NHS Cyber Attack: What Happened and What Leaders Must Do Next
Two NHS trusts – University College London Hospitals and University Hospital Southampton – were recently caught up in a cyber attack linked to a piece of software called Ivanti Endpoint Manager Mobile.
Hackers took advantage of flaws in the software, which is used to manage staff mobile phones. Those flaws allowed them to break in and potentially run their own code. While the trusts confirmed that no patient records or passwords were taken, some staff mobile phone numbers and device identifiers were exposed. The good news: the flaw has since been fixed by Ivanti, and NHS Digital and the National Cyber Security Centre quickly issued guidance to patch affected systems.
But the incident is a warning. Even systems that don’t directly hold patient data can be used as a doorway into larger networks if they are not properly protected.
Why This Matters
Trust: Patients expect the NHS to keep their data safe. Even a minor breach can damage public confidence.
Escalation risk: Hackers often use small bits of information, like phone numbers, as stepping stones to bigger attacks.
Dependence on suppliers: Much of the NHS relies on third-party software. If that software has flaws, the risk spreads across many trusts.
Cost of inaction: Recovering from an attack is always more expensive than preventing one.
What NHS Leaders and CEOs Should Do
This isn’t just an IT department problem. It needs leadership at the top. Here are the key steps every NHS trust and public sector organisation should take:
Patch quickly
When a security fix is released, apply it straight away. Delays give hackers an open door.
Know your systems
Keep an up-to-date list of all the software in use, who supplies it, and whether it is fully supported. You can’t protect what you don’t know you have.
Plan for the worst
Have a clear and rehearsed plan for what to do if systems are hacked: who to call, how to contain it, and how to tell staff and the public honestly.
Hold suppliers accountable
Contracts with software providers should include strict timelines for fixing flaws and helping with investigations if things go wrong.
Test and train
Run regular cyber-attack exercises with senior leaders, not just IT teams. Everyone should know their role in a crisis.
The Bigger Picture
Cyber criminals and state-backed hackers are increasingly targeting healthcare because it is essential, data-rich, and under financial strain. Attacks don’t always hit the headlines, but they can delay treatment, disrupt services, and cost millions.
Protecting against these threats requires more than technical fixes. It means:
Leadership that treats cyber security as a boardroom issue, not an afterthought.
Investment in monitoring systems that can spot unusual behaviour early.
A culture where staff feel supported to report suspicious activity quickly.
The Takeaway
The Ivanti incident shows that vulnerabilities in everyday tools – even software used to manage phones – can put hospitals at risk. For NHS leaders and public sector CEOs, the message is simple: act fast, know your systems, demand more from suppliers, and practise how you’ll respond.
Cyber security is not just an IT issue. It’s a patient safety issue, a trust issue, and a leadership responsibility.


