The board of NHS England has ranked a cyber incident higher on its organisational risk registers than a pandemic, following an assessment of likelihood, impact, and the mitigations and preparedness already in place.
Explaining the findings from the latest Emergency Preparedness, Resilience, and Response Annual Assurance Report, NHSE stated: “EPRR assessments are guided by the government’s national risk register, which considers risks at a whole‑country level, whereas NHS England’s risk registers focus specifically on the organisation, with linkage to the wider health system. As a result, while a pandemic is assessed as a high risk at a national level given its potential to affect every person and organisation and place significant pressure on the health system, our organisational risk rating is lower due to the mitigations and preparedness measures already in place.”
The cyber risk target score has been set at 16 by 2030, which NHSE claims offers closer alignment with the cyber strategy lifecycle, whilst remaining “above appetite” due to persistent external threat levels, “variable sector maturity”, and a reliance on supplier assurance and recovery planning. A simulation exercise is scheduled to take place in July with a small sample of NHS organisations, to help evaluate resilience to a cyber event, looking at the ability to maintain critical services and coordinate a national response during a prolonged period of disruption.
Digital workforce capacity is recognised as another significant operational risk, particularly as it relates to the recruitment and retention of digital and data specialists, according to NHSE. This is due, it states, to a “critical dependency” on those specialists for the delivery of digital transformation and service continuity.
NHSE introduces four further new risks in line with emerging pressures, including tech, digital, and data transformation risk, identifying the potential impact on service continuity during structural change; and medical device regulation compliance, noting the risk of an “innovation freeze” if new regulatory requirements cannot be met for AI-enabled technologies.
Across the board, several strategic risks have a reduced current or target score compared with the last report, NHSE notes, including strategy and delivery planning, reflecting “clearer national priorities and improved governance”; technology and innovation, due to confirmed funding, Treasury approvals, and “embedded digital strategies, moving from dependency to active delivery”; and data breach risk, to reflect strengthened information governance and AI governance.
Elsewhere, NHSE updates on research and innovation covering the need for a more integrated health tech delivery approach, with four areas prioritised for the testing of innovative procurement approaches: AI-enabled dermatology triage; digital health therapeutics for insomnia; robotic-assisted surgery; and wearables for digital cardiac rehabilitation.
Wider trend: Cyber security
HTN was joined by a panel including Ciara Moore, EPR operations director at Bath, Salisbury and Great Western Group, Stuart Cooney, CTO at Royal Berkshire NHS Foundation Trust, and Julian Wiggins, healthcare solution director at Rackspace Technology, for a discussion focusing on cloud adoption, AI maturity, and cyber resilience. Panellists explored how healthcare organisations are tackling delivery, legacy systems, and rising digital expectations, and what this means for future strategy and plans. We also looked at the fragmented cloud landscape, integration pressures, legacy infrastructure, AI, and the growing urgency around cyber resilience, finishing by asking where NHS leaders should prioritise investment and focus in 2026.
The European Telecommunications Standards Institute has announced the launch of a new standard, ETSI EN 304 223, outlining minimum cyber security requirements for AI models and systems as the “first globally applicable European Standard (EN) for AI cyber security”. The new standard is designed specifically to protect AI systems from sophisticated cyber attacks, pointing to the need to secure against emerging forms of risk such as data poisoning, model obfuscation, and indirect prompt injection. It outlines 13 principles and requirements across five phases: secure design, secure development, secure deployment, secure maintenance, and secure end of life.
At a recent meeting, the board of Cheshire and Merseyside ICB focused on cyber security risk, assurance, and improvement activity across the region. While the ICB claims to have established a “strong foundation”, it proposes to refresh its cyber improvement programme to offer a clearer link between strategy, delivery, measurable outcomes, and board assurance, with the next phase to focus on governance and improving consistency in reporting across the system. Progress to date has included the development of a system-wide cyber strategy, target operating model, and roadmap; the development of an ICS cyber incident response plan, with exercises delivered across the organisation; template security policies for ICS adoption; and the completion of skills surveys, with training and certifications delivered, it states.