Healthcare in the crosshairs: we’ve come a long way

Published on May 20, 2026

Hospitals are increasingly finding themselves in ransomware’s “blast radius,” and that risk is still rising. In Sophos’ latest sector survey, 67% of healthcare organisations reported a ransomware hit in the past year, with recovery taking longer as attacks grow more complex. Meanwhile, IBM reports the average cost of a healthcare data breach is $10.93 million - the highest of any industry.

I’ve watched the growth of this onslaught from the frontline. I’ve spent over 15 years helping national bodies and healthcare providers defend themselves and their patients. The challenges have been growing year-on-year, and today the threat is even more substantial.

But it wasn’t always like this. Not so long ago there was no bullseye on our back in healthcare. Historically, it was seen as above the fray - almost a sacred domain. After all, who would want to attack the industry that saves lives, the industry that, sooner or later, we all depend on?

For decades, the perception that we were safe led to what I saw as a chronic underinvestment in cybersecurity, which in turn led to a myriad of vulnerabilities. During this time, the attackers have become less ethical, better skilled, and more strategic in their attacks.

The WannaCry ransomware attack in 2017 served as a pivotal moment for the industry, affecting both older computers running Microsoft Windows and newer systems lacking essential security updates. Approximately 70,000 devices were compromised during this incident. The United States government attributed the attack to North Korea, a conclusion supported by multiple other nations.

Among the impacted organisations, the National Health Service (NHS) in England and Scotland experienced significant disruptions. The cost of this attack to the UK healthcare sector alone was estimated to be £92 million. Over 19,000 appointments and surgical procedures were cancelled, and patient records reverted to paper formats that required subsequent restoration; re-keying those records onto IT systems alone took months. Was this event preventable? Possibly not. Did this event highlight inefficiencies in preparedness? Definitely. However, it also acted as a catalyst for cyber risk quantification (CRQ), which now plays a pivotal role in translating healthcare outcomes and impact into quantifiable loss.

One thing everyone agreed on was that it could have been far worse if the attack had struck at a different point in the week, or during winter when pressures on health services are intensified. It served as a wake-up call, especially as our reliance on technology and interconnected environments in the NHS continues to grow, and attackers become more sophisticated.

Challenges on all fronts

Challenge one: Leadership

We know the issues are real, and we know the impact poor cybersecurity can have. But can we measure it effectively, in a way that quantifies the impact so that CEOs and C-Suites understand it and can help prioritise activities? Cyber was seen as a dark art—one often poorly understood by leaders. So, the first challenge the health and care sector faced was leadership becoming au fait with the subject and informed in its decision-making.

Challenge two: The human factor

Health and care is a people business. We care for people and help them live longer, healthier lives with their loved ones. The challenge here is balancing what staff and patients want, which is timely access to great care, against the need to build safeguards that protect security. So, the second challenge that needed to be addressed was how to build security by design into a huge people business where cybersecurity is not the workforce's core skillset.

Challenge three: External danger

Attackers targeting the health and care sector have rapidly evolved from scatter‑gun opportunists to highly capable, organised, and increasingly automated adversaries. They now exploit supply‑chain weaknesses, harvest credentials at scale, and weaponise zero‑day vulnerabilities. This can be seen in incidents like the Synnovis ransomware attack and widespread credential theft via infostealer malware. These threat actors operate with speed, precision, and commercial discipline, overwhelming legacy systems and fragmented defences. So, our third challenge was clear: figure out how the health and care sector can outpace attackers who are now smarter, faster, and far more sophisticated than ever before. At the same time, the industry must also make sure spend is optimised to create the biggest impact in reducing cyber risk, since funding is constrained and value needs to be demonstrated against other public service demands.

In the UK, leaders of the health and care system took the threat seriously, but also wanted to know the scale of the issue. I saw first-hand how one of the biggest hospital providers in the UK configured a mock phishing email attack to breach patient data—addressing each of the aforementioned challenges in the process. The results of this test were concerning but also insightful: It took only six hours from launching a phishing attack to having access to patient data. Notably, this wasn't accomplished using advanced technology or sophisticated methods, but rather through a straightforward attack scenario matching the abilities of a novice. This finding highlighted the magnitude of the problem and prompted a collaborative effort with the UK government to counter the threat.

Where we are today: Cyber as a determinant of care

Across global health systems, every pound of investment is under scrutiny. Public healthcare is serving larger, older populations with rising expectations, while operating under relentless financial pressure. Technology has become essential to meeting that challenge — improving productivity, enabling new models of care, and shifting activity closer to patients.

But this dependence on digital infrastructure has quietly changed the nature of risk.

Appointment platforms, digital diagnostics, shared care records, remote monitoring—these are no longer “IT systems.” They are clinical enablers. When they fail, care slows. When they are compromised, patients are put at risk. Cybersecurity, therefore, has become inseparable from service continuity and patient safety.

The health and care sector has recognised this shift. In the UK, technology adoption is accelerating across clinical pathways and patient engagement, with security and privacy increasingly embedded into solution design. Secure‑by‑design principles are now being applied earlier, and new delivery models are assessed not just for clinical benefit, but for resilience and trustworthiness.

At the same time, the sector is addressing structural constraints. The shortage of cyber specialists remains acute, but regional capability models and a growing professional cyber cadre are beginning to emerge. Mandatory annual training has improved baseline awareness, while more advanced education is developing specialist expertise within trusts and integrated care systems.

Progress is real, but it is uneven. And it has exposed a deeper issue.

The real problem: Cyber risk is still hard to govern

Despite increased investment and awareness, many health leaders still struggle with a fundamental question: how much cyber risk are we actually carrying, and is our spend reducing it?

Traditional cyber reporting (maturity scores, control compliance, heat maps and the like) rarely answers that. It tells boards what exists, but not what it means. It doesn’t translate outages into cancelled procedures, data breaches into recovery cost, or control gaps into patient harm. As a result, cyber risk has historically sat uncomfortably in executive conversations: acknowledged as serious, but difficult to prioritise against visible operational pressures. This is where many programmes stall—not because leaders don’t care, but because they lack decision‑grade insight.

The turning point: Quantifying cyber in healthcare terms

High‑profile incidents have forced a shift. WannaCry showed how systemic vulnerabilities could cascade across an entire health service. The 2024 Synnovis ransomware attack reinforced the lesson, disrupting pathology services for months, cancelling procedures, and exposing sensitive data. These were not abstract IT failures. They were care delivery failures, with real human consequences.

What changed after these events was not just investment levels, but the way risk was being discussed.

Cyber risk quantification is a critical enabler. By using established quantitative risk approaches, health leaders can express cyber risk in financial and operational terms: annual loss expectancy, service disruption cost, recovery time, and the likelihood of patient harm. For the first time, cyber risk can be compared directly with other enterprise risks, and governed accordingly. In the NHS, this enabled a step change. CRQ is currently being used in many guises: from quantifying the benefits of cyber transformation initiatives to helping over 200 organisations prioritise investment in cyber. This means that leaders can now ask: “Where will our next pound reduce the most risk to patients and services?”

From spend to impact: Why CRQ matters

Perhaps the most powerful benefit of CRQ is not prioritisation, but feedback.

By quantifying risk before and after interventions, organisations can finally assess effectiveness. If £10,000 invested in multifactor authentication reduces expected annual loss by only a marginal amount, that becomes visible. If an alternative control materially reduces outage risk or data compromise, that too becomes clear.
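To make the before-and-after comparison above concrete, here is an added worked example (not from the article, KPMG or the NHS) that expresses a ransomware scenario in the CRQ terms the previous section lists: annual loss expectancy built from disruption cost, recovery cost and expected patient harm, restated as cancelled procedures, and then used to rank two candidate controls by loss avoided per pound. All figures, the trust, and the control effects are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """One ransomware loss scenario expressed in CRQ terms (all figures constructed)."""
    events_per_year: float          # annual rate of occurrence
    outage_days: float              # service disruption per event
    disruption_cost_per_day: float  # diverted activity, agency staff, overtime
    procedures_per_day: float       # elective procedures cancelled per outage day
    recovery_cost: float            # rebuild, restore and re-keying paper records
    p_patient_harm: float           # probability an event causes clinical harm
    patient_harm_cost: float        # monetised harm when it does (claims, remediation)

def single_loss_expectancy(s: Scenario) -> float:
    """Expected loss from one event: disruption + recovery + expected patient harm."""
    return (s.outage_days * s.disruption_cost_per_day
            + s.recovery_cost
            + s.p_patient_harm * s.patient_harm_cost)

def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = rate of occurrence x single loss expectancy."""
    return s.events_per_year * single_loss_expectancy(s)

def cancelled_procedures_per_year(s: Scenario) -> float:
    """The same risk stated in care terms rather than pounds."""
    return s.events_per_year * s.outage_days * s.procedures_per_day

def reduction_per_pound(before: Scenario, after: Scenario, control_cost: float) -> float:
    """Expected annual loss avoided for each pound spent on the control."""
    return (annual_loss_expectancy(before) - annual_loss_expectancy(after)) / control_cost

def rank_controls(baseline: Scenario, controls: dict) -> list:
    """Order candidate controls by loss avoided per pound, best first."""
    scored = [(name, reduction_per_pound(baseline, treated, cost))
              for name, (treated, cost) in controls.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed baseline for a hypothetical trust: 0.4 events/year, 10-day outage each.
BASELINE = Scenario(0.4, 10, 50_000, 120, 800_000, 0.2, 2_000_000)
# MFA on remote access (assumed effect): fewer phishing-led intrusions succeed.
MFA = replace(BASELINE, events_per_year=0.3)
# Tested offline backups and restore drills (assumed effect): shorter outage, no re-keying.
BACKUPS = replace(BASELINE, outage_days=3, recovery_cost=200_000)
CONTROLS = {"mfa": (MFA, 10_000), "backups": (BACKUPS, 60_000)}

if __name__ == "__main__":
    print(f"baseline ALE: £{annual_loss_expectancy(BASELINE):,.0f}, "
          f"{cancelled_procedures_per_year(BASELINE):.0f} procedures/year")
    for name, per_pound in rank_controls(BASELINE, CONTROLS):
        print(f"{name}: £{per_pound:.2f} of expected loss avoided per £1")
```

Note that the ranking changes with the metric: per pound, MFA wins on these figures, while backups avoid more absolute loss and far more cancelled procedures, which is exactly the trade-off a board needs to see.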

This shifts cybersecurity from a faith‑based exercise to an evidence‑based one—essential in a sector where resources are finite and opportunity cost is real. More importantly, it allows cyber leaders, clinicians, and executives to align around a shared objective: protecting care outcomes, not just systems.

The bottom line

Healthcare has come a long way since WannaCry. But the journey is far from over.

The sector now understands that cyber threats are not moral outrages or technical nuisances. They are real dangers that are persistent, well‑resourced, and indifferent to patient impact. Adversaries optimise relentlessly. Healthcare cannot afford not to.

What gives cause for cautious confidence is not technology alone, but a change in mindset. Cybersecurity is being reframed as a core component of operational resilience and patient safety. Risk is being discussed in terms leaders understand. Investment decisions are becoming more disciplined, more transparent, and more defensible.

This is not a moment for complacency or self‑congratulation. But it is evidence that healthcare is learning how to fight a modern threat on modern terms—by making cyber risk visible, measurable, and governable.

And in a system built to save lives, that matters more than ever.

This article is part of the Reinventing Cyber Budgeting publication. It's a joint publication by KPMG and TAG Infosphere, written for CISOs, risk leaders and executives who are being asked to do more – with less – and need a better way to explain, justify and defend cyber investment decisions. Read the full report here.

Author
Raj Cheema
Partner and Head of Cyber Healthcare for the UK and EMA
Raj serves as the head of cyber healthcare for the UK and EMA. As a Senior Partner at KPMG, he collaborates with governments worldwide to implement secure and resilient technology modernisation in the healthcare sector.