NHS trusts are warning of rising cyber risks amid funding constraints. How critical is this challenge today?
The NHS is under the thumb of increasing threats, with consequences continuing to escalate. In the last 12 months, 41 percent of UK health organisations have experienced a breach. The combination of high-value patient data and the primary focus on operational continuity makes the NHS and its Trusts an attractive target for ransomware groups who know disruption can force a quick response.

The challenge is real, yet resources to counter this are not keeping up. NHS trusts, like all healthcare organisations, face an increase in cyber risks as attacks get increasingly disruptive. Healthcare is feeling the strain of these threats more than most sectors due to its more limited resources.
For example, Torbay and South Devon NHS Foundation Trust publicly warned that funding cuts are directly impacting their ability to replace unsupported, end-of-life equipment. This puts further stress on their exposure to cyber threats as these legacy systems are not able to keep up with modern day cyber risks.
Vulnerability management has been the traditional approach to mitigating these risks. Why is that no longer sufficient for the NHS?
Vulnerability management has its place, but it holds a large focus on heavily patching software flaws identified through severity scores like CVSS. The problem here is, in healthcare environments such as NHS estates, there are so many vulnerabilities per device that CVSS alone doesn’t sufficiently account for the environment. For example, is the device in the ICU, or a remote clinic? These contextual questions are key.
Claroty’s analysis of nearly three million devices across over 350 healthcare providers revealed a critical gap in how we manage cybersecurity risk. 99 percent of devices had at least one known exploited vulnerability (KEV). Even more alarming, 89 percent of Internet of Medical Things (IoMT) and Operational Technology (OT) devices were exposed to these same actively exploited threats. KEV is a better measure of criticality than CVSS alone.
This exposes a fundamental issue with the vulnerability management approach. Most tools are designed to flag technical weaknesses based on severity scores or theoretical risk. This often misses what really matters: context. For example, is this vulnerability actually being used by attackers today? And does the affected device play a critical role in patient care or operational continuity?
This is complicated by the fact a lot of devices still use default passwords or run on outdated operating systems. These issues don’t always show up as high-risk in a scan, because they may not register as high-severity vulnerabilities in isolation. Yet in reality, they’re among the most common entry points for attackers.
As a result, traditional vulnerability management can create a false sense of security. We need to move away from the idea of just finding and patching known flaws. Instead, we should look to understand what risks are exploitable, which systems are critical, and how attackers are likely to move through your environment. Without context, you can end up focusing on the wrong problems while the real threats slip through unnoticed.
So how does exposure management offer a better fit for the NHS’s specific challenges?
Exposure management looks beyond the question “is this device vulnerable?” and asks, “is this device actually exposed in a way that attackers can exploit?”
For the NHS, this is essential. Many devices can’t be patched quickly due to clinical safety concerns or regulatory approvals. Exposure management helps focus efforts on assets that are both vulnerable and reachable, ensuring finite resources are used where they’ll have the biggest impact.
For instance, when exposure management was applied to a healthcare provider’s asset inventory, the number of high-priority devices dropped from 111,000 to just 3,800. That’s a reduction of over 30 times, giving NHS security teams a much more manageable and realistic workload.
What real-world incidents highlight just how high the stakes are if this shift doesn’t happen?
Absolutely. The attack on Synnovis, a pathology provider serving NHS hospitals in London, is a recent example. The Qilin ransomware group disrupted services, delayed more than 10,000 appointments, and caused financial losses estimated at £32.7 million.
Globally, we’ve seen even larger impacts: the attack on Change Healthcare in the US cost $3.1 billion in operational disruption and led to a $22 million ransom payment.
These attacks exploit the very systemic weaknesses I’ve mentioned: legacy systems, poor segmentation, and exploitable exposures.
For the NHS, avoiding similar outcomes means going beyond patching and focusing on real-world exposure.
Given limited NHS budgets, what’s your practical advice for getting started with exposure management?
Organisations should start by identifying the clinical services and processes that they can’t afford to have disrupted. From there, look to map out the critical devices supporting those services, and build a comprehensive asset inventory.
Then, look at your devices through the exposure lens of risk assessment. So, which assets are vulnerable, which are reachable, and which would impact patient care if compromised.
Often, simple measures like network segmentation or tightening access controls and isolating high-risk legacy systems can dramatically reduce exposure. These actions are far more achievable within existing NHS budgets than wholesale infrastructure replacements.
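The prioritisation described in the answers above (exploitable, reachable, and clinically critical, rather than CVSS alone) can be made concrete in a few dozen lines. The following is an added illustration, not code from the interview, from Claroty, or from any NHS trust. Everything in it is constructed: the device inventory, the network topology, the criticality weights, and the CVE identifiers (which are placeholders, not real advisories); the KEV set is likewise a stand-in for the real CISA catalogue. It contrasts a CVSS-threshold list with an exposure ranking over the same inventory, and shows why a segmented device and an un-exploited high-CVSS flaw drop out while a default-credential analyser and an unsupported-OS ward monitor move to the top.

```python
"""Exposure-based prioritisation of a device inventory (constructed example).

Scores a device only when it is exploitable (KEV-listed CVE, default
credentials, or unsupported OS) AND reachable from the chosen entry point,
then weights by clinical criticality. Compare with a plain CVSS threshold.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    segment: str            # network segment the device sits in
    clinical_role: str      # e.g. "icu", "theatre", "pathology", "ward", "admin"
    cves: dict = field(default_factory=dict)   # placeholder CVE id -> CVSS base score
    default_creds: bool = False
    os_supported: bool = True


# Constructed topology: from a segment, which segments can be reached directly.
# The isolated clinical network has been segmented off entirely.
REACHABLE_FROM = {
    "internet": {"dmz"},
    "dmz": {"corporate"},
    "corporate": {"corporate", "flat_clinical"},
    "flat_clinical": {"flat_clinical"},
    "isolated_clinical": set(),
}

# Constructed weights: how badly patient care / continuity suffers if compromised.
CRITICALITY = {"icu": 3, "theatre": 3, "pathology": 3, "ward": 2,
               "remote_clinic": 1, "admin": 1}

# Stand-in for the known-exploited-vulnerabilities catalogue (placeholder ids).
KEV = {"CVE-0000-0001"}

# Constructed inventory, deliberately mixing the cases discussed in the text.
INVENTORY = [
    Device("infusion-pump-icu-01", "flat_clinical", "icu",
           {"CVE-0000-0001": 9.8}, default_creds=True, os_supported=False),
    Device("infusion-pump-icu-02", "isolated_clinical", "icu",
           {"CVE-0000-0001": 9.8}, default_creds=True, os_supported=False),
    Device("mri-theatre", "flat_clinical", "theatre", {"CVE-0000-0002": 7.5}),
    Device("pathology-analyser", "flat_clinical", "pathology",
           {"CVE-0000-0003": 6.5}, default_creds=True),
    Device("clinic-pc-remote", "corporate", "remote_clinic", {"CVE-0000-0001": 9.8}),
    Device("hr-server", "corporate", "admin", {"CVE-0000-0004": 8.1}),
    Device("web-portal", "dmz", "admin", {"CVE-0000-0001": 9.8}),
    Device("ward-monitor", "flat_clinical", "ward",
           {"CVE-0000-0005": 5.3}, os_supported=False),
]


def reachable_segments(entry="internet"):
    """Transitive closure of segments an intruder at `entry` could move into."""
    seen, frontier = set(), {entry}
    while frontier:
        seg = frontier.pop()
        for nxt in REACHABLE_FROM.get(seg, set()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.add(nxt)
    return seen


def cvss_only_priority(devices, threshold=7.0):
    """The traditional view: any device carrying a CVE at or above the threshold."""
    return [d.name for d in devices if any(s >= threshold for s in d.cves.values())]


def exposure_score(dev, kev, reachable):
    """0 unless the device is both exploitable and reachable; else its criticality."""
    exploitable = (any(c in kev for c in dev.cves)
                   or dev.default_creds or not dev.os_supported)
    if not exploitable or dev.segment not in reachable:
        return 0
    return CRITICALITY[dev.clinical_role]


def exposure_ranking(devices, kev=KEV, entry="internet"):
    """Devices with a non-zero exposure score, highest first, then by name."""
    reachable = reachable_segments(entry)
    scored = [(d.name, exposure_score(d, kev, reachable)) for d in devices]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: (-s[1], s[0]))


def high_priority(devices, kev=KEV, min_score=2):
    """The short list a team with limited resources should work first."""
    return [name for name, score in exposure_ranking(devices, kev) if score >= min_score]


if __name__ == "__main__":
    print("CVSS >= 7.0 :", cvss_only_priority(INVENTORY))
    print("Exposure    :", exposure_ranking(INVENTORY))
    print("Work first  :", high_priority(INVENTORY))
```

The two lists differ in exactly the ways the interview describes: the CVSS view flags six of eight devices, including the segmented ICU pump nobody can reach and an MRI whose flaw is not being exploited, while it misses the analyser with default credentials and the monitor on an unsupported OS. The exposure view keeps three devices, all of them on reachable clinical segments. Segmenting `flat_clinical` the way `isolated_clinical` already is would empty that list, which is the point made about segmentation being the cheaper fix.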
What’s the key message for NHS digital and security leaders balancing cyber risk with tight resources?
The threat landscape isn’t slowing down. Cybercriminals are becoming more sophisticated, and the NHS’s resource challenges are unlikely to disappear overnight. But adopting an exposure management approach helps trusts make smarter and more strategic decisions about where to focus protection efforts.
It’s not about doing everything at once. It’s about making sure that the limited resources you have are deployed where they’ll protect what matters most: patient safety and continuity of care.