top of page

Cyber security hygiene tips for your health and social care business

Over the last 10 years, the cyber threat to the health and social care sector has unsurprisingly, increased significantly. With this has come an increase in news stories relating to cyber attacks taking up space on our timelines and news feeds.

Cyber attacks on the health and social care sector a particular concern as the attacks can directly threaten not just the security of systems and information but also the health and safety of patients.

Why are health and social care businesses targets for cyber criminals?

The healthcare industry is 24 hours, 7 days a week, 365 days a year business, so with that comes an attractive opportunity for cyber criminals to strike and a heightened risk of attack to the businesses within the industry.

Health and social care businesses are also attractive targets as:

  • Cyber criminals can steal and then sell on confidential data such as patient medical and billing information on the darknet for insurance fraud purposes.

  • Cyber attacks like ransomware are easy to launch and in doing so they can lock down patient care and back-office systems and charge extortionate ransom fees in order for the data to be accessed.

  • A lack of training for employees can often lead to cyber attacks taking place due to human error.

  • Internet-connected devices that are not regularly updated are susceptible to tampering.

In May 2017, the UK’s National Heath Service (NHS) fell victim to a huge cyber attack which is commonly known as the WannaCry cyber attack. This attack was relatively unsophisticated and could have been prevented by better IT security practice. On Friday 12th May 2017, a computer virus that encrypts data on infected computers and demands a ransom payment to allow user access was released worldwide.

The attack led to disruption in at least 34% of the NHS’s trusts in England and led to thousands of appointments and operations being cancelled. 80 if the 236 hospital trusts were affected, alongside 595 of 7,454 GP practices.

The report into the attack revealed that NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.

The attack was only halted due to cyber security researcher activating a ‘kill switch’ so that the virus was stopped in its tracks and could no longer lock devices.

All health and social care organisations can, and should, have strong cyber security measures

in place, not least because the protection of patients' confidential health and social care

data is fundamental to delivering high quality and safe services.

To help your health care business strengthen its cyber security, you can follow and adopt these basic practices, outlined in the Small Business Guide from the National Cyber Security Centre (NCSC). The guide sets out five key areas for businesses to help improve their cyber security.

The five recommended areas of focus are:

1. Backing up your data: Top tips include keeping a back-up of dan ta separate, reading our Cloud Security guidance, and backing up regularly.

2. Protecting from malware: Top tips include switching on firewalls, preventing staff downloading dodgy apps, and controlling how USBs can be used.

3. Keeping your smartphones (and tablets) safe: Top tips include making sure devices can be wiped remotely, not connecting to unknown Wi-Fi networks and keeping device software up to date.

4. Using passwords to protect your data: Top tips include avoiding predictable passwords, using two-factor authentication, and changing default passwords.

5. Avoid phishing attacks: Top tips include checking for obvious signs of phishing, reporting all attacks, and testing resilience using our Exercise in a Box tool.

Here at WMCRC, via our free core membership we provide guidance and toolkits like this to help businesses improve their cyber resilience and mitigate the threats posed by cyber criminals.

We provide a range of services delivered by top talent from local universities, including staff training. We also have a network of Trusted Partners who can help you complete the Government-backed Cyber Essentials programme – designed to protect businesses from up to 80% of the most common cyber attacks.

Find out more via our membership page.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page