Skip to main content
Vantyris

For clinics

Cyber hygiene checklist for UK clinics, 2026.

Published 2026-05-25 · 12-item checklist · Approx. 12-minute read

Most UK clinics, dental, GP, vet, physio, run on the same basic infrastructure: a website, a booking system from one of three or four vendors, an email setup that handles patient correspondence, and a back-office system the receptionist uses. That's a small attack surface. It's also the attack surface the ICO writes about when it issues monetary penalty notices to healthcare providers for data breaches.

This is the checklist we'd run if we were starting from scratch on a clinic's public-facing security. It's in priority order, not alphabetical. The first three items close more than 70% of the practical risk; the rest are polish-level once the first three are clean. None of them require buying anything from Vantyris (though we built our scanner to check them all in 90 seconds).

First three: where 70% of clinic risk lives

1. Confirm your domain has DMARC enforcing at quarantine or reject

Almost every clinic phishing attempt we see rides the clinic's own domain. A scammer sends "Your appointment has been rescheduled, click to confirm" from `appointments@yourclinic.co.uk` to your patient, and the patient's Gmail or Outlook treats it as legitimate because no DNS record tells the receiving server otherwise. DMARC is the DNS record that closes this. At `p=quarantine` or `p=reject`, unauthenticated mail from your domain is bounced or sent to spam.

How to verify: ask your DNS provider (your domain registrar, or whoever set up your email) "is DMARC enforcing?" If the answer is "what's DMARC?" you have your answer. Or paste your domain into mxtoolbox.com/dmarc.aspx for an instant read.

If it isn't: read our DMARC explainer for the exact steps. Whoever maintains your DNS adds one TXT record. About 30 minutes.

2. Confirm your booking system serves HTTPS-only with a valid certificate

If a visitor types your booking-system URL and the address bar shows "Not secure", you have a problem the regulator will eventually notice. ICO guidance on the Data Protection Act has been clear since the 2018 update: appointment data, contact details, and any free-text symptom field a patient might fill in count as personal data, and submitting them over an unencrypted connection is a breach waiting to happen.

How to verify: open your booking page in an incognito browser window. The address bar should show a padlock icon and the URL should start with `https://`. If it shows "Not secure", or if the certificate is shown as expired when you click the padlock, you're in priority-fix territory.

If it isn't: read how to enable HTTPS. If your booking provider doesn't support HTTPS in 2026, that's a different conversation: move to one that does.

3. Confirm your domain has SPF, and review who's allowed to send for it

SPF is the DNS record listing which servers are allowed to send email from your domain. Without it, DMARC has nothing to enforce. Even with it, the common failure mode is "we set it up in 2017 and added every vendor over the years until it has 14 includes and starts failing the 10-lookup limit."

How to verify: mxtoolbox.com/spf.aspx shows the record and the count.

If it isn't: read what is an SPF record. Your DNS administrator adds one TXT record.

The next nine: tightening

4. Disable TLS 1.0 and 1.1 on the server

Both are deprecated. Every modern browser already refuses to use them. Leaving them enabled hurts your security grade and gives compliance auditors a reason to fail you. Plain-English explainer. Five minutes in your host's SSL panel.

5. Add HSTS (Strict-Transport-Security header)

One header that tells visiting browsers to always use HTTPS for your domain. Closes the brief window where a visitor on hostile Wi-Fi could be downgraded to HTTP. How to enable safely. Start with a short max-age, increase over a week.

6. Add a basic Content Security Policy

CSP blocks injected scripts, including the kind that show up when a CMS plugin is compromised. A basic policy is enough; you don't need to perfect it. Plain-English guide. Most useful for sites running WordPress or any CMS with plugins.

7. Add X-Frame-Options or frame-ancestors

One header. Blocks clickjacking. Almost every clinic site can safely set this to DENY. The anti-clickjacking header. Five minutes.

8. Add a CAA record to your DNS

Lists which certificate authority is allowed to issue TLS certificates for your domain. Closes a class of attack where someone tricks a different CA into issuing a certificate for your domain. CAA records explained. One-time DNS edit.

9. Set TLS certificate renewal monitoring

Expired certificates take a clinic site fully offline. A free monitor (UptimeRobot has a TLS check on the free tier, Vantyris's continuous monitoring fires the alert at 14 days) costs zero and prevents the worst kind of preventable outage. If your certificate just expired.

10. Confirm your booking system's vendor takes security seriously

You won't find this on a scan. Ask the vendor: do they have an ISO 27001 certification? A Cyber Essentials Plus certification? A SOC 2 Type II report? Where are their servers hosted? How is patient data encrypted at rest? If the vendor cannot answer any of these questions, the security posture of your booking system is whatever it happened to be when they wrote the code. That's a problem worth raising with them.

11. Set up a regular external scan

Configuration drifts. A plugin update can re-introduce a header you fixed three months ago. The point of continuous monitoring is to catch the drift the same week it happens, not at your annual cyber-renewal questionnaire. Vantyris's continuous-monitoring tier (€5 per endpoint per month) does this; if you'd rather not buy it from us, set yourself a quarterly calendar reminder to re-run the free teaser.

12. Document everything for the ICO's file

The ICO doesn't ask for perfection; it asks for evidence that you took the security of patient data seriously. A folder with your last few scan reports, the dates you fixed each item, and the calendar reminder for the next scan is the evidence. Three PDF layouts from a Vantyris scan, the full report for the file, the executive summary for the board, the single-issue work order for your IT contractor, are designed for exactly this purpose.

Where Vantyris fits

We built Vantyris because the existing tools were either free single-purpose checkers (SSL Labs is excellent, please use it for item 4) or enterprise platforms with €1,500/month minimums. Neither fits a clinic.

A free Vantyris teaser scan covers items 4 and 5 in plain English. A verified scan (€10 for the starter pack) covers items 1, 2, 3, 6, 7, 8 with full remediation guidance, plus the Cyber Essentials alignment section that maps each finding to NCSC's five CE control areas. Continuous monitoring (item 11) is the optional add-on. And the public trust page at /trust/your-clinic-slug is what you put on your ICO file or your insurer's renewal form for item 12.

That's the case. We're not the only way to do any of this; we're the cheapest way to do all of it in one session.

Run a free check on your clinic's website now.

No card, no signup. Paste your domain, get a teaser report in seconds. If you like what you see, the full verified scan with remediation guidance is €10.

Editorial

Vantyris editorial team · methodology v1.0.0 · references: ICO guidance · NCSC Cyber Essentials