16 Dec 2025
by Afshin Attari

The hidden threat of unknown NHS legacy debt

Guest blog by Afshin Attari, Senior Director of Public Sector at Exponential-e

Across the NHS, the level of legacy debt varies dramatically. A report from the Department for Science, Innovation and Technology (DSIT) found that legacy technology makes up anywhere from 10% to as much as 60-70% of an organisation's estate, and that 15% of organisations could not even estimate the size of their legacy estate.

Without visibility into what exists and what risks it carries, organisations struggle to secure it, and this presents a major cybersecurity challenge. Knowledge, therefore, is the first step towards action and, ultimately, towards resilience.

Start with discovery and assess every situation

Legacy applications hold decades of data and can be difficult to modernise, especially when migrating to cloud environments. That same complexity makes them hard to secure, and therefore exposed to security risks.

Securing an environment begins with understanding what exists. This means running discovery and mapping exercises that surface legacy systems, clinical applications and unauthorised software that may be flying under the radar. The resulting inventory builds a real-time picture of the IT estate and lays the foundation for an effective security strategy.

Once discovered, each application must be assessed: Is it still supported by its vendor? Is it patched? Is it still needed? Prioritising business-critical systems while decommissioning or isolating redundant ones reduces risk and frees up resources.
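The three assessment questions above become mechanical once an inventory exists. The script below is an added illustration of that triage, not code from the original post or from Exponential-e: it takes a constructed sample inventory (the hostnames, product names, vendor end-of-support dates and criticality labels are assumptions for the example, not real NHS systems), answers supported/patched/needed for each asset, assigns an action, and orders the work so that clinically critical systems come first within each action. The 14-day patch bar mirrors the Cyber Essentials requirement that high and critical security updates be applied within 14 days of release; everything else about the thresholds is a choice for the example.

```python
"""Triage of a discovered legacy estate: is each system supported, patched and
still needed, and what should happen to it next?

Added illustration, not code from the original post or from Exponential-e.
The inventory is constructed sample data; hostnames, products, end-of-support
dates and criticality labels are assumptions, not real NHS systems.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Cyber Essentials expects high/critical security updates to be applied within
# 14 days of release; we use that as the bar for "is it patched?".
PATCH_SLA_DAYS = 14

# Severity order used when ranking remediation work (lower = more urgent).
ACTION_RANK = {
    "isolate and plan replacement": 0,
    "isolate and retire": 1,
    "confirm vendor support": 2,
    "decommission": 3,
    "patch": 4,
    "maintain": 5,
}


@dataclass
class Asset:
    hostname: str
    product: str
    vendor_eol: Optional[date]      # None = support status unknown (a finding in itself)
    last_patched: Optional[date]    # None = no patch record found
    still_needed: bool
    clinically_critical: bool


@dataclass
class Finding:
    hostname: str
    action: str
    reasons: List[str] = field(default_factory=list)


def assess(asset: Asset, today: date) -> Finding:
    """Answer supported / patched / needed for one asset and choose an action."""
    reasons = []
    unsupported = asset.vendor_eol is not None and asset.vendor_eol <= today
    unknown_support = asset.vendor_eol is None
    patch_stale = (asset.last_patched is None
                   or (today - asset.last_patched).days > PATCH_SLA_DAYS)

    if unsupported:
        reasons.append(f"vendor support ended {asset.vendor_eol.isoformat()}")
    if unknown_support:
        reasons.append("vendor support status unknown")
    if asset.last_patched is None:
        reasons.append("no patch record")
    elif patch_stale:
        reasons.append(f"last patched {(today - asset.last_patched).days} days ago")
    if not asset.still_needed:
        reasons.append("no current business owner or use")

    # Decision order: redundant systems are removed first (cheapest risk
    # reduction), then unsupported ones are isolated, then unknowns chased,
    # then stale patching fixed. Only clean, needed systems are "maintain".
    if not asset.still_needed:
        action = "decommission"
    elif unsupported:
        action = ("isolate and plan replacement" if asset.clinically_critical
                  else "isolate and retire")
    elif unknown_support:
        action = "confirm vendor support"
    elif patch_stale:
        action = "patch"
    else:
        action = "maintain"
    return Finding(asset.hostname, action, reasons)


def triage(assets: List[Asset], today: date) -> List[Finding]:
    """Assess every asset and order the work: most severe action first, and
    within an action, clinically critical systems ahead of the rest."""
    critical = {a.hostname: a.clinically_critical for a in assets}
    findings = [assess(a, today) for a in assets]
    findings.sort(key=lambda f: (ACTION_RANK[f.action], not critical[f.hostname]))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Number of assets per action: the figure a CISO reports upward."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory (not real systems); dates are illustrative.
TODAY = date(2025, 12, 16)
INVENTORY = [
    Asset("pacs-01", "imaging archive on Windows Server 2012 R2",
          vendor_eol=date(2023, 10, 10), last_patched=date(2023, 9, 12),
          still_needed=True, clinically_critical=True),
    Asset("lims-02", "pathology LIMS on Windows Server 2019",
          vendor_eol=date(2029, 1, 9), last_patched=date(2025, 12, 9),
          still_needed=True, clinically_critical=True),
    Asset("intranet-old", "retired intranet on Windows Server 2008 R2",
          vendor_eol=date(2020, 1, 14), last_patched=None,
          still_needed=False, clinically_critical=False),
    Asset("rota-app", "departmental rota tool, vendor unknown",
          vendor_eol=None, last_patched=date(2025, 10, 1),
          still_needed=True, clinically_critical=False),
    Asset("ward-kiosk-07", "ward check-in kiosk on Windows 10",
          vendor_eol=date(2025, 10, 14), last_patched=date(2025, 9, 30),
          still_needed=True, clinically_critical=False),
    Asset("ehr-gw", "EHR integration gateway on Ubuntu 22.04",
          vendor_eol=date(2027, 4, 1), last_patched=date(2025, 11, 1),
          still_needed=True, clinically_critical=True),
]

if __name__ == "__main__":
    for f in triage(INVENTORY, TODAY):
        print(f"{f.hostname:15} {f.action:30} {'; '.join(f.reasons)}")
    print(summarise(triage(INVENTORY, TODAY)))
```

Two points are worth noting in the output. An asset whose vendor support status is simply unknown is not treated as clean: it is ranked above a merely unpatched system, because an estate that cannot say whether a system is supported is exactly the blind spot the DSIT figures describe. And a redundant system is flagged for decommissioning regardless of its other findings, since removing it ends the risk rather than managing it.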

This visibility is the starting point and strategic enabler for meeting key security requirements, including Cyber Essentials and Cyber Essentials Plus, and for conducting meaningful supply chain risk assessments.

From insight to action

Implementing security measures is the next stage in defending systems from cyber threats. Replacing legacy infrastructure isn't always feasible, so organisations must find ways to bolster their existing environment with robust measures, which include:

Protect data in transit – securing data in motion is vital, particularly as healthcare organisations move towards more integrated care models and shared records. Patient data flowing between departments, systems and even organisations must be encrypted, and the networks carrying it segmented, following modern security principles such as Zero Trust and Secure Access Service Edge (SASE).

Secure the borders – healthcare estates are increasingly borderless, with staff working remotely, using mobile devices, and accessing cloud services. Protecting these entry and exit points through firewalls, endpoint detection and response (EDR), and robust identity controls helps prevent external threats from breaching the core infrastructure.

Empower a human firewall – frontline NHS staff are focused on delivering care, not cybersecurity. But every user is either a potential risk or a valuable line of defence. Ongoing education, delivered in a way that supports rather than burdens staff, is key to preventing phishing, social engineering and accidental breaches.

Maintain monitoring and visibility – healthcare systems must operate around the clock but so must monitoring. Real-time analytics and alerting help CISOs detect unusual behaviour, system anomalies, and early indicators of compromise. With AI-powered tools, it’s possible to gain insights without overwhelming IT teams with false positives.

Test relentlessly – regular penetration testing and incident response exercises are crucial in healthcare, where the stakes of a breach are high. Testing validates your defences, identifies overlooked vulnerabilities, and builds confidence in your ability to respond to real-world attacks.

Build a resilient framework – ultimately, what healthcare CISOs need is a repeatable, scalable security framework that connects discovery, application management, transit protection, border security, user awareness, visibility, and testing. This holistic approach creates resilience not just in systems, but across the organisation.

Preparing for the future

It’s essential for healthcare organisations to partner with technology companies, who can integrate these solutions into existing environments while ensuring compliance with the latest security standards. This level of expert assistance can also help healthcare organisations to assess and develop security processes, strengthen postures, and educate staff. With the right support, the NHS can safeguard critical systems for years to come without compromising operational efficiency or patient care.


Authors

Afshin Attari

Senior Director of Public Sector, Exponential-e