and delayed. But in building stronger defences, we must strike the right balance to ensure security itself does not become a barrier to care.

Building stronger defences

The widespread impact of the WannaCry ransomware attack five years ago prompted a significant leap forward in cybersecurity across the NHS, with major investment in new hardware and operating systems as well as security defences. At NHS Arden & GEM CSU, we have become adept at running regular audits for NHS organisations to assess the strength of their networks and infrastructure and ensure software patches and upgrades are applied more promptly. When attacks do happen, organisations are more able to monitor and learn from them to continuously improve. Accreditations such as Cyber Essentials and Cyber Essentials Plus have provided a robust framework for cybersecurity readiness, which is often baked into procurement processes for new digital systems, helping to embed cybersecurity into NHS infrastructure.

This work reduces the NHS’s vulnerability to breaches but is just the tip of the cybersecurity iceberg. Over one million people work for the NHS in the UK, many of whom will be involved in buying products and using systems that affect the security of our networks, which in turn impact patient safety. To minimise the risk of disruption or delay that can be caused by an attack on IT infrastructure, we must combine more robust systems with training and support for all NHS staff.

Partnership working

In the same way we have seen with areas such as data protection and core technology, cybersecurity needs to become entrenched. Digital influences are everywhere. From the computer that sits in a consulting room, to the instruments, fridges and hospital beds we use, Bluetooth and wi-fi capabilities are often built in and will need to ‘talk to’ a hospital or other NHS network. Until recently, many of these purchases have happened independently, and IT security standards have only been considered as departments seek to connect their devices. But every connected device is a potential backdoor into the wider infrastructure we rely on to deliver patient care.

By strengthening relationships with operational and clinical leads, and building a better understanding of what is needed to safeguard security standards, cybersecurity and IT teams can help their organisations gain the full benefit from the systems they are investing in. Whether it’s a small-scale purchase or a major project, working in partnership will enable organisations to adopt a ‘security first’ approach to digital that will pay dividends in the future.

Striking the right balance

Most cyberattacks begin as so-called phishing attacks, where individuals are tricked into giving away login or financial information through sophisticated scams purporting to represent legitimate advice or information requests. Once a user has been tricked into releasing their email login details, this can quickly escalate, as email is often used to verify access to other systems.

One answer is to make logging in more complex, with multi-factor authentication and complex password rules – an approach already being used in some areas. But we have to balance this need for security with enabling NHS staff to work efficiently in highly pressurised environments. If we make security too time-consuming, people are more likely to find a workaround, which could prove riskier than a simpler security policy. Awareness and education are crucial.

Leadership teams have an important role to play here, from ensuring cybersecurity is regularly on the board agenda, to modelling behaviour that demonstrates commitment to improving their own cybersecurity skills and actively encouraging better engagement with training and support.

At a time when the NHS has never been busier, there are multiple priorities competing for attention, but cyber breaches can cause havoc in terms of care delivery. Increasing digitisation in the NHS needs to be matched with security know-how that sees organisations embedding a robust, practical cybersecurity approach. With board-level support, managers and clinical leaders can drive forward the required action to deliver a security-first approach that will protect the infrastructure underpinning patient care.

Top tips to minimise the risk of cyberattacks:

1. Choose longer, memorable passphrases and use them once only. Statistics show a three-word passphrase is harder to crack than a shorter, random password – and it’s easier to remember. But don’t reuse a password or phrase on more than one account.

2. Restart your computer regularly. Essential security patches can only be properly deployed if your computer restarts, ideally every night, but at least weekly.

3. Act quickly if you think your computer or email account has been compromised. Tell your IT team immediately as there’s often a chance they can minimise or even eliminate the damage.

This article was originally written for National Health Executive. You can read it here in the July/August edition.


Author: Tej Gudka

As Head of Cybersecurity at NHS Arden & GEM CSU, Tej leads a team of IT Security Managers responsible for over 60,000 IT assets. Tej holds a number of cybersecurity qualifications including ISC2 CISSP, ISC2 SSCP and the CIPR (Cyber Incident Planning and Response) certification. He also led Arden & GEM to achieve Cyber Essentials PLUS certification in 2021.

In addition to IT leadership roles within an NHS Acute Trust, Tej also has experience of working within IT infrastructure, service management and security across a variety of sectors including education, legal, professional services and manufacturing, which has given him a holistic understanding of the challenges facing a digitised public sector.