As part of a ‘Plan for Change’ to ‘cut bureaucracy across state, focus government on the priorities of the working people, and shift money to the frontline’, the Prime Minister Sir Keir Starmer in a speech yesterday said that the Labour Government would bring management of the NHS ‘back into democratic control, by abolishing the arms-length body – NHS England’.
That would, however, call into further question what place, if any, there would be for national direction of security management for the National Health Service. Such direction has been dormant since the 2018 decision to do away with the NHS SMS (security management service), which left the NHS Counter Fraud Authority (NHSCFA) as independent from other NHS bodies and accountable to the Department of Health and Social Care (DHSC). As the NAHS (National Association for Healthcare Security) heard at its 2023 conference, as featured in the January 2024 edition of Professional Security Magazine, NHS England was at work on setting back up some of the things that the NHS SMS had done, such as standards-setting.
Comment
Graeme Stewart, head of public sector at Check Point Software, said, “While the Prime Minister’s sweeping reforms cover everything from cutting red tape to reining in bureaucracy, one critical area must not be left in the lurch: our cybersecurity defences. Scrapping NHS England’s centralised services is not just a bureaucratic shake-up; it’s like a hospital suddenly removing its emergency department and expecting patients to fend for themselves.
“At present, NHS England provides the backbone for our cyber defences, from a unified email service to specialised threat protection. Removing these central functions risks leaving individual NHS Trusts to fend off cyberattacks with a patchwork of under-resourced teams. As the adage goes, ‘a chain is only as strong as its weakest link,’ and our cyber chain is already under severe strain with attacks on the rise.
“Moreover, dismantling these central services could open the door for a surge of third-party suppliers to step in. While more suppliers might seem like a win for competition, it also fragments our defence and leaves us vulnerable; each new supplier is a potential weak link in our security armour.
“We need a robust, unified security system that acts like a digital fortress, not a hodgepodge of outsourced patches. In the midst of these broad reforms, let’s ensure the cyber element isn’t left out in the cold. Our digital defences must be retained or replaced with an equally robust solution; otherwise, we’re setting the stage for a cyber disaster.”
Background
The NHS Digital arm of NHS England looks after cyber for the health service, such as the response to the ransomware cyber attack against Synnovis in summer 2024 that affected hospitals in London. The WannaCry malware attack of 2017 showed that the NHS, among others, still used old, unsupported and hence vulnerable versions of Microsoft software.



