This site is intended for health professionals only


Cyber security – what GP practices need to know to protect themselves

17 June 2024

Share this article

Attacking GP surgeries can prove lucrative for cyber criminals. What are the cyber security concerns practices should plan for?

Understandably for surgeries, keeping pace with the latest in practice systems and technologies can often take lower priority than meeting patient needs.

However, with the rise of more sophisticated cyber attacks, and the unknown implications of AI on the industry, failure to keep up when it comes to technology and cyber security exposes a significant risk.

At best, a surgery can be lucky and avoid face any threats, but at worst, it could be exposed to serious data breaches, long-lasting reputational damage and loss of patients and contracts.

Most GP surgeries operating through the NHS will have a contract that sets out services they must provide. This will usually include maintaining records and having the right technology and systems in place to run the practice. As a minimum, practices typically have a website, patient contact form, telephone lines, an appointment book, a mobile app, and patient login systems.

But that’s just the public facing side. Behind the scenes there is software to manage payroll, systems to help with management finances and HR, and tools to keep track of day-to-day practice running costs.

The amount of software required is huge and will hold hundreds of thousands of pieces of data.

With almost every aspect of this maintained online and essential to running a practice, it leaves GP practices exposed to fraud and cybercrime.

What and where are the risks?

Cyber criminals aren’t ethical about who they target and attacking GP surgeries can be lucrative. For practices, this threat usually falls into one of two categories.

The first one relates to patients. Breaking into patient records and accessing information, particularly sensitive data, can be hugely damaging for a surgery, but sadly, profitable for a cyber-criminal.

The second threat relates to the practice and its staff. There is the chance that the technology used to support the running of the practice such as appointment booking systems, or HR software for confidential staff information, can be compromised.

Not only does this pose a threat to the day-to-day operation of the business, it can also cause considerable anguish to the colleagues who may be victims to subsequent crimes.

When it comes to enhancing security, there are three steps practices can take. These are:

1.Look at and review cyber defence.

Practice managers and owners should make colleagues aware of the potential threats and challenges.

Action to take could be as simple as not digitally recording patient information outside of official systems, or making sure everyone is adhering to best practices around updating passwords and is alerted to suspicious email traffic.

It can also be worth factoring in physical security too, such as keycards. Assigning responsibility to someone who will do regular security checks and share reminders with the team can be useful.

2. Manage the risks

 Monitoring and logging incidents and near-misses may help to identify patterns or expose wider concerns that warrant a closer look. Each breach should be properly investigated to avoid it happening again. Defending what you’ve got, and having a robust plan in place to deal with it should a breach occur is essential.

These plans should include clear actions to keep the practice running smoothly, plans to manage patients and an external and internal communications plan.

3. Understand what support you have in place and what extra backup you might need

While some contracts with providers might cover you for cyber-attacks, others might not. Similarly, your contract with the NHS may cover any NHS-related data stored on NHS systems, but may not extend to the same data being used on other platforms.

Take the time to understand what your obligations are in protecting the data you use and if you’re exposed speak to an insurance expert. There are also cyber security insurances available that can help provide another layer of support and advice should an attack happen.

Kabir Ahmed is commercial manager at Wesleyan Financial Services specialists in GP finances