Cornwall and Isles of Scilly ICS notes plans and actions for cyber security

NHS Cornwall and Isles of Scilly’s (C&IoS) cyber security strategy to 2026 has been put forward for board endorsement, with a focus on identifying and managing risk; strengthening governance; embedding cyber awareness and culture; critical IT systems and suppliers; and prediction, prevention, detection, response and recovery.

Outlining the current situation in C&IoS, the ICS highlights that implementing the Cornwall Cyber Security Operations Centre has been “advantageous”, enabling greater value around cyber security operations and offering improvements around compliance, risk and governance. It also notes challenges around ongoing funding to support the ICS’s cyber plans, with limited finances or resources often meaning tech assets are utilised for “longer than originally designed”.

The vision for cyber, the strategy goes on, is to deliver and support systems that are regularly updated and which maintain confidentiality, integrity and availability; to use cyber secure and identifiable data transparently, in a way that is resilient to outages and cyber attacks; and to use system-wide governance to identify risk exposure and weaknesses. It follows five pillars developed collaboratively with NHSE: focusing on greatest risks and harms, defending as one, people and culture, building secure for the future, and exemplary response and recovery.

The ICS identifies its five main cyber risks and has formally documented gaps in controls and the actions to be taken on ICS members’ risk registers, whilst quarterly cyber security assurance reports are provided to board-level committees of member organisations, and a cyber security checklist is regularly reviewed to ensure staff awareness of current threats and issues. A cyber security sidebar is reportedly installed on PCs managed by the IT team to highlight important cyber security issues, and staff can access a dedicated cyber security page on the intranet which offers advice and guidance. A training needs analysis has been developed using DSPT principles, and an ICS-wide cyber incident response exercise was carried out in 2024, with results fed back to the ICS’s emergency preparedness, resilience and response teams.

The system’s most critical IT systems, including on-premise and cloud, have been identified, and a manual process has been developed for assessing the risks of new IT system suppliers. Work is also underway on amalgamating the DTAC questionnaire requirements with the DPIA, the local cloud-hosted questionnaire, and the requirements of DCB0129 and DCB0160. A 24×7 service is available to support response to cyber incidents, and the CSOC and IT teams work with information governance leads to ensure continued adherence to DSPT principles.

In terms of work to be done to achieve the strategy aims, key themes cover the greatest risks and harms such as cyber governance, risk management, third-party risk management, asset management, legacy systems, and cyber awareness and culture. Here, the ICS looks at identifying and recording risks including from the third-party supply chain, reviewing cyber risk as part of corporate risk management, and ensuring ICS members maintain an understanding of their suppliers’ cyber security risks and controls.

The “defend as one” pillar for C&IoS looks to themes such as regional collaboration, alignment with agreed cyber security standards, managing data access, funding, levers and incentives, regional incident response, and threat intelligence. For the ICS’s people and culture, it touches on developing an “appropriately resourced and accountable” cyber security function, encouraging the sharing of good practice, recruiting and retaining cyber staff, and promoting user awareness and education.

On building secure for the future and looking to formulate an exemplary response and recovery, C&IoS is focused on building systems and services that are cyber secure by design, engaging suppliers on their cyber security, outlining expectations of partner organisations, and leading on incident response exercising. Key security themes include IT procurement frameworks, contract management, critical systems and suppliers, security certifications and accreditations, network security, endpoint security, cloud security, and security architecture and testing.

Specific actions to be taken in line with these aims cover agreeing consistent risk scores for cyber security risk across member organisations, formally developing a Board Assurance Framework cyber security risk and reporting process, defining a system-wide tolerance for cyber risks, identifying realistic targets and cyber security KPIs, carrying out surveys to gauge cyber security awareness across the ICS, and streamlining the requirements around DCB0129 and DCB0160 alongside those of DTAC, the DPIA and the local supply chain.

Focusing on cyber security and resilience in health and care

A recent HTN Now webinar focused on sharing best practices around cyber security, with HTN joined by an expert panel including Neill Crump, digital strategy director at The Dudley Group NHS Foundation Trust; Nasser Arif, cyber security manager at London North West Healthcare NHS Trust (LNWH) and Hillingdon Hospitals NHS Foundation Trust; and Martin Knight, privileged access management at Imprivata. The session explored key considerations for NHS organisations in their approach to cyber security, assessing cyber security maturity, good cyber security practice, the challenges in this area and tips to overcome them.

The Department for Science, Innovation and Technology has outlined plans for the Cyber Security and Resilience Bill, noting measures to enhance oversight, regulating the supply chain, and progressing CAF’s basic and enhanced profiles. It first looks to bring more entities under the scope of the regulatory framework, to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains” including interconnectedness, which it states can have “cascading effects on our essential services”. Managed service providers offering core IT services will also be brought into the scope, whilst the government is similarly looking to enable regulators to designate “critical suppliers” and set stronger duties for the supply chain.