Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what recent assessment he has made of the readiness of the NHS to respond to co-ordinated cyber attacks.

In the past year, we have invested £37.6 million across health and social care, building on the £338 million invested since 2017. Through our ambitious Cyber Improvement Programme, we are tackling the changing cyber risk head-on, expanding protection and services to better protect the health and care system.

NHS England’s Cyber Operations team provides 24/7 monitoring and expert support to National Health Service organisations who have been impacted by cyber-attacks. This includes specialist, on the ground, certified incident response services free of charge to NHS organisations who have been severely impacted by cyber incidents as well as technical and operational support to contain, investigate, and remediate incidents. Furthermore, we have developed guidance for leaders involved in cyber incidents to ensure there is a clear policy and process for how to respond across all elements of incidents.

We have a process in place to identify lessons and implement improvements following cyber incidents. Following the Synnovis cyber-attack in 2024, the Department and NHS England have made improvements to critical communications processes, additional measures to improve resilience in the supply chain, and setting out clearer roles and responsibilities in incident management.

In 2023, a Health and Care Cyber Security Strategy was launched. Pillar 5 of the strategy focuses on exemplary response and recovery, and as set out in the strategy, health and care organisations should run annual cyber exercises to ensure there is a well-practiced and rapid response when incidents do occur.