A war on cyber-attacks: UK healthcare’s toughest defences
Eve Goode
International Security Journal hears exclusively from Iwona Zalewska, Regional Director UK & Ireland, DRAM Business Manager, EMEA Region, Kingston Technology.
When it comes to the sectors that experience cyber-attacks, healthcare continues to be one of the most frequently targeted.
While the average cost of a healthcare data breach decreased from $10.93 million in 2023 to $9.77 million last year, according to IBM, the overall picture remains bleak for UK healthcare providers and patients.
In the last four years, for example, a ransomware attack on Advanced Computer Software Group disrupted critical services, including NHS 111, and led to a £3 million fine for the company. In the same period, the Royal Free London NHS Trust was sued for violating data protection law by sharing the private records of 1.6 million NHS patients.
Healthcare facilities, from GP surgeries to hospitals, to specialist imaging and diagnostic testing units, are vulnerable, facing a combination of data security challenges that few other sectors have to deal with.
Smaller health organisations are less likely to employ cybersecurity specialists or teams who can put in place comprehensive security protocols.
Decisions about systems or software are all too often made in an ad-hoc fashion, so there is no unified defence, and even larger hospitals and units struggle to recruit experienced cybersecurity professionals.
Add to this the unique flow of sensitive medical data being sent across healthcare networks and you have the perfect breeding ground for attacks.
This vulnerability makes it critical that the sector arms itself with more than just reactive security measures, instead putting in place widespread and proactive protection strategies.
As the fines outlined above indicate, the consequences of failing to address these challenges can be onerous in what is already a financially constrained sector.
The consequences of healthcare data breaches
While monetary loss is the most visible impact, healthcare organisations suffering a data breach are forced to fight on many fronts.
Patient trust, for example, can deteriorate rapidly when medical records are exposed, and if treatment details are altered or made unavailable there is a direct risk to patient safety.
No healthcare provider wants to face lasting damage to its reputation, which can reduce patient registrations. Recovery also takes a long time from an operational perspective, with systems to restore and data to recover.
The scale of the problem is underscored by a 2024 Sophos survey, which found that 37% of healthcare organisations took over a month to recover from ransomware incidents with almost all victims reporting attempts to breach their backup systems.
Escalating ransomware threats
Ransomware remains one of the most damaging cyber-risks for medical facilities across the globe. In 2023, these attacks represented 54% of all reported cybersecurity incidents in the European Union's health sector.
Alarmingly, only 27% of surveyed healthcare institutions had dedicated ransomware defence programmes in place.
Hospitals and clinics are particularly appealing targets due to the critical nature of their services and the sensitive data they hold.
When systems vital to patient care are compromised, healthcare providers face intense pressure to restore operations quickly, making them more inclined to pay ransoms than many other sectors.
The stakes are extraordinarily high: delays in treatment or the inability to access medical records can directly jeopardise patient safety.
Today’s ransomware campaigns often go beyond locking files. Many include data theft and “double extortion” schemes, where attackers threaten to release private patient information unless additional payments are made.
This forces providers to weigh the protection of patient privacy against the urgent need to resume services.
Despite the risks, ransomware-specific protections in healthcare remain insufficient. Many organisations still lack adequate network segmentation, reliable offline or immutable backups that attackers cannot reach from a compromised network, and tailored incident response strategies.
Adapting to global cybersecurity regulations
Governments worldwide are tightening cybersecurity requirements for healthcare providers to combat growing digital threats.
In the European Union, the General Data Protection Regulation (GDPR) provides a foundation for safeguarding personal data, while the NIS2 directive sets standards for network and information security across key sectors, including healthcare.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) continues to evolve, with recently proposed updates to its Security Rule that would tighten cybersecurity requirements for electronic protected health information (ePHI).
The European Commission has also proposed a dedicated Cybersecurity Action Plan for the healthcare sector, acknowledging that regulatory frameworks alone are not enough – education, funding and operational support are equally critical.
Achieving compliance requires deploying strong technical safeguards, with encryption playing a vital role in protecting sensitive information.
However, the level of protection varies greatly between different encryption solutions.
Hardware encryption and adopting best practice
Not all encryption methods provide the same degree of defence.
Hardware-based encryption, where the key is generated and held inside the storage device rather than in host software, delivers greater resistance against advanced cyber-attacks and physical tampering compared to purely software-based approaches, particularly when sensitive information is stored or transferred via external drives. It protects data at rest while the drive is locked; it does not protect data on a system that has already been compromised while the drive is unlocked, so it complements rather than replaces controls such as segmentation and backups.
Robust encryption should therefore be one vital part of an integrated defence strategy that allows healthcare organisations to remain vigilant.
Other factors to consider include:
- Conducting regular security training and promoting strong cybersecurity hygiene among staff
- Implementing proactive, structured security programmes instead of reactive measures
- Staying ahead of evolving regulatory requirements
- Investing in specialised cybersecurity talent to address skills shortages in the sector
The fact that the cost of cyber-attacks slightly dropped should not allow healthcare managers and decision makers to become complacent.
Vigilance, backed by the right security tactics, is needed if they are to strengthen their defences, safeguard patient trust and ensure continuity of care.
Choosing the right encryption solutions is a critical part of that process.

