How to talk to busy teams about cyber security

Manpreet Pujara, Clinical Director for Patient Safety and Freedom to Speak up Guardian, says everyone working in health and care has a role in protecting the NHS from cyber attacks, and that clear, supportive messaging will help people do their bit.

Having worked with NHS Digital for over 14 years, I’ve had my fair share of conversations on how to engage frontline staff on technological topics. However, I’ve never dealt with an issue that is quite so critical and requires such universal engagement as getting cyber security embedded into clinical thinking in today’s NHS. We can’t afford not to; it’s as urgent a priority as I’ve ever seen.

It is quite simple: we now rely on healthcare technology to provide safe patient care. Cyber attacks can compromise access to this technology. Therefore, cyber security and clinical safety go hand in hand.

While the whole of health and social care is progressively exploring the benefits of digital ways of working, the NHS in particular cannot work without digital. Everything we do involves a digital transaction of one sort or another, which means that the impact of a healthcare system not being available for even an hour puts our systems, staff and patients at risk.

It is no secret that our health and care system is under a lot of pressure. If we’re not investing time and funding in creating diligent cyber security measures, we risk those precious resources being diverted into fixing issues that could have been prevented.

A vital part of this is educating staff in staying cyber safe; every member of staff is equally important. Just a few of us understanding cyber security isn’t enough; cyber security habits need to become second nature to us all – and not just in Cyber Security Awareness Month.

Here are some thoughts on how we need to talk about cyber security to achieve this:

1. Sow lots of seeds

We know that, just like health and safety, every one of us has a responsibility for cyber security – no matter what role, department or organisation we’re in. Trees grow from little seeds, and it's all the seemingly ‘small’ things working collectively as one that makes the largest difference. So, one of the best ways to support our busy healthcare professionals in meeting their responsibilities is to talk about cyber security simply, regularly and often, embedding these discussions into our everyday lives. NHS Digital has a useful toolkit to help us take small steps to protect ourselves from cyber threats and keep patient data safe and accessible.

2. Make it personal

The good news is that many of the cyber security habits that protect our healthcare environments are just as relevant to our personal lives. That means engaging our people with ways to keep them and their loved ones safe at home can pay dividends in the workplace. For example, it’s easy to see how learning to keep your smartphone cyber safe would be useful, and the habits we build from this learning will naturally transfer to the work environment.

3. Consistently remind people

Knowing enough to recognise suspicious activity is just one side of the coin; we also need to know how to report anything that doesn’t look right, no matter how ‘minor’ the activity may seem. Suspicious emails, for example: taking a few moments to report one may save thousands of colleagues from falling victim to it. Regular reminders on the correct reporting routes are imperative; as well as the national channels, NHS organisations are asked to report suspicious activity to [email protected] and for social care staff, it's [email protected]

4. Remove the fear

In healthcare, we don’t just want to get things right most of the time; we want to get things right every time. Of course, we’re all human, and, if we do get something wrong – for example, mistakenly responding to a phishing email – it is just as vital to report it as with a clinical error. People must feel safe to speak up so issues can be fixed. The balance between emphasising the importance of individual responsibilities and avoiding a blame culture can be tricky but it is essential we get it right.

5. Defend as one

At NHS Digital, my team and I are continually working with our cyber and data security experts to ensure clinical safety has an overarching presence in the national effort to protect our NHS and care organisations from cyber attacks. But everybody across the healthcare system – nationally, locally and individually – must work together if we are going to effectively meet this ongoing challenge. We have many resources to help.

Find more information about the work of our cyber and data security teams, and how you can get involved, on our cyber security web pages.


Last edited: 29 November 2023 12:42 pm