
June 25th 2025
When it comes to cyber attacks in the health, care and public sectors, we’re often reluctant to talk openly about what’s gone wrong. There’s a nervousness, sometimes bordering on fear, about sharing the details of what happened, why it happened, and what we’ve learned. And that silence could be putting more systems, more services, and ultimately more people at risk.
We often say that we want to learn from incidents. But how can we learn if we don’t talk?
Fear, blame and reputational risk
In care and health settings, the idea of being the organisation that suffered a cyber attack can feel shameful. There’s a fear of reputational damage, that you’ll lose the trust of the people who use your services, your commissioners, your funders. There’s a worry about the regulator. Will they think we’ve been negligent? Will we be penalised?
But cyber attacks are not always the result of negligence. In fact, most successful attacks exploit very human traits: trust, curiosity, pressure to act quickly. All it takes is one person clicking a link, one password reused, or one system left unpatched. These things happen across every sector, and to every kind of organisation.
Yet we still tend to blame the victim. And that makes it harder for people to come forward and share honestly when something goes wrong.
Misunderstandings about the law
There’s also widespread misunderstanding about what can and can’t be shared after a cyber incident. Some organisations believe they are legally barred from disclosing anything beyond the minimum required, for fear of breaching data protection laws or contractual terms. In reality, the UK’s data protection laws do not prevent organisations from sharing anonymised or generalised learnings from cyber incidents.
You don’t need to give away personal details or sensitive commercial information to say, “Here’s how the attackers got in, here’s what they targeted, here’s what we’ve done since.”
The National Cyber Security Centre (NCSC), the Information Commissioner’s Office (ICO), and other authorities actively encourage responsible sharing of lessons learned. Not only does it build trust, but it helps others in similar settings understand the real-world threats they face and how to prepare for them.
Risk aversion in public service culture
There’s a broader issue at play too: a risk-averse culture within health, care and public services. Many public sector organisations are still governed by traditional management cultures, where the instinct is to close ranks, protect reputation, and avoid criticism at all costs.
This is particularly acute in social care, where most services are delivered by thousands of small, independent organisations under intense financial and regulatory pressure. Few of them have in-house cyber expertise. When something goes wrong, it’s not just an IT issue, it can feel existential.
And so, too often, lessons are buried. Staff are told not to talk about it. Reports are labelled “commercially sensitive” or “confidential.” Even where a post-incident review is done, it’s rarely shared beyond the organisation that commissioned it.
What we lose when we stay silent
The result of all this fear and silence is that we miss critical opportunities to learn and improve.
When attacks happen in isolation, it’s harder to spot patterns. We can’t identify which threats are being used repeatedly across different types of services. We can’t crowdsource the best responses. We don’t get to build up a shared understanding of the risks we’re facing or the defences that work.
And the organisations that haven’t yet been attacked are left in the dark, falsely reassured that “it’s not happening here” or “that wouldn’t happen to us.” Until it does.
This culture of silence is no longer tenable.
We need a new mindset
Cyber threats are now part of everyday risk management. They are not just IT problems, they are service continuity problems, safeguarding problems, and in some cases, life-and-death problems.
We need to normalise sharing learning from cyber incidents. That doesn’t mean pointing fingers or naming and shaming. It means being honest about what happened and how others can avoid the same outcome.
We’ve already seen positive steps in this direction. NHS England’s Data Security Centre has promoted the value of learning from incidents. The Local Government Association and the Better Security, Better Care programme have supported care providers to reflect and share safely. But we need more open spaces, more supportive leadership, and more willingness to say: “We got caught out, and here’s what you should know.”
By shifting from blame to learning, from secrecy to support, we can all be better prepared. Because the question is not if your organisation will face a cyber attack, but whether you’ll be ready, and whether you’ll help others be ready too.