South West London ICB shares cyber assurance position and overview of system-wide cyber improvement activities

South West London ICB has shared an update on its current cyber assurance and details of system-wide cyber improvement activities, extending to progress around governance and promoting alignment with provider organisations. The update follows news that the ICB’s digital team has secured more than £1 million in funding from NHS England to support its delivery of the SWL Cyber Strategy in 2025/26.

The ICB’s latest Cyber Security Strategy set out six objectives to be achieved by 2030: strengthening governance, managing risk, understanding critical systems and suppliers, prevention and resilience, detecting and responding to threats and incidents, and embedding cyber awareness and culture.

Martin Ellis, the ICB’s CDIO, emphasised that as the system’s digital transformation progresses, “security must be embedded in everything we do”. He added: “This strategy ensures that our digital initiatives are built on a strong and consistent foundation of cyber security, safeguarding patient data, critical systems, and the trust our communities place in us.”

For 2025/26, the ICB lists key priorities that include strengthening governance, ensuring board-level accountability, establishing a cyber assurance committee, introducing a unified risk management framework across the system, and improving transparency and consistency in risk reporting and mitigation. A centralised inventory will be created of critical systems and suppliers, along with a centralised monitoring and detection capability, and an impact analysis to inform incident response planning.

In the year, the ICB was successful in securing £1,068,000 in capital and revenue funding, allocated to key cyber schemes including £210,000 for privileged access management, and £160,000 for medical device security for Kingston and Richmond Hospital, involving the deployment of additional firewalls.

Two specific operational cyber risks are noted: third-party remote access, and personal devices connected to the local LAN. “Numerous” third-party suppliers are being used in general practice, according to the ICB, with a number of different support connection requests made to connect to the network. This could inadvertently lead to users installing web-based applications on the device, granting third-party access to the network. Whilst Sophos is being used to block known URLs, SWL recognises “this does not cover all requirements and solutions in use by third-parties”. A longer-term solution is being introduced with the use of Datto, which should be in place by the end of the 2025/26 financial year.

“Cyber security is not just an IT issue – it’s a business priority,” SWL states. With this in mind, it continues, the board’s role is to take a proactive approach to cyber security to ensure resilience, incorporating “simple” safeguards and strategic investments. “Current Board members have not completed ICB specific Board level cyber training, given the current cyber threat level and compliance requirements this gap must be mitigated,” SWL adds. A date of April 2026 is suggested for the completion of NHSE-provided cyber training.

Elsewhere, the board outlines current cyber security controls in place across the system, with a cyber baseline assessment having been completed to establish current risk position, an ICB cyber lead appointed, a review of multi-factor authentication, incident exercises, and shared standards. Controls in development include the modernisation of risk management, incident response, and asset management practices, the standardisation of cyber training, and the promotion of awareness across the ICS.

Wider trend: Cyber security and strategy across the health sector

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved with making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, the CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.

The UK Government has updated its Cyber Action Plan to tackle “critically high” cyber risk as part of the Roadmap for Modern Digital Government, looking to move toward proactive action, clear accountability, mandatory requirements, and comprehensive central support. £210 million has been invested in forming a new Government Cyber Unit, to provide direction and expert support. The government shares findings from the first year of GovAssure, its cyber security scheme for assessing government critical systems, noting “significant gaps” in departments’ cyber security and resilience, and low levels of maturity in asset management, protective monitoring, and response planning.

NHS England has shared an open letter to current suppliers across the health and care system, outlining the shared responsibility to strengthen cyber security, and plans for direct supplier engagement. From January 2026, NHS England will be looking to contact suppliers directly to discuss current cyber security controls, requesting supporting information or evidence “where appropriate”, such as in instances where suppliers deliver services deemed to be critical to patient care or operational continuity. “This is not an audit, and it is not a pass or fail exercise,” NHS England explains. “This programme is about identifying risk and working in partnership to agree proportionate remediation activity, that strengthens resilience for everyone.”