The Autumn Budget firmly put NHS technology infrastructure investment on the map, with an additional £300 million of capital funding on top of the £10 billion already committed through the 2025 Spending Review. These investments are intended to modernise services, unlock efficiencies, improve productivity and support better outcomes through digital and frontline care.
But as the NHS accelerates its use of digital health technologies, it is also becoming a more attractive and more exposed cyber target. Cybersecurity investment has not kept pace with digital ambition, and the gap is becoming harder to ignore.
To put the threat in perspective, from January to June 2025, researchers tracked 211 ransomware attacks against healthcare organisations worldwide. In the UK, recent incidents affecting NHS trusts such as and Barts Healthcare NHS show how quickly cyber risk can spill into operational pressure. In some cases, it’s led to cancelled appointments and delayed care. These are not edge cases, but part of a wider pattern as the NHS expands its digital footprint.
Complexity creates opportunity for attackers
Electronic patient records, connected medical devices, cloud platforms and remote access tools are now central to healthcare delivery. These technologies enable more joined-up care and faster clinical decision-making, but they also introduce complexity into already stretched IT environments. Health records are also one of the most lucrative types of information that a hacker could steal.
To access this information, attackers do not need to breach the most advanced systems. They look for the forgotten laptop, the unpatched server or the unmanaged device that sits outside day-to-day visibility. In large, complex estates, those weaknesses accumulate quickly.
This is particularly true when it comes to third-party software, where patching is only possible if organisations have accurate, real-time insight into what is actually running across their estate. At NHS Informatics Merseyside, limited visibility into non-Microsoft applications made patching increasingly difficult across thousands of devices and hundreds of locations. Gaining live endpoint data allowed teams to identify missed updates instantly, replace multiple legacy tools and move away from relying on days-old information to manage risk.
Many NHS organisations still struggle to maintain an accurate, real-time view of their endpoint environments. Without confidence in what is connected to an organisation’s network, what condition it is in and what vulnerabilities exist, it means teams are left reacting rather than preventing.
This risk is amplified during periods of rapid digital change, when new systems are deployed faster than security controls can keep up. Despite this, cybersecurity investment is rarely ring-fenced as part of digital health investment programmes. Cybersecurity is still too often treated as a secondary consideration rather than core infrastructure.
Cyber incidents are a patient care issue
Cybersecurity is sometimes framed as a technical or compliance problem, but in healthcare the consequences are operational, clinical and personal. When systems are unavailable, clinicians revert to manual workarounds, diagnostics are delayed and services slow down.
In some cases, care pathways are disrupted entirely and patients impacted directly. The UK has already seen how serious this can become. A ransomware attack on NHS pathology services in 2024 led to more than 10,000 cancelled appointments across London hospitals and GP practices and was later linked to the first recorded patient death associated with a cyber incident in the NHS.
As digital systems become more deeply embedded in frontline care, resilience directly underpins patient safety. Downtime cannot be tolerated, and attackers understand the pressure that this places on healthcare organisations.
Visibility, hygiene and speed make the difference
Most healthcare cyber incidents are not the result of unknown threats. They exploit weaknesses that were already understood but not addressed proactively or in time. In many cases, attackers succeed because risk accumulates quietly across large healthcare environments, rather than through a single dramatic failure.
Forward-thinking healthcare organisations are already showing how this risk can be reduced. At Leeds and York Partnership NHS Foundation Trust, gaining real-time visibility across more than 3,000 endpoints has allowed teams to patch vulnerabilities faster, retire five legacy tools and cut upgrade timelines from more than a year to just weeks, delivering more than £100,000 in savings while reducing exposure during periods of change.
Security teams need to know what exists across the estate, what state it is in and where risk is concentrated.
Security with usability is possible. Infrastructure designs should incorporate industry practices such as multi-factor authentication, network segmentation and limiting the number of privileged users to minimise risk.
Automation also plays a growing role and there’s virtually no limit to what automation can help organisations streamline, accelerate and improve. Autonomous IT solutions that unify endpoint management and cybersecurity are the future. When used with appropriate governance and human oversight, the right unified IT and security platform with AI and real-time intelligence allows overstretched teams to patch and innovate faster, enforce policy consistently, remediate issues before they escalate and stay resilient.
Leadership and funding must align
Recent healthcare cyber incidents follow a familiar pattern. Attackers gain access through a known vulnerability, move laterally, escalate privileges and deploy ransomware once safeguards are weakened. Recovery plans matter, but they cannot compensate for weak foundations.
This gap is now being acknowledged at a national level. The government recently announced the next stage of its £210 million Cyber Action Plan aimed at strengthening cyber resilience across public services, alongside tougher expectations for organisations delivering critical digital infrastructure. This direction closely aligns with the NHS Cyber Security Strategy for Health and Adult Social Care to 2030, which sets out a system-wide approach to improving visibility, strengthening cyber hygiene, improving incident response and reducing the impact of cyber incidents on patient care.
Both strategies recognise that resilience depends on foundational controls, clear accountability and sustained investment – not one-off programmes or reactive fixes. The focus on visibility, faster response and resilience at scale is welcome, but for NHS trusts modernising under pressure, the real test will be whether cyber resilience is embedded into digital health programmes from the outset, rather than treated as a parallel or follow-on initiative.
This requires leadership-led change, clear accountability and investment models that recognise cybersecurity resilience as essential healthcare infrastructure. When organisations have confidence in their endpoint visibility, cyber hygiene and response speed, they can adopt new technologies without increasing risk, accelerate decision agility, and stay resilient for exceptional patient care.
By Kieran Bamber, Director of Strategic Accounts – UK Healthcare and Local Government Lead, Tanium
