Build ‘brick’ defences against attacks, says NHSE cyber lead

NHS England’s clinical lead for cyber operations has called on NHS organisations to accept the inevitability of cyber attacks and ensure their defences are made from “brick” not “straw” or “wood’.

Speaking at Rewired25 at Birmingham’s NEC on 18 March 2025, Chris Day warned: “At some point you will be hit by a cyber attack. It’s not if it will happen, but when it will happen.”

The choice for NHS organisations, he said, was whether to opt for “straw”, “wood” or “brick” defences. At the highest level of defence, brick, the board was fully engaged with cyber security and all patches and updates were completed with clinical and operational staff’s understanding.

A “straw” approach was characterised by a disengaged board and clinicians resisting patches and updates, even though “the downtime for some patches is next to nothing”.

Day emphasised that the quality of digital solutions was irrelevant if their security was weak. “You may have a brilliant EPR solution but if it is built on matchsticks and doused in petrol it’s not a brilliant EPR. Because if those [security] foundations are not in place, what’s the use?”

Cate McLaurin, director at Public Digital, added: “You can’t make yourself totally cyber safe, even if your house is made of brick. But you can make yourself ‘cyber safer’.”

McLaurin drew on her experience in 2020 of responding to a major ransomware attack against Hackney Local Authority.

“The attack took out most of our systems… We lost all access to data on vulnerable children. We couldn’t make payments or take in payments from council tax.”

Multi-disciplinary working and good communications were vital to the local authority’s recovery, but it was a slow process. “The recovery isn’t days – it’s months or years,” said McLaurin.

She revealed six lessons from the “incredibly stressful” experience:

• Crisis response is a team sport. There must be “collective responsibility at every level of the organisation”.
• You need honest and decisive leadership – even when things are uncertain. “Be bold and use the crisis to accelerate strategic changes that are already in motion. At Hackney, we moved everything into cloud [systems already in cloud were at the time of the attack were not compromised].”
• Work openly. “The natural reaction is to go into protect mode but be as transparent as you can.”
• Team members should support each other. “It sounds obvious, but it’s the foundation of recovery.”
• Prioritise your own and your team’s wellbeing. “We made the decision not to work 24/7 because we knew we would burn ourselves out.”
• Focus on building your cyber resilience. For example, “invest in cloud and have a ‘zero trust’ policy”.

James Jones, regional director UKI at Cynerio, emphasised the increasing vulnerability of NHS hospitals, with many more mobile and unmanaged devices in use compared to 10 or 15 years ago.

Statistics from Cynerio customers suggested there were 2-4,000 vulnerable devices per NHS hospital.

Jones said NHS organisations needed a comprehensive “layered defence”, with early detection and the capability to “stop bad actors in real time”.

McLaurin also emphasised the role of suppliers in meeting cyber security standards and supporting public organisations’ security: “Some suppliers in Hackney were incredibly helpful during our recovery – and some weren’t.”

She added: “A brick house doesn’t stand on its own, it’s in an eco-system.”