The MDU in action

Shielding your practice from cyber threats

12.03.25

Cybercriminals are constantly testing boundaries, and NHS organisations are prime targets because they hold a vast amount of sensitive personal data, which often needs to be shared, and have outdated IT systems.

If your practice has security gaps, you could also be vulnerable to an opportunistic attack.

What can go wrong?

In a ransomware attack on a healthcare organisation, an individual or gang ‘locks’ (encrypts) files on a computer or network and demands payment in return for restoring access. These attacks are a growing global threat and hugely disruptive.

In fact, 2024 was one of the worst years on record.

In June, Russian criminals caused the postponement of more than 10,000 outpatient appointments and 1,693 elective procedures after successfully targeting Synnovis, which provides pathology services to the NHS. Stolen patient data was also published on the dark web.

In February, an attack on the US medical invoicing company Change Healthcare led to severe cashflow problems and delays for practices, even though the company paid a ransom of $22 million.

And half the population of France are estimated to have been affected by January attacks on two French healthcare payment providers (Viamedis and Almerys) in the country’s largest ever cybersecurity breach.

Alongside the immediate disruption and distress for patients, organisations that fall prey to cyberattacks have to deal with the fallout. Even if they don’t pay a ransom, getting back to normal service can be expensive and there can be lasting reputational damage.

In addition, the Information Commissioner’s Office (ICO) has the authority to impose fines of up to £17.5 million or 4% of the organisation’s annual worldwide turnover (whichever is higher) for serious breaches of data protection principles.

Regulations, standards and resources

In a briefing to the UN in November 2024, the head of the World Health Organization, Tedros Adhanom Ghebreyesus, called for international cooperation to address the growing crisis of ransomware and other cyberattacks on health services.

Meanwhile, the UK government is introducing a Cyber Security and Resilience Bill to Parliament in 2025. It says the bill will include measures to expand the remit and powers of regulators and mandate better incident reporting.

Although this isn’t yet law, your organisation must still “ensure that you have appropriate security measures in place to protect the personal data you hold,” in line with the security principle of the General Data Protection Regulation (GDPR).

In addition, all organisations with access to NHS patient data and systems must use the Data Security and Protection Toolkit to assess their performance against the data security standards set by the National Data Guardian for Health and Social Care.

You can also find guidance from:

MDU advice

Cyberattacks on healthcare are a global concern, but every organisation has a part to play in combating them. You wouldn’t leave your practice without switching on the alarm, but neglecting IT security is effectively leaving the door open for criminals.

Here are the top things you can do to improve your practice’s IT security and resilience.

Review IT and data policies and procedures
Your practice should already have an information security policy and a designated person to ensure personal data is protected from unauthorised or unlawful processing, accidental loss, destruction or damage.

However, this document shouldn’t be left to gather dust. Revisit the policy at regular intervals to take account of new regulations and guidance, or when there has been an IT security incident or near miss. Ask yourself if the policy needs updating to reflect the ways your practice currently processes data (migration to cloud data storage, for example).

Policies should include:

  • the use and review of security software (including updates and data backup)
  • procedures for safe handling of patient information, including the use of encryption
  • the need for signed written contracts with all third-party suppliers, including IT contractors, setting out your confidentiality requirements
  • rules on the use of home computers or mobile devices
  • access controls and audits of electronic systems
  • strong passwords and individual login profiles for each member of staff, with passwords changed regularly
  • staff data protection training
  • social media use and patient confidentiality
  • secure disposal of practice computers.

Check how you measure up
If you’re not already required to meet the NHS data security standards, assess your practice’s cybersecurity controls against good practice standards.

The government-backed Cyber Essentials programme includes a ‘readiness toolkit’ that provides a personalised list of actions to improve cybersecurity. You’re awarded a certificate to show you’ve met the necessary standard.

Seek expert advice
Seek professional advice from a reputable specialist about IT security measures such as firewalls, virus protection and encryption. They should also be able to advise on penetration testing to see how your systems would withstand a cyberattack.

Train staff
Human error, such as clicking on a malicious link or sharing passwords, is a common factor in many cyber breaches, so ensure staff inductions cover IT security policies and procedures and provide refresher training if required. Some organisations also use mock phishing emails to test how their staff respond to cyber threats.

Report data breaches
If the worst happens, you must report data breaches that are likely to result in a “risk to the rights and freedoms of individuals” within 72 hours of becoming aware of the breach, using the ICO’s breach reporting service.

The ICO also says you must notify the individuals concerned without delay if there’s a ‘high risk’ to their rights and freedoms. This sets a higher threshold for notifying individuals of the data breach, but the obligation might well be engaged in the case of health data. This can be a difficult area, so contact the MDU for advice if you are unsure.

The ICO defines a personal data breach as “a security incident that has affected the confidentiality, integrity or availability of personal data.” A breach may fall into one or more of these categories: an unauthorised or accidental disclosure of, or access to, personal data (confidentiality); an accidental or unauthorised loss of access to, or destruction of, personal data (availability); or an unauthorised or accidental alteration of personal data (integrity).

When you notify a breach, you’ll be required to provide information, including:

  • the categories and approximate number of individuals concerned
  • categories and approximate number of personal data records concerned
  • name and contact details of the data protection officer or other contact point
  • description of likely consequences of a personal data breach
  • description of measures taken or proposed to be taken to deal with a personal data breach, including measures to mitigate possible adverse effects.

The ICO advises organisations to report major cyber incidents to the National Cyber Security Centre (NCSC), and incidents that could heighten fraud risk for individuals to Action Fraud or Police Scotland.

As an MDU Connect policy holder, you and your team have access to expert medico-legal and dento-legal guidance and support.
We encourage you to address issues early to pre-empt problems, so contact us for specific advice or explore our resources.

This page was correct at publication on 12th March 2025. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.