At HETT North, cybersecurity experts came together to discuss the growing digital risks in healthcare and the urgent need for resilience. Led by Nasser Arif, Cyber Security Manager at London North West NHS Trust, the session explored how NHS and care providers can better protect critical infrastructure while balancing the need for digital transformation.
The panel included:
- Catherine O’Keeffe, Deputy Director of Security (Delivery), Cyber Operations, NHS England
- Daniel O’Shaughnessy, Head of Programme Delivery, Digital Care Hub
- Daniel Hallen, Chief Information Officer, East Lancashire Hospitals NHS Trust
- Mohammad Waqas, CTO of Healthcare, Armis
The discussion began with an interactive word cloud, where attendees highlighted their top concerns. Hacking, ransomware, risk, and patient safety emerged as dominant themes, underscoring the real-world impact cyber threats can have on care delivery.
Arif acknowledged that while digital advancements are driving efficiency, many organisations fail to address cybersecurity basics:
"One thing I think all panelists will agree on is within the healthcare sector, we are becoming very reliant on new technology, new complex systems as a means to continuously improve. However, do we feel that our focus should step back a bit and we should focus on covering the basics first?"
The Critical Need for Cybersecurity Basics
Catherine O’Keeffe, who oversees NHS cyber incidents, stressed that most breaches stem from the same recurring issues. These include:
- Lack of Multi-Factor Authentication (MFA) – "Please put MFA on because it does what we say [it does] on the tin, it will stop 90% of cyber-attacks."
- Delayed Patching – "You must patch. When we put those HSAs out, those critical vulnerabilities and HSAs in 14 days."
- Weak Supplier Security Controls – "What you miss time and time and again is your passwords of your suppliers. And some of them haven’t been updated for so long and they’re missing."
She noted that many cyber incidents could be avoided with basic security measures, urging organisations to take a proactive approach to risk reduction:
"You get all of these basics right, and not only are you decreasing your risk, but you are also increasing your resilience and the fact you can recover from a cyber-attack."
A Global Perspective on Cyber Threats
Bringing an international viewpoint, Mohammad Waqas described cybersecurity as a risk management issue rather than just an IT concern. Without visibility into IT infrastructure, many organisations don’t even know what they’re trying to protect.
"If we don’t know what’s there, if we don’t know what we’re supposed to protect, if we don’t understand the different critical elements of it, we won’t necessarily be able to secure it at all."
He warned that failing to test resilience is a major issue:
"We're never going to be a hundred percent secure. That risk will result in some type of downtime, or some type of a cyber incident. How are we going to respond once we are compromised or once any of our services actually are interrupted?"
Waqas advocated for simulated cyber incident drills to ensure real-world readiness.
Cybersecurity in Adult Social Care
Daniel O’Shaughnessy shifted the discussion to cybersecurity in adult social care, a sector that often lacks the same resources and awareness as the NHS. He explained how the Data Security Protection Toolkit (DSPT) has helped care providers improve their cyber resilience, though progress remains slow.
"Even though, yes, they are often a bit of a compliance check, there's an underlying reason for those things. There's an underlying reason those things should be there."
He emphasised that cybersecurity takes time to implement, but when organisations embed it into their daily operations, it becomes much easier to maintain.
Changing the Culture: Awareness and Training
The conversation then turned to the human factor in cybersecurity. Daniel Hallen emphasised that a culture shift is needed: too many staff members lack awareness of cybersecurity risks in their day-to-day work.
"For the last 17 years, we've handed people a smartphone and expected people to understand how the functions of a smartphone work without any understanding of the security."
The result? Risky habits that expose organisations to cyber threats. Hallen argued that security needs to be embedded into everyday workflows. Solutions like single sign-on and automated authentication can make security seamless rather than a burden. He also called for more engaging cybersecurity training, rather than dry, compliance-driven exercises that staff often ignore.
Audience members shared their experiences with successful cybersecurity awareness initiatives. Several organisations reported that simulated phishing exercises had been highly effective, with staff surprised at how easily they could be tricked. Others highlighted the value of tabletop exercises, simulated cyber incidents where executive teams practice crisis response in real time.
Protecting NHS Leaders from Cyber Threats
An emerging concern was the growing risk of cybercriminals targeting NHS executives and senior leaders.
Daniel Hallen explained that attackers scrape public information from social media to craft convincing phishing emails or impersonation scams.
To counter this, NHS leaders were urged to:
- Enable MFA on personal and professional accounts.
- Be mindful of oversharing on social media, as attackers gather intelligence from personal posts.
- Educate executives on cybersecurity risks, as they are often key targets for phishing and fraud.
Strengthening Cyber Resilience
The discussion closed with a call for greater urgency in addressing healthcare cybersecurity challenges. While new technologies offer enormous benefits, they also introduce new vulnerabilities. Without strong cybersecurity foundations, the sector remains at serious risk of disruption.
The consensus was clear: cybersecurity in healthcare isn’t just about protecting data, it’s about protecting lives.