As the world’s geopolitical landscape grows increasingly unstable, the definition of critical national infrastructure (CNI) is evolving. Once reserved for sectors like energy, water, space and defence, the designation is now being expanded by governments to include the digital systems that support other vulnerable services. At the end of 2024, the UK took the important step of reclassifying data centres as CNI, recognising that digital resilience is now a key part of national security. But there is still one vital sector missing from the list – healthcare.
Healthcare systems and the health data they manage are essential to society. The NHS alone serves around 1.6 million patients every day. Any disruption to its systems, whether through cyberattacks, outages or misinformation, poses operational risks and threatens people’s health and wellbeing. It’s time for the UK to extend the same level of security, coordination and resilience planning it affords to other sectors, and to formally recognise healthcare and health data as critical national infrastructure.
Cyber threats are growing
Cyber threats targeting the healthcare sector are rising in volume and sophistication. Ransomware attacks such as the Synnovis hack, in which sensitive patient data was stolen, make the risks clear: several NHS Trusts and healthcare providers were forced to cancel appointments, divert patients, and operate on paper-based systems for days after these cyber incidents. The economic, social and human cost is evident.
At the same time, healthcare organisations are increasingly reliant on technology and data. Cloud-based systems, remote patient monitoring, connected medical devices and digital patient records are all transforming the delivery of care, but they’re also creating a much larger attack surface. As these systems become more integral to better health outcomes, their security must be treated as a matter of national importance.
A step in the right direction
The UK government’s decision to reclassify data centres as CNI at the end of last year is a welcome move. These facilities power the digital foundations of services like the NHS. Their new status brings enhanced government support, threat intelligence sharing, and access to security agencies such as the National Cyber Security Centre, to help operators defend systems against cyberattacks, IT failures, and extreme weather conditions.
However, protecting the infrastructure that stores NHS data is not the same as protecting the healthcare system itself. Data security is multifaceted, and the threats healthcare organisations face go beyond infrastructure. Without a comprehensive approach that treats the entire healthcare ecosystem – systems, data, people and services – as critical, we risk leaving significant vulnerabilities unaddressed.
The Sudlow Review, published in November 2024, reinforces this point. Commissioned by the Chief Medical Officer for England, NHS England’s National Director for Transformation, and the UK National Statistician, the review calls for health data to be treated as CNI. It highlights the essential nature of this data for public health, research, and operational delivery, and the serious consequences of disruption.
Learning from other critical sectors
Other sectors designated as CNI, such as defence, finance and emergency services, benefit from robust governance and government-backed resilience planning. These sectors are held to rigorous cybersecurity standards, often with dedicated resources and reporting lines into national security frameworks.
Healthcare should be no different. By adopting similar practices, NHS organisations can improve their ability to anticipate, endure and recover from incidents. Threat intelligence sharing, testing and mandatory risk assessment can all support a more secure and resilient health system.
Encouragingly, we are beginning to see the adoption of this mindset in the NHS, especially with the move away from the Data Security and Protection Toolkit (DSPT) towards the Cyber Assessment Framework (CAF), a model used by established CNI sectors. Unlike the DSPT, which focused heavily on compliance and self-assessment, the CAF requires organisations to take a much more proactive, risk-based approach to cybersecurity. It introduces new reporting structures, external validation and continuous risk analysis, pushing NHS organisations to go beyond surface-level fixes and address the root causes of vulnerability.
This shift encourages healthcare organisations, in the face of a growing threat, to embrace cybersecurity as a core operational priority. That means investing in skilled professionals, closing gaps in legacy infrastructure, and prioritising remediation over mitigation.
Recognising healthcare as a national priority
As cyber threats become more advanced and healthcare grows more reliant on digital systems and data, the case for reclassifying healthcare as critical national infrastructure becomes stronger. Of course, we need to defend against the threats we face today, but it’s also about future-proofing the systems that citizens rely on when they are at their most vulnerable.
By following the recommendations of the Sudlow Review and embracing a CNI mindset, the UK can help the NHS build the resilience it needs to face a more uncertain world. Ultimately, healthcare is not just another service; it’s a fundamental element of national security, and it’s time we treated it that way.
By Afshin Attari, Senior Director of Public Sector and Unified Platforms at Exponential-e