Question to the Department of Health and Social Care:
To ask His Majesty's Government what steps they are taking to ensure that the NHS has sufficient cyber security defences in place to protect systems.
In the past year we have invested £37.6 million across health and social care, building on the £338 million invested since 2017. Through our ambitious Cyber Improvement Programme, we are tackling the changing cyber risk head-on, expanding protection and services to better protect the health and care system.
The health and social care supply chain is large and complex. We have a dedicated workstream in the Cyber Improvement Programme that is focused on this particular risk, developing tools and processes to increase cyber assurance and resilience.
Published in May 2025, the cyber security supply chain charter is designed to support suppliers and their customers in reducing the likelihood and impact of a cyber incident. The eight statements contained within the charter are fundamental security measures that should be reasonably expected from suppliers to help secure their organisation.
In September 2024, the National Cyber Security Centre’s Cyber Assessment Framework was implemented into the Data Security and Protection Toolkit (DSPT) for large National Health Service organisations. This enables them to understand and manage their own cyber and information governance risks, while maintaining the high standards necessary to protect patients. Over 56,000 organisations completed a DSPT assessment for 2023/24. As of July 2024, 82% of NHS trusts, or 172 trusts, had met or exceeded the standard.
72% of adult social care providers are now compliant with the DSPT, and the Government-funded Better Security, Better Care programme continues to support care providers to prioritise safety and security when handling the data of those drawing on care.
The Department for Science, Innovation and Technology’s upcoming Cyber Security and Resilience Bill will help us address the evolving cyber threat to our supply chain. It will strengthen our defences and ensure that essential healthcare services are better protected.
Through the Cyber Operations division in NHS England, we are able to respond to the ever-changing threat landscape and monitor security threats to IT systems and networks. Cyber Operations provide a range of specialist services that help NHS organisations manage cyber risk, and these are delivered through a range of centrally funded products and services.
We work to ensure that patient data and information is stored in systems that are safe and secure. We do this by providing services, guidance, and support to health and care organisations.