
Cyber Security Month 2025: A Call to Action for Health CIOs

Updated: Nov 6

As we observe Cyber Security Month, it’s imperative for every health system, hospital trust and IT leadership team to recognise that the threat landscape has shifted dramatically — and your hospital or health organisation is squarely in the crosshairs.






According to the NCSC’s most recent review, the UK recorded 204 nationally significant cyber incidents in the 12 months to August/September 2025, compared with 89 in the prior 12-month period (see NCSC Annual Review 2025: Surge in ransomware and hacking; growing gap between threats and national defenses). That is more than a doubling of high-impact attacks.


In this ThoughtCast we’re going to look into the reasons for the spike and, crucially, what Health CIOs should be doing now to mitigate the risk to their hospitals. Here’s what’s fuelling the spike.


What’s Driving the Surge?


1. Nation-state & grey-zone activity


The NCSC emphasises that hostile state actors (and their proxies) are operating in a “grey-zone” between peace and overt conflict. These campaigns target critical national infrastructure (CNI), including healthcare. In practice this means hospitals and health systems are not just victims of common cyber-crime, but of competition, espionage and disruption aligned with geopolitical agendas.


2. Ransomware and extortion-driven business models


Ransomware retains its position, having been identified as “the most significant, serious and organised cyber-crime threat” facing the UK. The increasing sophistication of attacks, now enabled by AI, and double-extortion models, which significantly increase hacker leverage and returns, have also fuelled the rise in these sorts of attacks. Attackers know hospitals are high-value targets: high stakes, sensitive data, sensitive services, critical service-continuity needs and tight recovery windows all make healthcare a lucrative target.


3. Expanding attack surfaces & digital complexity


Hospitals are increasingly digital: IoMT devices, remote monitoring and remote working, APIs, cloud services, connected legacy systems, third-party suppliers, telemedicine platforms. Each of these adds a further layer of risk, broadening the attack surface and widening the gap between exposure and threat, as the NCSC has been keen to point out.


4. Threat Detection Gaps


Hospitals in the main lack mature 24/7 SIEM (Security Information and Event Management) systems and monitoring, because of the expense of deploying the capability, both in solutions and in expertise. In fact, Paradigm believe this will be one of the many drivers or factors that push the sector into greater convergence and consolidation over time. Good SOC (Security Operations Centre) capability, good incident-response plans and the ability to hunt for and uncover threats are further aspects of this risk, which is compounded by the shortage of experienced cyber professionals. The Government’s impending Cyber Security and Resilience Bill, with its requirements around whole-ecosystem resilience, including 24-hour incident reporting and enhanced supplier obligations, should begin to address a number of these gaps.


5. Supply-chain & third-party risk


Hospitals often rely on external vendors, managed service providers, medical device manufacturers and cloud suppliers. Attackers are increasingly exploiting supplier ecosystems as stepping stones to gain access to larger critical systems.


6. Skills, resource and governance pressures


Even though technical controls are improving in some areas, many organisations still lag in risk governance, incident-response preparedness and board-level ownership of cyber security. This is further compounded by leadership’s underestimation of, and underinvestment in, cyber security, which has mainly been seen as a technical rather than a strategic issue.






What Health CIOs Can Do: 7 Strategic Actions for Hospitals


1. Elevate cyber-resilience to the C-suite & Board table


Make cyber security and resilience an executive-board discussion. This issue is also one of the factors demonstrating the continued rise of the CIO role within the hospital C-suite, currently evidenced by the designation of the role as ‘Executive CIO’ in some cases, where Trusts are keen to make the elevated importance of this role explicit.


The CIO and CISO (or equivalent) must have ongoing visibility, and escalation paths must be clear. The NCSC warns that this is no longer a purely IT issue. Interestingly, the Financial Times has even weighed in on the debate, recommending that clear KPIs (such as mean time to recover, number of tabletop exercises and third-party risk scoring) be set and reported at senior level.


However, this also highlights the need for greater ongoing training, orientation and support for Board members in these specific skills, in addition to the existing mandatory training requirements around IG and cyber security/resilience, which the Health CIO and/or CISO may also need to consider. (Paradigm may be able to assist with ideation, recommendations or support in this area; if of interest, please contact us.)


2. Conduct a focused health-sector risk assessment


Map your hospital’s digital ecosystem: connected medical devices, remote systems, interoperable platforms, suppliers, legacy systems. Then assess:

  • Map your attack surface: identify which systems are mission-critical (patient safety, diagnostics, EPR, telehealth)

  • What would happen if they were disrupted (you might need to simulate “screens go blank”, records inaccessible)

  • What are the upstream dependencies (power/telecoms/cloud, supplier availability)

  • Carry out regular audits

  • Tabletop exercises, that is both discussion-based and practical incident-response exercises


3. Harden your cyber hygiene foundations


Ensure you’ve got the basics fully covered:

  • Multi-factor authentication (MFA) for all staff and supplier access

  • Segmentation of networks (especially medical devices and legacy systems)

  • Zero-Trust Architecture (also see our previous Technology Review on SASE)

  • Deploy Endpoint Detection and Response (EDR) tools

  • Timely patching and vulnerability management

  • Back-up and restore capabilities tested under real conditions

  • Supply-chain security controls (vendor risk assessments, contracts with cyber clauses)


These may not stop every attacker, but they raise the overhead of an attack, and reduce the vulnerability surface.


4. Develop & relentlessly test incident-response plans


Hospitals must assume an incident will occur. Plan for worst-case disruption: systems down, data encrypted, supply chain unavailable, clinical workflows on paper. Run regular tabletop exercises with clinical, operational and IT stakeholders. Bring in suppliers/vendors. Test communication plans (internally, with regulators, with patients). Include cyber-scenario in business-continuity planning: how do you keep critical services running if IT is unavailable?


  • Develop formal incident-response plans with well-defined roles, escalation procedures and reporting lines.

  • Run simulated cyber-incident exercises with senior exec and Board participation, in order to test your response plans periodically and rigorously.

  • Embed this within the culture of the organisation: run periodic cyber-awareness campaigns; Cyber Awareness Month is a good time to focus collective minds.

    • Run ongoing training, pen-testing and phishing simulations for staff

    • Work to instil a 'no blame' culture to encourage the honest reporting of incidents and unusual activity.


5. Focus on third-party and supply-chain risk


Evaluate the cyber security and PQC compliance posture of your vendors, including in contracts, and continually monitor the access and behaviour of your third parties. While you’re at it, evaluate your insurance posture and confirm the position with the C-suite or Board for things like cover for ransomware, business interruption and regulatory fines, especially as it is not uncommon for some insurers not to cover some, or in extreme cases all, aspects of these sorts of attacks, as has happened recently in the US. In that event the Board, or specifically the CEO, will need to be clear and have a plan for how they will address any non-insured or residual risk. Don’t forget to incorporate these aspects into your incident-response plans too.


As regards the supply chain, start by asking yourself the following questions:


  • Do all your suppliers have robust cyber-security postures?

  • Are their incident-response plans effective?

  • What is their criticality to your operations if they fail or are compromised?

  • Do you have contractual rights and alternatives? Neglecting supplier risk remains a common cause of major hospital incidents.
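To make the ecosystem-mapping and disruption-simulation exercise of action 2, and the supplier-criticality questions just above, concrete, here is an added worked example in Python. It is illustration written for this page, not Paradigm’s tooling or any NCSC material; the services, suppliers, dependency links and yes/no questionnaire answers are constructed sample data, and every function name is an assumption of the example. It models the hospital’s digital ecosystem as a dependency graph, computes which mission-critical services a given upstream dependency (power, telecoms, cloud region, supplier) would take down if it failed or were compromised, and then prioritises suppliers by combining that derived criticality with the unmet controls from the questions above.

```python
"""Dependency-impact and supplier-risk model for a hospital digital ecosystem.

Added worked example for this page: not Paradigm's or the NCSC's tooling.
Every service, supplier, dependency and questionnaire answer below is
constructed sample data; the function names are assumptions of this example.
"""
from collections import deque

# Constructed sample ecosystem: node -> set of nodes it depends on.
# Nodes with no entry of their own (Power, Telecoms, the vendors) are the
# upstream dependencies that action 2 asks you to identify.
DEPENDENCIES = {
    "EPR": {"EPR-Vendor", "Cloud-Region-UK", "Identity-Provider"},
    "Diagnostics (PACS)": {"PACS-Vendor", "Core-Network", "Storage-Array"},
    "Telehealth": {"Telehealth-Platform", "Telecoms", "Identity-Provider"},
    "Patient Monitoring": {"IoMT-Gateway", "Core-Network"},
    "IoMT-Gateway": {"Core-Network", "Power"},
    "Core-Network": {"Power"},
    "Cloud-Region-UK": {"Telecoms"},
    "Identity-Provider": {"Cloud-Region-UK"},
    "Storage-Array": {"Power"},
}

# Mission-critical services: patient safety, diagnostics, EPR, telehealth.
MISSION_CRITICAL = {"EPR", "Diagnostics (PACS)", "Telehealth", "Patient Monitoring"}

# Yes/no answers to the supplier questions in action 5 (constructed sample).
# Criticality is not asked for here: it is derived from the dependency map.
SUPPLIER_ANSWERS = {
    "EPR-Vendor":          {"posture_ok": True,  "ir_plan_ok": False, "alternative_ok": False},
    "PACS-Vendor":         {"posture_ok": False, "ir_plan_ok": False, "alternative_ok": False},
    "Telehealth-Platform": {"posture_ok": True,  "ir_plan_ok": True,  "alternative_ok": True},
    "Cloud-Region-UK":     {"posture_ok": True,  "ir_plan_ok": True,  "alternative_ok": False},
}


def dependents_of(failed, deps=DEPENDENCIES):
    """Every node that transitively relies on `failed` (breadth-first walk
    over the reversed dependency graph)."""
    reverse = {}
    for node, requirements in deps.items():
        for requirement in requirements:
            reverse.setdefault(requirement, set()).add(node)
    affected, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for dependent in reverse.get(current, ()):
            if dependent not in affected:
                affected.add(dependent)
                queue.append(dependent)
    return affected


def blast_radius(failed, deps=DEPENDENCIES, critical=MISSION_CRITICAL):
    """Mission-critical services disrupted if `failed` is lost or compromised:
    the 'screens go blank' simulation of action 2 for one dependency."""
    return sorted(dependents_of(failed, deps) & critical)


def rank_dependencies(deps=DEPENDENCIES, critical=MISSION_CRITICAL):
    """Rank every non-critical node by how many critical services it can take down."""
    nodes = set(deps)
    for requirements in deps.values():
        nodes |= requirements
    scored = {n: len(blast_radius(n, deps, critical)) for n in nodes - critical}
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


def supplier_risk(name, answers=SUPPLIER_ANSWERS, deps=DEPENDENCIES, critical=MISSION_CRITICAL):
    """Simple prioritisation score: criticality (critical services the supplier
    can take down) multiplied by 1 + the number of unmet controls from action 5.
    A supplier with every control in place still scores its criticality."""
    answer = answers[name]
    gaps = sum(1 for key in ("posture_ok", "ir_plan_ok", "alternative_ok") if not answer[key])
    return len(blast_radius(name, deps, critical)) * (1 + gaps)


def prioritised_suppliers(answers=SUPPLIER_ANSWERS, deps=DEPENDENCIES, critical=MISSION_CRITICAL):
    """Suppliers ordered by risk score, highest first (name breaks ties)."""
    scored = [(name, supplier_risk(name, answers, deps, critical)) for name in answers]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for dependency, hit in rank_dependencies():
        print(f"{dependency:20} takes down {hit} critical service(s): {blast_radius(dependency)}")
    print()
    for supplier, score in prioritised_suppliers():
        print(f"{supplier:20} risk score {score}")
```

The point of deriving criticality from the graph rather than asking suppliers for it is that shared dependencies (a single identity provider or cloud region behind several clinical services) surface at the top of the ranking even when no individual contract looks critical; in a real assessment the sample dictionaries would be replaced by the asset register and the answers gathered during supplier due diligence.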


6. Embed a culture of awareness & accountability


Technical controls are essential, but humans often remain the first line of defence (or failure).

  • Regular training for clinical and non-clinical staff on phishing, social engineering, safe remote working

  • Simulated phishing campaigns, measured results

  • Clear accountability: who owns cyber risk? What happens when protocols are not followed?

  • Encourage a reporting culture (no-blame) for near misses and anomalies


7. Monitor emerging threats & horizon-scan regularly


Given the accelerated pace of change (AI-driven tools, evolving ransomware-as-a-service models, more aggressive state-actor tactics), your threat-intelligence capability must keep pace. Ensure you receive alerts (including from NCSC, NHS Digital, sector partners) and translate those into action — patch updates, configuration changes, crisis-planning adjustments.






Final Thought


For hospital CIOs, the message is clear: the threat is no longer hypothetical; it is already material. With the UK now averaging around four “nationally significant” cyber incidents per week, we can no longer afford to treat cyber-resilience as an optional extra. It must be a core strategic pillar of our digital health transformation.


Use Cyber Security Month as the trigger: walk the floor, talk to your clinical leads, review your incident-response plan, test your backups, review supplier contracts and report to your Board, in order to ensure that digital health tools don’t become digital liabilities.


Your hospital may not yet be the headline incident — but the next one could very well aim for the weakest link in your ecosystem. Make sure that link is not your organisation.



Download the Trust IT Cyber Resilience Checklist


Details the minimum Trust IT cyber-resilience requirements that all Health CIOs should ideally have implemented within their Trusts to date, to assure a reasonable-to-good standard of cyber resilience for their organisations.





Contact Paradigm to see how we can assist you enhance your Cyber defences & PQC (Post-Quantum Cryptography) Compliance: Submit an RFP Request




Cyber Security Month 2025: A Call to Action for Health CIOs by Ann Samuels © 2025. This blog is licensed via CC by ND-4.0 
