At a recent meeting, the board of Cheshire and Merseyside ICB focused on cyber security risk, assurance, and improvement activity across the region. While the ICB claims to have established a “strong foundation”, it proposes to refresh its cyber improvement programme to offer a clearer link between strategy, delivery, measurable outcomes, and board assurance, with the next phase to focus on governance and on improving consistency in reporting across the system.
Progress to date has included the development of a system-wide cyber strategy, target operating model, and roadmap; the development of an ICS cyber incident response plan with exercises delivered across the organisation; template security policies for ICS adoption; and the completion of skills surveys with training and certifications delivered, it states.
Moving forward, a standards-based approach to assurance will be introduced, with core assurance sources to be consistently applied throughout the ICB. These cover the DSPT and Cyber Assurance Framework; Microsoft Defender for Endpoint scores; the Digital Maturity Assessment and Safe Practice; and local and system-level reporting on risks, control coverage, vulnerabilities, patching, incidents, and training. Future planning will also look to potential accreditation such as Cyber Security, Cyber Security +, and Information Security standards like ISO27001.
Cyber requirements will be built into design and procurement, according to the ICB, rather than being addressed retrospectively. Culture and capability are also to be developed through awareness activity, role-based development, leadership behaviours, shared learnings, and board development.
Key deliverables will include confirmed reporting routes and escalation thresholds, set programme milestones and defined completion evidence, cyber requirements built into architecture standards and solution designs, and the identification of critical pathways and suppliers with a dependency map, risk register, supplier assurance outputs, and mitigation plans. A three-day regional cyber incident simulation is scheduled to take place in July 2026, with a post-exercise review to consider lessons learned, an action plan, and updated incident response documents.
Ultimately, Cheshire and Merseyside hopes that its updated cyber plans will help support the digital foundations required for service transformation and the introduction of AI and productivity tools by protecting underlying data and systems. “Shared systems and interoperable data support integrated care, but also increase shared exposure,” it considers. “Cyber security at system level must therefore be a priority for integrated clinical pathways and platforms. The ICB has clearly defined responsibilities for leading strategic cyber security standards, system assurance and improvement across constituent organisations.”
Wider trend: Cyber security
HTN was joined by a panel including Ciara Moore, EPR operations director at Bath, Salisbury and Great Western Group, Stuart Cooney, CTO at Royal Berkshire NHS Foundation Trust, and Julian Wiggins, healthcare solution director at Rackspace Technology, for a discussion focusing on cloud adoption, AI maturity, and cyber resilience. Panellists explored how healthcare organisations are tackling delivery, legacy systems, and rising digital expectations, and what this means for future strategy and plans. We also looked at the fragmented cloud landscape, integration pressures, legacy infrastructure, AI, and the growing urgency around cyber resilience, finishing by asking where NHS leaders should prioritise investment and focus in 2026.
In its most recent meeting, the NHS England board offered a series of updates around cyber resilience, single patient record, neighbourhood technology, the genomics programme, and 10-Year Plan acceleration programmes, citing “a number of concerns” that need to be addressed prior to investment commitments. NHSE reflects on slow progress toward its request for a national business continuity exercise covering the event of a severe cyber attack, highlighting the importance of testing and planning for major failure scenarios with a focus on business operations and decision-making resilience, “rather than technical restoration”.
The European Telecommunications Standards Institute has announced the launch of a new standard, ETSI EN 304 223, outlining minimum cyber security requirements for AI models and systems as the “first globally applicable European Standard (EN) for AI cyber security”. The new standard is designed specifically for AI systems to protect them from sophisticated cyber attacks, pointing to the need to secure against emerging forms of risk such as data poisoning, model obfuscation, and indirect prompt injection. It outlines 13 principles and requirements across five phases: secure design, secure development, secure deployment, secure maintenance, and secure end of life.




