
Article • Digital resilience
Healthcare cybersecurity: from basics to best practices
Building resilience for digitally driven healthcare: At the HETT (Healthcare Excellence Through Technology) North conference in Manchester, leading IT specialists highlighted the need for high levels of education, awareness and vigilance among healthcare staff in the fight to protect systems against cyberattack.
By Mark Nicholls
With the healthcare sector increasingly reliant on technology to deliver services, and the NHS in the UK along with other major public organisations having seen a number of cyberattacks in recent years, experts are placing the emphasis on getting the basics right as a critical step in protecting against, or minimising, future attacks and keeping patients safe.
Nasser Arif, Cyber Security Manager at London North West University Healthcare NHS Trust, chaired the panel at HETT North and opened the session by emphasizing the importance of finding “the right balance” between optimal use of technology, patient access and protection against cyberattack.
MFA, passwords, patching: getting the basics right
Catherine O’Keeffe, Deputy Director of Cyber Operations (Delivery) and Head of the Cyber Profession within the Cyber Operations Team at NHS England, underlined the importance of multi-factor authentication (MFA), robust password management and patching (software changes to resolve a security vulnerability). ‘MFA will stop 90% of cyberattacks,’ she said, ‘and if you get the patching right, you will take away some of the critical vulnerabilities.’
She said password management should also extend to clients and suppliers, where passwords may often not have been regularly updated. ‘Back to basics is absolutely where you should be. Get all the basics right and not only are you decreasing the risk, you are increasing resilience, and the ability to recover from cyberattack.’
Education and awareness
Daniel Hallen, Director of Data & Digital (CIO) at East Lancashire Hospitals, pointed to the importance of education and awareness among all tiers of healthcare staff. Critical cybersecurity issues, he argued, are rooted in user behaviour, such as posting personal details on social media via smartphones or carrying at-home habits into the workplace. ‘We have to educate people at all levels about security,’ he said. He placed particular emphasis on senior leaders within an organisation who have a visible and “googleable” profile, and who therefore also need to protect themselves in a personal capacity.
To educate healthcare staff against the threat of cyberattacks, Hallen highlighted impactful awareness and communication strategies, including phishing exercises; reinforcing cybersecurity messages; simulations and cyber training; testing security plans; and campaigns such as Cyber Security Month in October. This educational approach, the experts said, must also apply when devices are being used by patients from their own homes.
Cybersecurity as a team effort
According to Mohammad Waqas, CTO Healthcare at cybersecurity company Armis, identifying vulnerabilities, understanding the associated risks, and developing appropriate responses are essential. Healthcare professionals need to be aware of the different entry points and identify the most critical elements of patient care service delivery, he said, adding that ‘systems are never going to be 100% secure.’ Because some downtime after a cyber-incident is inevitable, it is crucial to plan for maintaining continuity of care while services are compromised.
Waqas further pointed to the benefits of cross-organizational collaboration to work through issues and pool resources in a financially constrained environment. The discussion also highlighted the importance of interdisciplinary teamwork, emphasizing the value of integrating perspectives from both clinical teams and cybersecurity experts. ‘Once there is that understanding,’ said Waqas, ‘people can work together to secure the environment.’
Protective technologies
While the importance of collaboration and partnerships in managing staff awareness and cyber risks was emphasized, the experts also addressed the necessity of implementing protective technologies such as Microsoft Defender and similar security tools.
These solutions provide much-needed visibility into IT infrastructure, allowing for earlier intervention to prevent threats from escalating, said O’Keeffe, who pointed to the Cyber Associates Network as an invaluable resource for sharing and solving problems. That collaboration also extends to suppliers, partners and vendors, and can lead to greater accountability while drawing on their specialised expertise to enhance cybersecurity measures.
Offering an external perspective, Daniel O’Shaughnessy, Head of Programme Delivery for Digital Care Hub, observed that organisations often cite limited resources as a barrier to addressing cybersecurity issues. ‘It is often siloed solutions but the same threat actors are targeting the same groups in the same way, so there are economies of scale here to share across the system of when and where it is happening.’
While concerns regarding Artificial Intelligence (AI) were discussed, panellists characterised it as an “emerging technology” that should be approached similarly to other innovations like smartphones or social media, noting that AI is also being deployed defensively in cybersecurity applications.
Profiles:
Nasser Arif is Cyber Security Manager with London North West University Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust and a cyber security professional with an interest in transformation, wellbeing and the human element of cyber security.
Catherine O’Keeffe is the Deputy Director of Cyber Operations (Delivery) & Head of the Cyber Profession within the Cyber Operations Team at NHS England and has a wealth of experience in clinical practice, IT, Information Governance and Cyber Security, having worked in the NHS for over 35 years.
Daniel Hallen is the Director of Data & Digital (CIO) at East Lancashire Hospitals, and with a background in digital programme leadership and transformation, has worked in the NHS, local government, and the private sector.
Mohammad Waqas is CTO Healthcare at Armis with an interest in cyber security and IT/Digital Leadership.
Daniel O’Shaughnessy is the Head of Programme Delivery for Digital Care Hub's Better Security, Better Care Programme – a nationwide programme that supports the Adult Social Care sector with data protection and cyber security.
07.07.2025