NHS staff lack confidence in health service cyber measures

Frontline and backend NHS staff alike all understand the role they have to play in protecting Britain’s health service from cyber threats, but only a minority believe that current safeguarding measures are sufficient, according to BT research that sheds light on cyber concerns, legacy system risks and training gaps across the NHS.
BT, which works with over 200 NHS trusts around the country, polled both health service workers and members of the public.
In the wake of several high-profile cyber attacks against NHS targets and suppliers, its study uncovered “strong public awareness” of how critical appropriate security measures are to keep the health service running, but also found that 60% of the public are concerned that critical systems could be disrupted or disabled, and 56% are concerned about their private medical data being exposed by malicious hackers.
Among NHS staff, it found that despite the near-universal acceptance and understanding of their responsibilities, only 36% believed the health service was currently adequately able to defend itself, and just 42% trusted that existing systems were sufficiently robust to protect sensitive data.
Additionally, 64% of NHS staff lamented “outdated” systems that they said make data hard to access and use, and 60% reported a lack of regular security training.
Natasha Phillips, former chief digital nurse to NHS England, founder of Future Nurse and BT Clinical Advisory Board (CAB) member, said: “In healthcare, cyber security isn’t just about protecting data; it’s about protecting lives. Nurses are often the first point of care. To deliver life-saving and compassionate treatment, they depend on easy access to secure systems.
“As we embrace digital innovation, we must ensure that all clinicians have the confidence, training and tools to work safely and free from disruption. Ultimately, building a resilient NHS requires a united effort, where technology, training and trust come together.”
BT director of healthcare Sultan Mahmud said: “The NHS is rightly focused on saving lives, so it can be hard to stay ahead of cyber security threats with the landscape shifting so quickly.
“Threats targeting healthcare have grown in frequency and sophistication, endangering patient care and compromising vital services,” he said. “BT logs 2,000 signals of potential cyber attacks every second, totalling 200 million per day across sectors. With over 1.7 million employees, the NHS is the UK’s biggest employer, so empowering this workforce is vital.
“Across the NHS, high awareness of cyber risk is overshadowed by a lack of preparedness. Moreover, significant frustrations with legacy systems are affecting care, exacerbating training gaps.”
Mahmud, who prior to joining BT worked across the NHS in various capacities – most recently as chief innovation, integration and research officer at Royal Wolverhampton Hospital NHS Trust – acknowledged the pressing nature of the cyber challenges faced by the health service, as well as the importance of collaboration to address them.
“Through initiatives like our Clinical Advisory Board and Vanguard Programme, BT Health is enabling collaboration between healthcare, policy and business to drive meaningful change,” he said. “A cyber-resilient NHS will be a better NHS for everyone.”
New tech, better training needed
Drawing out more of the key themes of the report, BT said the NHS was clearly facing a “critical challenge” with its legacy tech systems, which often lack the levels of inbuilt security protections that one would expect to find in more modern environments, both hindering care delivery and collaboration.
Respondents to the survey said they found patient data isolated and inoperable, and felt their ability to deliver safe and efficient healthcare suffered as a result.
On security training, the survey found that in some areas, things may be going backwards, as despite a modest rise in training on new technologies, training on both new and existing systems had dropped almost 10%, particularly among frontline clinical staff. BT said the data strongly suggested that security training is seen as a one-off initiative, rather than an ongoing, iterative process. This is likely exacerbating both cyber risks and the impact of vulnerabilities on the NHS.
On the same issue, the public-facing element of the study found that ordinary Brits are onboard with the need to beef up the NHS defences, with well over half saying they saw the need to train NHS staff in new technologies as a priority. BT spoke of a “growing public understanding” that equipping staff with appropriate security knowledge is crucial to improving overall healthcare delivery.
The data in BT’s report – more information on which can be found here – were drawn from an independent survey of 76 staff at 56 NHS and Integrated Care System organisations in September 2024, while the public’s views were gathered by YouGov from a weighted survey of 2,159 adults taken in July 2024.