What did the NHS learn after a cyberattack killed a patient?

Tue 30 June 2026

In 2025, a ransomware attack on a laboratory serving King's College Hospital in London contributed to the death of a patient. How does one of Britain's leading hospitals defend itself against cybercrime? A CIO’s perspective.

The first confirmed victim of a cyberattack. Many similar cases remain unreported

Joe Harper, Chief Information Officer at King's College Hospital NHS Foundation Trust, has seen first-hand that a cyberattack can become a patient safety crisis within minutes. Even when hackers never breach the hospital itself, the consequences can ripple through clinical operations, disrupting care when it matters most.

The crisis came on June 3, 2024, when a ransomware attack locked down critical IT systems used for testing and diagnostics at Synnovis, a provider of pathology services for the UK's National Health Service (NHS), including King's College Hospital London. Hospitals were forced to cancel more than 10,000 outpatient appointments and over 1,700 planned procedures.

The consequences extended far beyond operational disruption. In 2025, King's College Hospital NHS Foundation Trust confirmed that the death of one patient had been partly linked to a delayed blood test result caused by the cyberattack. It was the first officially acknowledged case in the United Kingdom in which a ransomware attack was associated with a patient's death.

King's College Hospital is one of the largest healthcare organizations in Britain, comprising seven hospitals, two emergency departments, and dozens of outpatient and community care facilities across southeast London. Epic serves as its enterprise electronic health record, yet, like most hospitals across Europe, the organization still depends on hundreds of separate IT applications and aging medical devices that cannot simply be replaced due to budget constraints. Those forgotten systems often become the weakest points in an otherwise sophisticated digital infrastructure, creating opportunities for attackers to gain access to hospital networks and sensitive patient information.

One integrated platform simplifies cybersecurity oversight

According to Harper, the greatest cybersecurity challenge facing hospitals is not sophisticated malware but decades of accumulated technical debt. Many organizations continue to rely on outdated applications, unsupported operating systems, and aging medical devices that no longer meet modern security standards.

The problem has developed gradually over many years. Individual departments purchased specialized digital tools to meet immediate clinical needs, long before enterprise-wide electronic health records became the norm. Later, hospitals attempted to integrate those isolated systems into a central EHR, but many niche applications remained indispensable. Cardiology, pathology, or radiology departments may still depend on software built on decades-old technologies.

These systems cannot simply be switched off. Every application expands what cybersecurity professionals call the attack surface – the number of potential entry points and the sum of different attack vectors. Modern cybersecurity software can only do so much when critical devices cannot be patched or upgraded. The challenge is especially acute for medical equipment that continues to function perfectly from a clinical perspective but is no longer supported by its manufacturer, leaving hospitals unable to install essential security updates.

For Harper, the long-term answer is to simplify the fragmented infrastructure. A single integrated digital platform reduces complexity, improves visibility across the IT estate and significantly lowers cyber risk. Protecting one enterprise-wide system is considerably easier than securing dozens of disconnected applications maintained independently across multiple departments.

Within the NHS, cybersecurity is no longer viewed solely as an IT responsibility but as an integral component of clinical risk management. The objective is not merely to prevent attacks but to ensure hospitals can continue delivering care during an incident and recover normal operations as quickly as possible afterward.

Data in the cloud – but on whose terms?

Harper believes the next major cybersecurity challenge will revolve around data sovereignty.

As healthcare organizations increasingly adopt artificial intelligence and cloud-based services, they must understand exactly who has access to patient information, where that data is processed, and how it may ultimately be used. Those questions have become particularly important as AI-enabled healthcare applications are developed on platforms operated by global technology companies such as Amazon Web Services and Microsoft Azure.

The concern extends beyond cybersecurity. Many AI developers require access to electronic health record data to train their models. Hospitals, therefore, need complete transparency regarding where patient information travels and what legal and technical safeguards protect it once it leaves their own infrastructure.

Britain has already experienced several high-profile controversies over secondary uses of NHS data. In 2017, Royal Free London NHS Foundation Trust partnered with Google's DeepMind, giving the company access to records from approximately 1.6 million patients. More recently, NHS England paused the Foresight project after concerns were raised about the use of anonymized records from 57 million patients to train a generative AI model. The Federated Data Platform, developed by Palantir, also attracted criticism following reports that identifiable patient information may have been accessible to external contractors before pseudonymization.

For Harper, these cases illustrate why cybersecurity and data governance must be discussed at the highest levels of hospital leadership.

The NHS has increasingly involved executive teams and boards in cybersecurity decision-making. Those conversations are rarely easy. Technical concepts must often be translated into business language for non-technical leaders. Yet Harper believes this process is essential because it transforms cybersecurity from an IT issue into an organizational risk that executives genuinely understand.

Hospital boards must clearly define which risks have been mitigated, which have been accepted and which have been transferred to technology vendors. Only then can IT teams stop reacting to daily crises and instead focus on building long-term resilience.

Planning for hospital operational continuity during cyber crises

Every hospital should be prepared to function with limited or no access to its digital systems.

For Harper, this is not a hypothetical scenario but an operational certainty. The Synnovis ransomware attack forced King's College Hospital to activate contingency procedures even though the hospital itself had not been directly compromised. Clinical teams reorganized patient pathways, adapted diagnostic workflows, and continued providing care under a fundamentally different operating model.

Preparation is therefore just as important as prevention.

Hospitals must regularly rehearse crisis scenarios, Harper argues. Across the NHS, organizations have adopted centralized command-and-control structures inspired in part by the emergency management model developed during the COVID-19 pandemic. These frameworks enable rapid operational decisions when digital infrastructure becomes unavailable. Instead of debating next steps during a crisis, staff immediately switch to predefined emergency procedures, including paper documentation and alternative clinical workflows.

People remain the greatest source of both vulnerability and resilience. During one NHS phishing exercise, six percent of employees clicked on malicious emails and even disclosed their login credentials. Harper believes this should not be interpreted as carelessness. Modern phishing campaigns have become highly sophisticated, often leveraging artificial intelligence to create convincing and highly targeted messages.

His objective, therefore, is not to build an organization that is impossible to hack. Such a goal is unrealistic.

The real measure of success is whether a hospital can continue treating patients during a major cyber incident, and restore normal operations before disruption becomes clinical harm.

