Cybersecurity in healthcare isn’t an IT sidebar; it’s now a core operational risk and a foundational element of patient safety and innovation. This write-up captures the highlights, insights, and next steps from our June 2025 event (last Monday), convening leaders across health, cyber, academia, and business.
Overview
On 30 June 2025, innovators, clinicians, technologists, and policymakers gathered at Aston University’s John Cadbury House for a unique joint session of the Cyber Working Group (CWG) and the Innovative Health Working Group (IHWG). Brought together with the support of the Innovation Alliance for the West Midlands (IAWM), DSIT, the West Midlands Cyber Resilience Centre (WMCRC), Midlands Cyber, TechWM, and Innovate UK, the afternoon challenged some of the most deeply held assumptions about cybersecurity in health and care environments.
The theme underpinning every discussion was clear: it’s time to stop treating cybersecurity in healthcare as an IT issue and recognise it as a critical component of operational safety, patient trust, and innovation readiness.
For anyone interested in why this framing matters so profoundly, have a look at my article “Theatres of Risk: Rethinking Cybersecurity in Healthcare as Operational Technology, Not IT”. There are a couple of others in the series that build this case in more detail:
- “Understanding OT: Operational Technology in Context”
- “Environments That Are Actually OT (But Often Misclassified as IT)”
- “Military Theatres and Battlefield Tech: Archetypal OT, Misgoverned as ICT”
Below is a reflection on the day’s sessions, key insights, and the urgent questions that emerged. The original link to Eventbrite is: https://www.eventbrite.co.uk/e/cwg-ihwg-cybersecurity-in-healthcare-securing-health-in-a-digital-world-tickets-1348002003279
Welcome and Introductions
The event opened with the joint chairs, Perninder Dhadwar, CEO and Founder of Imobisoft and Innovate Health, and me, representing Cyber, the WM CWG, Cyber Tzar, and Psyber Inc. I’d just come from a morning session reviewing Aston University Cyber students’ projects, on behalf of Dr Anitha Chinnaswamy and Dr Laura Di Chiacchio, and frankly, I was zapped. But by the time we got to the event, there was a real “buzz,” and I must have picked up an extra life.
After thanking the organisations and individuals who made the session possible, particularly the Innovation Alliance for the West Midlands (IAWM) Team, for their tireless work in convening and championing collaboration across the region, attendees were reminded that cybersecurity and health innovation are not parallel conversations but fundamentally intertwined challenges demanding shared ownership.
It’s also worth noting that as the West Midlands moves to strengthen its leadership in this field, we must recognise that cyber is not simply a series of projects or networking groups; it is a cluster in its own right. At present, there is real fragmentation as groups spring up to pursue their own particular agendas in isolation. A joined-up, cluster-based approach, reporting to the WMCA and coordinated strategically, is essential if we are serious about scaling capability and credibility. I explored this in depth in “Cyber as a Cluster: A Critical Review of the Midlands Engine Cyber & Defence Report”.
Setting the Scene: The Case for Urgency
Before the first panel session, Dr Haider M. al-Khateeb, Associate Professor in Cyber Security and Deputy Director (Industry Forum) of Aston University’s Centre for Cyber Security Innovation (CSI), offered a compelling opening address that framed the day’s conversations.
In a clear call to action, Haider underlined that cybersecurity in healthcare is no longer a hypothetical or peripheral concern; it is one of the most pressing challenges of our time. He spoke about the urgency of moving from discussion to delivery, and the necessity of collaborative action led by experts across health, cyber, academia, and business.
Reflecting Aston’s commitment to advancing this agenda, he noted how the Centre for Cyber Security Innovation is working at the intersection of research and practice, convening partners to explore how innovative technologies, integrated policies, and strong cross-sector partnerships can together strengthen the resilience of our digital health infrastructure.
Haider congratulated the Innovative Health Working Group, in partnership with the West Midlands Cyber Working Group, for convening such a valuable and forward-looking discussion, and he welcomed the audience on behalf of Aston University.
His remarks set the tone for a day defined by urgency, collaboration, and a shared belief that securing health in a digital world demands nothing less than collective resolve.
If Cyber Threats Can Shut Down Life-Saving Equipment, Why Are We Still Treating Security as Just an IT Problem?
Panel Session 1 Speakers:
- Jen Nucifora, Founder and CEO, Axions Technology Ltd
- Haider M. al-Khateeb, Associate Professor in Cyber Security, and Deputy Director (Industry Forum) of Aston’s Centre for Cyber Security Innovation (CSI)
- Perninder Dhadwar, Imobisoft and Innovate Health
This panel tackled a provocative premise: in an era when ransomware can halt critical care, why do we persist in thinking of medical cybersecurity as a matter for the IT department?
Jen Nucifora highlighted the “complexity explosion,” describing how healthcare has evolved from standalone mechanical devices to vast, cloud-dependent ecosystems. Yet procurement, standards, and governance have not kept pace. She shared a vivid example of identical infusion pumps configured four different ways within the same trust, some hardened and others wide open, an illustration of how inconsistent operational practices remain a huge exposure.
Haider M. al-Khateeb focused on staff empowerment, noting that frontline clinicians often see cybersecurity as abstract or secondary to patient care. He argued that until training and engagement are woven seamlessly into clinical workflows, like infection control, progress will remain incremental.
