In the wake of Sir Keir Starmer’s announcement that NHS England, the body with many responsibilities relating to cybersecurity, will be scrapped to cut costs and improve efficiency, questions around cybersecurity have been raised relating to the NHS’s ability to prevent cyberattacks.
NHS England is an administrative body established in 2013 that operates separately from the UK government but is guided by it. The service manages how health services in England (other UK countries have separate organizations) operate in relation to things away from the frontline, such as training and data collection.
Relating to cybersecurity, its current responsibilities include ensuring that the outcome of cyber security assessments is acted upon and that organizations register to the Respond to an NHS Cyber Alert service, act on advisories when they are issued, and submit remediation plans.
Good News?
Any move designed to save taxpayers money, cut bureaucracy, and restore democratic control must be good news, right? The government insists it is, but the level of disruption this will bring presents opportunities for cybercriminals.
We recently reported on an NHS investigation into an alleged API flaw emanating from an online healthcare provider working with the NHS that may have exposed confidential patient information.
Owing to the continued outsourcing of NHS services and the critical need for APIs that facilitate real-time medical data sharing, our featured expert in the article questioned whether it was best for organizations to be ‘marking their own homework’. Currently, outsourced providers are not contractually obliged to have a third party test their systems before using live public sector data. Will gaps like these be more likely to be resolved or exasperated by the removal of NHS England?
Oversight and Implementation
Although not perfect by any means, there are frameworks in place that are experiencing ongoing development. Back in September 2024, the NHS Data Security and Protection Toolkit for 2024-25 adopted the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its foundation for cyber security and information governance assurance. As a result, NHS Trusts, integrated care boards (ICBs), commissioning support units (CSUs), and arm’s-length bodies (ALBs) experienced a revised interface that outlines requirements aligned with the CAF in terms of objectives, principles, and outcomes.
Organizations are required to assess themselves against the updated requirements by June 30, 2025. If they cannot meet the required achievement levels, they must submit an improvement plan by June 30, 2026. Failure to agree on a plan will result in receiving a 2024-2025 DSPT status of “Standard Not Met,” indicating a lack of an approved plan for achieving necessary cybersecurity and information governance levels.
Analysis
Cybersecurity expert Graeme Stewart, head of public sector at Check Point Software, believes that the move to disband NHS England could potentially leave the NHS vulnerable.
He likened the removal of the centralized cybersecurity infrastructure to “a hospital suddenly removing its emergency department and expecting patients to fend for themselves.” Adding that “At present, NHS England provides the backbone for our cyber defenses, from a unified email service to specialized threat protection. Removing these central functions risks leaving individual NHS Trusts to fend off cyberattacks with a patchwork of under-resourced teams.”
He also echoed our sentiments about raising security concerns over the regulation of third-party suppliers offering outsourced NHS services. Speaking on how the removal of a centralized service presents an opportunity for an influx of third parties, he posited that “While more suppliers might seem like a win for competition, it also fragments our defense and leaves us vulnerable; each new supplier is a potential weak link in our security armor.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.