Cyber Security for GP Surgeries: The Complete Guide

This guide covers the complete cyber security requirements for GP surgeries in the UK — the specific threats, regulatory obligations, and practical controls that every practice should have in place. It is written for GP principals, practice managers, and information governance leads who need a clear, actionable view of security in the primary care context.

Your Specific Risk Profile

A GP surgery's cyber risk profile is shaped by four factors unique to primary care:

Patient safety dependency. Unlike most small organisations, the unavailability of your clinical system is not just a business continuity problem — it is a patient safety event. The controls that prevent system downtime, and the processes that manage it safely when it occurs, have a clinical dimension that other sectors do not share.

Special Category health data at scale. A practice with 8,000 registered patients holds Special Category health data on every one of them. This is not a typical small business data profile — it is a healthcare organisation profile, and it attracts both the regulatory attention and the criminal interest that healthcare data generates.

NHS network connectivity. Your connection to NHS national systems — Spine, NHS Mail, EPS, SystmOne/EMIS — means that your security posture affects not just your practice but the organisations connected to you through the shared infrastructure.

Supplier dependency. Your practice management system provider, your IT support provider, your telephony provider, and your clinical system integrators all have varying degrees of access to your systems and data. A compromise at any of these suppliers can cascade into your practice — as the Advanced ransomware incident demonstrated at national scale.

Clinical System Security

Your practice management system — SystmOne, EMIS Web, Vision, Microtest — is your highest-value and highest-risk asset. It requires specific security attention beyond what general IT management provides.

Implement role-based access within the clinical system. Receptionists do not need access to full clinical records. Administrative staff do not need access to safeguarding flags. Access should be configured to match clinical role and reviewed when staff change roles or leave. Audit logging within the clinical system — which users accessed which records — is both a clinical governance requirement and a GDPR accountability measure.
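The audit log review described above can be turned into a repeatable governance check. The following is an added example, not code from the guide or from any clinical system vendor: SystmOne, EMIS Web, Vision and Microtest each have their own audit export format, so the CSV columns, the role-to-area permission matrix and the sample rows here are constructed assumptions that would need mapping onto your own export.

```python
"""Role-based access review over a clinical system audit export.

Added example, not the guide's own code. The CSV layout, the roles and the
ROLE_PERMISSIONS matrix are constructed assumptions; real exports differ by vendor.
"""
import csv
import io
from collections import Counter

# Assumed matrix: which record areas each role legitimately needs.
# Receptionists get no clinical record; admin staff get no safeguarding flags.
ROLE_PERMISSIONS = {
    "receptionist": {"demographics", "appointments"},
    "admin": {"demographics", "appointments", "correspondence"},
    "nurse": {"demographics", "appointments", "clinical_record"},
    "gp": {"demographics", "appointments", "clinical_record", "safeguarding", "correspondence"},
}

# Constructed sample export: one row per record access event.
SAMPLE_AUDIT_CSV = """timestamp,user,role,patient_id,area,action
2024-05-01T09:02:11,jsmith,receptionist,P0001,appointments,view
2024-05-01T09:05:40,jsmith,receptionist,P0002,clinical_record,view
2024-05-01T09:07:03,abrown,admin,P0003,safeguarding,view
2024-05-01T10:15:22,dgreen,gp,P0002,clinical_record,view
2024-05-01T10:15:59,pwhite,contractor,P0004,demographics,view
2024-05-01T23:41:00,jsmith,receptionist,P0005,appointments,view
"""


def parse_audit(csv_text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_out_of_role_access(rows):
    """Rows where the recorded role does not cover the area accessed.

    A role missing from the matrix (for example a contractor account that was
    never mapped) is treated as excess access rather than silently allowed.
    """
    flagged = []
    for row in rows:
        allowed = ROLE_PERMISSIONS.get(row["role"])
        if allowed is None or row["area"] not in allowed:
            flagged.append(row)
    return flagged


def find_out_of_hours_access(rows, open_hour=8, close_hour=19):
    """Accesses outside assumed surgery hours; timestamps are ISO 8601 strings."""
    out = []
    for row in rows:
        hour = int(row["timestamp"][11:13])
        if hour < open_hour or hour >= close_hour:
            out.append(row)
    return out


def summarise(rows):
    """Count of out-of-role events per user, for the governance review meeting."""
    return Counter(r["user"] for r in find_out_of_role_access(rows))


if __name__ == "__main__":
    rows = parse_audit(SAMPLE_AUDIT_CSV)
    for r in find_out_of_role_access(rows):
        print("out of role:", r["timestamp"], r["user"], r["role"], r["area"], r["patient_id"])
    for r in find_out_of_hours_access(rows):
        print("out of hours:", r["timestamp"], r["user"], r["area"], r["patient_id"])
    print(summarise(rows))
```

Run against the constructed rows, the check flags the receptionist opening a clinical record, the admin user opening a safeguarding flag, the unmapped contractor account, and one access at 23:41. The unknown-role rule matters in practice: accounts created for suppliers or locums are the ones most likely to sit outside the role matrix.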

Confirm your backup arrangement directly with your clinical system provider. The backup of a relational clinical database is not the same as the backup of the files on the server, and many practices discover this distinction at the worst possible moment. Your backup must produce a restorable copy of the clinical database that can be used for patient care — not just files that can be recovered.

Clinical systems should be on a network segment that restricts access from general internet browsing. A staff member who inadvertently visits a malicious website should not be able to provide a pathway to the clinical system. Network segmentation between administrative and clinical functions is a proportionate control for the data sensitivity involved.

NHS Mail and Email Security

NHS Mail accounts should be treated as privileged accounts. They provide access to clinical correspondence, safeguarding information, and communications from secondary care that relate to named patients. Credentials for NHS Mail should be unique (not shared with any other service), managed in a password manager, and protected by MFA wherever NHS Mail supports it.

Configure DMARC for your practice's own domain (the @practicedomaingp.co.uk address used for patient-facing communications) to prevent criminals from spoofing it when targeting your patients or referral partners.

Train reception and administrative staff on the specific phishing scenarios targeting GP practices: fake NHS England notifications, NHSD system alerts, ICB communications requiring urgent action, and pharmacy query emails with malicious attachments. These are the most common vectors for credential harvesting in primary care.

Backups: The Clinical Safety Net

Your backup must be both comprehensive and ransomware-proof. Comprehensive means it captures the clinical system database, the document management system, the recall and exception reporting system, NHS Mail archives relevant to clinical care, and any locally stored clinical documents. Ransomware-proof means at least one copy is offline, disconnected from the network, and cannot be encrypted by malware running on your systems.

Test restores quarterly. A backup that cannot be restored in a reasonable time is worse than no backup, because it creates false confidence. Document the restore process clearly enough that it can be followed under stress by someone who was not present when it was configured.

Know your recovery time objective. How long can the practice operate safely without access to the clinical system? For most practices, the answer is measured in hours, not days. Your backup and recovery process must be capable of meeting that objective.
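The two points above (a database-consistent backup is not a copy of the server's files, and a restore drill must prove the copy is usable within the recovery time objective) can be rehearsed in code. The following is an added example, not the guide's or any vendor's procedure: it uses SQLite purely as a stand-in for a clinical database so that it runs anywhere, takes the backup through the engine's own backup API rather than copying the file, restores it to separate storage, runs an integrity check and row-count comparison, and times the drill against an assumed four-hour RTO. All data and the RTO value are constructed.

```python
"""Restore drill against a recovery time objective.

Added example, not the guide's own code. SQLite stands in for the clinical
database; the patient rows and the four-hour RTO are constructed assumptions.
"""
import os
import sqlite3
import tempfile
import time

RTO_SECONDS = 4 * 3600  # assumed recovery time objective: four hours


def make_sample_db(path):
    """Create a small constructed database standing in for the clinical system."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, nhs_number TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO patients (nhs_number, name) VALUES (?, ?)",
        [("TEST0001", "Test Patient A"), ("TEST0002", "Test Patient B")],
    )
    con.commit()
    con.close()


def count_patients(path):
    con = sqlite3.connect(path)
    n = con.execute("SELECT COUNT(*) FROM patients").fetchone()[0]
    con.close()
    return n


def consistent_backup(src_path, dst_path):
    """Back up through the engine's API so in-flight writes cannot leave a torn copy.

    A plain file copy of a live database file is the 'files on the server' backup
    the guide warns about; this is the database-level equivalent.
    """
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    with dst:
        src.backup(dst)
    dst.close()
    src.close()


def verify_restored(path, expected_rows):
    """Prove the restored copy is usable: structurally sound and complete."""
    con = sqlite3.connect(path)
    integrity_ok = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    rows = con.execute("SELECT COUNT(*) FROM patients").fetchone()[0]
    con.close()
    return integrity_ok and rows == expected_rows


def restore_drill(rto_seconds=RTO_SECONDS):
    """Run backup, restore and verification; report usability and time against RTO."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "live.db")
        backup = os.path.join(d, "backup.db")
        restored = os.path.join(d, "restored.db")
        make_sample_db(live)
        expected = count_patients(live)
        start = time.monotonic()
        consistent_backup(live, backup)
        # Restore means standing the backup up as a working database on other storage.
        consistent_backup(backup, restored)
        usable = verify_restored(restored, expected)
        elapsed = time.monotonic() - start
    return {"usable": usable, "within_rto": elapsed <= rto_seconds, "elapsed_seconds": elapsed}


if __name__ == "__main__":
    print(restore_drill())
```

The result dictionary is what a quarterly drill should record: whether the restored database was usable, and whether the whole restore fitted inside the objective. A drill that only confirms the backup job "completed" answers neither question.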

Controlled Drugs and EPS Security

The Electronic Prescription Service credentials used to generate and authorise prescriptions are targets for criminal groups. EPS credentials should be protected by the same standards as any privileged credential: unique passwords, password manager storage, and immediate revocation when a user leaves or changes role.

Maintain your Controlled Drugs register — whether paper or electronic — with the same rigour that the Controlled Drugs (Supervision of Management and Use) Regulations 2006 require. If your CDAO function is shared with a neighbouring practice or PCN, confirm how the register is maintained and how it would be recovered in the event of a system failure.

Staff Training: Primary Care Scenarios

Annual data security training completion is a DSPT requirement. It should cover the specific scenarios most relevant to primary care staff:

Supplier Security: Your IT Provider

Your IT provider almost certainly has privileged access to your systems — the ability to connect remotely, to manage accounts, to access servers. A compromise of your IT provider is a compromise of your practice. Ask your IT provider what security standards they operate to, whether they hold Cyber Essentials certification, and what their own incident response process is. These questions are proportionate given the access they hold.

If your IT provider is also your clinical system support, ensure that the access they use for clinical system support is distinctly managed from general IT access, and that remote access sessions are logged and attributable to specific support events.

The Investment Case

A GP surgery with a typical patient list of 6,000 to 10,000 patients operates between 20 and 40 networked assets — clinical workstations, the clinical system server, administrative desktops, a reception desk, and laptops. This falls within the SOC in a Box Small or Medium plan. The monthly cost is less than the cost of a single session of out-of-hours locum cover — and it provides 24/7 protection for the systems that, if compromised, would require weeks of that locum cover to manage the disruption.

Clinical Systems Protected. DSPT Evidenced. Patients Safe.

SOC in a Box provides 24/7 monitoring of your clinical systems, NHS Mail environment, and practice network. DLP policies are pre-configured for Special Category health data. Cyber Essentials certification included. Monthly Confidence Score reports provide the DSPT, CQC, and ICO evidence your compliance obligations require. Five working days from scoping call to live monitoring.