Perninder Dhadwar underlined the necessity of reframing medical environments as operational technology (OT) first, observing that “if a surgical robot fails, it’s a patient safety incident, not an IT ticket.” He called for governance models that unite biomedical engineers, IT teams, and clinical leaders in shared accountability.
The Q&A that followed surfaced a recurring frustration: the accountability vacuum between manufacturers, procurement teams, and operational leadership. Jen’s insight was particularly useful and her real-world experiences came to the fore. These examples vividly reinforced the argument I’ve made elsewhere: that treating critical clinical systems as “just IT” is fundamentally a category error.
How Can We Unleash Bold Health Innovation Without Making Patient Data a Hacker’s Playground?
Panel Session 2 Speakers:
- Jen Nucifora
- Haider M. al-Khateeb
- Wayne Horkan, moi!
This session explored the tension between innovation ambition and security reality. With remote monitoring, AI decision support, and virtual wards reshaping the health landscape, how do we protect the trust patients place in their data?
Haider called for breaking down the silos between IT, security, and clinical teams, suggesting that the first step is defining shared goals around patient safety. He advocated for joint teams to build a culture of collaboration rather than compartmentalisation.
I reflected on the hidden cost of innovation without embedded security, warning that trust erosion is the price of cutting corners. I argued that funding for digital transformation must explicitly include cybersecurity from day one, rather than treating it as a bolt-on.
Jen posed a striking thought experiment: if she could fix one security weakness instantly, she would mandate secure-by-default device configurations, eliminating entire classes of preventable vulnerabilities.
This discussion again highlighted that cybersecurity, when fragmented across multiple groups with competing priorities, risks duplicating effort and leaving gaps unaddressed. A proper cluster model, where expertise, standards, and resources are coordinated regionally, is the only credible way to ensure resilience scales alongside innovation.
During the discussion, several participants expressed frustration that healthcare lags far behind other safety-critical industries like aviation, where regulators enforce minimum standards uncompromisingly. This set the stage for a broader debate about procurement standards, regulatory teeth, and the need to hold manufacturers to account.
Elsewhere in the Innovation Alliance
To round out the afternoon, Cliff Dennett of IAWM and David Kidney of West Midlands Health Technologies Cluster (WMHTC) shared updates on parallel innovation initiatives, including efforts to foster cross-sector collaboration and the emerging opportunities for health and cybersecurity companies in the West Midlands. Their updates further underscored that to avoid duplication and fragmentation, these initiatives need to sit within a coherent regional cyber cluster strategy.
It was great to see so many of the West Midlands Cyber ecosystem attend, especially Ryan Protheroe of Midlands Cyber and Stuart Stanton of BrumSec Connect and Marston Search. Plus Cyber Tzar was represented by Maham Naqvi, who brought her friend and colleague from Aston University, Sean Fullen, who’s currently working with Christian Toon at Alvearium Associates. Finally, I should add a massive “Thank you!” to Ros Povilionis of Sustainability West Midlands (SWM), Gosia Dzierdzikowska of Aston University, and Emma Yeap of WMHTC.
Closing Reflections
The event concluded with a reminder that cyber resilience is no longer optional or peripheral in healthcare. It is integral to patient safety, public trust, and the credibility of health innovation itself.
Participants left with a renewed sense of urgency and a clear consensus that the old models of governance, procurement, and siloed responsibility are no longer fit for purpose.
If you’d like to continue this conversation, explore collaboration, or share perspectives on developing a joined-up cyber cluster strategy, please get in touch. The best place is probably via LinkedIn, so please message me there: https://www.linkedin.com/in/waynehorkan/
Final Thoughts
Three themes resonated throughout the day:
- Much of healthcare is operational technology. The language of IT risk doesn’t capture the life-or-death implications of device compromise.
- Accountability must be collective. The handoffs between manufacturers, IT, clinical staff, and procurement are still dangerously fragmented.
- Trust is the foundation of innovation. Without rock-solid security, digital health’s promise will be met with patient scepticism.
As the West Midlands continues to position itself as a centre of excellence for health and cyber innovation, events like this underline that real progress depends not just on technology but on culture, regulation, and the courage to challenge outdated assumptions. We must also acknowledge that cyber itself is a cluster, deserving of strategic recognition and a coherent plan to avoid fragmentation and duplication. Otherwise, we risk repeating the same mistakes in governance that hold back other sectors.
Related Articles
You may enjoy the following related articles, some of which were created as background materials for the event itself.
- Understanding OT: Operational Technology in Context
A primer on how OT differs from IT, and why that matters in sectors like healthcare and logistics.
https://horkan.com/2025/06/24/understanding-ot-operational-technology-in-context
- Environments That Are Actually OT (But Often Misclassified as IT)
Real-world examples of OT systems mistaken for IT, and the risks this creates.
https://horkan.com/2025/06/25/environments-that-are-actually-ot-but-often-misclassified-as-it
- Theatres of Risk: Rethinking Cybersecurity in Healthcare as Operational Technology, Not IT
Why hospital systems should be governed like OT, not IT.
https://horkan.com/2025/06/26/theatres-of-risk-rethinking-cybersecurity-in-healthcare-as-operational-technology-not-it
- Military Theatres and Battlefield Tech: Archetypal OT, Misgoverned as ICT
A look at defence systems as OT, and how poor governance creates mission risk.
https://horkan.com/2025/06/30/military-theatres-and-battlefield-tech-archetypal-ot-misgoverned-as-ict