
Interview: Diane Abela Hardy, CISO at Accurx, on building an NHS fit for the future

As the NHS becomes more digitally interconnected, so does its exposure to cyber threats. Cyber-attacks are growing in volume and complexity, meaning healthcare organisations face unique risks – where a system failure isn’t just an IT issue, but one that can impact lives. 

Despite this, the approach to cyber security across the health service and its supplier network remains fragmented. Current compliance regimes can sometimes feel like tick-box exercises, lacking the cohesion and collaboration needed to build real resilience. 

To explore what needs to change, we spoke with Diane Abela Hardy, CISO at Accurx – the communication platform for the NHS. She shared her views on the current landscape, barriers to progress and how a shift from siloed security practices to a more unified and transparent approach between NHS and suppliers could build a stronger and safer NHS. 

The problem: rising cyber threats and the growing risk to healthcare 

Diane began by outlining the challenges currently facing the UK cyber landscape: “In a general sense, we’re seeing an increase in cyber-attacks and it’s been particularly obvious over the past few months.”  She pointed to recent attacks on retail chains as a broader indication that the UK is being increasingly targeted but positively noted that UK investment in cyber security is also rising in response.  

In the context of healthcare, she stated that the stakes are even higher: “There has been an increase in attacks on healthcare infrastructure and what I’ve noticed when looking at these attacks is that they don’t always target the healthcare organisation directly. They’ll sometimes also target the supplier or third-party organisation and when an attack on any part of the healthcare ecosystem happens, unfortunately this impacts care.”  

Diane highlighted that this is one of the reasons the impact of cyber-attacks is magnified in healthcare: “Because it’s not just impacting a business’ services as you see in other industries, it’s impacting people’s lives” and the attacks themselves are “becoming more complex and lucrative, especially now with AI being used by malicious parties to power these attacks”. 

The opportunity: A more joined-up ecosystem  

While Diane acknowledged that NHS England (NHSE) has laid the groundwork for improved cyber resilience, she emphasised that a more integrated approach is still needed: “I think that NHSE has already set the scene when it comes to the expectations on suppliers and a lot has already been done in terms of creating a strong mandate”, however she noted the importance of having “better alignment and partnership between NHS organisations and their suppliers”. 

Expanding on what NHSE is already doing, she added: “There’s a lot happening at the NHS in terms of enhancing security posture, for example, there’s the NHSE Security Operation Centre, which is constantly monitoring healthcare organisations and building security services. Similarly, the latest NHSE Cyber Security Charter has set the direction to build a mandate with suppliers to make them part of the ecosystem, which is a very good first step”. 

However, Diane added that operational execution is still lacking cohesion: “From an operational standpoint, things are still too disjointed. Whilst NHSE has made the governing requirements known and these are being implemented by NHS organisations, suppliers are still being treated as a separate entity and being asked to implement controls in silo”. 

The solution, Diane argued, lies in building partnerships, not silos: “A partnership between NHS organisations and critical suppliers would create strength in numbers. Collectively, we’re stronger than the sum of our parts”. 

Giving an example of what this might look like, Diane explained: “If the NHSE security centre is seeing a certain threat that’s attacking healthcare organisations, that information could be shared with suppliers so that we can share it with our own security operations teams for their awareness and action. This is already being done with the sharing of vulnerabilities with suppliers; extending the approach to threat intelligence could create an even more joined-up approach where we act as one ecosystem working against the attackers together”.

Overcoming key barriers to integration 

To close the gap between the vision for a centralised ecosystem between NHS organisations and suppliers and execution, Diane believes that the biggest challenges lie in the way the system is currently structured: “The journey has already started to bring us together and to create this partnership and this ecosystem, but right now it still feels very much like a top-down approach,” Diane said, before emphasising, “the way that things are set up is the main barrier”. 

On how to overcome this roadblock, she explained, “There needs to be a push for partnership between suppliers and NHS organisations – an alignment of security postures and behaviours, underpinned with regular and transparent communication about the threats we are facing together”.  

She pointed to the NHS Cybersecurity Charter as a step in the right direction, noting how it outlines the intention to “combine this ecosystem of suppliers and the NHS organisations”.  

However, she also noted that progress will take time: “This is not a small feat and not all suppliers have that level of security or time available, so not everyone will want to get on board. This is why it needs to be driven centrally”. 

Building trust through transparency 

One of the key enablers of a more resilient and collaborative security ecosystem is transparency – particularly in how suppliers communicate their approach to risk and compliance. Diane explained: “At Accurx we have always been very transparent about our security and privacy practices, sharing these in detail with NHS organisations that onboard our tooling, and even making documentation about our privacy practices public”.  

Diane shared that doing so sets a good precedent of what good security and practices look like to other suppliers in the market but also enables two-way informed discussions with NHS organisations so that they may grow and improve together. She cited a recent example of how Accurx transparently shared their approach to securing their new ambient scribe feature, Accurx Scribe, which “allows clinicians to scribe their consultation with their patient through the use of AI”. 

When building their own internal framework for safe and secure AI, Accurx considered the AI guidelines and frameworks available, with Diane highlighting: “Right now, there’s no governing framework on how to implement AI within healthcare. We’ve been very transparent about our approach, sharing materials with all NHS organisations but also making them available publicly, via Frequently Asked Question documents on our website and a published version of our Data Protection Impact Assessment.”  

Accurx also recently hosted a webinar with NHS clinicians, to go through in detail the approach that the company took to roll out safe and secure Scribe technology. In Diane’s view, this kind of transparent behaviour should be encouraged across all suppliers, sharing that the NHS could bring the market together to consult and work on updating or introducing new standards that could improve security and privacy across suppliers in the NHS. 

The future: Streamlined and standardised security requirements and better collaboration 

Diane highlighted the burden that disjointed compliance places on suppliers: “We’re seeing the same requirements being enforced via different mechanisms, which results in numerous audits against overlapping controls”. This then involves “showcasing the same thing over and over again, requiring more resources and energy that could be put into the actual implementation of security controls”.

Her takeaway was clear: “Five audits put together don’t make you five times stronger”. For Diane, regulation and compliance should instead be done in a way that “adds value”. 

To strengthen collaboration, she advocated for structured, ongoing forums: “I think there needs to be space for it. There needs to be forums for collaboration, with regular points of contact so we can have important conversations”. She noted how the NHS AI forum has already “brought together people from different NHS organisations and suppliers to talk about AI and how we can make it safe. I wonder whether there’s space for something similar for cyber security”. 

She finished by stating, “Accurx is in a great position where we can actually work with and advise the NHS on how to put this into place in a way that ensures safe and modern patient care”.

Diane painted a clear picture during our discussion, outlining how the NHS is making progress in cyber security, but structural fragmentation and inefficient compliance practices are holding it back. For her and for Accurx, the path forward lies in partnership, transparency, shared responsibility and ongoing collaboration between NHSE, NHS organisations and their suppliers.  

We’d like to thank Diane for taking the time to speak to us and sharing her insights into this topic.