1 July 2025 · articles
One Click is All it Takes: The NHS’s Third-Party Cyber Dilemma
Cybersecurity’s Weakest Link? Why NHS Third-Party Risk Demands Urgent Action, and What NHS Leaders Must Know About Third-Party Cyber Threats
By George Stern, NHS Digital Transformation & Security Lead
Healthcare organisations operate in an increasingly interdependent environment, relying more than ever on a wide ecosystem of third-party applications and suppliers. A hospital today runs a complex mix of software, from electronic patient records (EPRs), Patient Engagement Portals (PEPs) and networked diagnostic devices to the still largely uncharted world of AI, and each integration is a potential entry point for an attacker. With that reliance comes a rising tide of cyber risk, one that NHS leaders must confront with urgency and clarity.
Over the past year, we've seen a notable increase in the number of NHS Trusts raising concerns around third-party application security.
Integrating with external systems opens new doors into your environment. While many third-party vendors are reputable and security-conscious, not all are created equal. Some applications lack the rigorous protections we would expect around sensitive health data. Others introduce vulnerabilities without intending to, through poorly managed APIs, outdated libraries, or inadequate patching processes.
And the reality is stark: all it takes is one weak link.
Learning From Past Breaches
Cybersecurity breaches connected to third-party systems are no longer hypothetical, and the numbers are only rising. Over 70 Trusts have been affected by a cyber attack, with recent cases including NHS Dumfries and Galloway, ULCH and Southampton, King’s College Hospital NHS FT and Guy’s & St Thomas’ NHS FT (via their shared pathology supplier), and the CareNotes outage, among many others. These attacks forced Trusts to cancel surgical procedures and turn away outpatients; some Trusts were unable to access records, highly sensitive mental health patient data was lost, and, in the most severe case, a patient death has been linked to the attack because critical blood test results could not be delivered in time.
High-profile incidents, in healthcare and in other sectors, have repeatedly been traced back to external suppliers. SC Media reported that nine of the ten largest healthcare data breaches in 2022 were tied to third-party vendors. These breaches have taught a hard lesson: however confident we are in our own defences, we are only as strong as the partners we connect with.
The consequences of these breaches extend far beyond financial damage. For the NHS, they strike at the heart of patient trust. Exposure of sensitive health records, disruption to clinical services, the takedown of operational systems… all have a direct and measurable impact on care quality, safety, and continuity.
The Cost of Inaction
One of the biggest misconceptions about cybersecurity in healthcare is that inaction is cheaper than investment. The data suggests otherwise: the cost of a breach (financial, operational and reputational) far outweighs the cost of proactive protection. For instance, a 2025 report from the Wirral NHS Trust noted that a cyber attack contributed around £3.7 million to the Trust’s overall £14.7 million forecast deficit, and pushed referral-to-treatment (RTT) waiting times to 174 days, compared with 90 days in the three months immediately before the attack.
If you consider the average cost of a cyberattack on a UK healthcare organisation, it can easily reach into the millions when you factor in system recovery, regulatory penalties, patient notification, legal fees, and, in the worst cases, harm to patients. That doesn’t even account for the long-term reputational damage or the erosion of public trust - something no Trust can afford to lose.
The Patient Perspective
Ultimately, cybersecurity in the NHS isn’t just about protecting systems, it’s about protecting people. Patients trust you with their most intimate, personal data. They expect you to keep that information safe, and to ensure the digital systems supporting their care are reliable and resilient.
When a cyberattack disables critical services (whether it's appointment booking, diagnostic imaging, or electronic prescriptions) the impact on patients is immediate and distressing. Scheduled procedures are postponed, life-saving treatments delayed, and clinicians are left without the information they need at the point of care.
This is not an abstract risk. It is tangible. And it’s happening.
What We Can Do Differently
More Trusts are now re-evaluating how they assess, approve, and monitor third-party applications. We’re seeing a shift towards creating stronger procurement policies, embedding security assessments earlier in supplier engagement, and introducing stricter controls around how third-party apps integrate with core systems.
But beyond policy, we also need the right technological foundations - secure platforms that allow us to inspect, control, and contain the behaviour of third-party applications without compromising agility.
Zero-trust principles, segmentation, and policy-based access control are key strategies in limiting the blast radius of any potential breach. Equally important is the ability to gain full visibility into application traffic and to enforce consistent controls across all connected services, whether hosted internally, in the cloud, or managed externally.
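What "zero trust, segmentation and policy-based access control" means at the gateway in front of a third-party integration is easier to see in code. The following is an added example written for this article; it is not the article’s own material and not Cloud Gateway’s product code. It models a default-deny policy point: every supplier identity is pinned to a network segment, each segment may reach only named internal segments, and each supplier gets an explicit allowlist of service, method and path. Anything not listed is denied, and every decision carries a reason so the Trust keeps visibility over what external software actually attempted. All supplier names, zones, services and request records are constructed for illustration.

```python
"""Default-deny policy evaluation for third-party application traffic.

Added illustration, not from the article or any vendor. Supplier identity is
assumed to be verified upstream (e.g. mutual TLS), so decisions key on the
asserted supplier name. All names and records below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One explicitly permitted call shape: service, HTTP methods, path glob."""
    service: str
    methods: frozenset
    path_glob: str


@dataclass(frozen=True)
class SupplierPolicy:
    """Identity-bound policy: the segment a supplier is pinned to, plus its allowlist."""
    supplier: str
    zone: str
    rules: tuple


@dataclass(frozen=True)
class Flow:
    """A request observed at the gateway (constructed sample input)."""
    supplier: str
    src_zone: str
    service: str
    method: str
    path: str


# Segment each internal service lives in (constructed topology).
SERVICE_ZONE = {
    "fhir-api": "integration",
    "pas-db": "clinical-core",
    "imaging-pacs": "clinical-core",
}

# Segments reachable from a given source segment; absent means unreachable.
# Suppliers terminate in a DMZ that can only see the integration layer,
# so even a fully compromised supplier cannot address clinical-core directly.
REACHABLE = {
    "supplier-dmz": frozenset({"integration"}),
}

# Per-supplier allowlists (constructed). Empty rules would mean "nothing".
POLICIES = {
    "pep-vendor": SupplierPolicy(
        "pep-vendor", "supplier-dmz",
        (
            Rule("fhir-api", frozenset({"GET"}), "/Appointment"),
            Rule("fhir-api", frozenset({"GET"}), "/Appointment/*"),
        ),
    ),
    "diagnostics-vendor": SupplierPolicy(
        "diagnostics-vendor", "supplier-dmz",
        (Rule("fhir-api", frozenset({"POST"}), "/DiagnosticReport"),),
    ),
}


def evaluate(flow, policies=POLICIES):
    """Return (allowed, reason). Every check must pass; otherwise deny."""
    pol = policies.get(flow.supplier)
    if pol is None:
        return False, "unknown supplier identity"
    if flow.src_zone != pol.zone:
        # Identity and segment disagree: credential reuse or a pivot attempt.
        return False, f"{flow.supplier} is pinned to {pol.zone}, traffic came from {flow.src_zone}"
    dst_zone = SERVICE_ZONE.get(flow.service)
    if dst_zone is None:
        return False, f"unknown service {flow.service}"
    if dst_zone not in REACHABLE.get(pol.zone, frozenset()):
        return False, f"segment {pol.zone} cannot reach {dst_zone}"
    for rule in pol.rules:
        if (rule.service == flow.service
                and flow.method in rule.methods
                and fnmatchcase(flow.path, rule.path_glob)):
            return True, f"matched {rule.service} {sorted(rule.methods)} {rule.path_glob}"
    return False, "no allowlist rule matches"


def audit(flows):
    """Evaluate each flow and return audit records; the decision log is the visibility."""
    records = []
    for f in flows:
        allowed, reason = evaluate(f)
        records.append({"supplier": f.supplier, "service": f.service,
                        "method": f.method, "path": f.path,
                        "decision": "ALLOW" if allowed else "DENY", "reason": reason})
    return records


if __name__ == "__main__":
    sample = [
        Flow("pep-vendor", "supplier-dmz", "fhir-api", "GET", "/Appointment/123"),
        Flow("pep-vendor", "supplier-dmz", "fhir-api", "GET", "/Patient/42"),
        Flow("pep-vendor", "supplier-dmz", "pas-db", "GET", "/patients"),
        Flow("pep-vendor", "clinical-core", "fhir-api", "GET", "/Appointment/1"),
        Flow("diagnostics-vendor", "supplier-dmz", "fhir-api", "DELETE", "/DiagnosticReport"),
        Flow("rogue-app", "supplier-dmz", "fhir-api", "GET", "/Appointment"),
    ]
    for rec in audit(sample):
        print(f"{rec['decision']:5} {rec['supplier']:20} {rec['method']:6} "
              f"{rec['service']}{rec['path']}  ({rec['reason']})")
```

The point of the three separate checks is blast radius: a compromised supplier credential is still confined to its DMZ, the DMZ can only see the integration layer, and within that layer the supplier can only issue the exact calls it was contracted for. The denial reasons are what a SOC would alert on; a supplier suddenly probing `/Patient/*` or `pas-db` is an early signal that the "one weak link" has been pulled.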
That’s where robust, cloud-native infrastructure platforms can play a vital role.
Taking a Smarter Path Forward
While no system is 100% breach-proof, you can build smarter, more resilient environments that reduce your exposure and protect what matters most… your patients.
The key is recognising that third-party risk is not someone else’s problem. It’s yours to manage, and it starts with visibility, control, and the right mindset. Treat third-party applications not as optional extensions, but as critical components of your healthcare delivery infrastructure - subject to the same scrutiny and security as any internal system.
With the right support, it's absolutely possible to maintain innovation while keeping risk in check.
Cloud Gateway acts as the secure network backbone that underpins third‑party connection points. It delivers the underlay that gives visibility and control over the traffic entering and leaving the Trust’s environment. By enabling network segmentation, enforcing policy‑based access controls, and delivering real‑time traffic monitoring, Cloud Gateway helps reduce the attack surface associated with external software.
Crucially, we support a zero-trust architecture - ensuring that even trusted suppliers are treated with caution and oversight. This reduces the likelihood of breaches and limits their impact should one occur. For NHS teams balancing tight budgets with growing cyber demands, we can offer a way to enhance protection without overhauling existing infrastructure - making security improvements both practical and cost-effective.
How can Cloud Gateway help?
Find out more about how Cloud Gateway can help you build securely, scale confidently, and operate with control.