
NHS England has announced a simulation exercise planned for July 2026 to test the health service's ability to withstand a major cyber incident as concerns mount that the health system is unprepared for a large-scale attack.

The exercise will assess whether critical services can be maintained and whether a coordinated national response can be mounted during a prolonged period of disruption. A representative sample of NHS organisations will take part, with findings intended to inform system-wide preparedness rather than remain confined to participants.

NHS England has warned that cyber risk across the health service remains at its highest severity rating despite a range of mitigations already in place, with a report published this week revealing the threat environment is "significant and increasing".

The report said that from an NHS England organisational perspective, a cyber incident is considered more likely and more impactful than a pandemic and is therefore rated higher in the risk registers.

The Risk Management report, presented to the NHS England Board on 4 June by Chief Operating Officer Sarah-Jane Marsh and Director of Corporate Governance John Lester, shows cyber security and service resilience rated as one of just four operational risks carrying a score of 25, the most serious level on the organisation's risk register.

At a strategic level, NHS England said that cyber risk will remain above its own risk appetite in the medium term. A target score of 16 has been set, but this is pegged to a delivery horizon of 2030, aligned to the NHS Cyber Strategy lifecycle.

The report attributes the slow trajectory to three persistent challenges: the scale and pace of the external threat environment; inconsistent cyber maturity across NHS organisations; and continued reliance on supplier assurance and recovery planning capabilities that require both sustained investment and time to embed.

The assessment comes despite the report noting broader improvements across NHS England's risk profile, with several other strategic risks reducing in score following what the board described as clearer strategic direction and stronger governance.

Data breach risk shows some improvement
The data breach risk, closely linked to cyber, has seen a modest improvement. Strengthened controls - including data protection health checks, enhanced third-party assurance and improved incident response arrangements - have reduced both the likelihood and impact scores. A target score of 16 has been set, aligned to the internal cyber trajectory. The report also notes clearer separation between cyber and non-cyber drivers of data breach risk, enabling what it describes as "a clearer pathway to reduction."

The report signals growing concern about the cyber implications of international conflict. Risk owners across NHS England have been asked to ensure their assessments adequately reflect the potential impact of geopolitical instability, with cyber attacks specifically identified alongside supply chain disruption and financial pressures as one of the areas of greatest concern.

A newly escalated operational risk warns of a potential "innovation freeze" in the adoption of AI-enabled medical devices if NHS England cannot keep pace with evolving regulatory requirements. While not a cyber risk in the traditional sense, the assessment underlines the broader digital vulnerability of an organisation increasingly dependent on technology to deliver care.

The board papers also identified persistent difficulties in recruiting and retaining digital and data specialists as a separate high-scoring operational risk. Described as a "critical dependency" for digital transformation and service continuity, the workforce gap risks undermining the very capabilities needed to address the cyber threat, the report concluded.
