In an annual SIRO report, Tim Rycroft, CIO and SIRO at Bradford District Care NHS Foundation Trust, has shared insights into the trust’s performance on information risk management over the last twelve months, noting key successes, plans for 2025/26, and progress in areas such as paper records.
Achievements in 2024/25 included reaching full compliance with the Data Security and Protection Toolkit 2024/25 outcomes, reviewing and updating its information asset register and bulk data flows application, and onboarding an AI-driven solution for record redaction. Information governance performance is now regularly monitored through an IG dashboard and reported to the risk and compliance committee.
When it comes to paper records, the SIRO reports that the trust is “actively reducing” use in line with retention schedules, with records stored by the IG team at a commercial storage facility down from 21,400 boxes in June 2023 to 19,956. The process to remove all paper records is ongoing, with any that are found being reviewed, logged, and either stored or sent for confidential destruction as part of the transition to “more secure and efficient” electronic records management.
In 2024/25, the trust had two information governance risks on its service level risk register, Rycroft shares. The trust’s approach includes involvement by both the IG and cyber security teams, reportedly helping ensure “robust protection of the trust’s information assets through continuous monitoring, strategic oversight, and proactive enhancements”. Teams regularly review risks and alerts from sources including NHSE and vendors, and collaborate with other trusts including Bradford and Airedale through weekly briefings to share intelligence and best practice.
A vulnerability management solution is now live, reportedly playing a “key role” in ensuring “all required patch to servers and endpoint devices are identified proactively and remediated in line with standard practice”, whilst the Microsoft Sentinel security information and event management (SIEM) solution has been deployed to the trust’s private tenant on M365 to ensure its cloud infrastructure is well monitored and secured. A Microsoft Copilot pilot is underway, with the trust looking at options to deploy across the organisation.
Other developments at Bradford District Care include progress on multi-factor authentication, with the trust receiving funding through the regional bidding process for hardware security. Staff awareness around cyber security has been supported by regular communications via newsletter, updates on its Connect (SharePoint) landing page, and posts on company and cyber team pages.
Plans for 2025/26 include reviewing and meeting the 2025/26 DSPT outcomes, refreshing the trust’s cyber strategy with a “just approach” and linking to the regional cyber strategy, implementing a new training strategy for IG and security management, and adapting to new requirements of the Data (Use and Access) Bill, including AI. Data sharing will be promoted within the trust and health and social care, IG policies and procedures will be reviewed, and its IG and cyber security dashboard content will be enhanced. The SIRO is also looking to promote the use of the Microsoft suite for information sharing agreements and data protection impact assessments, to build staff awareness, to onboard a third-party company temporarily for its Data Protection Officer function, and to offer guidance to the trust on good practice relating to AI and emerging technologies.
Wider trend: NHS cyber security
In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved in making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.
The government has published its Cyber Growth Action Plan, aiming to support innovation across the cyber sector and outlining up to £16 million in funding to help commercialise cyber research. As part of this, the University of Bristol and Imperial College London’s Centre for Sectoral Economic Performance will be tasked with exploring the UK’s cyber sector and offering a roadmap for future growth, with the government noting that “this will culminate with a set of recommendations”.
Guidance from NHS England has outlined ways non-executive directors can contribute to keeping their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.” The aim is to provide a resource that helps non-executive directors understand and deal with cyber security risks, explains how external assessments provide insights, and sets out the questions they should ask themselves, the questions they should put to the board, and the questions the board itself should be asking.