Patching the Security Holes in the NHS’s Ageing IT System 

Healthcare cybersecurity

By Trevor Dearing 

The NHS’s outdated IT infrastructure leaves it highly vulnerable to cyberattacks, with legacy systems introducing a substantial risk of data breaches and operational disruptions. The NHS must modernise its IT and adopt new security measures such as Zero Trust Segmentation to protect its patients. 

It’s no secret the NHS is vulnerable to cyberattacks, with a recent NHS England survey stating that four out of five patients worry about an attack on NHS IT systems.  

Over the years, cyberattacks have caused plenty of headaches for the NHS and the general public. For example, the recent ransomware attack against NHS Scotland showed the widespread pain that can be caused by cybercriminals, with immediate impacts on patient care and the long-term impacts of data theft.  

How legacy systems are increasing cyber risk  

The healthcare sector is a popular target for cybercriminals, who see it as a treasure trove of valuable data. Stolen patient records are sold on the dark web as a commodity, used to fuel further attacks, and held as blackmail material. A single record can sell for approximately $50 – so a breach that exfiltrates the information of thousands of patients is extremely lucrative.  

Further, frontline healthcare providers are highly vulnerable to disruptive attacks like ransomware which can target patient care. Attacks on St Bartholomew’s in London and third-party providers such as Advanced, which disrupted the 111 helpline, show how easily health services and patient care can be interrupted.  

Compounding this, the NHS is seen as a particularly profitable target because of the prevalence of outdated IT infrastructure. For many NHS organisations, legacy technology can account for as much as 30-50 per cent of all IT services. Some elements were designed over 20 years ago and have gone over a decade without an update.  

This ageing infrastructure is a gift for cybercriminals; old systems no longer supported by security patches provide countless attack paths. Vulnerable systems serve as easy entry points and can be exploited through lateral movement around the environment to reach critical assets.  

The infamous WannaCry ransomware attack from 2017 still reigns as the worst-case scenario when these vulnerabilities are exploited. NHS Trusts were heavily affected by the rogue malware, with thousands of hospitals cancelling appointments as essential booking systems and patient databases were rendered inaccessible. It’s estimated that the incident cost the NHS in excess of £92m.  

And while the NHS became one of the most prominent victims of WannaCry, it’s notable that the healthcare service wasn’t even an intended target – the ransomware began spreading of its own accord. The ageing IT systems were simply wide open.  

The financial toll  

It is evident that notable progress has been made since the wildfire of WannaCry. The NHS was quick to assess the damage and learning points of the incident, and the government has undertaken a far-reaching strategy aimed at boosting the general security of the UK’s healthcare.  

Nevertheless, legacy infrastructure is still prevalent across most trusts today and significantly increases the risk of a serious breach.  

Aside from catastrophic events like WannaCry, the potential economic consequences of cyberattacks on the NHS are staggering, with multiple elements quickly adding up to a sum few healthcare providers can readily afford.   

A HIMSS Healthcare Cybersecurity Survey in 2022 estimated that around 20 per cent of health and care system attacks result in monetary loss and 21 per cent lead to data breaches. Legal expenses, ransom fees and cybersecurity system replacement costs all contribute to the impact. Further, the urgency of investigating and implementing new measures ramps up costs.   

An FOI request found that trusts have paid more than £1.5m in data breach claims since 2021. In just one recent case, Norfolk and Norwich University Hospitals NHS Foundation Trust paid £47k in compensation to patients involved in a data breach.   

So, replacing legacy technology and investing in modern cybersecurity measures is essential to protect the NHS from these unsustainable economic and operational risks. 

Key priorities in reducing the NHS’s exposure to cyber risk 

With the cyber threat to healthcare providers showing no signs of abating, organisations must take decisive action to protect their patients. One of the priorities must be for organisations to gain a full understanding of their IT estates and discover where the greatest vulnerabilities are.  

An extensive audit will help to shine a spotlight on unsupported legacy systems, identifying those that pose an outsized threat because they can no longer be effectively secured. Automated tools can assist with asset discovery to avoid a resource-heavy manual search. Healthcare providers must invest in replacing all such systems as soon as possible. The cost of upgrades and replacements will be well worth it if it helps reduce the chances of multi-million-pound breaches.   

Additionally, some of the quickest and easiest ROI in security spending comes from preventing lateral movement within the network.  

Wherever possible, trusts should align with the ‘Zero Trust’ approach, a security strategy grounded in the principle of “never trust, always verify.” It assumes that threats could already be inside the network and mandates continuous verification of user and device identities. This proactive stance is crucial in modern cybersecurity, where the perimeter-based security model is no longer enough due to the increasing complexity and diversity of attack vectors. 

Zero Trust is becoming widely adopted in most business sectors and is especially valuable for the NHS in protecting its ageing IT systems. A critical pillar of the Zero Trust approach is Zero Trust Segmentation (ZTS), which creates micro-perimeters around critical assets using the “always verify” approach.  

Moving forward to Zero Trust Segmentation 

ZTS is a simple-to-deploy cybersecurity solution that divides a network into smaller, isolated segments. Each segment is protected with stringent access controls, ensuring only verified and authorised users can access sensitive areas.

The highly granular control afforded by ZTS significantly reduces the risk of lateral movement by attackers, effectively containing potential breaches. A total economic impact report into Illumio ZTS found that it can reduce the ‘blast radius’ or reach of a breach by an average of 66 per cent.  

Unlike traditional segmentation methods that rely on static, legacy firewalls, ZTS offers dynamic, scalable security across cloud environments, endpoints, and data centres. This makes it a strong fit for NHS IT environments that often include a wide variety of systems. 

For trusts, ZTS can build on the groundwork of mapping out NHS networks to identify critical assets and potential vulnerabilities. Because the segmentation and access controls are highly granular, organisations can prioritise securing the most high-risk and vulnerable areas first, such as sensitive patient data or legacy assets that cannot yet be replaced.  
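To make the audit and segmentation ideas above concrete, here is an added illustration (not code from the article, and not Illumio's product) of ZTS treated as a default-deny allowlist over labelled workloads. The inventory, role labels, ports and rules are constructed for a hypothetical trust network. It covers two of the points made earlier: flagging unsupported legacy assets that still have inbound access, and measuring the "blast radius" an attacker would have from one compromised workstation on a flat network versus the same network under an allowlist policy.

```python
"""Added example: a toy model of Zero Trust Segmentation as an allowlist policy
over labelled workloads, with a blast-radius calculation before and after the
policy is applied. Not from the article or Illumio; all data is constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    role: str      # hypothetical label, e.g. "workstation", "booking-db"
    legacy: bool   # True if the system is unsupported and cannot be patched


# Constructed inventory for a hypothetical trust network (not real NHS assets).
INVENTORY = [
    Workload("ws-reception-01", "workstation", legacy=False),
    Workload("ws-ward-07", "workstation", legacy=False),
    Workload("booking-app", "booking-app", legacy=False),
    Workload("booking-db", "booking-db", legacy=False),
    Workload("pacs-server", "pacs", legacy=False),
    Workload("mri-console", "imaging-modality", legacy=True),  # unpatchable vendor box
    Workload("patient-db", "patient-db", legacy=True),
]

# Allowlist of (source role, destination role, TCP port). Any flow not listed is
# denied. Constructed rules, chosen so clinical workflows still function.
POLICY = {
    ("workstation", "booking-app", 443),
    ("booking-app", "booking-db", 5432),
    ("workstation", "pacs", 443),
    ("imaging-modality", "pacs", 104),   # DICOM from the modality to PACS only
    ("booking-app", "patient-db", 1433),
}


def flow_allowed(src, dst, port, policy, enforce=True):
    """True if src may open a connection to dst:port under the policy.
    With enforce=False the network is flat and everything can talk to everything."""
    if not enforce:
        return src != dst
    return (src.role, dst.role, port) in policy


def blast_radius(start, inventory, policy, enforce=True):
    """Names of workloads an attacker holding `start` could reach by lateral
    movement, assuming every permitted flow can be abused (start excluded)."""
    by_name = {w.name: w for w in inventory}
    ports = {p for (_, _, p) in policy}
    seen = {start}
    queue = deque([start])
    while queue:
        cur = by_name[queue.popleft()]
        for w in inventory:
            if w.name in seen:
                continue
            if enforce:
                reachable = any(flow_allowed(cur, w, p, policy) for p in ports)
            else:
                reachable = flow_allowed(cur, w, 0, policy, enforce=False)
            if reachable:
                seen.add(w.name)
                queue.append(w.name)
    seen.discard(start)
    return seen


def exposed_legacy(inventory, policy):
    """Legacy (unsupported) workloads that still accept at least one inbound flow.
    These are the assets to ring-fence or replace first."""
    inbound_roles = {dst for (_, dst, _) in policy}
    return sorted(w.name for w in inventory if w.legacy and w.role in inbound_roles)


if __name__ == "__main__":
    start = "ws-reception-01"   # a compromised reception workstation
    flat = blast_radius(start, INVENTORY, POLICY, enforce=False)
    segmented = blast_radius(start, INVENTORY, POLICY)
    print(f"flat network: {len(flat)} hosts reachable -> {sorted(flat)}")
    print(f"with ZTS:     {len(segmented)} hosts reachable -> {sorted(segmented)}")
    print(f"legacy assets still exposed under policy: {exposed_legacy(INVENTORY, POLICY)}")
```

Running it shows the compromised workstation reaching all six other hosts on the flat network, but only the booking tier, PACS and the patient database once the allowlist is enforced; the unpatchable MRI console has no inbound rule at all and drops out of reach. The `exposed_legacy` check then points at the one legacy system (the patient database) that still needs an inbound path, which is exactly the kind of asset the text says should be prioritised while replacement is pending.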

Addressing insecure legacy technology must be a top priority for all NHS organisations, especially those providing frontline patient care. However, with decades of overlapping IT investments to deal with, legacy infrastructure isn’t an issue that can be resolved overnight. Organisations must balance the long-term goal of removing old systems from their IT environment with ensuring security for their staff and patients in the meantime. Measures such as ZTS will help deliver immediate risk reduction by limiting the impact of incoming attacks and minimising the disruption to patient privacy and care.

About the Author 

Trevor Dearing has worked in networking and security for over 40 years. He has attended the birth of nearly all the technologies that we now take for granted, including Ethernet switching, VPNs, firewalls and virtual networks. Originally an engineer working on some of the first network and cyber security systems, he is now the Director of Critical Infrastructure for Illumio.
