The chief information security officer at Trustwave talks about how hospitals can protect themselves against healthcare cyberattacks.
The ransomware attack on Synnovis, a supplier to the NHS, which affected hospitals like King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust in June last year, and the Russian ransomware attack on Alder Hey Children’s NHS Foundation Trust and Liverpool Heart and Chest’s NHS Foundation Trust in December are just the tip of the iceberg.
Cybercrime against Britain’s hospitals is on the rise and yet still not taken seriously. Kory Daniels, chief information security officer at Trustwave, talks to Healthcare Today about the different types of attacks against British healthcare and what hospitals and healthcare providers should be doing.

Why are we seeing a rise in cyberattacks against the healthcare sector?
The current trends in healthcare technology adoption present an interesting dynamic. The UK healthcare system, like many others, is witnessing rapid digital transformation. Hospitals are increasingly embracing AI, internet-connected medical devices and telehealth solutions.
The urgency to adopt new technologies brings inherent tensions. While speed-to-market can improve care delivery, it also introduces vulnerabilities – whether compliance gaps, unintentional exposures, or opportunities for malicious actors. We’re observing increased criminal exploitation, ranging from fraud to sophisticated ransomware attacks targeting precisely these digital healthcare ecosystems. This reality necessitates balanced, vigilant approaches to technological adoption in healthcare settings.
Where are these threats coming from?
The healthcare sector faces threats from diverse actors with varying motivations. Nation-state operators, particularly those linked to China, frequently target intellectual property. These entities seek competitive advantage by compromising third-party providers within the healthcare supply chain or directly targeting research institutions developing novel treatments.
Equally concerning are financially motivated criminal enterprises. These organisations operate with disturbing sophistication, mirroring legitimate business structures. They maintain defined operating models, established supply chains and often subcontract specialised activities to other criminal networks. While some demonstrate selective targeting – occasionally avoiding particularly sensitive healthcare targets – others operate without such restraint.
The consequences manifest alarmingly in operational terms. We’ve observed ransomware attacks which force hospital emergency protocols to divert ambulances during critical care situations. This exemplifies how cyber threats transcend data theft and directly impact patient safety.
What are the potential ramifications of a successful cyberattack?
The consequences of cyberattacks on hospital systems extend far beyond data breaches. Surgical teams may find themselves mid-procedure with internet-connected instruments suddenly inoperative, raising urgent questions about system resilience and contingency planning. This vulnerability extends to fundamental infrastructure, including power supply to medical facilities.
Emergency departments face particularly acute challenges. The entire patient care workflow – from initial assessment to treatment delivery – relies on continuous access to digital systems. When electronic health records become inaccessible, clinicians lose vital medical histories, test results and treatment plans.
These threats manifest through two primary vectors: direct attacks on hospital infrastructure, potentially compromising multiple systems simultaneously across different departments; and supply chain vulnerabilities, where attacks on third-party service providers (such as cloud-based medical platforms or connectivity services) can blindside healthcare facilities that depend on these external systems.
The growing integration of internet-connected medical devices, while clinically beneficial, has significantly expanded these attack surfaces. Each networked device – from surgical robots to infusion pumps – represents a potential entry point that threat actors could exploit.
What are the most common types of attack that you’re seeing at the moment?
Ransomware inevitably dominates headlines due to its disruptive nature and the financial implications involved. The most persistent threat we observe, however, remains phishing and social engineering attacks. These involve threat actors directly targeting individuals through deception to harvest credentials or sensitive information. Their ultimate objectives vary. Some seek to exfiltrate patient data, others target intellectual property, such as computer-aided designs for medical equipment, either to replicate technology or identify vulnerabilities for future exploitation.
Do legacy systems in the NHS pose a bigger security risk than emerging technologies like AI-driven healthcare platforms?
Legacy systems present significant but distinct challenges compared to modern infrastructure. True legacy environments – those entirely disconnected from organisational networks – pose one set of issues. More problematic are brownfield systems: legacy equipment retrofitted for internet connectivity that was never designed for networked operation. Often, the imperative for connectivity overrides these security considerations.
