Over the past decade, cyberattacks targeting hospitals, medical infrastructure and associated supply chains have increased markedly, exposing systemic weaknesses in healthcare digital security. High-profile incidents have demonstrated how cyber disruption can compromise patient data, interrupt clinical services and generate significant financial losses. The 2017 WannaCry ransomware attack on the UK National Health Service affected dozens of hospitals and drew global attention to the fragility of healthcare information systems. More recently, large-scale incidents in the United States and France highlighted that cyber threats are not confined to a single health system or governance model. As healthcare becomes more digitally dependent, cybersecurity has emerged as a critical issue for patient safety, operational continuity and public trust, with implications that extend across national borders.

 


 

Digitisation Increases Exposure and Complexity

Rapid digitisation and the growing adoption of innovative technologies have transformed cybersecurity into a central priority for healthcare. The sector is now widely recognised as high risk, requiring robust measures such as network segmentation, near real-time anomaly detection and coordinated response mechanisms to maintain continuity during widespread cyber incidents. These requirements reflect the extent to which digital systems are now embedded in everyday care delivery and administration.

 

Despite this recognition, healthcare infrastructure remains vulnerable. Outdated information technology systems and legacy cyber-physical components continue to operate in many settings, often alongside newer digital tools. Limited cyber awareness among staff further increases exposure, while financial constraints restrict the ability of organisations to modernise systems or invest in specialist expertise. These structural weaknesses allow cyber threats to evolve more quickly than defences, increasing the likelihood of service disruption.

 

The risk profile is expected to intensify as emerging digital care models become more prevalent. Hospital-at-home services, artificial intelligence-driven clinical decision support systems and the Internet of Medical Things introduce additional points of connectivity and dependency. While these technologies offer potential benefits for care delivery, they also expand the attack surface, making it more challenging to secure healthcare environments that extend beyond traditional hospital networks.

 

Financial Impact Highlights Systemic Vulnerabilities

The financial consequences of cyber incidents in healthcare remain substantial. According to IBM’s Cost of a Data Breach Report 2023, healthcare recorded the highest average breach cost across all industries for the 13th consecutive year, at US$10·93 million (approximately €10 million), almost double the global average. Although the sector accounted for only 5% of incidents in the IBM X-Force 2025 Threat Intelligence Index, it continues to be a prominent target due to the sensitivity of health data, high operational pressures and the persistence of outdated systems.

 

These figures underline the scale of risk faced by healthcare organisations and the limitations of fragmented security approaches. The combination of financial loss, potential patient harm and reputational damage has increased calls for stronger regulatory intervention. Incidents occurring across diverse health systems suggest that vulnerabilities are often structural rather than localised, with shared weaknesses in infrastructure, workforce readiness and supply chain dependencies.

 

Supply chains represent a particular area of concern. As healthcare delivery relies increasingly on external data centres, managed service providers and digital platforms, cyber incidents can disrupt services indirectly as well as directly. Such disruptions may affect access to clinical systems, billing processes and data management functions, amplifying the operational impact beyond the initially targeted organisation.

 

UK and EU Policy Responses Focus on Resilience

In response to escalating threats, both the UK Government and the European Union have introduced policy initiatives aimed at strengthening healthcare cybersecurity. In November 2025, the UK Government introduced the Cyber Security and Resilience Bill to Parliament, following a policy statement issued earlier that year. The proposed legislation seeks to reinforce national cyber defences and protect critical infrastructure, including healthcare. Key measures include extending regulatory scope to cover data centres and managed service providers, stricter incident reporting requirements and enhanced enforcement powers for regulators.

 

At the European level, the European Commission launched a European action plan on the cybersecurity of hospitals and healthcare providers in January 2025. The plan addresses supply chain risks, promotes cybersecurity awareness and guidance, and proposes the establishment of a near real-time threat alert system. It also acknowledges the financial burden of cybersecurity investments, suggesting mechanisms such as a Cybersecurity Support Centre and Cybersecurity Vouchers to encourage good practice among healthcare organisations.

 

The action plan positions cyber-secure health infrastructure as essential for the European Health Data Space, launched in March 2025. While the initiative aims to improve access to and use of electronic health data for care, research and innovation, it also heightens concerns around data privacy and security. Although cybersecurity is identified as important, the framework includes few concrete operational requirements, raising questions about whether high-level oversight alone can deliver meaningful change without sustained investment in frontline systems.

 

Alongside policy initiatives, emphasis is placed on accountability and compliance. Measures highlighted as relevant include financial penalties for data protection failures, mandatory breach notification within 72 hours, cybersecurity audits and certification requirements such as ISO/IEC 27001 compliance. Particular attention is also directed towards cyber-physical systems and medical devices, which remain among the most vulnerable components of the healthcare ecosystem.

 

Cybersecurity threats to healthcare systems are increasing in frequency, complexity and impact, with clear implications for patient safety, data protection and operational resilience. High-profile incidents in the UK, United States and Europe illustrate how cyberattacks can disrupt services and generate substantial financial losses. Policy responses in the UK and EU reflect growing recognition of these risks, focusing on resilience, supply chain security and accountability. Addressing cybersecurity challenges requires sustained investment in infrastructure, workforce awareness and medical device security, alongside regulatory compliance, to support the safe and reliable delivery of digitally enabled care.

 

Source: The Lancet Digital Health



References:

Freyer O, Rajput K, Ostermann M et al. (2026) Are we heading towards a cybersecurity crisis in healthcare and are actions needed? The Lancet Digital Health: Online first.


