For a recent HTN Now webinar, we were joined by digital leaders from across the health sector for a deep dive into cyber security in healthcare, exploring strategic challenges, preparedness, recovery, and how best to embed resilience into clinical, technical, and governance frameworks.
Making up our panel were Nasser Arif, cyber security manager at London North West University Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; Lee Rickles, CIO at Humber Teaching NHS Foundation Trust; and Andy Wilcox, Imprivata’s senior product marketing manager.
Nasser talked about his role in looking after day-to-day cyber security operations at both London North West and Hillingdon Hospitals, leading on incident response, compliance, and training. “I also speak about cyber security often at different events, which is a passion of mine – my main focus is showing people it’s much more than just IT,” he said.
“I head up our product marketing function at Imprivata,” Andy explained. “We’re an access management company focusing very much on digital identity, efficiency, and security within the healthcare space. I’ve been working on the vendor side in healthcare for over 20 years now, and before that with an internet service provider, so security has always been very much embedded in what I’m doing.”
Lee acknowledged that he was coming to the discussion wearing two hats: one as CIO for Humber Teaching, and one as director for Interweave. “My role is really more strategic, in terms of how we can manage risk, how we can get that message out across the organisation, business continuity, patient safety, resilience, and so on,” he noted. “That works both at a pan-regional level with the Shared Care Record and sharing of information at scale, and the simpler side of things where if we lost technology tomorrow, how would we communicate with patients, access records, and so on.”
Cyber security, the 10 Year Plan, and the shift to community
Moving on to the topic of the 10 Year Plan and its ambitions to shift care out to the community, our panel looked at the implications for cyber security and what the main considerations moving forward might be in this space. Andy tackled this first, highlighting the move from the traditional four walls of the hospital to patient homes, regional centres, and even virtual environments. “That’s adding a lot of complexity to the equation; these areas are all less controllable, less manageable, and all increase security risk,” he said. “I think we need to consider how we move forward with cyber security as an inherent part of the workflow we’re trying to deliver for patient care, and not just an afterthought.”
“I agree with Andy that we’re moving beyond the idea of the safe perimeter of the hospital to one where we have massive, interconnected systems,” Nasser shared. “With that, there are probably a lot of gaps in visibility that will appear – traditional NHS cyber teams have tended to have a very good grasp of what they’re in control of within the environment, but as soon as you have a device in someone’s house, you’re losing that visibility.” He noted that it is important this rapid shift is not carried out while ignoring security, leaving it to be bolted on once new systems are already in place. The mindset, he continued, should be “secure from day one”, bringing along suppliers who share that ideal.
Lee mentioned that from a neighbourhood point of view, the NHS will be working with many organisations with differing levels of cyber maturity. “When we’re looking at risk, the person could potentially be the biggest one,” he considered, “especially if we’re looking at phishing, ability to access, and sometimes limits to understanding about dangers.” Designing neighbourhoods with security in mind, and working with staff and patients on their understanding of cyber risks, is key, he continued, “and we’re moving into a world where there is shared risk, shared ownership, and shared management, which is not a natural thing for health and social care historically”.
The changing threat landscape
There is a potential shift coming over the next few years to organisations not wanting to connect due to concerns about it degrading their security, Lee predicted. “As far as being prepared for threats and getting in front of them, I’m not sure you can. It’s just things like looking at your business continuity and recovery plans – are you testing them and really kicking the tyres?” At Humber Teaching, the team undertakes a rotating audit process as part of EPRR, he noted, pointing to the importance of not only conducting tabletop exercises but also looking at testing processes. “We say cyber, but really we’re talking about the absence of technology – the recovery is much more about testing an operational service going down. Have your playbook, but also test it from an operational angle, and have that operational ownership.”
“It’s obvious that healthcare will always be a high value target,” Andy shared. “There’s a lot of data in there, there are a lot of legacy systems, and we’re highly interconnected. As Lee pointed out, it’s an arms race that we’re never going to win – we’ll always be one step behind, because all the attackers are doing is looking for weaknesses and exploiting them, whereas our main focus is obviously patient care.” Research has shown that identity is now the most common vector of attack within cyber security, he cited, “and we have a soft underbelly that could be exploited relatively easily where we can put in place firewalls and all these technology solutions, but people are often the weakest point in any cyber security defence”. As an organisation, the key thing is how you’re going to mitigate and manage that, being prepared, and offering more support, training, and resources in that regard, he concluded.
Something that has been widely accepted in cyber security in general is that there’s no way of predicting everything that is going to happen, Nasser put forward. One thing that is needed for NHS cyber security is a better understanding of the attacker mindset, he noted, instead of just reacting to things as they happen. “Another thing is why are we relying on auditors to come in every year and tell us what our weaknesses are? We should know them ourselves, and that’s the kind of thing we need to be asking our cyber security teams, making sure we give them the tools and creative freedom to experiment with it.” Attackers are growing increasingly creative, he told us, whereas defence has remained about meeting the requirements in the DSPT. “There’s a place for that, but we can also look at how we exploit the skills we have, the new tools coming in, and how we can be more proactive to fix things before something bad happens.”
AI and emerging technologies
Nasser pointed to the potential for AI to be harnessed by attackers for reconnaissance and identifying or developing new exploits “very easily”. From a defensive standpoint, it can also be useful, he contended, in speeding up detection and finding things it would take humans a long time to identify manually. “There’s a lot of good to be taken from the use of AI in the health space, and we need to embrace it, because it’s not going away. It goes back to what I was saying before about experimenting, and the first step is being very honest about where you are, so you can get to a point where you can better understand it.”
