
Cyber security guide for non-executive directors

This guide aims to help NHS Non-Executive Directors understand how cyber security could affect their own NHS organisation and how to become more resilient to cyber threats and attacks.

This guide covers
  • the resources available to help NHS boards understand and deal with cyber security risks, and how external assessments can provide a critical insight into risks
  • questions that an NHS board should be asking its team

Background

In recent years, serious disruptive cyber incidents at health and care organisations have demonstrated their impact on patient safety and public trust. With over 10,000 deferred outpatient appointments and 1,700 deferred procedures from one incident alone, the need to improve cyber resilience across the sector has never been greater, particularly as the sector moves to a more digitised way of working.

Although progress has been made through the development of the cyber security strategy for health and social care: 2023-2030, which aims to improve cyber resilience, the cyber threat has also grown, with attacks that threaten the availability of vital systems and expose sensitive patient data.

Despite the great work of our Cyber Security Operations Centre (CSOC), which, in collaboration with your local teams, detects and prevents an increasing number of attacks targeted against the NHS, it is clear there are some very significant cyber security weaknesses across the NHS. It is these weaknesses (also known as vulnerabilities) – for example, out-of-date IT systems – that attackers try to exploit.

Being uninformed and unprepared could lead to patient safety incidents, service disruption, reputational damage and financial losses running to millions of pounds. Understanding your risk landscape, and making decisions on that basis, is therefore essential.


Responsibility

Non-Executive Directors (NEDs) provide boards with independent oversight and governance, support decision making, and offer strategic direction and guidance so that board decisions are well informed.

Boards have ultimate accountability for overseeing and directing an organisation's security measures. Understanding your organisation's approach to cyber risk will help you to do this.

We have produced this short cyber security guide for NHS NEDs. It draws on the National Cyber Security Centre (NCSC) board toolkit and aims to demonstrate how all NHS NEDs can contribute to keeping their organisation safe from cyber-attack. We hope this guide will help you to address the risk that cyber security presents to patient care.

"Cyber is a tier one risk affecting organisations of all shapes and sizes. The NHS is clearly not immune, as has been made abundantly clear over recent years. These incidents have not only been costly but have had a direct impact on patient safety and care. Boards throughout the NHS have a key role to play in safeguarding patients from this risk.

As the Non-Executive Advisor leading on cyber security and risk within NHS England, I am pleased to share this guide, which has been designed to help NHS Non-Executive Directors execute their duties to ensure that their organisations are properly protected and to ensure that they are adequately prepared to safeguard patient interests in the event of a severe cyber event."

Dr Jamie Saunders, Non-Executive Chair of the NHS England Cyber Security Risk Committee


Last edited: 17 July 2025 9:26 am