Cyber attack - health and social care system

This risk is featured in the full matrix, representing the averages of multiple different scenarios presented together in the ‘cyber attacks on infrastructure’ category.

[Risk matrix figure: Impact (vertical axis, 1 to 5) plotted against Likelihood (horizontal axis, 1 to 5), with the risk indicator for this scenario marked.]
ID: 11
Risk theme: Cyber

Impact & Likelihood

Impact key:
5 = Catastrophic
4 = Significant
3 = Moderate
2 = Limited
1 = Minor

Likelihood key:
5 = greater than 25%
4 = 5% to 25%
3 = 1% to 5%
2 = 0.2% to 1%
1 = less than 0.2%

Background

The health and social care system remains a target for cybercriminals. The 2023 Cyber Security Strategy for Health and Adult Social Care sets out a plan to promote cyber resilience across the sector by 2030.

Scenario

The reasonable worst-case scenario would involve significant systemic service disruption due to ransomware moving quickly across the health and care IT estate. Systems would become inaccessible and organisations would move to offline services. Data loss would be widespread across the affected estate, with data also compromised and/or stolen. Some data would be unrecoverable from backups. At least 50% of the estate would be infected with ransomware, but 100% of the estate would be impacted as systems move offline and/or data loss or compromise is experienced. The impacts would be felt immediately, for example cancelled appointments, delays to medical procedures and tests, and A&E diversions.

An outage could therefore have immediate, direct impacts on the clinical care of patients, as well as causing harm. The second-order impacts are likely to manifest increasingly over time, as the delays and cancellations would mean that medical conditions worsen or are not diagnosed promptly.

Key assumptions

The assessment is based on the WannaCry incident (2017), which was a global attack. This impacted approximately 30% of NHS Trusts and lasted 4 days before the ransomware ‘kill switch’ was identified, allowing the system to start coming back online.

Variations

A cyber attack specifically targeting NHS systems, which would be more severe if the intent were to create disruption. Ransomware targeting healthcare systems has already been seen around the world; for example, the Health Service Executive in Ireland suffered an attack in May 2021. Although the attackers offered the decryption keys free of charge, they still demanded a ransom to prevent publication of the stolen data.

Response capability requirements

Additional staff to handle paper records (during and after the incident); a communications team to provide the public and responders with clear information; and, possibly, third-party IT support, depending on the type and severity of the incident. A Cyber Incident Response Retainer has been established to cover key national systems and address the immediate impacts of incidents.

Recovery

There is likely to be a long recovery time with elective care backlogs lasting months to years. Return to normal service use is characterised by a phased return of priority service functions over several months to years. This is dependent on the type of attack and the different levels of resilience across the cyber system, meaning the most resilient NHS Trusts may come online sooner but will need to handle cases from nearby NHS Trusts that are slower to return to online systems.