- +44 1252 917000
- info@bluefort.com
Cody Technology Park,
Farnborough,
GU14 0LX
© Copyright BlueFort Security Ltd.
By Darren Smith, Head of Cybersecurity for Public Sector, BlueFort Security
The Royal Armouries Museum in Leeds was the venue for this year’s HETT Leaders’ Summit. It was a packed, one-day summit that brought together a diverse audience including NHS leaders, IT and cybersecurity teams, as well as clinical staff operating on the front lines of our healthcare sector, who made time in their busy schedules to share cybersecurity insights, learn about the new initiatives that are shaping digital transformation across the sector, and connect with like-minded professionals.
Through my work identifying, deploying, and supporting the cybersecurity requirements of the healthcare sector, many of the discussions that I participated in – both formal and informal – resonated with what I’m hearing day to day. I’ve outlined my key takeaways below. If you were there, and there’s something you would like to add, please get in touch!
One of the four key themes of this event was AI, and how it’s being used to transform healthcare delivery. From a cybersecurity perspective, we recently wrote about the challenges of deploying security-compliant AI within the healthcare industry.
Whilst there’s no doubt that AI has the potential to make a significant difference in health and care settings (of note, the Department of Health and Social Care recently published the results of a Microsoft 365 Copilot trial, which it claims demonstrates potential savings of 400,000 hours per month for NHS staff), the security risks created by it are a clear and present danger. These include sophisticated threats targeting the entire AI lifecycle: prompt injection, which manipulates a model’s outputs and can exfiltrate the data it has access to; data poisoning, which corrupts a model’s behaviour through its training or reference data; and model theft, which extracts the model itself.
As concluded in that blog, the key challenge for security teams is not to stop staff using AI, it’s to find a way that enables them to use these highly productive tools in a safe, compliant way.
There was plenty of conversation on consolidation, automation, and platform plays. Despite being a topic of discussion for many years, ‘tooling bloat’ remains a key issue for many organisations. Many of the contacts I spoke with last week are keenly feeling the impact of this overload: operational skills shortages, increased threat surface, functional overlap, expensive renewals, platform friction, and steep learning curves for cyber teams.
As an aside, studies show that the average number of security tools deployed by organisations has increased by 30% in the past 3 years – up to 75 in some cases, sourced from a multitude of vendors. When done right, however, platform consolidation isn’t about sacrificing capability. Fewer vendors means simpler management, more straightforward procurement, and a stronger security posture. It’s about doing more with less noise. Read how we helped one NHS trust consolidate, improve security, and reduce spend in this case study.
When it comes to automation, it may well be the golden ticket to helping time-poor, resource-stretched IT and security teams keep their heads above water. On a positive note, from the conversations I participated in at HETT, the benefits of automation are widely understood. It’s the planning and execution of an approach to deliver that automation which seems, so often, to be the barrier. And that’s because it’s more than consolidating tools. Automation needs to be part of a strategic cybersecurity approach that integrates with an organisation’s entire infrastructure.
Given the increasingly interconnected way in which organisations operate, it’s of little surprise that the subject of operational technology (OT) came up in conversation in relation to healthcare. Once associated almost exclusively with ICS and SCADA environments, OT is making its presence felt within healthcare: think ventilation and building management in hospitals, diagnostic imaging, and even robotic surgery platforms.
Securing those platforms is paramount. At the very least healthcare organisations will need to ensure that external providers/partners are in sync with CAF-aligned DSPT guidance. These providers must be able to evidence which devices and systems they operate, document how these connect to NHS or client networks, and show clear responsibility for their security.
If you have not seen it, it’s definitely worth checking out a recently produced NCSC document entitled: Creating and Maintaining a Definitive View of Your Operational Technology. In addition to technical advice, it sets out how buyers, regulators, and partners will expect suppliers to manage OT security in future.
Given the growing number of healthcare organisations that have suffered a breach through a third party, it was no surprise that this issue was top of mind. You might recall that towards the end of last year, two significant cyber incidents impacted NHS services through supply-chain compromises. One involved Barts Health NHS Trust, when criminals exploited a vulnerability in Oracle’s E-Business Suite. The second was a ransomware attack against DXS International, a GP software provider serving 2,000 practices and 17 million patients. As these two examples illustrate, third-party supplier risk has become one of the leading causes of data breaches.
Given the relative newness of the NHS Cyber Security Charter, there was much debate about its effectiveness and its uptake. The general consensus is that it’s too early to gauge its impact so far, but it’s fair to assume that whilst DSPT and the Cyber Security Bill will mandate supply-chain assessments, the overarching principles laid out in the Charter are likely to become a benchmark for best practice. I posted a blog on this topic a couple of weeks ago.
We were joined at HETT by one of our partners, Orpheus Cyber. Together we delivered a keynote entitled: “The Risk You Can’t Always See: Managing Supply-Chain Cyber Threats in the NHS”.
The presentation demonstrates how, utilising the Orpheus cloud-based SaaS platform, BlueFort is able to provide a full risk assessment for suppliers that visualises how those suppliers look to a potential attacker from the outside (including any references on the dark web). The assessment also identifies the presence of any security gaps and assesses the overall security posture of the organisation.
The session was jam-packed and seating was limited. If you did not get a seat but would like to know more, drop me a line.
Improving the cyber resilience of the NHS is a core component of BlueFort’s mission. You can read some of our case studies here, here and here. We’ve aligned our solutions with the NHS Cyber Assessment Framework (CAF) and the Data Security and Protection Toolkit (DSPT), both of which can significantly enhance the security and resilience of healthcare systems within both the NHS and the private medical sector.
We will be joining forces with another technology partner, Silverfort, on 25th February at Cybersecure 2026, where we’ll explore how our partnership has supported multiple NHS trusts in achieving CAF compliance.
If you’d like a free third-party risk assessment (utilising the Orpheus platform) for up to three suppliers, to help you begin your organisation’s journey to a comprehensive TPRM framework, do get in touch.
Alternatively, for a no obligation, exploratory conversation, just get in touch here. We look forward to hearing from you.