In its most recent meeting, the NHS England board offered a series of updates around cyber resilience, single patient record, neighbourhood technology, the genomics programme, and 10-Year Plan acceleration programmes, citing “a number of concerns” that need to be addressed prior to investment commitments.
On the single patient record and neighbourhood technology, Mark Bailie, non-executive director notes that “current plans show benefits realising in 2030, which is inconsistent with publicly stated ambitions and needs to be reconciled” and adds that there is no clear vision for neighbourhood technology.
From a review of its resilience programme and Cyber Accelerator, NHSE notes significant overlap but not enough alignment between teams. The Cyber Accelerator programme “spans a wide range of actions but lacks clarity on prioritisation”, it continues, with a request for the team to develop an urgent/important matrix to present a clear plan of action. Moving forward, NHSE states: “Strategic and policy decisions will be consolidated within the Cyber Accelerator; the resilience programme has been refocused on its original scope — mission critical systems and completing minimum controls for each.”
Also on cyber, NHSE reflects on slow progress toward its request for a national business continuity exercise around the event of a severe cyber attack, highlighting the importance of testing and planning for major failure scenarios with a focus on business operations and decision-making resilience, “rather than technical restoration”.
The board further shares concerns about the “unmitigated risk” of cyber specialist skills being lost as a result of the voluntary redundancy programme, adding: “Scarce specialist capacity is being drawn away from critical cyber and resilience work, and this constraint is not yet resolved. The committee felt that the approach to VR may be a symptom of a wider root cause that we have a system which needs to be digital but doesn’t know how we grow and nurture the technology workforce and make it much more part of the DNA of the organisation.”
Looking to programmes presented with the ambition of accelerating benefits delivery from the 10-Year Plan, NHSE voices a number of concerns to be addressed prior to committing material investment. These include a lack of executive involvement and no clear business owner to be accountable for resulting operational and business change; the absence of a technical or operational deliverability assessment; and “no clear articulation” of how accelerated components like Wayfinder connect to the Modern Service Framework pathway redesign approach. Detailed acceleration plans will now be drawn up to identify and address these challenges.
Elsewhere, the board turns its attention to research, innovation, and growth, receiving an update from a health tech event on challenges around legacy tech and the potential for MSFs to focus more heavily on where the adoption of high value technologies could help improve outcomes and reduce cost. Detailed proposals will now reportedly be submitted on how to better integrate health tech into MSFs, and how NICE could expand its evaluation of health tech products.
An update on the genomics programme explored the expected increase in genomic testing from April 2026, including additional cancer and rare diseases testing. NHSE also noted that Polygenic Risk Scores, which look at genetic predisposition to complex diseases, will begin with cardiovascular disease.
Wider trend: Health sector cyber plans and directions
NHS England has shared an open letter to current suppliers across the health and care system, outlining the shared responsibility to strengthen cyber security, and plans for direct supplier engagement. From January 2026, NHS England will be looking to contact suppliers directly to discuss current cyber security controls, requesting supporting information or evidence “where appropriate”, such as in instances where suppliers deliver services deemed to be critical to patient care or operational continuity. “This is not an audit, and it is not a pass or fail exercise,” NHS England explains. “This programme is about identifying risk and working in partnership to agree proportionate remediation activity, that strengthens resilience for everyone.”
South West London ICB has shared an update on its current cyber assurance and details of system-wide cyber improvement activities, extending to progress around governance and promoting alignment with provider organisations. The update follows news that the ICB’s digital team has secured more than £1 million in funding from NHS England to support its delivery of the SWL Cyber Strategy in 2025/26. The ICB’s latest Cyber Security Strategy set out six objectives to be achieved by 2030: strengthening governance, managing risk, understanding critical systems and suppliers, prevention and resilience, detecting and responding to threats and incidents, and embedding cyber awareness and culture.
The European Telecommunications Standards Institute has announced the launch of a new standard, ETSI EN 304 223, outlining minimum cyber security requirements for AI models and systems as the “first globally applicable European Standard (EN) for AI cyber security”. The new standard is designed specifically for AI systems to protect them from sophisticated cyber attacks, pointing to the need to secure against emerging forms of risk such as data poisoning, model obfuscation, and indirect prompt injection. It outlines 13 principles and requirements across five phases: secure design, secure development, secure deployment, secure maintenance, and secure end of life.