Andy echoed the sentiment that AI can bring both positives and negatives to the wider healthcare space, stating that from a vendor point of view it has the potential to help find flaws in code faster, improve iterations, and give people using products more confidence because patches can be deployed more quickly. “In the NHS, there’s an onus on NHS organisations to deploy those patches, which is resource-heavy, and that can create windows where things can be exploited because you haven’t had time to do that,” he explained. “I think we’re going to see a lot of use of AI agents as we move forward, and we need to look at those agents like human beings, because it’s not just an RPA process that repeats a task over and over; these are things that have a degree of intellectual curiosity, and there have been instances where AI agents have been let loose in environments and taken down entire databases – we need those guardrails in place.”
The key thing AI has that human beings don’t is speed, Lee told us, meaning within an hour it could be capable of picking up any inconsistencies or errors within an environment, skimming data, and then transferring that data elsewhere. Without AI also being used in monitoring and detection, those kinds of compromises might not get picked up by humans for hours or longer, he continued. “Then we have the risk around quantum. If we’re not using the right tooling now to defend against that, it will just breach all the encryptions, and it will all just be open in ten seconds.”
The supply chain
Emphasising the importance of having a clear picture of who critical suppliers are and knowing which systems would have the biggest impact on the organisation if they went down, Nasser talked about the necessity of initial and then ongoing checks for things like compliance. “The starting point is mapping out your suppliers, and then it’s checking you have ongoing monitoring in place the same way cyber security teams monitor infrastructure,” he said. “I think the Cyber Resilience Bill will help with that, as it puts in place consequences for suppliers who aren’t following the rules, which helps us trusts.” Suppliers may need a bit of support or clarity on expectations, he considered, “and a lot of the suppliers I have worked with have been nothing but helpful once you get that relationship going – it’s a two-way relationship, and they want to fix things, so they will jump on those with you, which improves the product for everyone”.
Sharing intelligence and what has worked with other NHS trusts or organisations is integral, Nasser stated, “and in the NHS we’re really good at that, but looking ahead we need to do that for things like the best way of implementing a new system – it’s being honest with yourself, and also with others”.
“The NHS has a lot that it could benefit from in working as a national service rather than as a franchise,” Lee said. “Unless we do something different, that problem will still exist. There’s still a massive risk relating to organisational awareness of the posture of vendors and what they are doing, and a need to really be kicking the tyres and checking evidence – we’re missing knowledge of key systems or solutions, which would be a massive opportunity to improve our cyber resilience and just general knowledge of systems.”
At Imprivata, having clinicians on the team who can go in and engage with those on the frontline to understand the workflows and the challenges is “really important”, Andy stated. “Technology isn’t just something you buy off-the-shelf and that’s it – if it doesn’t work properly, there’s the potential for reputational damage both for vendors and NHS organisations, so you’re always invested in making things successful and secure.” Vendors need to be able to access NHS networks to perform contractual duties like maintenance and service delivery, but there should always be visibility of that access and what they’re doing within the systems, he added.
Cyber security for vendors should be part of DCB0129 assessment, and vendors should be required to show how products work, the implications if something goes wrong, and plans to mitigate risks to ensure continuity of care, according to Andy. “Then you have things like the EU NIS2, which some may argue is a little bit heavy-handed, but which forces organisations from board level down to take ownership of who they contract with, the security posture of the services they’re delivering to you as an organisation. I think that’s really important, so it’s not just a procurement thing, or ticking a bunch of boxes; it’s understanding impact on patient safety, continuity of care, and that’s an ongoing process.”
Workforce culture and cyber literacy
Nasser talked about his passion for cyber education and encouraging cyber literacy, highlighting the importance of focusing on the impact of cyber awareness not only as part of an organisation, but also as part of people’s personal lives. “I think that’s more important than ever before, because the shift to community means there will be a greater onus on us as individuals to look after our own information. Things like clicking on a phishing link may only seem like small incidents, but those can lead to something far greater.” The NHS stance on asking people to take more ownership over their own health presents a good opportunity to add an element of personal responsibility for cyber and how we look after ourselves digitally, he noted.
“The other point is to be quite visible as cyber security, so people don’t only come across you when something has gone wrong,” Nasser continued. “There’s a tendency to focus on the metrics, and that’s fine, but you need to be mindful that actual cultural change is not going to happen just by completing the DSPT. It’s going to happen through those interactions, the building trust and relationships – you can’t just be there showing the bad, you have to show the good as well.” More consistency is needed across the NHS in how cyber teams are structured, he suggested, along with greater recognition of the impact of cyber on things like clinical care and making cyber a fundamental part of every discussion.
“I love what Nasser said about culture, because I think any progress we make in the shorter or longer term has got to be driven by a fundamental change in culture where cyber security isn’t seen as a barrier to care, but an integral component of care,” said Andy. “We’ve started talking about the long term plan and shifting out to the community, but ultimately all that’s trying to do is deliver better care for the patient – it’s really important we design technology to support care that’s very person-centric, making it easy to use, getting the basics right, maintaining transparency; once those fundamentals are there, then we can get on to things like AI.”
Lee agreed that culture was important, particularly as we move to the neighbourhood model and think about how we work together. He moved on to consider the need to change outdated funding and contracting models which prevent a lot of collaboration and innovation. “The final thing is, as an organisation or region, being really clear on what your risk appetite is, and whether that’s the same across all of your partners,” he noted. “If we don’t hit all of those things, we’re going to continue to see issues in the future, because we will not learn from history, and we’ll just repeat it.”
We’d like to thank our panel for taking the time to share these insights with us.