
Cyber attacks are no longer a distant threat for the NHS. They are a recurring reality, disrupting services, delaying care, and eroding public trust. This week, NHS England published new guidance for boards and non-executive directors, underlining that cyber resilience cannot be left to IT departments alone. As Jamie Saunders, chair of the NHS England Cyber Security Risk Committee, put it, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.”
The guidance sets out practical ways that non-executive directors (NEDs) and boards can exercise oversight. It does not ask them to become technical experts but to engage seriously with the governance questions that determine how prepared an organisation really is. Among them: how often do boards discuss cyber risk, and how much are they willing to invest to manage it? Do leaders understand the organisation’s cyber posture? And how confident are they that staff know their roles when an incident occurs?
Boards are also encouraged to ask more detailed questions of their cyber teams. How is the organisation defending against phishing and other common attack methods? How are privileged accounts secured? Is there a technology lifecycle plan that ensures old, vulnerable systems are not left in service? Do suppliers and partners meet the same standards, and how resilient are the supply chains they rely on? Crucially, are backups reliable, tested, and integrated into business continuity plans?
The message is clear: cyber security is not an add-on but part of core governance. Risks should be visible on dashboards alongside clinical and financial performance, and boards should be assured that cultural change is happening across their organisations. Staff awareness, incident drills, and ongoing training are as vital as firewalls or intrusion detection systems.
This NHS England guidance lands within a wider landscape of change. The government has launched its Cyber Growth Action Plan, pledging £16 million to help commercialise research and strengthen the sector. Leading universities such as Bristol and Imperial will map the cyber economy and propose a roadmap for growth. Meanwhile, the National Cyber Security Centre has updated its Cyber Assessment Framework to include AI-related risks, better detection methods, and new approaches to software maintenance. The updates reflect an uncomfortable reality: the gap between escalating threats and our ability to defend against them is widening.
Healthcare is uniquely vulnerable because disruption carries direct human costs. A delayed appointment or cancelled surgery caused by a cyber incident is not just an IT failure; it is a failure of care. That is why board-level leadership matters. Governance structures, investment decisions, and cultural priorities all flow from the top. If boards do not own the risk, organisations will remain exposed.
The new NHS guidance should not be seen as a checklist to be filed away but as a call to embed cyber resilience into the DNA of health service leadership. With ransomware groups and state actors probing constantly for weaknesses, the question is not if but when the next attack will hit. The responsibility of boards is to ensure that when it does, the NHS is not caught unprepared.