Compounding this is the human factor. Maintaining these legacy systems requires specialised knowledge increasingly scarce as experienced technicians retire. This skills gap affects multiple sectors, particularly in medical industrial control systems where ageing workforces possess irreplaceable institutional knowledge about legacy technologies.
In contrast, purpose-built greenfield systems designed from inception for connectivity should theoretically offer greater security. Modern supply chain complexities, however, introduce new vulnerabilities. Third-party devices often incorporate multiple proprietary and open-source components – we’re seeing products comprising 35% open-source code and 65% vendor-supplied elements, wrapped in custom applications.
Without comprehensive software and hardware bills of materials, healthcare providers cannot properly assess fourth-party risks when failures occur. Was an outage caused by a vulnerable open-source component? A supplier’s compromised infrastructure? This opacity creates unacceptable exposure in critical healthcare environments.
What should hospitals and healthcare providers be doing?
A multi-layered approach is essential for effective cybersecurity in healthcare organisations.
At the governance level, board members and senior executives must champion cybersecurity as a strategic priority. Without this top-down commitment and clear communication throughout the organisation, security teams face an uphill battle in implementing protective measures. Leadership must articulate why cybersecurity matters not just for compliance, but to maintain patient trust and operational continuity.
In complex hospital environments with numerous connected systems, security teams struggle to maintain visibility. Business units must proactively engage security specialists early in procurement processes – particularly when acquiring new clinical technologies. Rather than viewing security as an obstacle, teams should recognise its role as an enabler that facilitates safe innovation. Each new system requires evaluation beyond basic compliance.
The human element forms the third critical layer. Cybersecurity awareness must permeate the entire organisation, from clinicians to administrative staff. Every employee serves as a potential first line of defence. The threat landscape has grown more sophisticated with AI-enabled deepfakes creating highly convincing phishing attempts. Regular training and testing programmes are essential to maintain cyber awareness across all staff levels.
Ultimately, theoretical preparedness must be validated through realistic testing. Organisations need to simulate scenarios like ransomware attacks that disrupt patient care systems. The first real test should not occur during an actual crisis.
What does/should an effective response framework look like?
I would strongly recommend that security teams avoid treating cybersecurity as a separate, specialised domain. Most hospitals already have well-established emergency response frameworks, and rather than creating parallel systems, cybersecurity should integrate seamlessly into these existing risk management structures.
The challenge lies in normalising cyber threats as just another operational risk, not some exceptional digital phenomenon. While security professionals might instinctively want bespoke solutions, we must recognise that crisis management principles remain consistent whether responding to a physical emergency or a cyberattack. The same crisis communication protocols should apply – involving public relations, legal counsel, executive leadership and, where appropriate, law enforcement.
Is there a role for government? What should the UK government be doing?
Government undoubtedly plays a crucial role in cybersecurity, with approaches varying across jurisdictions – from the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts in the US to the UK’s participation in Five Eyes intelligence sharing. This global cooperation highlights the importance of public-private partnerships in threat intelligence dissemination.
The challenge lies in the disparity between large healthcare providers with dedicated security resources and smaller entities lacking such capabilities. While major hospitals may maintain their own threat intelligence programmes, most healthcare organisations simply cannot afford equivalent investments. They rely on government to share actionable intelligence and create safe reporting channels without punitive regulatory consequences.
Regulation presents something of a paradox. While necessary, an overly compliance-focused approach risks misaligning priorities – emphasising box-ticking over genuine security improvement. Government guidance should instead clearly communicate why specific measures matter and help private healthcare providers understand their security responsibilities while benefiting from state-level intelligence that would otherwise remain inaccessible.
Do you get a sense that the healthcare sector is starting to wake up to the threats?
The growing awareness of cybersecurity risks in healthcare has evolved significantly following several high-profile global breaches. The stakes extend far beyond financial considerations – at the heart of this lies patient trust. When individuals share their most sensitive data, including genomic information and family medical histories, they require absolute confidence in its protection. This trust forms the foundation of patient-provider relationships and influences healthcare choices.