CyberSecurity SEE

NCSC Unveils Coordinated Strategy to Enhance NHS Cyber Resilience

The UK’s National Cyber Security Centre (NCSC) has outlined a strategic plan aimed at enhancing cyber resilience within the National Health Service (NHS). The details were published in a blog post on April 17, in which the agency emphasized the need for continuous improvement in the face of rising cyber threats.

In the last 18 months, the NCSC has worked closely with various government and industry stakeholders to fortify the NHS against cyber risks and improve threat detection capabilities. The agency highlighted several foundational pillars of this ambitious strategy. One of these includes piloting new tools and services through the Active Cyber Defence (ACD) 2.0 program, which is designed to proactively address vulnerabilities. Additionally, there is a significant focus on enhancing the security of the software supply chain, which is vital for safeguarding the various applications used by healthcare providers.

Another crucial element of the plan involves managing vulnerability disclosures and fostering the sharing of threat intelligence across organizations. Improving visibility to better understand the threat landscape and deploying what’s referred to as “defensive tradecraft” is also essential. Furthermore, the NCSC is advocating for its own tools and services. These include the Early Warning service, the Cyber Action Toolkit, and the Cyber Essentials scheme, all of which aim to arm organizations with the necessary resources to bolster their cybersecurity measures.

Nicholas W., a representative of the NCSC’s National Resilience Directorate, elaborated on the impact of the government’s Software Security Code of Practice, which the NHS has begun utilizing in its procurement process. This code serves to better gauge the cyber maturity of suppliers, thereby enabling more informed decision-making when it comes to partnerships.

The NCSC has also formed partnerships with healthcare organizations, utilizing advanced data science tools to prioritize and assess supplier risk. Plans are in place to expand this initiative, integrating data such as incident histories and vulnerability activity drawn from the NCSC Early Warning service with technical metrics like remediation patterns and potential attack surfaces. This comprehensive approach is expected to enhance risk assessment and response strategies within the NHS.

Moreover, the NCSC has played a pivotal role in assisting NHS England, the NHS Business Services Authority, and NHS Scotland in establishing internal processes for vulnerability disclosures. This ongoing effort is complemented by the agency’s Vulnerability Reporting Service (VRS), which has supported various health facilities, including GP surgeries and NHS trusts, since its inception in 2019.

Additional initiatives that are part of this widespread cybersecurity effort include the NHS App, which has become the first government-sponsored application to offer passkeys, with many other organizations likely to adopt similar practices soon. The ongoing exploration of External Attack Surface Management (EASM) and deception technology also plays a central role in enhancing security defenses across the healthcare sector. Furthermore, analytics are being employed to identify and mitigate DNS-related risks, while NCSC Threat Hunting Workshops convene cyber analysts from across the sector to address real-world threats and develop effective defensive strategies.

The necessity for such resilience-building initiatives in the UK’s healthcare sector cannot be overstated, especially in light of historical cyber incidents. The WannaCry ransomware attack in 2017 wreaked havoc on the NHS, costing an estimated £92 million and showcasing the vulnerabilities present within the organization. More recently, a ransomware assault on the supplier Synnovis in 2024 resulted in the cancellation of around 1,500 operations and appointments, a situation further complicated by its reported link to a patient’s death.

Another significant cyber event occurred in 2022 when a ransomware attack struck the IT partner Advanced Computer Software Group, leading to the theft of sensitive data belonging to tens of thousands of individuals. The repercussions included a disruption of critical services such as patient referrals, out-of-hours appointment bookings, emergency prescriptions, and ambulance dispatches.

The cornerstone of the NCSC’s plan for enhancing resilience lies in fostering collaboration among various stakeholders from both industry and the government, according to Nicholas W. He asserted the importance of aligning efforts around a shared goal, noting that this approach not only streamlines efforts and fosters learning but also mitigates cyber risks across the entire healthcare system, beyond individual organizations.

In conclusion, Nicholas W. noted that the collaborative framework being established through this initiative offers a viable model for other critical sectors facing similar cybersecurity challenges, emphasizing that the complexities of cyber threats require a collective response rather than isolated efforts.
