Healthcare is inherently a risk-averse environment. From delivering a baby to dispensing medication, risk permeates every aspect of day-to-day care. While the sector has long managed clinical and operational risks, a new and uncomfortable threat is emerging: cyber attacks.
This threat is underscored by recent news of Anthropic’s most sophisticated AI model, Mythos, exploiting vulnerabilities in their own code to escape a virtual prison and send an email to an engineer telling them they had escaped. The potential of AI in healthcare is untapped, but with it comes risks that have not been fully appraised or mitigated.
Healthcare is now overwhelmingly dependent on technology. Any disruption can have devastating consequences.
Unlike the impact of most consumer technology that simply hits the “pause button,” a cyber attack in healthcare can leave care delivery “in the dark.” Vulnerabilities in software are creating direct patient safety risks, forcing an unfortunate trade-off between efficiency and security.
This friction—risk versus progress—will always exist. What’s needed now is a commitment from the NHS and its supplier community to mitigate risk through proportionate, continuous action.
The Legislative Shield
The government is aware of this escalating danger. The Cyber Resilience Bill, announced in November 2025, while not exclusively written for healthcare, is a significant step. It brings cyber resilience onto the same level footing as Data Protection, which in a healthcare context goes hand in hand: compromise the system, compromise the data.
However, the core problem with any new compliance requirement or legislative mandate is the temptation for businesses to treat it as a ‘tick-box’ exercise—comply once, then forget, or worse, duplicate existing policies.
In the age of AI, this can no longer be the case.
How do we prioritise patient safety?
We must encourage and advocate for continued evaluation and compliance, embedding it as part of a supplier’s commitment to patient safety. This is especially vital given that the NHS is rich with providers, many of whom use integrated systems that share data. This connectivity, while beneficial, exposes vulnerabilities in API security and authentication protocols, making risk appraisal increasingly challenging.
By creating a connected system, we have simply created more risks that need mitigating.
How do we close the patient safety gap?
Risk mitigation starts with transparency and consistency. Over the years, the NHS has relied on several mechanisms to validate supplier security:
- DSPT (Data Security and Protection Toolkit): The primary mechanism, which is increasingly shifting its focus from data protection to information security.
- Cyber Essentials Plus: We are seeing a major shift with more clients now expected to undergo this audited certification. This validates controls and, for many, is the first audited step on their path to compliance.
- Penetration Testing: Proving external scrutiny is becoming essential for building trust and assurance, whether for a national API project or a new tool implementation.
But healthcare needs suppliers to take a further step forward to ensure the resilience of the technology, which is critical for care delivery.
Complying with the NHS Cyber Security Charter
Looking ahead, the new NHS Cyber Security Charter for suppliers, a direct response to recent high-profile attacks, is a positive step. While adherence is currently voluntary, it clearly articulates what the health and social care sector expects from responsible suppliers, building on existing compliance criteria. Suppliers must wake up to the opportunity this affords. Investing in these activities pays dividends versus paying for expensive damage control PR following a major patient safety event.
You can read more about the Cyber Security Charter requirements in our blog here.
From Annual Assurance to Continuous Compliance
The biggest area where many suppliers will fall short is the necessary shift from a state of annual assurance to continuous compliance.
Businesses must recognize the escalating and immediate threat posed by AI, which significantly increases the risk of cyber attacks. The UK Government even published an open letter to business leaders outlining why businesses should take Cyber Risks seriously and what they should look to do to mitigate their impact.
With the growing interdependence of systems between providers in every health system, while making healthcare more reliable, we’re simultaneously making it less resiliant to the devastating impact a cyber attack can have on critical infrastructure unless risk is managed proactively and proportionately.
Looking Ahead
Whilst we operate in a world of Charters, Compliance, and Certification, all are designed to help suppliers and the NHS mitigate risk. Framing them as ‘tick-box’ exercises or as a bureaucratic means of stifling innovation risks eroding the core principle of why teams feel obligated to build technology for the healthcare sector.
Ultimately, risk in healthcare is a shared parameter, demanding shared accountability. We cannot expect the supplier community alone to do the hard work on cyber resilience if the infrastructure they are integrating into isn’t secured to equivalent standards.
This is why the future of patient safety requires a shift to proactive continuous monitoring in the cybersecurity space. The digital vanguard is now the front line of care.
Ready to sign the Cyber Security Charter?
Work with our expert team of Privacy, Information Security and Cyber Security specialists to protect patients and your business. Book a free Security Consultation today.