Beyond prevention: a new focus on recovery
As cyber attacks against healthcare become increasingly inevitable, NHS organisations must focus on resilience and recovery to keep pace, writes Thelma Agnew.
20 January 2026
It is easy to assume that an NHS organisation which suffers a cyber breach has invited disaster by its poor cyber hygiene or the weakness of its defences. But such an assumption overlooks the determination and active malice of today’s cyber criminals.
Expert contributors to this Digital Health Insights report warn that the NHS needs to rethink its approach to cyber resilience to keep pace with the changing nature of the threat.
Since security breaches are inevitable, and designed to devastate an increasingly digitally connected NHS, traditional cyber security techniques focused on prevention are no longer enough. It is time to make resilience and recovery a strategic priority.
“This is an evolving domain,” says Julian Wiggins, solutions director at cloud solutions expert Rackspace Technology.
“What we’ve learned is that in the event of a cyber attack, something hasn’t just failed – it has been maliciously taken apart and there’s been extra effort put in to make the impact of that attack as damaging as it possibly can be.”
In the past, he says, some cyber hackers may have been in it for “fun and giggles”, but the motive now is “hard, cold cash”.
“It’s become a lot more focused. There are specific organisations that are looking to profit from this and if you want to get a little more geopolitical there may also be state actors involved,” Wiggins adds.
Attackers now deliberately corrupt backups and recovery paths, leaving malware and systems “entangled around your assets”, designed to cause maximum damage after the initial attack.
This second bundle of trouble will arrive sooner rather than later, says Wiggins. “The gestation period has dropped off significantly. There’s a kind of cat and mouse thing going on. They don’t want to leave it too long, lest you discover them.”
Wiggins says the “crucial” nature of healthcare can make the NHS attractive to cyber criminals because it means organisations are under huge pressure to resolve the situation quickly.
“But I wouldn’t say that the NHS is particularly vulnerable per se. I just think this is a very new domain we find ourselves in – and everybody’s vulnerable.”
The growing malevolence and sophistication of the cyber attackers is one problem.
One example is the June 2024 ransomware attack against pathology supplier Synnovis, which disrupted NHS services across London and led to thousands of patient appointments and operations being postponed.
The breach has been officially linked to at least one patient death and more than 120 cases of patient harm.
However, cyber criminals targeting NHS systems have no particular interest in disrupting healthcare services, according to Nasser Arif, security manager at London North West University Healthcare NHS Trust.
“There aren’t specific [threat actors] for healthcare. These are organised criminals who are working across different sectors,” he says.
Another concern is that the NHS’s increasingly connected digital landscape – with a hugely expanded NHS App and the single patient record now in view – presents an expanding target.
Lee Rickles, chief information officer and director at Humber Teaching NHS Foundation Trust, says that this landscape increases the risk of attacks.
He points out that an outage that might once have been limited to a hospital department can now disrupt an entire NHS trust and in future, potentially, “take out England”.
Rickles adds that cyber criminals are using AI to outpace defensive responses to attacks.
“AI is the biggest risk around cyber attacks because the speed it can move at is devastating.”
Saif Abed, founding partner and director of cyber security services at The AbedGraham Group, warns that we are making life much too easy for criminals.
“If we do not address our cyber resiliency and we go down this single patient record [route], and start interconnecting all our health organisations together, then we are going to exponentially magnify our cyber vulnerability.
“The average cybercrime gang, instead of having to target every organisation individually, could launch regionwide or nationwide attacks through a single point of entry. At that point we are far more vulnerable than we have ever been.”
“Recovery is as important as prevention,” says Rickles. “Let’s be honest, we can do all we want [to prevent attacks], but the reality is it will happen, and now AI is starting to lead on the cyber attack front, they’re going to happen more regularly.”
A cyber resilience strategy that includes a clear plan for recovery should be a board level responsibility, he says.
“Any cyber attack will likely cause harm to the provision of care. This should be a patient safety issue.”
Unfortunately, there is no consensus in the NHS about how high to set the bar for recovery and what constitutes an acceptable recovery timescale.
“What is an acceptable recovery time – and how much time and effort should go into it?
“We definitely need better clarity about the level of testing and resilience required for different systems based on the impact they can have for patient care.
“You need to be far more prescriptive of where responsibility sits and what’s a reasonable recovery time, rather than it being a blunt object. Because if it’s a blunt object, it’s just ignored,” says Rickles.
The Cyber Security and Resilience Bill, introduced to parliament in November 2025, aims to bring a new robustness to the cyber defences of the NHS and other vital services.
It requires third-party suppliers to boost their cyber security in areas such as risk assessment, hands regulators more tools, and gives the technology secretary powers to update the regulatory framework and ensure a swift response to new threats as they emerge.
Rickles welcomes the Bill, but stresses that it will need to be reinforced by regulation and standards to make sure organisations are compliant.
He also emphasises the need for NHS trusts to question suppliers about their cyber resilience.
This should include checking whether they have run simulation exercises to test how their recovery plan will perform in the event of a security breach.
“What’s your recovery plan? And when was your last exercise? Was that [just] a desktop exercise?
“The management of vendors is very poor across the NHS,” he says.
It’s a point underlined by Abed, who is scathing about the “lack of political leadership” on NHS cyber security and resilience, and unimpressed by the NHS’s record.
“It’s one thing to pass a piece of legislation – enforcement is the issue.
“We are so bad at enforcing our mandatory standards and legislation in the NHS when it comes to technology,” he says.
Abed wants to see “a much more aggressive approach” towards managing the NHS supply chain’s cyber resilience.
“Cyber attacks are going to happen. Companies who have been negligent need to be punished.
“We need to say, ‘you’re barred from market access if you can’t, within six months, address your side of security’. Because it’s a risk to patients’ safety and public health.”
Wiggins says that we are now living in a post-prevention world.
“Historically if you had a robust prevention strategy that probably would have protected you, but the likelihood of getting breached at some point has climbed to a point where it’s no longer enough just to protect yourself from violation.
“You need to have contingency in the event of getting hacked.”
He adds: “Planning for recovery has been something people have shied away from because in a sense it’s admitting failure. But I think moving forward, it’s truthfully thinking about risk and probability.
“It’s spending some time to make sure if it does happen, you have a plan that holds water and a business that has considered what it needs.”
Wiggins has been struck by the “depth and gravity” of the systems that get destroyed in an attack.
Rackspace has worked with organisations post-attack, where staff have been left with nothing but their personal Gmail accounts and WhatsApp for messaging.
Meanwhile, “fantastically written recovery plans” are sitting on a SharePoint site that has been taken off the air, he says.
Mike Fell, director of national cyber operations at NHS England, says that there are “increasingly close partnerships with the NHS’s suppliers to prevent and respond effectively to the cyber threat faced by sectors across the UK”.
“We promote a culture that encourages learning and sharing of cyber experiences across the health service to help build resilience,” he adds.
Modernising recovery capabilities
For any organisation facing cyber threats in 2026, the essential foundation for recovery is self-knowledge.
“In order to respond effectively, the elemental thing you need to understand is how your trust operates,” says Wiggins.
“What are the systems you use, what are they used for, who uses them? What happens if they’re not there?”
Once an organisation fully understands itself, work can begin on an enhanced business continuity plan, and on the creation of an isolated recovery environment (IRE) and recovery infrastructure.
The IRE concept – which Wiggins describes as “a discrete air gap set of computing resources” – is key to Rackspace’s approach to cyber resilience and recovery.
Designed to stand separately from normal systems, it is out of reach to bad actors but offers support in the form of verified immutable backups, clean images of critical applications and core services, and offline copies of recovery documentation, including playbooks, license keys and configuration details.
Rackspace applies an analysis technique borrowed from engineering, failure mode and effects analysis (FMEA), to the entire IT and business service stack to scrutinise recovery challenges and identify potential weak spots.
The aim is to ensure that no single failure point can derail the organisation’s recovery.
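An added worked example, not code from the report or from Rackspace: a small Python model of a trust's recovery dependency chain, using hypothetical asset names and constructed FMEA scores, that flags every dependency without an IRE copy as a single point of failure and ranks the chain by risk priority number.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Asset:
    """One item in a recovery dependency chain (hypothetical model, not Rackspace's)."""
    name: str
    in_ire: bool                       # clean copy held in the isolated recovery environment?
    depends_on: list = field(default_factory=list)
    severity: int = 1                  # FMEA scores, 1 (low) to 10 (high):
    occurrence: int = 1                #   impact on care / chance an attacker corrupts it /
    detection: int = 1                 #   10 = corruption would surface only on recovery day

    def rpn(self) -> int:
        """FMEA risk priority number: severity x occurrence x detection."""
        return self.severity * self.occurrence * self.detection

def recovery_chain(assets: dict, target: str) -> set:
    """Every asset that restoring `target` transitively depends on (cycle-safe)."""
    seen, stack = set(), [target]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(assets[name].depends_on)
    return seen

def single_points_of_failure(assets: dict, target: str) -> list:
    """Chain members with no IRE copy: reachable from production, so an attacker
    who corrupts them derails recovery of `target`."""
    return sorted(n for n in recovery_chain(assets, target) if not assets[n].in_ire)

def ranked_by_rpn(assets: dict, target: str) -> list:
    """Chain members ordered by FMEA priority, highest RPN first (name breaks ties)."""
    return sorted(recovery_chain(assets, target), key=lambda n: (-assets[n].rpn(), n))

def with_ire_copies(assets: dict, names: list) -> dict:
    """Re-run the analysis after placing clean copies of `names` in the IRE."""
    return {n: replace(a, in_ire=a.in_ire or n in names) for n, a in assets.items()}

# Constructed sample: one trust's chain for restoring its patient record application.
SAMPLE = {a.name: a for a in [
    Asset("patient-record-app", True, ["record-db-backup", "directory-service", "recovery-runbook"], 10, 6, 4),
    Asset("record-db-backup", True, ["backup-catalogue"], 10, 7, 6),   # immutable copy in the IRE
    Asset("backup-catalogue", False, [], 9, 8, 8),                    # lives only in production
    Asset("directory-service", False, [], 8, 8, 3),                   # sign-in needed to run restores
    Asset("recovery-runbook", False, [], 6, 5, 9),                    # held only on the intranet portal
]}
```

Running `single_points_of_failure(SAMPLE, "patient-record-app")` lists the catalogue, directory and runbook as the assets whose loss would stall the restore; `with_ire_copies` shows the list shrinking as offline copies are added.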
Returning to business as usual, as quickly as possible, without reinfecting or losing systems is difficult, so recovery plans need to be tested before a crisis hits.
“This is where war gaming is really effective.”
For Arif, recovery planning is not only about protecting patients and the organisation but about supporting staff wellbeing and communication.
In a cyber breach, everyone should know what to do, who to talk to, and how to reach them.
“Relationship building is a key part of recovery,” he says.
Abed argues that NHS organisations should be expected to carry out simulation exercises once a year and should submit evidence that they have done so to NHS England or the Department of Health and Social Care.
“A key part of resiliency is how you stop a cyber attack from being devastating,” he adds.
Avoiding devastation isn’t just a technology challenge; it comes down to how people behave in a crisis.
“They’re much more likely to respond without panicking if they’ve been rehearsed and know the recovery processes like the back of their hand,” Abed points out.
The enormous stress on staff who find themselves caught in a cyber attack is “tremendously underplayed”, he says.
“Cyber security is seen as a tech issue. The first question is ‘do we have copies of our backups?’.
“In the meantime, clinicians are panicking. They’re switching to WhatsApp, they’re trying to figure out ‘do we have any paper forms and are they fit for purpose’.
“It’s very haphazard and that’s where the harm happens.”
Abed says that cyber resilience is about investing in people and developing mature processes.
“It’s not a product you can buy off the shelf. Cyber security products do not address cyber resilience – they’re a very small part of the puzzle.”
If the NHS is going to improve its cyber resilience it will have to face up to what he calls “the maturity paradox”.
“In the NHS we’ve invested a lot in trying to accelerate digital maturity, and that creates digital dependencies, but we’ve never really invested in increasing security maturity.
“All our health organisations are increasingly dependent on digital technology, but they don’t know what to do when it all becomes inaccessible.
“That’s where clinical risk and public health and national security risks manifest. That’s where we are now.”
Fell says: “Cyber attacks against the NHS are abhorrent acts that risk patient safety and our Cyber Strategy for Health and Care is clear on the need to not only prevent them but also to develop response and recovery practices to minimise harm caused by these criminal acts.”
He adds that NHS England’s cyber operations deliver national services to support local preparations for cyber attacks “including a 24/7 national cyber monitoring service, so that response teams accredited by the National Cyber Security Centre can help support affected organisations contain, investigate and remediate when incidents happen.”
Cyber attacks against healthcare are no longer a remote possibility; they are an inevitability. For the NHS, this means shifting from a mindset of prevention alone to one that prioritises resilience and recovery as core components of patient safety.
Recovery planning should not be seen as admitting failure, but as a strategic necessity in a world where attackers deliberately target backups and recovery paths.
Every NHS organisation must ask how quickly it can restore critical services without reinfection.
The answer lies in modernising recovery capabilities, building isolated recovery environments, maintaining immutable backups, and rigorously testing plans through simulation exercises. These steps are essential to protect patients, staff, and public trust when systems fail.
Cyber resilience is a culture of readiness. It demands investment in people, processes, and technology to ensure that when, not if, a breach occurs, the NHS can respond decisively and minimise harm.
In a post-prevention world, recovery is the new frontline.