The most recent meeting of the St George’s, Epsom and St Helier University Hospitals and Health Group board explored steps being taken at Epsom and St Helier (ESTH) and St George’s (SGUH) to improve cyber security and information governance.
Cyber security remains “a significant area of risk”, the board says, with progress against the Data Security and Protection Toolkit (DSPT) “impacted by delivery delays and capacity constraints”. In June 2025, both trusts’ 2024-25 (version seven) DSPT toolkits were marked as “standards not met”. An improvement plan submitted by ESTH raised its outcome to “approaching standards met”, whilst SGUH’s outcome remained unchanged, reportedly due to its lack of a vulnerability management system, implementation of which is now “in progress”.
A cyber security dashboard is in development, the trusts share, which will enable centralised visibility of real-time threat detection, incident response, and risk management. Go-live is set for Q4 of 2025/26. April 2026 is also the deadline given for migration over to Windows 11, with the group noting a requirement for new hardware to support this, including 3,000 computers and laptops. “Extended Support Updates have been procured across GESH and the technical teams are looking to deploy the licences to the Windows 10 device environment,” it states.
Target dates for digital projects “continue to be delayed”, the board highlights, with concerns raised at an earlier board meeting in November about cyber security and IT systems. The group is now looking to create a single cyber security team to promote a single view and ensure a project plan is in place across all projects, as well as considering options to migrate to NHS.net to help meet cyber security threats.
Elsewhere, the board shares that approval has been received from NHSE for Cyber Risk Reduction Funding for financial year 2025/26. SGUH and ESTH received a total of £60,000 each, which the group will use for its cyber strategy, prioritising the biggest risks, gaps, and technology. It emphasises a continued need to focus on digital infrastructure investment to enable future innovation.
A systematic review of current risks from a group perspective was completed in December 2025. “Through this exercise, and following a number of mini workshops, 3 gesh IT ‘extreme’ risks were created to represent critical overarching IT Infrastructure challenges,” the group shares. “These include data centre failure, core network infrastructure failure and cyber security attack.”
The digital strand of the board assurance framework will remain at its current risk score (20), the board agrees, despite progress around EPR implementation and the development of a group digital strategy, largely due to challenges in digital technology adoption, the cyber security threat, and a “constrained” capital position.
Wider trend: cyber security
A December HTN Now panel discussion explored cyber resilience within the NHS, focusing on some of the strategic challenges in this area around preparedness and recovery. Our panellists also discussed how to embed resilience into clinical, technical, and governance frameworks and make cyber security a priority across the healthcare sector. We were joined by Hubert Ametefe, CISO at Bedfordshire Hospitals NHS FT; Mike Fell, director of national cyber operations at NHS England; Julian Wiggins, healthcare solution director at Rackspace Technology; and Nasser Arif, cyber security manager for London NW University Healthcare and The Hillingdon Hospitals.
Barnsley Hospital NHS Foundation Trust’s annual cyber security report has shared insights into recent upgrades and assurance, in line with recommendations from external parties and professional bodies. Over the last year, the trust has upgraded its backup solution to provide a “digital air gap”, replaced its antivirus/malware and device control solution, upgraded its server antivirus solution, and completed whole system upgrades for radiology and pathology systems.
NHS England has shared plans for the reprocurement of the cyber operations external attack surface management system, launching a market engagement process. The engagement intends to brief the market ahead of procurement of a solution to protect IT systems that are internet-facing against cyber threats, with the scope to be delivered as a national service to NHS organisations. So far, NHS England has outlined how the solution should build on previous lessons learned, helping to reduce cyber risks and improve the overall understanding of security weaknesses within the NHS.
Barts Health NHS Trust has responded to a recent cyber attack where files from a database containing invoices were stolen and posted on the dark web. The stolen files include names and addresses of individuals required to pay for services at the trust over a period of several years, as well as staff members who left employment owing salary sacrifice or overpayments.




